What is the issue?

In some case, a video device is not seen even though it seems to be working fine and drivers are installed. The issue is most probably related to a security in macOS that require you to allow system extensions (kernel extensions or DriverKit) to load. And in some cases something goes wrong with this verification.

The issue and resolution will be different if you are using a driver using DriverKit or a Kernel Extension (kext).

• If you are using drivers from AJA or Deltacast, or if you are using older Blackmagic-Design drivers (12.1 and earlier), read below. 
• If you are using a recent version of the Blackmagic-Design drivers (12.2 or later), the troubleshooting is explained in another article.

 

What is this security?

This means that when you install your AJA, Blackmagic-Design or Deltacast drivers for the first time on a macOS 10.13 or later, you should have seen a warning saying:

 

When you see this warning, do NOT click on OK, but click on "Open Security Preferences", it will open the following window:

Click on "Allow". That's it, you should be good to use your AJA or Blackmagic-Design device.

Note that you may have to enter an admin password to allow the kernel extension to load.

 

What have I missed - why don't I see the card?

The problem is that this warning window (the one saying "System Extension Blocked") will be shown only once the first time you install, and you won't be able to use the card until you have "allowed" the extension to run.

The approval is done in "System Preferences > Security & Privacy > General". See the following screenshot:

 

This message in the System Preference pane is also displayed only 30 minutes. So in case you did not see the warning message, and it has been more than 30 minutes and you don't see it in system preferences pane, check the troubleshooting below.

 

 

 

TROUBLESHOOTING

Clear the staged extensions

The first easy thing you can try is to clear the staged extensions. To do that, open the "Terminal" application and type the following:

sudo kextcache --clear-staging

You will need to enter your admin password. Restart your computer, and see if the extensions load.

 

Check if the extension can load

The first thing would be to confirm that the issue is indeed an issue with the extension not loading, and not an issue with the card itself or with a cable, PCI slot, or something else.

But it is not that easy. You can check in Terminal with a command line that will ask the macOS to load the kext.

For example AJA:

~ admin$ sudo kextutil /Library/Extensions/AJANTV2.kext 

For Blackmagic-Design it will be:

~ admin$ sudo kextutil /Library/Extensions/BlackmagicIO.kext

For the Deltacast cards it will be:

 ~ admin$ sudo kextutil /Library/Extensions/DELTA-X300.kext
 ~ admin$ sudo kextutil /Library/Extensions/DELTA-hd.kext

You will be required to enter the admin password. Either the load will succeed or fail. See below what's next.

 

If the extension can NOT be loaded

If the extension can not be loaded it will return something like this:

Kext rejected due to system policy: <OSKext 0x7fb95472b540 [0x7fff97b7e5b0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/AJANTV2.kext/", ID = "com.aja.iokit.ntv2" }
Kext rejected due to system policy: <OSKext 0x7fb95472b540 [0x7fff97b7e5b0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/AJANTV2.kext/", ID = "com.aja.iokit.ntv2" }
Diagnostics for /Library/Extensions/AJANTV2.kext:

In this case, either there is an issue with the extension, and you should contact the manufacturer, or you can try the "more advanced" procedure.

 

If the extension CAN be loaded

If the extension can load using the command line, try to restart the computer and to confirm the card can be seen after a reboot.  If not, then it probably is an issue that we have seen for some users with macOS 11.3 or 11.4 where the database for kext approvals has been corrupted, and thus the macOS refuses to load it at startup.

It's a macOS issue, and we hope that Apple will fix this in future releases. But you can force to clear that database, and allow again the extensions to load. Here is the procedure :

• Restart your computer in recovery mode
• When the macOS Utilities window shows up, select the menu "Utilities > Terminal" to open the Terminal application
• Type the following command line in Terminal (replace Macintosh HD by the name of your boot drive):

  kmutil trigger-panic-medic --volume-root /Volumes/Macintosh HD

• Restart the computer 
• Open "System Preferences > Security & Privacy > General", and click on the button to allow the required extensions to load. If your card extension does not show up, you may need to reinstall the drivers of the card and make sure to allow the extension to load BEFORE rebooting your computer.

 

 

Get the macOS to show you the message

So if you think it's the extension not loaded issue, the thing is now to get the macOS to show you the message again. First, try this:

• make sure that the card is connected to the Mac (the extension only loads if a card is connected)
• then reboot the computer
• check if the message is shown in "System Preferences > Security & Privacy > General"

If the message is not displayed, try to do the terminal requests below (with kextutil), this will force the extension to load.

And if still you can't see the card, try to

• run the driver uninstaller (from AJA or Blackmagic-Design),
• delete the preferences of the card (in ~/Library/Preferences/ , search for the files starting with com.AJA or com.Blackmagic)
• once you  sure the drivers are properly uninstalled, restart the computer,
• reinstall the drivers.

 

You are controlling the computer remotely and can not click

For security reasons again, if you are controlling the computer with a screen sharing service (VNC, Screen Sharing, TeamViewer, etc...), you won't be able to click on the "Allow" button. This can also happen if the mouse or trackpad are emulated by a 3rd party application  such as MagicPrefs, BetterTouchTool, Synergy, etc.

There are 2 solutions:

• (Recommended but not always possible). Have a user that has a physical access to the Mac to click on the button.
• A workaround (not sure it will always work), that is a bit tricky is to run an AppleScript which would do the click: tell application "System Events" to click at {890, 460}

 

Even more advanced. 

Disclaimer: the following info is for experienced admin users and Softron can not be liable to any consequences of the modifications done.

There is also a way to allow the kext to load. But that's even more complicated, and do this only if none of the above solution worked for you, it's only at last resort. 

 

Get the TeamID of the kext

First you need to get the TeamID of the Kext you want to allow to run. To do that, first make sure that you have installed the driver of the card you want to run, then start the application "Terminal" and type:

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

enter your admin password, and it should now show this:

SQLite version 3.24.0 2018-06-04 14:10:15
Enter ".help" for usage hints.
sqlite>

Now type:

SELECT * FROM kext_policy;

It should now return the list of kext that are installed. If you have installed drivers for the AJA cards, it should show something like this (probably a bit more):

The first characters (before the "|")show you the TeamID of the kernel extension. Here are the ones of the different cards manufacturers that Softron uses:

• AJA: 9VB857J7CD
• Blackmagic-Design: 9ZGFBWLSYP
• Deltacast: R3YAN7X7P2

 

Allow kext to load in recovery mode

Now that you have the TeamID of the kernel extension:

• restart your Mac in recovery mode (hold the keys cmd+R when restarting your Mac)
• When the computer has restarted, go to the menu "Utilities" and select "Terminal"
• Then in Terminal, type the following (just replace TEAMID with the characters of the Kext's TeamID):

• /usr/sbin/spctl kext-consent add TEAMID

• Then use carriage return, and then type "reboot" to restart the computer

 

 

In macOS 10.14.5 and later

As you can read in the macOS 10.14.5 release notes, "Kernel extensions signed after April 7, 2019 must be notarized in order to load on macOS 10.14.5."

If the kernel was signed after April 7, 2019, but not notarized it will not load on macOS 10.14.15. This warning will show up:

The only solutions in that case are:

• Revert to a macOS version prior to 10.14.5
• Downgrade the drivers to one released before April 7, 2019
• Upgrade the drivers to a version that has been properly notarized

 

 

A few more info

If the drivers were installed before an upgrade to High Sierra then there won't be any issue. But if they are installed afterwards, the user will need to approve them. 

 

What is a "Kext"?

"A kernel extension (or kext) is a dynamically loaded bundle of executable code that runs in kernel space. You can create a kext to perform low-level tasks that cannot be performed in user space."

So this is what the video cards manufacturers use for their drivers. If their driver is not loaded, it means that the card can not be seen...

You can read more about kext on Apple's website. 

 

What is "User-Approved Kernel Extension Loading" ?

"To improve security on the Mac, user consent is required to load kernel extensions installed with or after installing macOS High Sierra or later. Any user can approve a kernel extension, even if they don’t have administrator privileges."

 

More links

More info on this can be found here: https://developer.apple.com/library/content/technotes/tn2459/_index.html

Disclaimer: Some of the text here comes from the following document: https://www.apple.com/business/resources/docs/macOS_Security_Overview.pdf