User Approved Kernel Extension Loading
In macOS 10.13 or later, user consent is required to load kernel extensions. This feature is known as User Approved Kernel Extension Loading. With it, any user can approve a kernel extension, even if they don’t have administrator privileges. Kernel extensions don’t need authorization if they:
Were on the Mac prior to the upgrade to macOS 10.13
Are replacing previously approved extensions
Are allowed to load without user consent by using the spctl command while started up from macOS Recovery
Are allowed to load using the Kernel Extension Policy payload
Any Mac user can approve the kext, not just a user with administrator privileges. If you want to disable User Approved Kernel Extension Loading, boot into macOS Recovery and use the spctl command. To prevent users from changing the setting, set a firmware password, which blocks the NVRAM changes that can reset the User Approved Kernel Extension Loading and System Integrity Protection settings.
Starting with macOS 10.13.4, enrolling in a mobile device management (MDM) solution no longer disables User Approved Kernel Extension Loading, so extensions you were previously allowed to load now need approval. To have MDM load extensions without approval, make sure you’ve installed macOS 10.13.2 or later and that you meet one of the following requirements:
You’re enrolled in MDM through Apple School Manager or Apple Business Manager.
Your MDM enrollment is User Approved.
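One way to review what a Kernel Extension Policy payload pre-approves before it is deployed. This is an added example, not code from the original page or from Apple. The payload type and key names (AllowUserOverrides, AllowedTeamIdentifiers, AllowedKernelExtensions) are taken from Apple's configuration profile reference rather than from this page, and the sample profile, team identifiers and bundle identifiers are constructed placeholders.

```python
import plistlib

KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"

# Constructed sample profile; the team and bundle identifiers are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
    <key>AllowUserOverrides</key><true/>
    <key>AllowedTeamIdentifiers</key><array><string>TEAMID0001</string></array>
    <key>AllowedKernelExtensions</key><dict>
      <key>TEAMID0002</key><array><string>com.example.driver</string></array>
      <key></key><array><string>com.example.legacy</string></array>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_kext_policy(profile_bytes):
    """Summarise which kexts a profile lets load without user consent."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == KEXT_POLICY]
    team_wide, per_bundle, findings = set(), {}, []
    if not payloads:
        findings.append("no Kernel Extension Policy payload in this profile")
    for p in payloads:
        # Team-wide entries approve every kext signed by that team.
        team_wide.update(p.get("AllowedTeamIdentifiers", []))
        # Per-bundle entries map a team identifier to specific bundle IDs.
        for team, bundles in p.get("AllowedKernelExtensions", {}).items():
            per_bundle.setdefault(team, set()).update(bundles)
        if p.get("AllowUserOverrides") is True:
            findings.append("AllowUserOverrides is true: users can still approve other kexts")
    for team in sorted(team_wide):
        findings.append(f"{team}: every kext signed by this team is pre-approved")
        if team in per_bundle:
            findings.append(f"{team}: bundle list is redundant with the team-wide entry")
    # Apple's reference uses an empty team key for unsigned legacy kexts.
    if "" in per_bundle:
        findings.append("empty team key: unsigned legacy kexts are pre-approved")
    return team_wide, per_bundle, findings


if __name__ == "__main__":
    for line in audit_kext_policy(SAMPLE_PROFILE)[2]:
        print(line)
```
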
The following payloads must meet one of the above requirements: