If you can’t use MDM to install kernel extension policies or software updates on a Mac with Apple silicon

Learn what to do if kernel extension policies or software updates fail to install on Mac computers managed with MDM.

This article is intended for MDM administrators.

The steps in this article apply to Mac computers with Apple silicon that meet both of the following requirements:

  • Enrolled in MDM with Automated Device Enrollment.
  • Restored with Apple Configurator 2 or erased and reinstalled in macOS Recovery between 2021-07-21 and 2021-08-03.

Devices that meet the above criteria may be unable to install kernel extension policies or software updates using MDM. Software updates using System Preferences may also fail. If a software update fails due to this issue, the mdmclient process logs the following error:

BootPolicy: bootpolicy_mdm_update_dep_mode: exit: OIK/OIC mismatch

To resolve this issue, erase and install macOS, or choose another option below if available for your device configuration. Before you proceed, make sure to back up any user information.

Erase and install macOS

Start up from macOS Recovery, then erase the Mac and reinstall macOS.

You can also use another Mac and Apple Configurator 2 to restore the Mac.

Other resolution options

Depending on device configuration and your institutional policies, you can use one of the following options instead of erasing and reinstalling macOS.

Use the MDM DeviceLock command

On a Mac with macOS 11.4 or earlier, you can use the MDM DeviceLock command if you have the password of a local or mobile administrator account that has a secure token.

  1. Use MDM to send the DeviceLock command. The Mac restarts to the Activate Mac screen.
  2. Select a local admin user and click Next.
  3. Enter the user’s password and click Continue.
  4. When activation is complete, click Restart.

Enable or disable Activation Lock

If your institution allows Activation Lock with personal iCloud accounts, the user can enable Find My to resolve the issue. If Find My is already enabled, the user can disable it and optionally re-enable it to resolve the issue.

If Activation Lock with personal iCloud accounts is not currently allowed, use the following steps to allow it to resolve the issue:

  1. Use MDM to get the Bypass Code for Activation Lock.
  2. Use MDM to send the ActivationLockAllowedWhileSupervised = True setting to the device.
  3. If a personal iCloud account is not currently signed in, sign in and enable Find My.
  4. If you want to prevent the user from re-enabling Find My, sign out of the personal iCloud account and use MDM to send ActivationLockAllowedWhileSupervised = False to the device.

Verify the issue is resolved

Run sudo bputil -d on a device before and after performing one of the options above. Locate the values for Local Policy Nonce Hash and Remote Policy Nonce Hash. Verify that the before and after values are different.

To verify that the issue is resolved after following any of the options above, do one of the following:

  • Install a kernel extension policy payload using MDM.
  • Install a software update using System Preferences or MDM.
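The following script is an added example, not part of Apple's article: it compares the Local Policy Nonce Hash and Remote Policy Nonce Hash values from two saved `sudo bputil -d` captures (taken before and after remediation) and checks a saved mdmclient log excerpt for the error quoted above. Only the two field names and the error string come from the article; the sample captures are constructed, and the exact layout of real bputil output may differ.

```shell
#!/bin/sh
# Added example, not from Apple's article: confirm remediation by comparing the
# Local/Remote Policy Nonce Hash values from two saved `sudo bputil -d` captures,
# and check a saved mdmclient log excerpt for the article's OIK/OIC error.
# Only the field names and the error string come from the article; the sample
# text below is constructed and real bputil output may be laid out differently.

# Print the value that follows "<label>:" in a bputil -d capture (empty if absent).
nonce_hash() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Exit 0 when both nonce hashes differ between the captures, 1 when either is
# unchanged (the fix did not take effect), 2 when a field is missing.
nonces_changed() {
    for label in "Local Policy Nonce Hash" "Remote Policy Nonce Hash"; do
        before_hash=$(nonce_hash "$label" "$1")
        after_hash=$(nonce_hash "$label" "$2")
        [ -n "$before_hash" ] && [ -n "$after_hash" ] || return 2
        [ "$before_hash" != "$after_hash" ] || return 1
    done
    return 0
}

# Exit 0 if the mdmclient error from the article appears in a log excerpt
# (capture one on the Mac with: log show --predicate 'process == "mdmclient"' --last 1d).
has_oik_oic_mismatch() {
    printf '%s\n' "$1" | grep -q 'bootpolicy_mdm_update_dep_mode: exit: OIK/OIC mismatch'
}

# Constructed sample captures (shortened hashes; only the labels matter here).
BEFORE='Current OS environment:
OS Type                         : macOS
Local Policy Nonce Hash: 1111aaaa
Remote Policy Nonce Hash: 2222bbbb'
AFTER='Current OS environment:
OS Type                         : macOS
Local Policy Nonce Hash: 3333cccc
Remote Policy Nonce Hash: 4444dddd'
LOG_SAMPLE='mdmclient: BootPolicy: bootpolicy_mdm_update_dep_mode: exit: OIK/OIC mismatch'

if has_oik_oic_mismatch "$LOG_SAMPLE"; then
    echo "mdmclient reported the OIK/OIC mismatch; device is affected."
fi
if nonces_changed "$BEFORE" "$AFTER"; then
    echo "Both policy nonce hashes changed: remediation took effect."
else
    echo "A nonce hash is unchanged or missing: erase and install macOS instead."
fi
```

On a real device, save the output of `sudo bputil -d` to a file before and after remediation and pass the two file contents to `nonces_changed`; a return of 1 means the boot policy was not regenerated and the erase-and-install path is needed.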

If the issue persists, follow the steps to erase and install macOS.
