Prepare for changes to kernel extensions in macOS High Sierra

If you’re a system administrator, use this information to prepare for changes to kernel extensions when you upgrade your business or education institution to macOS High Sierra.

To improve security on the Mac, kernel extensions installed with or after the installation of macOS High Sierra require user consent in order to load. This is known as User Approved Kernel Extension Loading. Any user can approve a kernel extension, even if they don’t have administrator privileges.

Kernel extensions don't require authorization if they:

  • Were on the Mac before the upgrade to macOS High Sierra.
  • Are replacing previously approved extensions.

If you want to disable User Approved Kernel Extension Loading, boot into macOS Recovery and use the spctl command. Run spctl by itself, with no arguments, to get more information about how to use it.

If you reset NVRAM, your Mac will revert to its default state, with User Approved Kernel Extension Loading enabled. You can set a firmware password on your Mac to prevent unauthorized changes to NVRAM.

In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables User Approved Kernel Extension Loading. The behavior for loading kernel extensions will then be the same as in macOS Sierra.
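Because a Recovery-mode spctl change, an NVRAM reset, or MDM enrollment can each change the setting, it is worth auditing which state a Mac is actually in. The script below is an added example, not part of the original article: it classifies the output of `spctl kext-consent status` and flags hosts where consent is not enabled. The `kext-consent status` subcommand is not named in the article, the status line format is an assumption, and the hostnames and inventory are constructed sample data.

```shell
#!/bin/sh
# Added example: audit User Approved Kernel Extension Loading (UAKEL) state.
# Assumption: `spctl kext-consent status` prints a line such as
#   "Kernel Extension User Consent: ENABLED"   (or ... DISABLED)
# That format is not shown in the article.

# uakel_state: read status text on stdin, print enabled|disabled|unknown.
uakel_state() {
    state=unknown
    while IFS= read -r line; do
        case "$line" in
            *"Kernel Extension User Consent:"*ENABLED*)  state=enabled ;;
            *"Kernel Extension User Consent:"*DISABLED*) state=disabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# audit_fleet: read "host<TAB>status line" records on stdin and print every
# host whose state is not "enabled" (disabled, or output not recognised).
audit_fleet() {
    tab=$(printf '\t')
    while IFS="$tab" read -r host status; do
        [ -n "$host" ] || continue
        s=$(printf '%s\n' "$status" | uakel_state)
        [ "$s" = enabled ] || printf '%s %s\n' "$host" "$s"
    done
}

# Constructed sample inventory (hostnames and lines are made up).
sample_inventory() {
    printf 'mac-lab-01\tKernel Extension User Consent: ENABLED\n'
    printf 'mac-lab-02\tKernel Extension User Consent: DISABLED\n'
    printf 'mac-lab-03\tspctl: command failed\n'
}

# On a Mac, report the local state; elsewhere, audit the constructed sample.
if command -v spctl >/dev/null 2>&1; then
    spctl kext-consent status 2>/dev/null | uakel_state
else
    sample_inventory | audit_fleet
fi
```

Hosts reported as `unknown` deserve the same follow-up as `disabled`, since the check could not confirm that consent is enforced.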

In a future update to macOS High Sierra, you will be able to use MDM to enable or disable User Approved Kernel Extension Loading and to manage the list of kernel extensions which are allowed to load without user consent.

 
