With the release of Apple silicon (M1) devices, Apple has modified MDM permissions when enrolling a device outside of Apple Business Manager or Apple School Manager. When a device is enrolled via Enrollment Profile (manual) or BYOD, there will be a warning message posted within the Profiles section of System Settings.
Note: If a device is enrolled via Automated Device Enrollment, the warning box below will not appear as the device has a trusted chain of ownership.
More information about this change can be found in Apple's Support documentation: Change startup disk security settings on a Mac with Apple silicon
The warning message below will only show on devices that meet the following criteria:
- Big Sur 11.0 or newer
- Apple Silicon-based Mac
- Enrolled via Device Enrollment (.mobileconfig) or User Enrollment (BYOD)
Note: The "This MDM server requests the ability to manage" warning message only affects kernel extensions and software updates. All other management functions continue to work as expected as of the date this document was posted.
Option 1: Unchecking the "Allow Bootstrap For Authentication" Setting
Within Policies > (Policy) > Integrations & Settings > MDM Enrollment Profile, there is a setting that hides this warning. Note that unchecking it does not place the device in Reduced Security and does not enable the management functions the warning refers to (more on this in Option 2).
With the box unchecked, the warning message will not show up under the enrollment profile.
With the box checked, the warning message will appear under the enrollment profile.
If you are looking to hide this warning retroactively, this can be accomplished in two ways.
1: Install MDM
On the Devices page, you can use the Install MDM tool to update the status of the aforementioned setting.
2: Scripting option
If you have multiple devices that you need to resolve this warning on, the script below will push the updated enrollment profile to each device. It requires an API key.
Generate a new API v2 key within the Account > Integrations page of your Addigy portal. Additional steps on how to create this API token can be found here: API Documentation (v2)
The script is as follows (make sure to provide the apiKey):
#!/bin/bash
### Expected to be run on each device as a Script from Addigy.
####################################### Variables #######################################
# Get the hardware UUID of the Mac
udid=$(ioreg -ad2 -c IOPlatformExpertDevice | plutil -extract IORegistryEntryChildren.0.IOPlatformUUID raw -)
# Get the Addigy organization ID from the local agent
addigyOrgID=$(/Library/Addigy/go-agent agent orgid)
# Enter the API V2 key between the single quotes
apiKey=''
####################################### /Variables #######################################
# Stop early (with a non-zero exit so Addigy reports the failure) if the key was not filled in
if [ -z "$apiKey" ]; then
    echo "apiKey is empty; add your API v2 key before running this script" >&2
    exit 1
fi
# Use the Addigy API to reinstall the Addigy MDM enrollment profile.
# --fail turns an HTTP error response into a non-zero exit status.
curl -sS --fail -X POST "https://api.addigy.com/api/v2/o/$addigyOrgID/mdm/enrollment/profile/install" -H "accept: */*" -H "x-api-key: $apiKey" -H "Content-Type: application/json" -d "{\"udid\":\"$udid\"}"
Once you have the script ready, go ahead and run it on your devices. For steps on how to execute scripts on devices, follow this article: Creating and Running Scripts on Your Devices
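The same API call, rewritten as an added example (not Addigy's script) that reads the API key from the environment or a root-only file rather than the script body, validates the hardware UUID before embedding it in the JSON body, and treats an HTTP error as a failed run. The endpoint and agent command are the ones from the article; the ADDIGY_API_KEY variable, the /Library/Addigy/api_key path and the --run flag are assumptions.

```shell
#!/bin/bash
# Added example: hardened version of the enrollment-profile reinstall call.
# Assumes the API v2 endpoint shown in the article and that the key is supplied
# via ADDIGY_API_KEY or /Library/Addigy/api_key (assumed path, mode 0600, root-owned).
set -eu

# Return 0 if the argument looks like a hardware UUID (8-4-4-4-12 hex), else 1.
valid_udid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Build the JSON body for the profile/install endpoint; refuses anything that
# is not a UUID so an unexpected ioreg result cannot corrupt the request.
build_payload() {
    valid_udid "$1" || return 1
    printf '{"udid":"%s"}' "$1"
}

# Load the API key without ever writing it into the script itself.
load_api_key() {
    if [ -n "${ADDIGY_API_KEY:-}" ]; then
        printf '%s' "$ADDIGY_API_KEY"
    elif [ -r /Library/Addigy/api_key ]; then
        tr -d '\n' < /Library/Addigy/api_key
    else
        return 1
    fi
}

# Reinstall the MDM enrollment profile for this device.
# curl --fail makes a 4xx/5xx reply a non-zero exit, so Addigy shows the run as failed.
reinstall_profile() {
    local org_id udid key payload
    udid=$(ioreg -ad2 -c IOPlatformExpertDevice | plutil -extract IORegistryEntryChildren.0.IOPlatformUUID raw -)
    org_id=$(/Library/Addigy/go-agent agent orgid)
    key=$(load_api_key) || { echo "no API key available" >&2; return 1; }
    payload=$(build_payload "$udid") || { echo "unexpected UUID value: $udid" >&2; return 1; }
    curl -sS --fail -X POST \
        "https://api.addigy.com/api/v2/o/$org_id/mdm/enrollment/profile/install" \
        -H "accept: */*" -H "x-api-key: $key" -H "Content-Type: application/json" \
        -d "$payload"
}

# Only contact the API when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    reinstall_profile
fi
```

Run it from Addigy as `script.sh --run` with ADDIGY_API_KEY set in the environment (or the key file in place); the helper functions do nothing on their own.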
Note: At the moment, there is no way to view the status of this warning on the device outside of manually checking System Settings > Profiles. Should a method become available, we will do our best to update this article with this information.
Option 2: Allowing MDM to Manage Kernel Extensions and Software Updates (Reduced Security)
These instructions have been pulled directly from Apple's support article: Change startup disk security settings on a Mac with Apple silicon. As of the publication of this document, there is no way to enable this functionality remotely.
- On a Mac with Apple silicon, choose Apple menu > Shut Down.
- Press and hold the power button until "Loading startup options" appears on the screen.
- Click Options, then click Continue. If requested, enter the password for an administrator account. Your Mac will open in Recovery mode.
- In macOS Recovery, choose Utilities > Startup Security Utility.
- Select the startup disk you want to use to set the security policy. If the disk is encrypted with FileVault, click Unlock, enter the password, then click Unlock.
- Click Security Policy.
- Review the following security options:
    - Full Security: Ensures that only your current OS, or signed operating system software currently trusted by Apple, can run. This mode requires a network connection at software installation time.
    - Reduced Security: Allows any version of signed operating system software ever trusted by Apple to run.
- Select Reduced Security, enter your administrator user name and password, then complete the following:
    - Select the "Allow user management of kernel extensions from identified developers" checkbox to allow the installation of software that uses legacy kernel extensions.
    - Select the "Allow remote management of kernel extensions and automatic software updates" checkbox to authorize remote management of legacy kernel extensions and software updates using an MDM solution.
- Click OK.
- Restart your Mac for the changes to take effect.
Your device should now no longer have the warning message.
FAQ:
Q: How can I remotely view if a device is in Reduced Security?
A: The "Secure Boot Level" device fact will reflect either "full" or "medium" depending on the level of security configured.
Q: A device has Reduced Security, but I still cannot deploy KEXTs or leverage managed software updates via MDM.
A: If you are still not able to perform the actions allowed via Reduced Security, please submit a ticket by emailing support@addigy.com or using this link: https://addigy.zendesk.com/agent/