System Extension Updated. You must approve it in the Security & Privacy System Preferences.

Question

Level 1

9 points

System Extension Updated. You must approve it in the Security & Privacy System Preferences.

Yesterday my M1 Macbook Air running macOS Monterey 12.1 popped up a dialog window titled System Extension Updated, with a message that said something like "A program has updated system extension(s). To finish the update, you must approve it in the Security & Privacy System Preferences", and two buttons, OK and Open Security Preferences. I clicked Open Security Preferences (without first taking a screenshot of the dialog window which then disappeared, so I can't be sure of the message exactly) thinking that System Preferences would show which application/extension has been updated. But all that System Preferences > Security & Privacy > General says is that "Your current security settings prevent the installation of system extensions" and a button titled Enable system extensions...

I don't want to enable system extensions without first knowing which system extension and which app this all has to do with. I can tell that none of the installed apps or extensions have been updated recently by looking at the Last Modified dates in System Information > Applications and System Information > Extensions respectively. Also, System Information > Legacy Software says "No information found."

I've scanned my computer using Bitdefender Virus Scanner and Malwarebytes and they didn't find anything. But I'm a bit worried because I've never seen such a dialog message before.

Posted on Jan 3, 2022 7:23 AM

Reply

Answer 1

Top-ranking reply

Encryptor5000

Level 5

7,568 points

Jan 3, 2022 11:54 AM in response to Quzi

Hi Quzi,

Thanks for the detailed info!

One of your apps is trying to install an updated kernel extension (which macOS incorrectly labelled as a system extension). This is a special piece of software that integrates directly with the macOS kernel (XNU), the very core of macOS.

The kernel is the most privileged software in any operating system; it acts as the go-between for system software and hardware resources. By implication, any kernel extensions installed also receive these extreme privileges, as they run in kernel-space. Because of this, you should only install kernel extensions that you absolutely need, and only those that require these extreme privileges.

In macOS Big Sur and later, your Mac now has extra security for installing kernel extensions (kexts):

On Macs with Apple silicon (including your M1 MacBook Air), installing third-party kexts is blocked by default. Apps should instead use the new system extension model. Unlike kernel extensions, system extensions run in user-space, and do not have kernel-level privileges. This makes them much safer to use. That said, if you still need to use kernel extensions, you can permit them. (Click the Enable system extensions button for details on how to do this.)

Kernel security is significantly improved. When your Mac starts up, it loads the kernel, along with any kexts provided by Apple and/or you. After that, kernel memory is locked as read-only to prevent further tampering. (This happens in hardware on Apple silicon Macs). Because of this, you must approve new/updated kexts and restart your Mac before they can be loaded.

Check which software is trying to load kernel extensions

In the Finder, press Command-Shift-G, then navigate to this path: /Library

Once in there, check these folders:

StagedExtensions
StagedDriverExtensions

If any kexts appear in there, right-click (or hold down Control as you click on) one of them, then select Show Package Contents. Check the Info.plist file inside for info about the developer of the kext.

If you choose to enable kexts in Security and Privacy preferences, you will still need to authorize each kext before it is loaded. Hopefully that should also identify the developer at that time.

Reply

Answer 2

Jan 3, 2022 4:36 PM in response to Quzi

The kextstat command output looks fine - since your Mac is running in Full Security, third-party kexts are blocked, and only Apple-supplied kexts can be loaded.

On my M1 MacBook Air, I also have the group.is.my.workflow.my.app showing a prohibited symbol.

Unfortunately, I'm not sure of a way to query which kexts are pending approval. You could check in /Library/Extensions or /Library/Apple/System/Library/Extensions and check if any new (non-Apple) kexts are there.

If you want to see in System Preferences which developer is trying to load a kext, you can temporarily permit third-party kexts by starting up in macOS Recovery and modifying the security settings. Once third-party kexts are permitted, System Preferences (in Security and Privacy) should prompt you to approve the requested kext and restart your Mac. Before you approve the kext, you should be able to see which developer is trying to load it.

Shut down your Mac.
Press and hold the power button (Touch ID) until Startup Options starts loading.
At the boot selection screen, select Options and click Continue. This continues to macOS Recovery.
If you're prompted for an administrator password, enter it to continue.
The list of utilities should now appear. At the top of the screen, select Utilities -> Startup Security Utility.
Select your startup disk and unlock it if required. Then, click Security Policy.
Select Reduced Security, and check the box for "Allow user management of kernel extensions from identified developers". Then, click OK.
Enter your administrator password when prompted to save the changes. When the process is finished, restart your Mac.

To return to Full Security and deny all third-party kexts, complete the above steps again, but choose Full Security instead. Or, run this command in Terminal (doesn't require macOS Recovery): sudo bputil -f

Reply

Answer 3

Quzi Author

Level 1

9 points

Jan 3, 2022 12:45 PM in response to Encryptor5000

Sadly, both of those folders are empty, based on both looking at them in Finder and using Terminal:

$ ls -a /Library/StagedExtensions /Library/StagedDriverExtensions
/Library/StagedDriverExtensions:
.	..

/Library/StagedExtensions:
.	..

Also, based on the following, I don't currently have any non-Apple kexts installed:

$ kextstat | grep -v com.apple
Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>

When I look at System Information > Software > Applications, the following is a list of all the ones whose Obtained From column says Unknown (while for all the other ones the column says either Apple, App Store, or Identified Developer):

Automator Application Stub:

  Version:	1.3
  Obtained from:	Unknown
  Last Modified:	2021-12-08, 01:39
  Kind:	Universal
  Location:	/System/Library/CoreServices/Automator Application Stub.app

Cocoa-AppleScript Applet:

  Version:	1.0
  Obtained from:	Unknown
  Last Modified:	2021-12-08, 01:39
  Kind:	Universal
  Location:	/Library/Application Support/Script Editor/Templates/Cocoa-AppleScript Applet.app

com.apple.ctcategories:

  Obtained from:	Unknown
  Last Modified:	2021-11-01, 00:00
  Kind:	Other
  Location:	/Users/myusername/Library/HTTPStorages/com.apple.ctcategories.service

Droplet with Settable Properties:

  Version:	1.0
  Obtained from:	Unknown
  Last Modified:	2021-12-08, 01:39
  Kind:	Other
  Location:	/Library/Application Support/Script Editor/Templates/Droplets/Droplet with Settable Properties.app

group.is.workflow.my:

  Obtained from:	Unknown
  Last Modified:	2021-10-25, 23:24
  Kind:	Other
  Location:	/Users/myusername/Library/Application Scripts/group.is.workflow.my.app

Inviska MKV Extract:

  Version:	11.0
  Obtained from:	Unknown
  Last Modified:	2021-06-07, 07:10
  Kind:	Intel
  Location:	/Applications/Inviska MKV Extract.app
  Get Info String:	11.0

Recursive File Processing Droplet:

  Version:	1.0
  Obtained from:	Unknown
  Last Modified:	2021-12-08, 01:39
  Kind:	Other
  Location:	/Library/Application Support/Script Editor/Templates/Droplets/Recursive File Processing Droplet.app

Recursive Image File Processing Droplet:

  Version:	1.0
  Obtained from:	Unknown
  Last Modified:	2021-12-08, 01:39
  Kind:	Other
  Location:	/Library/Application Support/Script Editor/Templates/Droplets/Recursive Image File Processing Droplet.app

WebKitPluginHost:

  Obtained from:	Unknown
  Last Modified:	2021-05-27, 09:01
  Kind:	Other
  Location:	/Library/Developer/CommandLineTools/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/WebKit.framework/Versions/A/Frameworks/WebKitLegacy.framework/Versions/A/WebKitPluginHost.app

WebKitPluginHost:

  Obtained from:	Unknown
  Last Modified:	2021-05-27, 09:01
  Kind:	Other
  Location:	/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/Frameworks/WebKit.framework/Versions/A/Frameworks/WebKitLegacy.framework/Versions/A/WebKitPluginHost.app

WebKitPluginHost:

  Obtained from:	Unknown
  Last Modified:	2021-05-27, 09:01
  Kind:	Other
  Location:	/Library/Developer/CommandLineTools/SDKs/MacOSX11.1.sdk/System/Library/Frameworks/WebKit.framework/Versions/A/Frameworks/WebKitLegacy.framework/Versions/A/WebKitPluginHost.app

XLD:

  Version:	20210101
  Obtained from:	Unknown
  Last Modified:	2020-12-31, 11:58
  Kind:	Universal
  Location:	/Applications/XLD.app
  Get Info String:	X Lossless Decoder version 20210101, Copyright 2006-2021 tmkk.

I also noticed that the Finder icon for the /Users/myusername/Library/Application Scripts/group.is.workflow.my.app bundle (listed above) shows the following forbidden sign:

Reply

Answer 4

Quzi Author

Level 1

9 points

Jan 4, 2022 3:15 AM in response to Encryptor5000

Thank you for great instructions!

I'll first mention that I did restart my computer before posting here just to see if that would either cause the "Your current security settings prevent the installation of system extensions" message in System Preferences to disappear or the System Extension Updated dialog window to reappear. Neither of those things happened.

According to the Date Modified column in Finder, none of the following extensions were recently modified:

$ ls -a /Library/Extensions /Library/Apple/System/Library/Extensions
/Library/Apple/System/Library/Extensions:
.				AppleKextExcludeList.kext	RemoteVirtualInterface.kext
..				AppleMobileDevice.kext

/Library/Extensions:
.			HighPointIOP.kext	SoftRAID.kext
..			HighPointRR.kext

Also, looking at System Information > Software > Extensions, the following is a list of all the non-Apple extensions (and none of them have been recently updated):

ArcMSR:

  Version:	1.4.2
  Last Modified:	2021-12-08, 01:39
  Bundle ID:	com.Areca.ArcMSR
  Notarized:	No
  Loaded:	No
  Get Info String:	Areca RAID Driver 1.4.2
  Obtained from:	Identified Developer
  Kind:	Intel
  Architectures:	x86_64
  64-Bit (Intel):	Yes
  Location:	/System/Library/Extensions/ArcMSR.kext
  Kext Version:	1.4.2
  Loadable:	Yes
  Dependencies:	Satisfied
  Signed by:	Developer ID Application: Areca Technology Corporation (34JN824YNC), Developer ID Certification Authority, Apple Root CA

HighPointIOP:

  Version:	4.4.5
  Last Modified:	2021-12-08, 01:39
  Bundle ID:	com.highpoint-tech.kext.HighPointIOP
  Notarized:	Yes
  Loaded:	No
  Get Info String:	Version: 4.4.5, Copyright (c) 2020 HighPoint Technologies, Inc.
  Obtained from:	Identified Developer
  Kind:	Intel
  Architectures:	x86_64
  64-Bit (Intel):	Yes
  Location:	/Library/Extensions/HighPointIOP.kext
  Kext Version:	4.4.5
  Loadable:	Yes
  Dependencies:	Satisfied
  Signed by:	Developer ID Application: HighPoint Technologies, Inc (DX6G69M9N2), Developer ID Certification Authority, Apple Root CA

HighPointRR:

  Version:	4.22.1
  Last Modified:	2021-12-08, 01:39
  Bundle ID:	com.highpoint-tech.kext.HighPointRR
  Notarized:	Yes
  Loaded:	No
  Get Info String:	Version: 4.22.1, Copyright (c) 2020 HighPoint Technologies, Inc.
  Obtained from:	Identified Developer
  Kind:	Intel
  Architectures:	x86_64
  64-Bit (Intel):	Yes
  Location:	/Library/Extensions/HighPointRR.kext
  Kext Version:	4.22.1
  Loadable:	Yes
  Dependencies:	Satisfied
  Signed by:	Developer ID Application: HighPoint Technologies, Inc (DX6G69M9N2), Developer ID Certification Authority, Apple Root CA

PromiseSTEX:

  Version:	6.2.13
  Last Modified:	2021-12-08, 01:39
  Bundle ID:	com.promise.driver.stex
  Notarized:	No
  Loaded:	No
  Get Info String:	Version: 6.2.13, Copyright (c) 2010-2019 Promise Technology, Inc.
  Obtained from:	Identified Developer
  Kind:	Intel
  Architectures:	x86_64
  64-Bit (Intel):	Yes
  Location:	/System/Library/Extensions/PromiseSTEX.kext
  Kext Version:	6.2.13
  Loadable:	Yes
  Dependencies:	Satisfied
  Signed by:	Developer ID Application: Promise Technology Mobile Apps (268CCUR4WN), Developer ID Certification Authority, Apple Root CA

SoftRAID:

  Version:	6.0
  Last Modified:	2021-12-08, 01:39
  Bundle ID:	com.softraid.driver.SoftRAID
  Notarized:	Yes
  Loaded:	No
  Get Info String:	SoftRAID version 6.0, Copyright © 2002-19 Other World Computing, Inc.  All rights reserved.
  Obtained from:	Identified Developer
  Kind:	Intel
  Architectures:	x86_64
  64-Bit (Intel):	Yes
  Location:	/Library/Extensions/SoftRAID.kext
  Kext Version:	6.0
  Loadable:	Yes
  Dependencies:	Satisfied
  Signed by:	Developer ID Application: Other World Computing (Q9P8K45M5C), Developer ID Certification Authority, Apple Root CA

I followed your instructions to change the Security Policy to Reduced Security (Allow user management of kernel extensions...), restarted the computer, logged in, and waited maybe 20 minutes. System Preferences no longer showed the "Your current security settings prevent the installation of system extensions" message, and there was no dialog window or anything popping up. I then changed the Security Policy back to Full Security, and still the System Preferences shows no message about system extensions.

The cause of all this remains a mystery. But at least the nagging System Preferences message is gone.

Reply

System Extension Updated. You must approve it in the Security & Privacy System Preferences.

Similar questions