Apple has changed how System Updates for devices on M1 and Big Sur are preformed and they will now require manual interaction by an admin end-user with a Secure Token to input their password in order to perform the update for the following update use cases:
- The end-user going to the System Preferences > Software Updates and clicking Update themselves. This will require admin credentials.
- Using the Policies page > Updates tab which will leverage the softwareupdate native tool
Note: Using the Policies page to update will only prompt the user to install using System Preferences. This is due to Apple restricting the functionality of their softwareupdate CLI tool. - Using the GoLive page > Updates tab on a device without MDM and:
A.) bootstrap token escrowed (This will be done after enrolling via MDM, to verify this, check out How to Verify the macOS Bootstrap Token Was Escrowed)
B.) (Devices not enrolled via Automated Device Enrollment) Allowing remote management of kernel extensions and automatic software updates
Note: The only use case that would not require end-user interaction would be using the GoLive page method mentioned above which uses MDM when meeting the criteria of A and B
If you see the following warning on your device, check out our How to fix the Kernel Extensions and Software Updates Warning on Apple Silicon