With the release of Apple silicon (M1) devices, Apple has changed which MDM permissions are granted when a device is enrolled outside of Apple Business Manager or Apple School Manager. When a device is enrolled via an Enrollment Profile or BYOD (User Enrollment), a warning message is shown in the Profiles pane of System Preferences.
Note: If a device is enrolled via Automated Device Enrollment, the warning box below will not appear, because the device has a trusted chain of ownership.
More information about this change can be found in Apple's Support documentation: Change startup disk security settings on a Mac with Apple silicon
The warning message below will only show on devices that meet the following criteria:
- macOS Big Sur 11.0 or newer
- Apple silicon-based Mac
- Enrolled via Device Enrollment (.mobileconfig profile) or User Enrollment (BYOD)
Note: The "This MDM server requests the ability to manage" warning message only affects kernel extensions and software updates. All other management functions continue to work as expected as of the date this document was posted.
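The following shell script is an added example for administrators checking a fleet, not code from Addigy's or Apple's documentation. It applies the three criteria above to a Mac and reports whether the warning is expected: the macOS version from sw_vers, the architecture from uname, and the enrollment type from profiles status. The exact wording of the profiles output ("Enrolled via DEP: Yes/No" and "MDM enrollment: ...") is assumed here; the sample status strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Addigy's or Apple's code). Decides whether a Mac meets the
# criteria for the "This MDM server requests the ability to manage" warning:
# macOS 11 or newer, Apple silicon, and enrolled via a profile or User
# Enrollment (BYOD) rather than Automated Device Enrollment.
#
# Inputs normally come from `sw_vers -productVersion`, `uname -m` and
# `profiles status -type enrollment`. The line formats
# "Enrolled via DEP: Yes|No" and "MDM enrollment: Yes (User Approved)|No" are
# an assumption about that tool's output.

# meets_warning_criteria VERSION ARCH ENROLLMENT_STATUS
# Prints one line beginning with "warning-expected", "no-warning" or "unknown".
# Returns 0 when the warning is expected, 1 when it is not, 2 when undecidable.
meets_warning_criteria() {
  version=$1
  arch=$2
  status=$3
  major=${version%%.*}

  case "$major" in
    ''|*[!0-9]*)
      echo "unknown: unrecognised version string '$version'"
      return 2 ;;
  esac
  if [ "$major" -lt 11 ]; then
    echo "no-warning: macOS $version is older than Big Sur 11.0"
    return 1
  fi
  if [ "$arch" != "arm64" ]; then
    echo "no-warning: architecture $arch is not Apple silicon"
    return 1
  fi
  if [ -z "$status" ]; then
    echo "unknown: enrollment status unavailable (run profiles as an administrator)"
    return 2
  fi
  case "$status" in
    *"MDM enrollment: No"*)
      echo "no-warning: device is not MDM enrolled"
      return 1 ;;
  esac
  case "$status" in
    *"Enrolled via DEP: Yes"*)
      echo "no-warning: Automated Device Enrollment gives a trusted chain of ownership"
      return 1 ;;
  esac
  echo "warning-expected: profile or BYOD enrollment on Apple silicon running macOS $version"
  return 0
}

# check_this_mac: evaluate the Mac the script is running on.
check_this_mac() {
  meets_warning_criteria \
    "$(sw_vers -productVersion)" \
    "$(uname -m)" \
    "$(profiles status -type enrollment 2>/dev/null)"
}

# Only call the macOS tools when they exist, so the functions can also be
# loaded and exercised on another system with constructed inputs, e.g.
#   meets_warning_criteria "11.2.3" "arm64" "Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)"
if command -v sw_vers >/dev/null 2>&1 && command -v profiles >/dev/null 2>&1; then
  check_this_mac
fi
```

Run the script on the Mac itself, or feed it the values collected by your inventory tool; a "warning-expected" result for a device that still shows the warning is normal, and the Reduced Security procedure below is the only way to clear it.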
Allowing MDM to Manage Kernel Extensions and Software Updates
These instructions are taken directly from Apple's support article: Change startup disk security settings on a Mac with Apple silicon. As of this document's publication, there is no way to enable this functionality remotely.
- On a Mac with Apple silicon, choose Apple menu > Shut Down.
- Press and hold the power button until "Loading startup options" appears on the screen.
- Click Options, then click Continue. If requested, enter the password for an administrator account. Your Mac will open in Recovery mode.
- In macOS Recovery, choose Utilities > Startup Security Utility.
- Select the startup disk you want to use to set the security policy. If the disk is encrypted with FileVault, click Unlock, enter the password, then click Unlock.
- Click Security Policy.
- Review the following security options:
  - Full Security: Ensures that only your current OS, or signed operating system software currently trusted by Apple, can run. This mode requires a network connection at software installation time.
  - Reduced Security: Allows any version of signed operating system software ever trusted by Apple to run.
- Select Reduced Security, enter your administrator user name and password, then complete the following:
  - Select the Allow user management of kernel extensions from identified developers checkbox to allow the installation of software that uses legacy kernel extensions.
  - Select the Allow remote management of kernel extensions and automatic software updates checkbox to authorize remote management of legacy kernel extensions and software updates using an MDM solution.
- Click OK.
- Restart your Mac for the changes to take effect.
Your device should now no longer have the warning message.
FAQ:
Q: How can I remotely view if a device is in Reduced Security?
A: The "Secure Boot Level" device fact will reflect either "full" or "medium" depending on the level of security configured.
Q: A device is in Reduced Security, but I still cannot deploy KEXTs or use managed software updates via MDM.
A: If you are still not able to perform the actions allowed via Reduced Security, please submit a ticket by emailing support@addigy.com or using this link: https://addigy.zendesk.com/agent/