Parallels Desktop mass deployment to macOS High Sierra, macOS Mojave, or macOS Catalina Macs

1 users found this article helpful

How to deploy Parallels Desktop to some Mac computers with macOS High Sierra, macOS Mojave, or macOS Catalina as a main system, because after installing the application it requires kernel extensions approval first?

Resolution

Kernel extensions in macOS

If you deploy Parallels Desktop on macOS High Sierra, macOS Mojave, or macOS Catalina, Mac users will need to approve kernel extensions before they can launch Parallels Desktop.

Note: To avoid dealing with kernel extensions, Parallels recommends to update all of your Mac computers to macOS Big Sur or higher where Parallels Desktop has the capability to run without using kernel extensions. Installation of Parallels Desktop on Mac computers with Apple M1 chip is also seamless and you won't have to deal with kernel extensions.

Kernel extensions can be approved manually on a Mac computer. See Manually approving kernel extensions. As a system administrator, you can make the deployment more transparent for your Mac users by allowing Parallels Desktop kernel extensions to load before you deploy it on Mac computers. This can be done using one of the following options:

Please note that kernel extensions don't require user consent if:

Using MDM configuration

Starting with macOS 10.13.4, enrolling in MDM no longer disables User Approved Kernel Extension Loading, and extensions previously allowed to load for that reason now require approval. However, you can use MDM to specify kernel extensions that load without approval. This requires a Mac that is using macOS 10.13.2 or later and is either enrolled in MDM via DEP or whose MDM enrollment is User Approved. For more information about User Approved Kernel Extension Loading and User Approved MDM enrollment, please see the following Apple Support article: https://support.apple.com/en-gb/HT208019.

To approve Parallels Desktop kernel extensions, you need to create a macOS configuration profile with the Kernel Extension Policy payload and then install it via MDM on Mac computers. The following table describes the payload keys and how to specify them to approve Parallels Desktop kernel extensions. Please note that this can also be done using Parallels Device Management for Configuration Manager. For more info, please see https://kb.parallels.com/124937.

Key
Type
Value
AllowUserOverrides Boolean If set to true, users can approve additional kernel extensions not explicitly allowed by the configuration profile.
AllowedTeamIdentifiers Array of Strings Specifies team identifiers that define which validly signed kernel extensions will be allowed to load.
Parallels team identifier is 4C6364ACXT. When set, all possible Parallels kernel extensions will be authorized. Alternatively, you can specify kernel extensions individually (see below).
AllowedKernelExtensions Dictionary A set of kernel extensions that will be allowed to load on a Mac computer. The dictionary maps the team ID to an array of bundle IDs.
The Parallels team ID is 4C6364ACXT. The bundle IDs are as follows:
com.parallels.kext.usbconnect
com.parallels.kext.vnic
com.parallels.kext.netbridge
com.parallels.kext.hypervisor

Note that the AllowedTeamIdentifiers key (described above) does the same thing, but approves all possible Parallels extensions, while here you can specify them individually. You can use either key depending on your requirements.


If your Mac computers are not enrolled in MDM, you can use the spctl command described in the section that follows this one.

Using spctl command

You can disable the user approval requirement for Parallels Desktop kernel extensions using the spctl command on a Mac. This can be done either via booting into macOS Recovery or while preparing NetBoot/NetInstall/NetRestore images. The command is as follows:

spctl kext-consent add 4C6364ACXT

The 4C6364ACXT value in the example above is the Parallels Team ID. The command disables User Approved Kernel Extension Loading for Parallels Desktop, so user consent to load the extensions will not be required.

Please note that if you reset NVRAM after executing the spctl command, the Mac reverts to its default state with User Approved Kernel Extension Loading enabled. To prevent unauthorized changes to NVRAM, you can set a firmware password on the Mac.

Manually approving kernel extensions

If you don't disable User Approved Kernel Extension Loading for Parallels Desktop in advance, Mac users will need to approve them manually.

To manually authorize Parallels Desktop kernel extensions on a Mac:

1. If user consent is required to load the extensions, Parallels Desktop version 13.2.0 or later will guide the user by displaying the dialog shown below.

Note that earlier versions of Parallels Desktop will not display this dialog, so a user will need to open the Security & Privacy window (see the second screenshot below) directly.

2. The user clicks the Open Security Preferences button, which will open the Security & Privacy dialog (the user can also open the dialog by going to System Preferences > Security & Privacy > General):

3. The user then clicks the Allow button located next to the message about the software from "Parallels International GmbH". This will approve Parallels Desktop kernel extensions.

Parallels Desktop will now start normally. This has to be done only once when the user starts Parallels Desktop for the first time.

 

Was this article helpful?

Tell us how we can improve it.