Frequently Asked Question
Removing Troublesome Kernel Extensions (PulseSecureFirewall for example)
Last Updated 5 years ago
Installing PulseSecure is easily done on Mac but removing it can be a struggle, and the things it leaves behind cause endless problems. This isn't specific to PulseSecure, but its a good example for this FAQ.
The troublesome part is the kernel extension. Kernel extensions are loaded at boot time and allow low level access to drives, networking etc. You'll see kernel extensions for serial->usb drivers, disk drivers, printer drivers, and so on. Let's see what you have currently loaded....
Open a console window and type:
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
Now enter SELECT * FROM kext_policy;
You will see lines like
EG7KH642X6|com.vmware.kext.vmioplug.18.1.0|1|VMware, Inc.|1
EG7KH642X6|com.vmware.kext.vmioplug.18.1.2|1|VMware, Inc.|1
3T5GSNBU6W|com.github.osxfuse.filesystems.osxfuse|1|Benjamin Fleischer|1
The first part before the | symbol is the Team_ID and the second part after the first | is the Bundle_ID. Select your troublesome extension using the Budle_ID, which in the example lines about would be "com.vmware.kext.vmioplug.18.1.0" and for Pulse Secure would be "PulseSecureFirewall".
Now removing it is a little harder. Make a clear note of this Bundle_ID because your not going to have access to see it on-screen. You won't have access to these instructions either so print this page off, write on it your Bundle_ID and then proceed to the next steps.
Reboot your Mac, and as soon as the screen goes blank hold CMD+R on the keyboard. If your using a bluetooth keyboard then this won't work so go find a usb keyboard and mouse.
After some time and loading you will be shown the recovery console with a selection of options in the middle of the screen.
IF you have encryption enabled on your Macintosh HD drive then you will need to follow these next steps otherwise skip forward to Open the Console.
Open Disk Utility. Locate Macintish HD, select it then click Mount (in the buttons). Enter your password when asked to do so and when mounting is complete you can quit the Disk Utility by using CMD+Q.
Open a Console (from the Utilities Menu at the top of the screen) and enter.
cd "/volumes/Macintosh HD/usr/bin"
sqlite3 "/volumes/Macintosh HD/var/db/SystemPolicyConfiguration/KextPolicy"
Now check we're in the right place by issuing the command...
SELECT * from kext_policy;
You should see the same list you had before, but this time we're able to modify it. Remember, modifying the Kernel Extensions table isn't a good idea unless you know what you're doing and make sure your Time Machine backup is up to date. You should have already written down the Bundle_ID so now we remove the entry using...
DELETE FROM kext_policy where Bundle_ID='Your bundle ID';
In our example above this would be 'com.vmware.kext.vmioplug.18.1.0'.
Assuming you don't get an error its done, and you can quite sqlite using .exit.
Now close the terminal and reboot the machine using the apple icon top left.
If you've got this far then its done, extension removed and will no longer cause you any issues.
The troublesome part is the kernel extension. Kernel extensions are loaded at boot time and allow low level access to drives, networking etc. You'll see kernel extensions for serial->usb drivers, disk drivers, printer drivers, and so on. Let's see what you have currently loaded....
Open a console window and type:
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
Now enter SELECT * FROM kext_policy;
You will see lines like
EG7KH642X6|com.vmware.kext.vmioplug.18.1.0|1|VMware, Inc.|1
EG7KH642X6|com.vmware.kext.vmioplug.18.1.2|1|VMware, Inc.|1
3T5GSNBU6W|com.github.osxfuse.filesystems.osxfuse|1|Benjamin Fleischer|1
The first part before the | symbol is the Team_ID and the second part after the first | is the Bundle_ID. Select your troublesome extension using the Budle_ID, which in the example lines about would be "com.vmware.kext.vmioplug.18.1.0" and for Pulse Secure would be "PulseSecureFirewall".
Now removing it is a little harder. Make a clear note of this Bundle_ID because your not going to have access to see it on-screen. You won't have access to these instructions either so print this page off, write on it your Bundle_ID and then proceed to the next steps.
Reboot your Mac, and as soon as the screen goes blank hold CMD+R on the keyboard. If your using a bluetooth keyboard then this won't work so go find a usb keyboard and mouse.
After some time and loading you will be shown the recovery console with a selection of options in the middle of the screen.
IF you have encryption enabled on your Macintosh HD drive then you will need to follow these next steps otherwise skip forward to Open the Console.
Open Disk Utility. Locate Macintish HD, select it then click Mount (in the buttons). Enter your password when asked to do so and when mounting is complete you can quit the Disk Utility by using CMD+Q.
Open a Console (from the Utilities Menu at the top of the screen) and enter.
cd "/volumes/Macintosh HD/usr/bin"
sqlite3 "/volumes/Macintosh HD/var/db/SystemPolicyConfiguration/KextPolicy"
Now check we're in the right place by issuing the command...
SELECT * from kext_policy;
You should see the same list you had before, but this time we're able to modify it. Remember, modifying the Kernel Extensions table isn't a good idea unless you know what you're doing and make sure your Time Machine backup is up to date. You should have already written down the Bundle_ID so now we remove the entry using...
DELETE FROM kext_policy where Bundle_ID='Your bundle ID';
In our example above this would be 'com.vmware.kext.vmioplug.18.1.0'.
Assuming you don't get an error its done, and you can quite sqlite using .exit.
Now close the terminal and reboot the machine using the apple icon top left.
If you've got this far then its done, extension removed and will no longer cause you any issues.