System Extension Blocked message in High Sierra

[vssbg]

Hello,

I am trying to install an app named pCloud. It requires FUSE. Installation of FUSE is OK and I see it in System Preferences.

When I start the pCloud it gives me the message on the picture attached to the message.

I don't understand how to add it, because when I try to add something it opens Finder and I don't know where the FUSE is.

Spotlight search doesn't find it...

Any suggestions? Thank you in advance!

[gtimmy]

You have to open System Preferences -> Security & Privacy -> General or click Open System Preferencesbutton and click Allow for Benjamin Fleischer

[vssbg]

It works! Thanks a lot! :)

[gtimmy]

Message tells the same thing ;)

[RafalLukawiecki]

I have just tried installing, and reinstalling OSXFuse several times, with plenty of reboots along the way. I am afraid that the "Allow" button on the System Preferences pane does nothing in my case. I can press it, but nothing happens. Installer does not complete, OSXFuse does not work.

For what it is worth, installation using MacPorts (with a workaround for another issue) gets me to the same point. "Extension blocked" pops up but I cannot "allow" it.

I wonder if this is related to OSXFuse or something else. Could it be related to #426 and #426? Any suggestions what else to look at would be welcome.

In any case, many thanks for maintaining this very useful utility.

[RafalLukawiecki]

For what it is worth, dumping the kext_policy shows that the extension is still not "Allowed" (see value of 0 for column flags:

sqlite3 /private/var/db/SystemPolicyConfiguration/KextPolicy
sqlite> .dump kext_policy
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE kext_policy ( team_id TEXT, bundle_id TEXT, allowed BOOLEAN, developer_name TEXT, flags INTEGER, PRIMARY KEY (team_id, bundle_id) );
INSERT INTO kext_policy VALUES('MLZF7K7B5R','at.obdev.nke.LittleSnitch',1,'Objective Development Software GmbH',8);
VALUES('3T5GSNBU6W','com.github.osxfuse.filesystems.osxfuse',0,'Benjamin Fleischer',4);
COMMIT;

If you have any suggestions, please share, other than completely disabling the HIgh Sierra SKEL system. Thank you. PS. Even after fully uninstalling the software, the above entry remains in the KextPolicy table. I wonder if that is expected behaviour of SKEL or is that, perhaps, what makes it impossible to approve the policy.

[RafalLukawiecki]

I thought I would see if I could install the extension if I were to build locally, but I am afraid both the master and support/osxfuse-3 branches fail to build:

$ ./build.sh -t distribution
T:distribution       | Clean target
T:distribution       | Build target for macOS 10.13
T:fsbundle           | Clean target
T:fsbundle           | Build target for macOS 10.13
T:kext               | Clean target
T:kext               | Build target for macOS 10.13
T:kext               | Install target
T:fsbundle           | Install target
T:library            | Clean target
T:library            | Build target for macOS 10.13
T:library            | Install target
T:framework          | Clean target
T:framework          | Build target for macOS 10.13
T:framework          | Failed to build target
Terminated: 15

Giving up, hoping for suggestions.

[catrancher]

I'm having the same issue on High Sierra as @RafalLukawiecki. The "Allow" button on the Security & Privacy System Preferences pane is doing nothing when I try to install OSXFuse. Since the KEXT is not being allowed, the install never completes. I've rebooted numerous times. I'm open to any suggestions also.

Thanks!

[gtimmy]

@RafalLukawiecki @catrancher I've faced with a similar issue when Allow button does nothing and it has been reported to Apple, they haven't provided a solution, they just said that it can be caused by some installed software which can capture mouse clicks (maybe even LittleSnitch, not sure) and this button is able to pressed only by user and it's a feature and not a bug. I have to notice that this issue with Allow button is not related to OSXFUSE and has been reproduced with other kexts as well. As a workaround I can suggest 2 options:

1. Disable System Integrity Protection (not recommended). With SIP disabled this warning won't be shown
2. Update KextPolicy database directly update kext_policy set allowed = 1 where team_id = '3T5GSNBU6W'

both of them should be done in Recovery mode.

Self-builded osxfuse won't help you anyway because it won't be signed (if you don't have a certificate witр a kext signing option) unless you disable SIP what shouldn't be done.

[catrancher]

@gtimmy Very interesting. Many thanks! As it turns out, I was running a copy of MagicPrefs. Quit that and ran the FUSE install again and it worked properly. I was able to "allow" the KEXT. Thanks a lot for the tip.

[rivera-ernesto]

In 10.13.1 I don't even see the developer name in the pane.

[ligand-lg]

me too!! thanks @catrancher

[RafalLukawiecki]

The workaround suggested by @gtimmy 4 posts above (Recovery mode boot then edit the KextPolicy database directly) has worked for me. Thank you!

[gwerty]

I had the same issue, and also had an input modifying application running like Apple said.

In my case I only had to stop BetterTouchTool, and I could click the Allow button in the prefPane just fine!

Interesting...

[nhooyr]

Trying to edit the database directly gives me

Error: attempt to write a readonly database

Any ideas?

[jaytruepill]

Disabling MagicPrefs did it for me. Thank you!

[gtimmy]

@nhooyr do it in Recovery mode

[llahnoraa]

@gtimmy when you said "capture mouse clicks" that got me thinking.. instead of using the mouse, I used the keyboard and tabbed all the way till it highlight "Allow" and I hit spacebar.

It worked! Thank you very much!

[nhooyr]

@gtimmy didn't end up testing it yet because I got busy but will do soon, your response was appreciated. thank you.

[KiSchulte]

Yepp BTT was my problem as well.

[Jarown]

Smart thinking @llahnoraa, that did the trick! (i also disabled BetterTouchTool, I didn't check if that was actually necessary)

[yuchant]

All, I am using a Wacom Pro tablet. The allow button did nothing for me, but if I used the system trackpad, the button worked.

"It's a feature not a bug" was a great hint.

If it's a feature, it should show to the user that a third party click was detected.

[kode54]

Quick hint to anyone having that "Allow" button problem: The Console.app will display the emitted messages telling you which PID is interfering with input. You can use Activity Monitor or Console.app and the ps command to find which process that PID belongs to. In my case, it was my own audio player app, Cog, presumably hooking due to its crappy decade old Media Keys hook. If only I knew a better way to deal with that crap.

[squiles]

Karabiner wasn't allowing me to click the button just in case anyone has the same problem

[wschenk]

For me it was Chrome that was blocking, as I discovered by looking at Console.app and seeing the pid in the error message.

[andresodio]

Thanks, @wschenk ! I was about to go crazy and closing Chrome did the trick :)

[fardelian]

I started Console.app and then I clicked on the "Allow" button (which didn't work) but in Console I could see which PID was interfering with my mouse. I did a ps axu | grep PID and found the culprit: VLC Player. I quit VLC, I clicked the "Allow" button again and everything worked. I did not expect VLC to interfere with my mouse at the OS level.

[lugipfupf]

In my case it was Spotify. Thanks :-)

[l3robot]

@squiles I've tried to quit Karabiner, but I wasn't able to click the button afterwards. Did you do something else than quitting the app, like rebooting the mac?

[fardelian]

@l3robot Maybe you have another app that's stealing the clicks. Does Console.app say anything helpful in the event list?

[l3robot]

Yeah thanks it helped a lot. So basically, the console tell : Dropping mouse down event because sender's PID (PID of the one blocking) isn't 0 or self (PID security service) You just have to quit the process blocking the click, first PID. Turns out it was not Karabiner on my side, it was Google Play Desktop Player.

[iicky]

Thanks @wschenk! Chrome was the issue for me as well.

[mannuk]

Apart from @llahnoraa says. If you can't navigate using the tab key, activate this setting https://support.apple.com/en-us/HT204434

[tliet]

@kode54 Thanks for the hint that the console showed the PID of the culprit. In my case, it was PowerKey, a small app that prevents the Eject key on the keyboard from opening the DVD tray.

The sequence of resolving this issue is:

1. Open the Console app and Search for 'Dropping', it will start showing only lines with "Dropping mouse down event because sender's PID ([value]) isn't 0 or self ([value])
2. Open Activity Viewer and see which PID is preventing this and kill it.
3. Click on the Allow button.
4. There's no step 4.

@mannuk Tabbing using the keyboard to select the Allow button is apparently no longer allowed. In my case, with High Sierra 10.13.5 (17F77) tabbing works in the General tab of the Security and Privacy panel, but it didn't want to select anything from the bottom of the pane where the Allow button lives.

[kode54]

I have a workaround for this in Cog, by the way. It would be nice if word of this could be spread to other developers. It is sort of inconvenient to not have hotkeys in Preferences, but it should prevent mouse clicks from being hooked and blocked. Basically, I added com.apple.systempreferences to the blacklist in my software, so it stops hooking when that becomes the active process. Hopefully, it works.

[rahimnathwani]

I couldn't click 'Allow' with my Microsoft wireless mouse (which uses a USB dongle), but clicking the trackpad worked fine.

[drewchapin]

Many thanks to @andresodio! I too had Chrome open (Chromium specifically). Note that clicking "Close" is not enough. I had to click "Quit".

[pale2hall]

@tliet I just got it to work with 10.13.6. Had to enable the feature in Keyboard as suggested above.

[virtualritz]

I have just tried installing, and reinstalling OSXFuse several times, with plenty of reboots along the way. I am afraid that the "Allow" button on the System Preferences pane does nothing in my case. I can press it, but nothing happens. Installer does not complete, OSXFuse does not work.

I can confirm this for macOS 10.13. The Allow button is dysfunctional.

I just updated macOS and it works as expected in 10.14. But that's hardly a fix as one can't expect people to upgrade their macOS just to run osxFUSE.

[kode54]

I have just tried installing, and reinstalling OSXFuse several times, with plenty of reboots along the way. I am afraid that the "Allow" button on the System Preferences pane does nothing in my case. I can press it, but nothing happens. Installer does not complete, OSXFuse does not work.

I can confirm this for macOS 10.13. The Allow button is dysfunctional.

I just updated macOS and it works as expected in 10.14. But that's hardly a fix as one can't expect people to upgrade their macOS just to run osxFUSE.

And as I’ve already stated, this effect is accompanied by notices in the system log, accessible from Console.app, which identify the process id of the offending global hook which is blocking the Allow button. If it’s not that, then it may be disallowing USB mouse input on a laptop, so you’ll have to use the trackpad.

[YehudaBialik]

Booting into safe mode was the trick for me. Then the Allow button opened a window with check boxes beside a whole list of software that has never been allowed, and obviously not functioning properly (thanks Apple). Selected the ones I wanted to allow, clicked Okay, rebooted and the software in question now works properly. Good luck.

[ggrelet]

Here is another workaround for those of you who can't perform a proper click due to "X" Application being open. •Open the Apple Script Editor, •Copy / paste this code

tell application "System Events"
  click at {123,456}
end tell

But change the coordinates in the { } to make it match the actual Allow button. You can find those coordinates easily with the built-in screenshot tool (Cmd + Shift + 4 by default). •Build •Launch (you probably need to allow some extra accessibility permissions)

Good luck!

[jtpereyda]

Reports of uninstalling BetterTouchTool suggested that I should uninstall a similar extension, SteerMouse. That Worked for me.

[garfieldnate]

Does anybody else have the issue where the "allow" button doesn't even show up in the pane? This is very confusing. When I dump the currently allowed extensions, it looks like Fuse is already allowed:

$ sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> .headers on
sqlite> select * from kext_policy;
team_id|bundle_id|allowed|developer_name|flags
...
3T5GSNBU6W|com.github.osxfuse.filesystems.osxfuse|1|Benjamin Fleischer|8
...

Yet every time my application starts it asks me to open the preferences pane and allow the extension.

In the end I just disabled the whole mechanism by booting into recovery mode and doing spctl kext-consent disable in the terminal.

[Patrick-vB]

I had to disable the SONOS controller app in order to allow the installation. 🤦‍♂

[YehudaBialik]

My problem was Forticlient, but the button was available in Safe boot. Moved to Mosyle, now no problems.

On Fri, Sep 20, 2019 at 11:29 AM Patrick-vB notifications@github.com wrote:

I had to disable the SONOS controller app in order to allow the installation. 🤦‍♂

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/osxfuse/osxfuse/issues/437?email_source=notifications&email_token=ACL5G7624C3IVJB2E73FV43QKTT3ZA5CNFSM4EBAHTTKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7HBVRI#issuecomment-533600965, or mute the thread https://github.com/notifications/unsubscribe-auth/ACL5G7YXUAL3CSBSGM47MWDQKTT3ZANCNFSM4EBAHTTA .

[rwiesbach]

Based on the comments I don't know yet whether the absence of the button (not the disfunctionality) is caused by the same issue on other Mac OS Versions. In Console (which to me is a synonym for shell or terminal, but not in the world of biten fruits) I was not able to find out which application causes the absence of the button on my 10.14 machine.

Thats a really stupid idea from Apple. Instead of showing a message "You need to close application x, because this app has rights to manipulate user input" or isolating specific elements from those manipulation abilities, they make users disable kext security completely - that is much safer.

tldr: On 10.14 the author and the allow button are not shown for me. Hope this might help tracing down the issue for this flavour of the issue.