Reducing Security Policy AND Removing Old System Kexts

1. It depends on what you need. I have them reduced so I can boot my Mac to older versions of macOS, and to allow booting to an external drive. If left at the defaults, you can't do either. Though I do have the check boxes off (image below) since I don't use any software that forces me to turn them on. And as far as I'm concerned, any software nowadays that would require such low level intrusion is one I would never install. Apple has given developers other APIs to use that don't require such low level access to work.
2. 3rd part .kext files are supposed to install to the /Library/Extensions folder. Nowhere else. And they can't be installed to the System folder anyway. That's been 100% locked down since Big Sur.
3. If at some point software you installed put a .kext file into the System folder in Mojave or earlier, it will then be trapped there after upgrading to newer releases of macOS. The System folder in Catalina isn't quite fully off limits, but neither is it easy to modify.

The System folder since Big Sur is a sealed and cryptically signed volume. No one but Apple can touch it. And to note, there's more than just SoftRAID.kext in the /System/Library/Extensions folder. There are 590 items in that folder, of which 551 are .kext files.

I can see why OWC wants that extra software installed. I have one of those hubs. And while it works without installing the driver, the OS does have trouble releasing drives attached to the hub without it. However, mine is now sitting in a box since I don't have so many external devices anymore that I can't get by with the 4 Thunderbolts ports on the mini.

There are two ways to install to an erased volume and restore your data that will work every time. They are very similar. Really, the only difference is which backup method you used. Time Machine, or Carbon Copy Cloner.

First, use a separate drive, or create a hard partition on one large enough to hold your third party apps and personal data, plus at least 20% more room. The backup you make must have its own space and not be part of a shared volume.

1. Use CCC to copy the main drive to the backup drive/volume. Do not have Legacy Bootable Copy Assistant on for the target drive. This will copy only your data and anything else that does not belong to macOS. As far as SafetyNet, I always have it off.
2. Else, use Time Machine to backup your drive to the backup drive/volume.
3. Install Ventura to the erased drive normally. Create a bootable flash drive installer first if you wish, or connect online to Apple's servers.
4. When the installer is almost done and it reaches the point where it asks if you have data to restore, choose yes. Then point it to your CCC or TM backup.

I don't use Time Machine, so can't comment on how the final install/restore works. But with CCC, there is one small but annoying issue. Any entries you had in the System Settings under Privacy & Security will be gone. You'll need to add them again as you launch your third party apps.

i too have CCC. yeah, that inability to create bootable backups like we used to is a bit jarring, but since the Recovery or Internet Recovery is so accessible now, that's ok.

I've had a couple of email conversations with the developer at CCC. He relented to adding the ability make a full backup of Big Sur and later (the Legacy Boot part) only because so many users asked for it. But he very strongly states you shouldn't use it. There isn't a reliable way to be sure the OS was backed up, or can be restored without errors.

You can create as many bootable volumes as you want. On the internal drive or external. But the only good reason for doing that is so you can multi-boot between different versions of macOS. Such as on a 2018 mini I recently sold, I had the latest OS on the main drive so I could run software that required a newer OS, and Mojave on an external drive so I could use the Adobe CS6 Master Collection.

It's either that kind of use, or I will sometimes create a new volume with the same OS on simply because I want to test unknown software without installing it on my day-to-day drive. Install, test, delete the volume when done.

Otherwise, there's no good reason to keep creating extra installs of the same OS. If you want to do a clean install, do your CCC backup, erase the drive, then reinstall the OS and merge in your backup.

so then i really would need to re-install everything i currently use.

No. That's why you create the CCC backup, first. Or, I should say, you don't have to manually reinstall every bit of third party software you have, as if you're setting up a computer fully from scratch.

Make the backup, erase the drive, then reinstall the OS while merging in the CCC backup near the end of the install.

When it's done, your Mac will look exactly like it did before. All of your third party apps and your data will be be back on the drive. Even your desktop will look just as it did.

syberknight wrote:

1) is it really safe to reduce your security policy?

In most cases, that's simply the wrong question. This is extremely unusual. It is safe for someone who has a specific need for it. That's why Apple added the feature. You do not need it. You are digging yourself into a rabbit hole.

2) is there a way to actually remove 3rd-party system kext files?

No. I've already skimmed your question. I can tell already tell you - stop now!

3) does Apple expect us to create new "volumes" & install fresh macOS's as the way to delete old &/or unwanted 3rd-party kext & other files in the system that migrated thru the years with each Mac & macOS upgrade? if so, that would mean for each future app installs that puts files in my system, if i don't want that app anymore, then i would have to start over with a fresh system each time as the way to remove 'all' the files the app installed.

Apple does not expect this. But in some cases, when people have years of old, partially functional 3rd party system modifications, it can be a very good idea to start fresh.

i purchased an OWC Thunderbolt 4 hub. i was having trouble with the audio working correctly thru it. OWC tek support told me this dock required having their "Dock Ejector" app installed, as it has specific drivers for this unit (tho none of the documentation for the hub mentioned this). and to do that, i had to...

change the "Security Policy"

to "Reduced Security"

& "Allow user management of kernel extensions from identified developers".

This is just a failure on OWC's part. No other way to put it. If you can, return the device for non-functionality.

There is absolutely no reason for OWC to be distributing unsigned software or recommending that users reduce their security. This is totally, unqualifiedly, absolutely wrong.

Nothing else that you wrote really matters. This is the problem. All that remains now is to see how bad the damage is and if your system can be repaired.

i'm having a hard time understanding everything i'm finding/reading regarding the specifics around apps & the need (or not) to set the Security Policy as Reduced.

It is because that documentation is designed specifically, and exclusively, for developers and other people doing very specific security work. You should not be anywhere close to it.

it would seem that installing new apps that need to put kext files in the system extensions library require this to happen before installing. but then you can't remove/delete them if you don't want the software anymore(?).

This is a long, long story. You don't want me to start.

so, installing their software did not fix the problem.

It wouldn't. They never should have recommended that to you. I can tell just from the instructions that the only thing you should do with that software is delete it. If the hardware you purchased requires it, then you should return it if you can. Otherwise, recycle it responsibly.

then tek support had me send them a System Profile report. from that they said there was a "SoftRAID" kext that was conflicting with the Dock Ejector app. they advised me to remove that kext. but i couldn't!

Exactly! Nor should you. That advice was 100% wrong.

in researching how, i discovered that "SoftRAID" is another OWC app! not sure how i could have that; i must've "tried" it many many years ago but my memory fails me. SO, i downloaded their trial SoftRAID app (because it has an UNinstaller built-in).

Kinda yes, kinda no. It is a relic from another era.

so then i found various Terminal commands to try & remove the /System/Library/Ext one. but nothing worked. i even tried disabling something called a "SIP" to run those Terminal commands, but that didn't work either (yes, i re-enabled it).

I'm just sobbing now...

then tek support says Apple no longer allows us to remove system extensions so they're now advising i try creating a second/new Mac "volume", install a fresh copy of macOS on it, & see if the audio issue is the same there. but this opened a whole other door of complexity/confusion/reading/learning.

Someone make it stop...

i ended up returning the OWC hub.

Excellent news! Obviously I did just skim ahead. I missed this part.

This one of the odd things I've noticed lately. I read a lot of developer forums. I also read a number of "IT admin" forums. But the general level of knowledge, skill, and competence in these communities is remarkably low, much lower than it used to be. That's why I prefer this forum. End users like you are generally smarter and more competent than most supposed "experts". You made the correct decision.

i would still like to know how this is all supposed to work these days.

Not like that.

I don't have a good answer for you. I used to think OWC was reliable source of Mac-compatible products and support. Can't trust anybody that's not wearing an Apple T-shirt anymore.

i thought some apps have bits & parts in the /System & /Library & ~/Library as well as the /Applications folders.

Anything in the /Library folder that does not belong to the OS (such as Application Support third party items) will also be backed up by CCC. Nothing in the System folder will be since only items belonging to macOS are there. And of course, all user account data will be backed up, along with anything you installed in the Applications folder.

so backing up, wiping, installing OS, then migrating the ccc backup back in, will give me everything including functionable apps, but with a clean OS /System & /Library - do i have that right?

Yes. Well, a clean System folder. But anything that needs to be restored to the /Library folder will be. All of your apps will be functional, other than the rare, but possible following example.

then i suppose i'll know which apps aren't compliant if they don't work after that. then i'd have to choose whether to reinstall them or delete them.

Technically, that would only be older apps that rely on a .kext they may have installed to the System folder back in Catalina or earlier. Those shouldn't be restore, which in turn would break that old software. But if I've read about it correctly, Big Sur and later (and maybe also Catalina), won't allow third party .kext files in the System folder to load anyway.