How to deploy Parallels Desktop to some Mac computers with macOS High Sierra, macOS Mojave, or macOS Catalina as a main system, because after installing the application it requires kernel extensions approval first?
Resolution
Kernel extensions in macOS
If you deploy Parallels Desktop on macOS High Sierra, macOS Mojave, or macOS Catalina, Mac users will need to approve kernel extensions before they can launch Parallels Desktop.
Kernel extensions can be approved manually on a Mac computer. See Manually approving kernel extensions. As a system administrator, you can make the deployment more transparent for your Mac users by allowing Parallels Desktop kernel extensions to load before you deploy it on Mac computers. This can be done using one of the following options:
- Allowing kernel extensions to load via MDM configuration. See Using MDM configuration.
- If your Mac computers are not enrolled in MDM, you can use the spctl command while booted to macOS Recovery. See Using spctl command.
Please note that kernel extensions don't require user consent if:
- The extensions were on a Mac before macOS was updated to one of the versions listed above. This means that if Parallels Desktop was installed on a Mac before the update, you don't have to approve its kernel extensions.
- The extensions are replacing previously approved extensions.
- A Mac runs macOS Big Sur or later and the Apple hypervisor option is used in the virtual machine configuration.
Using MDM configuration
Starting with macOS 10.13.4, enrolling in MDM no longer disables User Approved Kernel Extension Loading, and extensions previously allowed to load for that reason now require approval. However, you can use MDM to specify kernel extensions that load without approval. This requires a Mac that is using macOS 10.13.2 or later and is either enrolled in MDM via DEP or whose MDM enrollment is User Approved. For more information about User Approved Kernel Extension Loading and User Approved MDM enrollment, please see the following Apple Support article: https://support.apple.com/en-gb/HT208019.
To approve Parallels Desktop kernel extensions, you need to create a macOS configuration profile with the Kernel Extension Policy payload and then install it via MDM on Mac computers. The following table describes the payload keys and how to specify them to approve Parallels Desktop kernel extensions. Please note that this can also be done using Parallels Device Management for Configuration Manager. For more info, please see https://kb.parallels.com/124937.
|
Key
|
Type
|
Value
|
|---|---|---|
AllowUserOverrides |
Boolean | If set to true, users can approve additional kernel extensions not explicitly allowed by the configuration profile. |
AllowedTeamIdentifiers |
Array of Strings | Specifies team identifiers that define which validly signed kernel extensions will be allowed to load. Parallels team identifier is 4C6364ACXT. When set, all possible Parallels kernel extensions will be authorized. Alternatively, you can specify kernel extensions individually (see below). |
AllowedKernelExtensions |
Dictionary | A set of kernel extensions that will be allowed to load on a Mac computer. The dictionary maps the team ID to an array of bundle IDs. The Parallels team ID is 4C6364ACXT. The bundle IDs are as follows: com.parallels.kext.usbconnectNote that the AllowedTeamIdentifiers key (described above) does the same thing, but approves all possible Parallels extensions, while here you can specify them individually. You can use either key depending on your requirements. |
If your Mac computers are not enrolled in MDM, you can use the spctl command described in the section that follows this one.
Using spctl command
You can disable the user approval requirement for Parallels Desktop kernel extensions using the spctl command on a Mac. This can be done either via booting into macOS Recovery or while preparing NetBoot/NetInstall/NetRestore images. The command is as follows:
spctl kext-consent add 4C6364ACXTThe 4C6364ACXT value in the example above is the Parallels Team ID. The command disables User Approved Kernel Extension Loading for Parallels Desktop, so user consent to load the extensions will not be required.
Please note that if you reset NVRAM after executing the spctl command, the Mac reverts to its default state with User Approved Kernel Extension Loading enabled. To prevent unauthorized changes to NVRAM, you can set a firmware password on the Mac.
Manually approving kernel extensions
If you don't disable User Approved Kernel Extension Loading for Parallels Desktop in advance, Mac users will need to approve them manually.
To manually authorize Parallels Desktop kernel extensions on a Mac:
1. If user consent is required to load the extensions, Parallels Desktop version 13.2.0 or later will guide the user by displaying the dialog shown below.
Note that earlier versions of Parallels Desktop will not display this dialog, so a user will need to open the Security & Privacy window (see the second screenshot below) directly.
2. The user clicks the Open Security Preferences button, which will open the Security & Privacy dialog (the user can also open the dialog by going to System Preferences > Security & Privacy > General):
3. The user then clicks the Allow button located next to the message about the software from "Parallels International GmbH". This will approve Parallels Desktop kernel extensions.
Parallels Desktop will now start normally. This has to be done only once when the user starts Parallels Desktop for the first time.
Was this article helpful?
Tell us how we can improve it.