Managing kexts in High Sierra and later via CLI : Support Portal

Introduction

The preferred way for accepting 3rd party kernel extensions ("kexts" for short, and sometimes referred to as "system extensions") is to hit the "Allow" button that comes up in the "Security & Privacy" PrefPane, typically during software install. However sometimes this method doesn't work properly, and manual intervention must take place. For HyperFS you need to allow a kext from "Blue Whale Information Technologies"

Manually allowing kexts:

Boot into a recovery OS (hold Cmd+r while booting), open Terminal, and run the appropriate command below

HyperFS:

spctl kext-consent add JS776ETM39

For ATTO (both software and drivers):

spctl kext-consent add FC94733TZD

Querying:

While still in the recovery terminal , you can check that the kext IDs have proper consent to load with:

spctl kext-consent list

Which should give output similar to this:

afx01:~ digital08$ spctl kext-consent list

Allowed Team Identifiers: JS776ETM39 FC94733TZD afx01:~ digital08$

Alternatively, from a normally-booted system, you can get a list of approved kext IDs at runtime:

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

Once withing the sql prompt, run this query:

SELECT * FROM kext_policy;

This will give an output similar to this:

sqlite> SELECT * FROM kext_policy;

You can now leave the sql prompt with exit or hitting Ctrl+d

Disabling Gatekeeper

This is not a supported method, but can be used for testing purposes. It essentially bring back the "Anywhere" option for which software developers to allow apps to run from:

From a normal macOS terminal (recovery is not needed for this), run this command:

sudo spctl --master-disable

To revert the changes, simple re-enable: