High Sierra is blocking my kernel extension from loading. (Security in System Preferences allows unblocking it.)
Is this something new applying to all kernel extensions, or am I just doing something wrong? This will look scary to my customers...
So, if I read the updated technote correctly, the solution for enterprise deployments is to manually boot each computer into recovery mode to issue commands to allow kernel extensions on a per-machine basis?
One of our customers has over 10,000 Macs in deployment. How is their IT team supposed to walk around and do this individually on 10,000 Macs? Similarly, if they don’t do this, then when IT pushes our software package out to the endpoints, every user is going to be left with the decision to allow our kernel extension? For a security package that the end users aren’t even supposed to really know about? That has no GUI whatsoever?
I get completely what you’re trying to do here, and the effort is a noble one, but while it works brilliantly in a single-owner environment, it becomes absolutely unusable in a large enterprise environment under the current technote definitions. Ask yourselves how an enterprise user with 10,000 Macs is supposed to push mission critical security software that the end-users are not supposed to be able to defeat, and please understand that an IT team manually booting 10,000 Macs into recovery mode to change settings isn’t going to work.
You can't disable only some protection: "csrutil enable --without fs --no-internal". See "csrutil status" afterwards.
Like this you can alter "/private/var/db/SystemPolicyConfiguration/KextPolicy" outside of the recovery mode and still have "Secure kernel extension loading" policy protection.
FWIW, I found that non-Apple products -- minimally my Logitech G502 mouse -- cannot be used to click on the "Approve" button from the Security & Privacy pane. Instead, use of an Apple trackpad or mouse was required.
In console, I found:
com.apple.preference.security.remoteservice Dropping mouse down event because sender's PID (112) isn't 0 or self (423)
https://discussions.apple.com/message/32992230?ac_cid=op123456