Parallels Desktop is one of the most popular solutions for running virtual machines (VMs) on macOS, offering seamless integration between macOS and other operating systems like Windows or Linux. However, Mac users occasionally encounter an error after a macOS update stating that a “kernel extension was blocked.” This error often leads to confusion and frustration, especially when users try to launch their virtual machines, only to find they’re unable to do so. So what exactly causes this problem, and how can it be resolved?
TL;DR (Too Long; Didn’t Read)
When macOS updates, it reinforces system security by disabling or blocking unsigned or unapproved kernel extensions that apps like Parallels Desktop rely on. These kernel extensions (also known as KEXTs) require manual approval from the user under System Preferences > Security & Privacy. Without enabling these extensions, Parallels Desktop may not function properly, leading to issues such as failed VM startups. The good news is that following a simple sequence of security approvals allows users to get their virtual machines up and running again.
Understanding Kernel Extensions and macOS Security
To understand why Parallels Desktop reports a blocked kernel extension, we first need to look at how macOS treats third-party kernel extensions. Kernel extensions are modules that extend the capabilities of the macOS kernel—essentially, the core of the operating system. They operate at a low level and have the potential to affect system stability and security, which is why Apple has placed increasingly tight controls on them in recent macOS versions.
Starting with macOS High Sierra (10.13), Apple introduced a feature called User-Approved Kernel Extension Loading. This requires users to explicitly approve kernel extensions installed by third-party developers. Any software attempting to load a new kernel extension will only be permitted to do so after user authorization, even if the developer is recognized and identified by Apple.
Why Does Parallels Desktop Trigger This Warning After a macOS Update?
Parallels Desktop uses kernel extensions to manage virtualization—particularly for intercepting low-level instructions, managing CPU virtualization hooks, and controlling virtual hardware interfaces. During a macOS system update, the OS checks and removes or disables unapproved or outdated kernel extensions to maintain system integrity. When this happens, users might see a message like:
“System Extension Blocked. A program tried to load a new system extension signed by ‘Parallels International GmbH’ which needs to be approved by you.”
This is part of macOS’s security protocol. It doesn’t mean Parallels Desktop is malicious—it simply means macOS wants you, the user, to make a conscious decision to allow this extension to run on your system.
Security Preferences: Where the Key Decision Is Made
Once the kernel extension is blocked, the next step involves manual intervention through System Preferences. Here’s the step-by-step sequence you need to follow:
- Open System Preferences from the Apple menu.
- Go to Security & Privacy.
- Under the General tab, you’ll see a message stating that software from “Parallels International GmbH” was blocked from loading.
- Click the Allow button next to the message.
- You may need to restart your Mac or relaunch Parallels Desktop for the changes to take effect.
This approval process is only required once, and it’s critical for allowing the Parallels KEXT to load into the kernel safely. Until this approval is granted, the Parallels hypervisor cannot communicate effectively with macOS, leaving the virtual machines inoperable.
Why the Process Seems Inconsistent
One common complaint among users is that the approval message doesn’t always appear immediately, or sometimes doesn’t show up at all. This can happen for several reasons:
- Timing Issues: The approval prompt in System Preferences is only available for 30 minutes after the installation attempt. If the user waits too long, the prompt disappears and must be triggered again by reinstalling or relaunching Parallels Desktop.
- Remote Access: Approval of kernel extensions must be done physically at the machine—it cannot be done over screen sharing or remote login for security reasons.
- System Integrity Protection (SIP): While SIP typically doesn’t prevent approval itself, it blocks modifications to certain system locations, which can affect kernel extension behavior.
Therefore, it’s crucial to complete this approval sequence promptly after a Parallels update or macOS upgrade. Even missing this window by a few minutes can result in confusion and the need to troubleshoot system settings or reinstall software.
Apple’s Vision: A Future Without Kernel Extensions
Apple has been gradually moving toward deprecating kernel extensions in favor of newer APIs like System Extensions and DriverKit. These systems provide similar low-level access but operate in user space rather than inserting code directly into the kernel, making the OS more secure and stable.
Parallels has begun adapting to these new frameworks, especially in newer versions of the software, but some functionality still relies on traditional kernel extensions. Until a full transition is complete, Parallels Desktop users will likely continue encountering the blocked KEXT error after system upgrades.
What to Do if Approval Doesn’t Work
If your VM still won’t start even after approving the KEXT, try the following:
- Reboot your Mac after clicking “Allow” to ensure the kernel extension loads.
- Reinstall Parallels Desktop to trigger a fresh extension load request.
- Check security settings: Ensure SIP is active but not overly restrictive using
csrutil status. - Update to the latest version: An outdated version of Parallels might not be compatible with the current macOS security model.
Tips to Prevent This Error in the Future
To avoid surprises with blocked kernel extensions after macOS updates, here are a few proactive tips:
- Keep Parallels Desktop updated to the latest version before upgrading macOS. Developers often release patches to anticipate OS changes.
- Review the release notes of both macOS and Parallels updates to understand system extension requirements and known issues.
- Disable automatic macOS updates until you confirm compatibility with key software like Parallels.
- Create a Time Machine backup so you can roll back in the rare event of catastrophic VM failures or system instability.
Conclusion: A Small Hurdle for Greater Security
While the message “Parallels Desktop reported kernel extension blocked” can be alarming at first, it’s actually part of Apple’s broader initiative to strengthen user security and system integrity. Although it requires manual approval, the process is straightforward once understood, and it ensures a safer, more controlled environment for extensions that interact with critical system functions.
By familiarizing yourself with the security preference approval sequence and the reasons behind it, you can minimize downtime, avoid frustration, and ensure smooth operation of your virtual machines—even in the wake of macOS updates. In the grand scheme, it’s a small price to pay for keeping your virtual workspace both functional and secure.