Activation of org.pqrs.Karabiner-DriverKit-VirtualHIDDevice fails on macOS11.3 beta

[nikhilm]

macOS: 11.3 Beta (20E5172i) (This is an Intel mac) Karabiner version: 13.3.0

I do not see the Allow button in the preference pane, and attempting to click "Activate Driver" (which fails with error -1 in the UI), leads to this on the console

2021-02-19 08:56:35.538578-0800 0xaeed     Default     0x0                  283    0    sysextd: initial activation decision: activateNew
2021-02-19 08:56:35.549510-0800 0xaeed     Default     0x0                  283    0    sysextd: staging extension with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice                                                                                                                                           
2021-02-19 08:56:35.549579-0800 0xaeed     Default     0x0                  283    0    sysextd: [com.apple.sx:StateChanges] extension G43BCU2T37 org.pqrs.Karabiner-DriverKit-VirtualHIDDevice (1.0.0/1.0.0) advancing state from realizing to staging                                                                    
2021-02-19 08:56:35.557051-0800 0xaeed     Default     0x0                  283    0    sysextd: [sysextd:staging] staging bundle from /Applications/.Karabiner-VirtualHIDDevice-Manager.app/Contents/Library/SystemExtensions/org.pqrs.Karabiner-DriverKit-VirtualHIDDevice.dext to: /Library/SystemExtensions/.staging/75C78C8C-EFDB-4C2B-9738-14F0C3B759AF/org.pqrs.Karabiner-DriverKit-VirtualHIDDevice.dext
2021-02-19 08:56:35.563387-0800 0xaeed     Default     0x0                  283    0    sysextd: [com.apple.sx:StateChanges] extension G43BCU2T37 org.pqrs.Karabiner-DriverKit-VirtualHIDDevice (1.0.0/1.0.0) advancing state from staging to validating                                                                   
2021-02-19 08:56:35.570514-0800 0xaeed     Default     0x0                  283    0    sysextd: Making activation decision for extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice                                                                                       
2021-02-19 08:56:35.570530-0800 0xaeed     Default     0x0                  283    0    sysextd: Extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is not in the list of allowed extensions.                                                                            
2021-02-19 08:56:35.570545-0800 0xaeed     Default     0x0                  283    0    sysextd: Activation decision for extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is Deny                                                                                      
2021-02-19 08:56:35.570550-0800 0xaeed     Default     0x0                  283    0    sysextd: immediately uninstalling never-started extension: org.pqrs.Karabiner-DriverKit-VirtualHIDDevice                                                                                                                           
2021-02-19 08:56:35.570555-0800 0xaeed     Default     0x0                  283    0    sysextd: notifying extension delegates of uninstall of extension 75C78C8C-EFDB-4C2B-9738-14F0C3B759AF with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice  

Does someone with more macOS experience know where the "list of allowed extensions" is?

Things I've tried:

1. Several restarts.
2. Resetting NVRAM.
3. disabling and re-enabling SIP.

[talos]

macOS 11.2.3 (20D91) Intel mac Karabiner version 13.3.14

I'm getting identical behavior: no Allow button in the preference pane, and clicking "Activate Driver" yields "Activation was failed. (error: 1)". This has remained the same through multiple restarts, uninstalling & reinstalling Karabiner, upgrading Karabiner to beta, and upgrading macOS entirely (from Catalina to Big Sur.)

I'm seeing similar logs too, after clicking "Activate Driver":

default 22:13:49.160087-0700    sysextd initial activation decision: activateNew
default 22:13:49.171041-0700    sysextd staging extension with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
default 22:13:49.171082-0700    sysextd extension G43BCU2T37 org.pqrs.Karabiner-DriverKit-VirtualHIDDevice (1.0.0/1.0.0) advancing state from realizing to staging
default 22:13:49.173250-0700    sysextd staging bundle from /Applications/.Karabiner-VirtualHIDDevice-Manager.app/Contents/Library/SystemExtensions/org.pqrs.Karabiner-DriverKit-VirtualHIDDevice.dext to: /Library/SystemExtensions/.staging/ABB96947-CB8B-48C2-BACB-97EF457E3DFE/org.pqrs.Karabiner-DriverKit-VirtualHIDDevice.dext
default 22:13:49.177913-0700    sysextd extension G43BCU2T37 org.pqrs.Karabiner-DriverKit-VirtualHIDDevice (1.0.0/1.0.0) advancing state from staging to validating
default 22:13:49.185134-0700    sysextd Making activation decision for extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
default 22:13:49.185178-0700    sysextd Extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is not in the list of allowed extensions.
default 22:13:49.185214-0700    sysextd Activation decision for extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is Deny
default 22:13:49.185239-0700    sysextd immediately uninstalling never-started extension: org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
default 22:13:49.185261-0700    sysextd notifying extension delegates of uninstall of extension ABB96947-CB8B-48C2-BACB-97EF457E3DFE with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice

Curious if anyone has any leads on what to do next, or other debugging steps I can try!

[zzacal]

I have this same problem MacOS 11.3.1 Karabiner-Elements 13.4.0

no Allow button in privacy and security window.

Tried:

1. Deactivate Driver, Activate Driver. I get an error: Activation was failed.
2. Safe mode boot. I get no Allow button in the Privacy and Security window.

[cesargutierrezo]

Getting this too on my Intel Mac MacOS 11.4 Karabiner-Elements 13.4.90

[inthroxify]

Intel Mac MacOS 11.4 13.4.0 and 13.4.90

So I did some investigation on this, and I have discovered the problem (at least for my Mac). My device is managed by my organization via MDM, and a profile delivered by the MDM is causing the "is not in the list of allowed extensions" error found in the logs, the "Activation was failed. (error: 1)" error, and is the cause of the missing Allow button in the Security & Privacy settings after rebooting.

The cause, in my case, is a device profile (System Preferences > Profiles) sent by the MDM that blocks both a) any System Extension / TeamID that is not listed in the profile and b) the ability of a user to manually allow a System Extension of their own choosing.

To see if you are affected, you can do the following: Step 1) Determine if the machine is under an MDM

• Open a terminal and enter the following: sudo profiles list -output stdout-xml > ~/Documents/ohno.txt This is going to export the entire profile system configuration as xml for you to view.
• Open ohno.txt in your Documents folder with your favorite text editor
• Search for ServerURL. If it is there, the string tag nearby is going to be the MDM server your machine is tied to, most likely.
• Look a little below for PayloadDescription, it is probably going to be MDMSettings. If that is the case, I believe this means the machine is under an MDM.

Step 2) Find the profile that is causing your woes

• With ohno.txt in your editor still open, search for system-extension-policy.
• Once you find it, scroll up a little until you find AllowUserOverrides.
  • You will probably find a little <false /> tag under it. If this is the case, you are a victim of this profile. You are not permitted to add extensions to your machine. This setting is the cause of the "not in the list of allowed extensions" error in the logs and the missing Allow button in (System Preferences > Security & Privacy).
  • If you do not find a false, but a true, search again for another AllowUserOverrides. There can be multiple profiles, and it only takes one profile containing AllowUserOverrides set to false to cause this problem as one false AllowUserOverrides overrides any true AllowUserOverrides.

If you have found no system-extension-policy in your ohno.txt, then a policy is not likely your problem here, sorry. If you did find it, I have bad news for you so far. If you look at the documentation for the SystemExtensions policy under Profile Availability, you will see Allow Manual Install | - and Requires User Approved MDM | macOS which, through some painful trial and error, I have discovered means that if you try to create your own local profile that adds the Karabiner TeamID to the System Extensions Policy in an attempt to work around this problem, it will fail. Only the MDM can add new TeamIDs and Extension Identifiers. You as the local administrator have no say.

Things I have tried to workaround this problem:

• Creating a local signed profile with iMazing Profile Editor that permits the Karabiner TeamID, and adding the profile to the system by hand.
  • I get the error Profile installation failed. The profile must originate from a user approved MDM server.. Stands to reason, given Apple's documentation stating this setting has to come from an MDM.
• Deleting the offending profile that restricts via AllowUserOverrides being set to false.
  • You may be able to manually disable the profile with sudo profiles -R -p <UUID> where <UUID> is the UUID found under ProfileIdentifier, right at the top of the <dict> that contains AllowUserOverrides. In my case, my MDM doesn't permit profile deletion locally, though the apple documentation suggests it is a possibility.

The only way I can see to solve this problem at this time is to either beg the MDM folks to set AllowUserOverrides to true, or get them to add the Karabiner TeamID as permitted in a profile. I suppose you could un-enroll from the MDM at your peril as well, but depending on how that is configured, you may have to wipe and reinstall the machine.

If you are a developer who uses a Mac at least in part as a way to escape your inept IT department, I'm sad to say, Apple's helped them capture you again. After reading the apple documentation on the configuration profile system it is clear the future is no brighter, the potential restrictions are even worse. Might as well switch back to a PC, at least the keyboard will be sane again.

Edit: I just learned you may not be able to even get a list of the profiles that are affecting you. Search your ohno.txt for AccessRights. You can decode the value with the table found here.

[mattchivers]

I manage our companies MDM and was troubleshooting how to allow an exception for Karabiner-Elements if the environment is locked down to prevent user-approved extensions. We use JAMF and I wanted to post my fix in case anyone else is dealing with this or needs to send info to their IT dept.

This is for Big Sur (11.4), but should work in Catalina too though I didn't test it there.

• Create a new Configuration Profile
  • Add a payload for System Extensions
  • Check the box to Allow users to approve system extensions
  • Add display name and select from the drop down Allowed System Extensions
  • Team Identifier: G43BCU2T37
  • Click Add under the "Allowed System Extensions" menu and enter org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
• Set your scope to who needs it and verify it deployed to the user's profile list

The driver loads without issue at this point and I verified it also works after an uninstall/reboot/reinstall.

[mansweet]

For what it's worth, the above solution of modifying the MDM profile by the IT dept ended up resolving my issue. I still had to do the "disable driver" and then "reactivate driver" steps once they shipped the new profile to my machine. Thank you IT admins!

[kszys]

Kudos to @inthroxify and @mattchivers - it solved this issue for me as well!

[phil-workato]

I can't find System Extensions in Apple Configurator on MacOS Ventura 13.2.1 anymore. Is this related to deprecation of kexts? How to deal with this?

[systemswizard]

@phil-workato it does look like Apple removed this from the new Apple Configurator (Version 2.16 (8A14)), it still works with the Apple Configurator 2 app if you have it. Otherwise you would want to use a tool like Imazing Profile Editor (free), make it via your MDM, or make it manually. I think Apple's intention is to manage this stuff via your MDM.

[iakoug]

Intel Mac MacOS 11.4 13.4.0 and 13.4.90

So I did some investigation on this, and I have discovered the problem (at least for my Mac). My device is managed by my organization via MDM, and a profile delivered by the MDM is causing the "is not in the list of allowed extensions" error found in the logs, the "Activation was failed. (error: 1)" error, and is the cause of the missing Allow button in the Security & Privacy settings after rebooting.

The cause, in my case, is a device profile (System Preferences > Profiles) sent by the MDM that blocks both a) any System Extension / TeamID that is not listed in the profile and b) the ability of a user to manually allow a System Extension of their own choosing.

To see if you are affected, you can do the following: Step 1) Determine if the machine is under an MDM

• Open a terminal and enter the following: sudo profiles list -output stdout-xml > ~/Documents/ohno.txt This is going to export the entire profile system configuration as xml for you to view.
• Open ohno.txt in your Documents folder with your favorite text editor
• Search for ServerURL. If it is there, the string tag nearby is going to be the MDM server your machine is tied to, most likely.
• Look a little below for PayloadDescription, it is probably going to be MDMSettings. If that is the case, I believe this means the machine is under an MDM.

Step 2) Find the profile that is causing your woes

• With ohno.txt in your editor still open, search for system-extension-policy.

• Once you find it, scroll up a little until you find AllowUserOverrides.

  • You will probably find a little <false /> tag under it. If this is the case, you are a victim of this profile. You are not permitted to add extensions to your machine. This setting is the cause of the "not in the list of allowed extensions" error in the logs and the missing Allow button in (System Preferences > Security & Privacy).
  • If you do not find a false, but a true, search again for another AllowUserOverrides. There can be multiple profiles, and it only takes one profile containing AllowUserOverrides set to false to cause this problem as one false AllowUserOverrides overrides any true AllowUserOverrides.

If you have found no system-extension-policy in your ohno.txt, then a policy is not likely your problem here, sorry. If you did find it, I have bad news for you so far. If you look at the documentation for the SystemExtensions policy under Profile Availability, you will see Allow Manual Install | - and Requires User Approved MDM | macOS which, through some painful trial and error, I have discovered means that if you try to create your own local profile that adds the Karabiner TeamID to the System Extensions Policy in an attempt to work around this problem, it will fail. Only the MDM can add new TeamIDs and Extension Identifiers. You as the local administrator have no say.

Things I have tried to workaround this problem:

• Creating a local signed profile with iMazing Profile Editor that permits the Karabiner TeamID, and adding the profile to the system by hand.

  • I get the error Profile installation failed. The profile must originate from a user approved MDM server.. Stands to reason, given Apple's documentation stating this setting has to come from an MDM.

• Deleting the offending profile that restricts via AllowUserOverrides being set to false.

  • You may be able to manually disable the profile with sudo profiles -R -p <UUID> where <UUID> is the UUID found under ProfileIdentifier, right at the top of the <dict> that contains AllowUserOverrides. In my case, my MDM doesn't permit profile deletion locally, though the apple documentation suggests it is a possibility.

The only way I can see to solve this problem at this time is to either beg the MDM folks to set AllowUserOverrides to true, or get them to add the Karabiner TeamID as permitted in a profile. I suppose you could un-enroll from the MDM at your peril as well, but depending on how that is configured, you may have to wipe and reinstall the machine.

If you are a developer who uses a Mac at least in part as a way to escape your inept IT department, I'm sad to say, Apple's helped them capture you again. After reading the apple documentation on the configuration profile system it is clear the future is no brighter, the potential restrictions are even worse. Might as well switch back to a PC, at least the keyboard will be sane again.

Edit: I just learned you may not be able to even get a list of the profiles that are affecting you. Search your ohno.txt for AccessRights. You can decode the value with the table found here.

Exactly!!! Wow man!

[mansweet]

For what it's worth, one could make a claim to your IT dept managing the MDM that you need Karabiner on an accessibility basis in order to do your job. I have a bad RSI in my hand and have to remap my keyboard in order to work without discomfort or pain. If I don't have this tool, my work output will be affected and it will result in my filing a workers comp claim. If you really need, I'm sure you can convince your doctor to write you a note -- Mine did to justify them purchasing a Karabiner Advantage II Keyboard.

I'm sure if you looped the legal dept in with this reasoning, they would force the hand of IT to enable a small but critical tool if they were still resisting.