Once a user grants macOS permission to run a third-party's kernel extensions, all extensions signed by that developer's key are allowed to run. Even if the extension is erased and reinstalled, permission remains.
How does one subsequently revoke permission to run one or all third-party kernel extensions?
This is not a request for how to unload kernel extensions. Assume, for example, that a developer wishes repeatable QA around the process of installing and prompting a user to authorize a kernel extension.
Best Answer
According to TN2459
This database (at least until Mojave) is /var/db/SystemPolicyConfiguration/KextPolicy and you can update it with sqlite3 after disabling SIP.
It contains 4 tables of which only kext_policy and kext_load_history_v3 are interesting (unless you use mdm presumably). For example these are my authorised kext:
If you wanted to delete all of them you could use
delete from kext_policy;
then to be tidydelete from kext_load_history_v3;
Alternatively you can delete a specific one by comparing one of the fields shown by the
.schema
command. For example to delete LittleSnitch based on the second field bundle_id;I notice that this answer on stackoverflow suggests it may be necessary also to reset PRAM. Resetting PRAM automatically reenables SIP and as it is easier than booting into recovery is worth doing.
It is possible to do this using a GUI if preferred. After disabling SIP:
sudo /Applications/DB\ Browser\ for\ SQLite.app/Contents/MacOS/DB\ Browser\ for\ SQLite