Mac – Symantec – System Extension Blocked

email me


When installing an Endpoint Protection agent (SEP client) on a Mac with macOS High Sierra 10.13 (or newer), you receive the notification System Extension Blocked.



This is due to a change in macOS High Sierra. Kernel Extensions (KEXT) that are not signed by Apple are no longer automatically installed by default. As a security measure, macOS now asks the User to allow the installation of third-party KEXTs.


* none are great


If you use NetBoot, NetInstall, or NetRestore, use the following command while preparing disk images for deployment:

spctl kext-consent add 9PTGMPNXZ2

Recovery Mode

spctl kext-consent disable

Manually Allow

System Preferences > Security & Privacy > Click the Allow button

Build and Administer MDM

Create an MDM to manage extensions




Also see:

About authorizing kernel extensions for Symantec Endpoint Protection for macOS 10.13 or later

Managing kernel extension authorization when deploying the Symantec Endpoint Protection client for Mac

Remote Assistance

When remoted into computer, create a script to click OK on the dialog box (you cannot remotely click OK, so the setup will not continue)

Remote Controltell application “System Events”
click at {123,456}
end tell