For those that cannot find their tape drive within their software.


Please check if you've installed your driver included on your USB stick for your appropriate operating system, and if you approved the Kernel Extension within MAC OS High Sierra or above.


Introduction

macOS High Sierra 10.13 introduces a new feature that requires user approval before loading newly-installed third-party kernel extensions (KEXTs). When a request is made to load a KEXT that the user has not yet approved, the load request is denied. Apps or installers that treat a KEXT load failure as a hard error will need to be changed to handle this new case.

Approval is automatically granted to third-party KEXTs that were already present when upgrading to macOS High Sierra.

Note that approval doesn't guarantee that a KEXT is compatible and won't panic the system. The reason this feature exists is to give users more control over what KEXTs will load, which should reduce the number of panics.

Back to Top

In-Depth Explanation

This feature enforces that only kernel extensions approved by the user will be loaded on a system. When a request is made to load a KEXT that the user has not yet approved, the load request is denied and macOS presents the alert shown in Figure 1.

Figure 1  Blocked kernel extension

This prompts the user to approve the KEXT in System Preferences > Security & Privacy as shown in Figure 2.

Figure 2  User approval to load a KEXT

This approval UI is only present in the Security & Privacy preferences pane for 30 minutes after the alert. Until the user approves the KEXT, future load attempts will cause the approval UI to reappear but will not trigger another user alert.

The alert shows the name of the developer who signed the KEXT so the user has some information to decide whether to approve the KEXT. This name comes from the Subject Common Name field of the Developer ID Application certificate used to sign the KEXT. Because of this, developers are encouraged to provide an appropriate company name when requesting KEXT signing identities.

When the user approves a KEXT, they are at the same time approving these other KEXTs signed by the same Team ID:

  • If the approved KEXT is located in an application's bundle, all other KEXTs signed by the same Team ID in the same application's bundle are also approved.

  • If the approved KEXT is located in the app's sub-directory inside /Library/Application Support, all other KEXTs signed by the same Team ID found in that same sub-directory are also approved.

  • All KEXTs in /Library/Extensions signed by the same Team ID are also approved.

Once approved, the KEXT will immediately be loaded or added to the prelinked kernel cache, depending on what action was blocked. Subsequent requests to load the KEXT will proceed silently as on previous macOS versions.

Approved KEXTs are tracked in a system-wide policy database through the team identifier in the KEXT's code signature and the bundle identifier from the KEXT's Info.plist, so updating a KEXT that has already been approved will not trigger a new approval request.