Open nikhilm opened 3 years ago
macOS 11.2.3 (20D91) Intel mac Karabiner version 13.3.14
I'm getting identical behavior: no Allow button in the preference pane, and clicking "Activate Driver" yields "Activation was failed. (error: 1)". This has remained the same through multiple restarts, uninstalling & reinstalling Karabiner, upgrading Karabiner to beta, and upgrading macOS entirely (from Catalina to Big Sur.)
I'm seeing similar logs too, after clicking "Activate Driver":
default 22:13:49.160087-0700 sysextd initial activation decision: activateNew
default 22:13:49.171041-0700 sysextd staging extension with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
default 22:13:49.171082-0700 sysextd extension G43BCU2T37 org.pqrs.Karabiner-DriverKit-VirtualHIDDevice (1.0.0/1.0.0) advancing state from realizing to staging
default 22:13:49.173250-0700 sysextd staging bundle from /Applications/.Karabiner-VirtualHIDDevice-Manager.app/Contents/Library/SystemExtensions/org.pqrs.Karabiner-DriverKit-VirtualHIDDevice.dext to: /Library/SystemExtensions/.staging/ABB96947-CB8B-48C2-BACB-97EF457E3DFE/org.pqrs.Karabiner-DriverKit-VirtualHIDDevice.dext
default 22:13:49.177913-0700 sysextd extension G43BCU2T37 org.pqrs.Karabiner-DriverKit-VirtualHIDDevice (1.0.0/1.0.0) advancing state from staging to validating
default 22:13:49.185134-0700 sysextd Making activation decision for extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
default 22:13:49.185178-0700 sysextd Extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is not in the list of allowed extensions.
default 22:13:49.185214-0700 sysextd Activation decision for extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is Deny
default 22:13:49.185239-0700 sysextd immediately uninstalling never-started extension: org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
default 22:13:49.185261-0700 sysextd notifying extension delegates of uninstall of extension ABB96947-CB8B-48C2-BACB-97EF457E3DFE with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
Curious if anyone has any leads on what to do next, or other debugging steps I can try!
I have this same problem MacOS 11.3.1 Karabiner-Elements 13.4.0
no Allow button in privacy and security window.
Tried:
Getting this too on my Intel Mac MacOS 11.4 Karabiner-Elements 13.4.90
Intel Mac MacOS 11.4 13.4.0 and 13.4.90
So I did some investigation on this, and I have discovered the problem (at least for my Mac). My device is managed by my organization via MDM, and a profile delivered by the MDM is causing the "is not in the list of allowed extensions" error found in the logs, the "Activation was failed. (error: 1)" error, and is the cause of the missing Allow button in the Security & Privacy settings after rebooting.
The cause, in my case, is a device profile (System Preferences > Profiles) sent by the MDM that blocks both a) any System Extension / TeamID that is not listed in the profile and b) the ability of a user to manually allow a System Extension of their own choosing.
To see if you are affected, you can do the following: Step 1) Determine if the machine is under an MDM
sudo profiles list -output stdout-xml > ~/Documents/ohno.txt
This is going to export the entire profile system configuration as xml for you to view. ServerURL
. If it is there, the string tag nearby is going to be the MDM server your machine is tied to, most likely.PayloadDescription
, it is probably going to be MDMSettings
. If that is the case, I believe this means the machine is under an MDM.Step 2) Find the profile that is causing your woes
system-extension-policy
.AllowUserOverrides
.
<false />
tag under it. If this is the case, you are a victim of this profile. You are not permitted to add extensions to your machine. This setting is the cause of the "not in the list of allowed extensions" error in the logs and the missing Allow button in (System Preferences > Security & Privacy).false
, but a true
, search again for another AllowUserOverrides
. There can be multiple profiles, and it only takes one profile containing AllowUserOverrides
set to false
to cause this problem as one false AllowUserOverrides
overrides any true AllowUserOverrides
.If you have found no system-extension-policy
in your ohno.txt, then a policy is not likely your problem here, sorry. If you did find it, I have bad news for you so far. If you look at the documentation for the SystemExtensions policy under Profile Availability, you will see Allow Manual Install | -
and Requires User Approved MDM | macOS
which, through some painful trial and error, I have discovered means that if you try to create your own local profile that adds the Karabiner TeamID to the System Extensions Policy in an attempt to work around this problem, it will fail. Only the MDM can add new TeamIDs and Extension Identifiers. You as the local administrator have no say.
Things I have tried to workaround this problem:
Profile installation failed. The profile must originate from a user approved MDM server.
. Stands to reason, given Apple's documentation stating this setting has to come from an MDM.AllowUserOverrides
being set to false.
sudo profiles -R -p <UUID>
where <UUID>
is the UUID found under ProfileIdentifier
, right at the top of the <dict>
that contains AllowUserOverrides
. In my case, my MDM doesn't permit profile deletion locally, though the apple documentation suggests it is a possibility.The only way I can see to solve this problem at this time is to either beg the MDM folks to set AllowUserOverrides
to true, or get them to add the Karabiner TeamID as permitted in a profile. I suppose you could un-enroll from the MDM at your peril as well, but depending on how that is configured, you may have to wipe and reinstall the machine.
If you are a developer who uses a Mac at least in part as a way to escape your inept IT department, I'm sad to say, Apple's helped them capture you again. After reading the apple documentation on the configuration profile system it is clear the future is no brighter, the potential restrictions are even worse. Might as well switch back to a PC, at least the keyboard will be sane again.
Edit: I just learned you may not be able to even get a list of the profiles that are affecting you. Search your ohno.txt for AccessRights. You can decode the value with the table found here.
I manage our companies MDM and was troubleshooting how to allow an exception for Karabiner-Elements if the environment is locked down to prevent user-approved extensions. We use JAMF and I wanted to post my fix in case anyone else is dealing with this or needs to send info to their IT dept.
This is for Big Sur (11.4), but should work in Catalina too though I didn't test it there.
The driver loads without issue at this point and I verified it also works after an uninstall/reboot/reinstall.
For what it's worth, the above solution of modifying the MDM profile by the IT dept ended up resolving my issue. I still had to do the "disable driver" and then "reactivate driver" steps once they shipped the new profile to my machine. Thank you IT admins!
Kudos to @inthroxify and @mattchivers - it solved this issue for me as well!
I can't find System Extensions in Apple Configurator on MacOS Ventura 13.2.1 anymore. Is this related to deprecation of kexts? How to deal with this?
@phil-workato it does look like Apple removed this from the new Apple Configurator (Version 2.16 (8A14)), it still works with the Apple Configurator 2 app if you have it. Otherwise you would want to use a tool like Imazing Profile Editor (free), make it via your MDM, or make it manually. I think Apple's intention is to manage this stuff via your MDM.
Intel Mac MacOS 11.4 13.4.0 and 13.4.90
So I did some investigation on this, and I have discovered the problem (at least for my Mac). My device is managed by my organization via MDM, and a profile delivered by the MDM is causing the "is not in the list of allowed extensions" error found in the logs, the "Activation was failed. (error: 1)" error, and is the cause of the missing Allow button in the Security & Privacy settings after rebooting.
The cause, in my case, is a device profile (System Preferences > Profiles) sent by the MDM that blocks both a) any System Extension / TeamID that is not listed in the profile and b) the ability of a user to manually allow a System Extension of their own choosing.
To see if you are affected, you can do the following: Step 1) Determine if the machine is under an MDM
- Open a terminal and enter the following:
sudo profiles list -output stdout-xml > ~/Documents/ohno.txt
This is going to export the entire profile system configuration as xml for you to view.- Open ohno.txt in your Documents folder with your favorite text editor
- Search for
ServerURL
. If it is there, the string tag nearby is going to be the MDM server your machine is tied to, most likely.- Look a little below for
PayloadDescription
, it is probably going to beMDMSettings
. If that is the case, I believe this means the machine is under an MDM.Step 2) Find the profile that is causing your woes
- With ohno.txt in your editor still open, search for
system-extension-policy
.Once you find it, scroll up a little until you find
AllowUserOverrides
.
- You will probably find a little
<false />
tag under it. If this is the case, you are a victim of this profile. You are not permitted to add extensions to your machine. This setting is the cause of the "not in the list of allowed extensions" error in the logs and the missing Allow button in (System Preferences > Security & Privacy).- If you do not find a
false
, but atrue
, search again for anotherAllowUserOverrides
. There can be multiple profiles, and it only takes one profile containingAllowUserOverrides
set tofalse
to cause this problem as one falseAllowUserOverrides
overrides any trueAllowUserOverrides
.If you have found no
system-extension-policy
in your ohno.txt, then a policy is not likely your problem here, sorry. If you did find it, I have bad news for you so far. If you look at the documentation for the SystemExtensions policy under Profile Availability, you will seeAllow Manual Install | -
andRequires User Approved MDM | macOS
which, through some painful trial and error, I have discovered means that if you try to create your own local profile that adds the Karabiner TeamID to the System Extensions Policy in an attempt to work around this problem, it will fail. Only the MDM can add new TeamIDs and Extension Identifiers. You as the local administrator have no say.Things I have tried to workaround this problem:
Creating a local signed profile with iMazing Profile Editor that permits the Karabiner TeamID, and adding the profile to the system by hand.
- I get the error
Profile installation failed. The profile must originate from a user approved MDM server.
. Stands to reason, given Apple's documentation stating this setting has to come from an MDM.Deleting the offending profile that restricts via
AllowUserOverrides
being set to false.
- You may be able to manually disable the profile with
sudo profiles -R -p <UUID>
where<UUID>
is the UUID found underProfileIdentifier
, right at the top of the<dict>
that containsAllowUserOverrides
. In my case, my MDM doesn't permit profile deletion locally, though the apple documentation suggests it is a possibility.The only way I can see to solve this problem at this time is to either beg the MDM folks to set
AllowUserOverrides
to true, or get them to add the Karabiner TeamID as permitted in a profile. I suppose you could un-enroll from the MDM at your peril as well, but depending on how that is configured, you may have to wipe and reinstall the machine.If you are a developer who uses a Mac at least in part as a way to escape your inept IT department, I'm sad to say, Apple's helped them capture you again. After reading the apple documentation on the configuration profile system it is clear the future is no brighter, the potential restrictions are even worse. Might as well switch back to a PC, at least the keyboard will be sane again.
Edit: I just learned you may not be able to even get a list of the profiles that are affecting you. Search your ohno.txt for AccessRights. You can decode the value with the table found here.
Exactly!!! Wow man!
For what it's worth, one could make a claim to your IT dept managing the MDM that you need Karabiner on an accessibility basis in order to do your job. I have a bad RSI in my hand and have to remap my keyboard in order to work without discomfort or pain. If I don't have this tool, my work output will be affected and it will result in my filing a workers comp claim. If you really need, I'm sure you can convince your doctor to write you a note -- Mine did to justify them purchasing a Karabiner Advantage II Keyboard.
I'm sure if you looped the legal dept in with this reasoning, they would force the hand of IT to enable a small but critical tool if they were still resisting.
macOS: 11.3 Beta (20E5172i) (This is an Intel mac) Karabiner version: 13.3.0
I do not see the Allow button in the preference pane, and attempting to click "Activate Driver" (which fails with error -1 in the UI), leads to this on the console
Does someone with more macOS experience know where the "list of allowed extensions" is?
Things I've tried: