How To Enable Kernel Extensions On Mac | The Essential Security Change

Enabling kernel extensions on an Apple silicon Mac requires changing the startup disk security policy to Reduced Security through macOS Recovery.

Kernel extensions — also called kexts or legacy system extensions — let hardware and software hook deep into macOS, and on Apple silicon Macs, they are locked down by default. If you are trying to install a driver, a VPN filter, or older peripheral software that has not moved to Apple’s newer System Extensions model, you will hit a wall until you know how to enable kernel extensions on a Mac. The only way is through one specific setting buried in macOS Recovery, and this guide walks through every click.

What Are Kernel Extensions on a Mac?

Kernel extensions are low-level code that runs in the macOS kernel space, giving devices and apps direct access to system functions. Audio interfaces, storage controllers, network tools, and certain VPN clients all relied on kexts for years.

On Intel Macs, kexts worked with fewer restrictions. On Apple silicon (M1, M2, M3, M4), Apple tightened security by turning off legacy kext support by default. The only way to turn it back on is through the Startup Security Utility in macOS Recovery — there is no toggle in System Settings for this.

Enabling Kernel Extensions on Apple Silicon: The Exact Step Sequence

This entire process happens inside macOS Recovery. You cannot change this setting from the normal desktop. Follow these steps in order:

  1. Shut down your Mac completely — a full shutdown, not a restart.
  2. Press and hold the power button until the screen shows “Loading startup options” below the Apple logo.
  3. Click Options, then click Continue.
  4. Select the startup disk you want to change, then click Next.
  5. Choose an administrator account, enter its password, and click Continue.
  6. In the macOS Recovery app menu bar, click Utilities and choose Startup Security Utility.
  7. Select the system volume at the top of the window, then click Security Policy.
  8. If FileVault is on, click Unlock, enter the disk password, and unlock it.
  9. Choose Reduced Security.
  10. Check the box for Allow user management of kernel extensions from identified developers.
  11. Click OK, authenticate if prompted, then choose Apple menu > Restart.

After the restart, kernel extensions from identified developers can install and load. When an app tries to load a kext, you will see a “System Extension Blocked” prompt — approve it from System Settings > Privacy & Security.

Understanding the Three Security Options

The Startup Security Utility offers three security tiers. The table below explains what each one allows and when to use it.

Security Mode What It Allows Best For
Full Security Only the current signed macOS version trusted by Apple can run. Requires a network connection during software installation. Everyday use, maximum integrity, no legacy kexts needed.
Reduced Security (kext box unchecked) Any version of signed macOS ever trusted by Apple can run, but legacy kexts remain blocked. Running older macOS versions without needing kexts.
Reduced Security (kext box checked) Same as above plus kernel extensions from identified developers can load. Installing hardware drivers or software that requires legacy kexts.

Apple’s startup security policy guidelines also include an option for remote management of kernel extensions — that checkbox is meant for organizations using device management (MDM), not for individual users.

Common Mistakes That Break the Process

Most failures happen at one of the points below. The table shows what goes wrong and how to avoid it.

Mistake The Fix
Not entering Recovery mode first This setting is unavailable from the desktop. Always power off and boot into Recovery via the power-button hold.
Choosing Full Security instead of Reduced Security Full Security blocks kexts. You must pick Reduced Security before checking the kext box.
Checking the kext box before selecting Reduced Security The checkbox is grayed out until Reduced Security is chosen. Select it first, then check the box.
Forgetting to unlock the disk when FileVault is enabled The Security Policy button stays inactive until you unlock. Look for the Unlock button at the bottom of the Startup Security Utility window.
Selecting the wrong startup disk If you have multiple macOS volumes, double-check you are changing the disk from which you actually boot.
Skipping the final restart The security change does not apply until you restart. Use Apple menu > Restart from inside Recovery.

What Changes After You Enable Kernel Extensions

Once you restart with Reduced Security and kernel-extension management enabled, your Mac still runs macOS normally — you are not disabling SIP entirely or opening a broad vulnerability. The change only permits identified, signed kernel extensions to load. When you install software that needs a kext, macOS will ask you to approve it in System Settings.

If you stop using the software that requires kernel extensions, you can revert to Full Security at any time by repeating the same Recovery steps and choosing Full Security instead. The kexts will stop loading on the next restart. To finish the revert:

  1. Complete the Recovery steps above and select Full Security.
  2. Restart the Mac.
  3. Remove the kexts from /Library/Extensions or /System/Library/Extensions if the vendor provided a removal tool.

References & Sources

Please use a real email you check. If it's fake or mistyped, your message won't reach us and we can't reply — wrong addresses are rejected automatically.