Sunday, Jul 29, 2018

System Extension Gets Blocked on Newly Installed MacOS High Sierra (10.13)

Hi all,

To keep it short: I cloned my Mac OS system drive onto a 2TB external SSD and used this as the startup drive with MacOS High Sierra. So far so good. There were some smaller issues but it worked.

But as soon as I started a remote session with Citrix Receiver, after being connected, a lot of warnings popped up saying that the system extension for Citrix Inc could not be loaded. The odd thing was that there was no Allow button visible in the Security & Privacy dialog to add/allow the system extension. That is what I call a deadlock.

 

A workaround could be to disable the check for adding system extensions completely:

  • start into recovery mode
  • start terminal
  • disable SIP, execute: csrutil disable
  • restart your system

But this is very unsafe, as system objects could now be modified by any process, uncontrolled - perfect for an attack.

After hours of internet research and scanning through blogs I found a reasonable solution. Instead of hunting for the missing or deactivated add button or disabling SIP completely, you can, again only in recovery mode, add the system extensions (in my case for Citrix) to a whitelist manually.

  • start into recovery mode
  • start Terminal
  • then I added all Citrix-related team IDs (that's how the software owner is somehow identified) to the system extensions whitelist:

/usr/sbin/spctl kext-consent add U42NNPDKG7
/usr/sbin/spctl kext-consent add KBVSJ83SS9
/usr/sbin/spctl kext-consent add TDNYQP7VRK
/usr/sbin/spctl kext-consent add DE8Y96K9QP
/usr/sbin/spctl kext-consent add B74XLY78T6
/usr/sbin/spctl kext-consent add 6HB5Y2QTA3

  • enable SIP again: csrutil enable
  • restart your system

This worked, is reasonable and fine-grained - I feel like a MacOS hacker now.

Be aware that all described operations are at your own risk.
See the references for the most important discussions on this topic and also a link to a Google document
listing/describing relevant team IDs.

I thank the internet community for providing a solution!

Cheers

/Karl
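
For the whitelisting procedure above, it helps to confirm which team ID actually signed the blocked extension instead of adding every ID from a list. The following is an added example, not part of the original post: a shell helper that reads `codesign -dvv` output, validates the TeamIdentifier, and prints the matching `spctl kext-consent add` command. The sample signature output, the team ID `ABCDE12345`, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the team ID from a kext's own signature before
# whitelisting it, rather than trusting IDs copied from a list.

# Constructed sample of `codesign -dvv <kext>` output (codesign writes it to stderr).
SAMPLE_CODESIGN='Executable=/Library/Extensions/Example.kext/Contents/MacOS/Example
Identifier=com.example.driver
Format=bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345'

# Print the TeamIdentifier found in codesign output read from stdin.
# Fails if the field is missing, "not set" (ad-hoc or unsigned), or malformed.
team_id_from_codesign() {
    tid=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    case "$tid" in
        "" | "not set") return 1 ;;
    esac
    # Assumed format: 10 uppercase letters/digits, as in the IDs used in the post.
    printf '%s\n' "$tid" | grep -Eq '^[A-Z0-9]{10}$' || return 1
    printf '%s\n' "$tid"
}

# Print the Recovery-mode command for one verified team ID.
consent_command() {
    tid=$(team_id_from_codesign) || {
        echo "no valid TeamIdentifier in signature" >&2
        return 1
    }
    printf '/usr/sbin/spctl kext-consent add %s\n' "$tid"
}

# On a real system (normal boot), feed it the live signature:
#   codesign -dvv /Library/Extensions/Some.kext 2>&1 | consent_command
# After adding the ID in Recovery, review the whitelist with:
#   /usr/sbin/spctl kext-consent list
printf '%s\n' "$SAMPLE_CODESIGN" | consent_command
```
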