As some kinds of MacOS developers know, Apple implemented Secure Kernel Extension Loading .
Users can approve third party KEXT by clicking Approve
button in Security and Privacy
.
However, once the KEXT is approved, are there any methods for cancelling the approval?
Imagine, the case of testing the app with KEXT loading, etc.
If there are no way but the clean install, it's very difficult to test apps.
The command is as follows: spctl kext-consent add 4C6364ACXT. The 4C6364ACXT value in the example above is the Parallels Team ID. The command disables User Approved Kernel Extension Loading for Parallels Desktop, so user consent to load the extensions will not be required.
The information about approvals is stored in sqlite3
database:
/var/db/SystemPolicyConfiguration/KextPolicy
The tables you're interested in are: kext_policy
and kext_load_history_v3
. E.g. here is how you can view the data and the table schema:
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
sqlite> select * from kext_policy;
54GTJ2AU36|com.joshuawise.kexts.HoRNDIS|1|Joshua Wise|1
sqlite> .schema kext_policy
CREATE TABLE kext_policy ( team_id TEXT, bundle_id TEXT, allowed BOOLEAN, developer_name TEXT, flags INTEGER, PRIMARY KEY (team_id, bundle_id) );
Removing the approval is tricker, since the System Integrity Protection does not allow you to modify the database. So, you'd need to reboot into a recovery partition, or a different MacOS installation, then cd into the root of your volume, and run the commands like these (replace with your team_id, or use other criteria):
usr/bin/sqlite3 var/db/SystemPolicyConfiguration/KextPolicy
delete from kext_load_history_v3 where team_id='54GTJ2AU36';
delete from kext_policy where team_id='54GTJ2AU36';
.quit
To echo what people are saying in the comments, I found that the accepted solution did not work. I also had to reset the PRAM.
Working steps:
Create the following script somewhere on your filesystem (you will be running this from recovery mode, so you won't be able to copy and paste in that mode). You will need to replace TEAMID1234
with the team ID of the kext(s) you want to revoke consent for. Note that the full paths to /Volumes/Macintosh\ HD
are required in recovery mode.
I called my script /Users/me/revoke_kext_consent.sh
, and ran
chmod +x /Users/me/revoke_kext_consent.sh
.
#!/bin/sh -e
/Volumes/Macintosh\ HD/usr/bin/sqlite3 /Volumes/Macintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy 'delete from kext_policy where team_id="TEAMID1234";'
/Volumes/Macintosh\ HD/usr/bin/sqlite3 /Volumes/Macintosh\ HD/var/db/SystemPolicyConfiguration/KextPolicy 'delete from kext_load_history_v3 where team_id="TEAMID1234";'
Reboot into recovery mode (boot with Cmd-R)
Open Terminal, and run the above script (/Volumes/Macintosh\ HD/Users/me/revoke_kext_consent.sh
).
Reboot and reset the PRAM (boot with Cmd-Opt-P-R)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With