Starting with macOS Big Sur, Apple has made drastic changes to how Software Updates are performed on devices. The new M1 (Apple silicon) devices see more of these changes, but the new macOS itself introduces several important ones:
- MDM Updates are the primary mechanism that should deliver System Updates.
- The Software Update CLI now requires authentication from the end user on M1 Devices to perform updates.
Disclaimer: There are many reports that Software Updates performed via MDM are not working as intended on M1 Devices. By Apple design, users may be prompted with notifications to perform Software Updates. Additionally, there are several other reported issues with Software Updates in macOS Big Sur. Please see the reports section at the end of this article.
Full Software Update Requirements for M1 Devices
M1 Apple Device with Automated Device Enrollment:
During Automated Device Enrollment, a Bootstrap Token is created and escrowed to Addigy to manage Devices.
This should allow you to perform an Installation using Software Updates with MDM. To confirm, you should see the following in System Preferences > Software Updates:
You would also see the MDM Enrollment profile appear without a warning notice:
You can verify the bootstrap token as below:
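A scripted version of that check, as an added example that is not part of the original article: it reads the output of `profiles status -type bootstraptoken` and `profiles status -type enrollment` and reports which of the two enrollment paths in this article the device falls under. The function names and sample outputs are constructed, and the exact wording printed by `profiles` is assumed to match them.

```shell
#!/bin/sh
# Added example (not Addigy's code). Function names are hypothetical.
# Assumption: `profiles status` prints "Label: value" lines shaped like
# the constructed samples below.

# Constructed sample output, used when `profiles` is not available.
SAMPLE_TOKEN='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'

# Print the value after the last ": " on the first line of $1 matching label $2.
field() {
    printf '%s\n' "$1" | grep -i -m1 "$2" | sed 's/.*: *//'
}

is_yes() { case "$1" in [Yy][Ee][Ss]*) return 0 ;; *) return 1 ;; esac; }

# $1 = `profiles status -type bootstraptoken` output
# $2 = `profiles status -type enrollment` output
classify_update_readiness() {
    escrowed=$(field "$1" 'Bootstrap Token escrowed to server')
    dep=$(field "$2" 'Enrolled via DEP')
    mdm=$(field "$2" 'MDM enrollment')
    if ! is_yes "$mdm"; then echo "not-enrolled"; return 1; fi
    if ! is_yes "$escrowed"; then echo "no-bootstrap-token"; return 1; fi
    if is_yes "$dep"; then
        echo "ade-ready"
    else
        # Manual enrollment: the token alone is not enough; the recoveryOS
        # approval described in the article cannot be confirmed from here.
        echo "manual-needs-recovery-approval"
    fi
}

if command -v profiles >/dev/null 2>&1; then
    token_out=$(sudo profiles status -type bootstraptoken 2>&1 || true)
    enroll_out=$(sudo profiles status -type enrollment 2>&1 || true)
else
    token_out=$SAMPLE_TOKEN
    enroll_out=$SAMPLE_ADE
fi
classify_update_readiness "$token_out" "$enroll_out" || true
```

A result of `manual-needs-recovery-approval` means the token is escrowed but the device still depends on the manual approval step covered in the next section.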
M1 Apple device without Automated Device Enrollment
During manual Device Enrollment, a Bootstrap Token is created and escrowed to Addigy to manage Devices.
However, because this was a manual enrollment, the device itself requires manual approval in the Security Utility of recoveryOS to manage Software Updates.
This should allow you to perform an Installation using Software Updates with MDM.
Follow the steps in the following KB Article: https://support.addigy.com/support/solutions/articles/8000091113-kernel-extensions-and-software-updates-warning-on-apple-silicon.
During these steps you should be met with the following window:
To confirm that the device was manually enrolled, you will still see System Preferences > Profiles with the warning, as below:
Alternatively, you can follow the new Bootstrap Token Devices Facts (https://releases.addigy.com/AM-7924). The new Secure Token Device Facts should read as the following image shows to ensure System Updates functionality:
GoLive Deployment of MDM Software Updates on M1
In GoLive, we can send an available Software Update using MDM to the Apple M1 device if it has met one of the two required methods mentioned above.
Software Update Reports
- In Big Sur, Devices may not see available Software Updates: https://arstechnica.com/gadgets/2020/12/some-big-sur-users-are-unable-to-update-macos-due-to-an-mdm-bug/
- Software Updates prompt for User Authentication now, even when all conditions are met.
- Software Update CLI now always requires User Authentication and does not support Bootstrap Token.
- Install with Forced Restart does not work: https://developer.apple.com/forums/thread/671524
- MDM Updates on macOS are not reliable: https://developer.apple.com/forums/thread/672429
- macOS 11.2.1 will not download: https://developer.apple.com/forums/thread/673357
- Disk Space is not calculated properly and could potentially cause data loss: https://mrmacintosh.com/big-sur-upgrade-not-enough-hd-space-serious-issue-possible-data-loss/