
I’ve been running a script in our labs for the last couple of years to do macOS updates after caching the installer onto devices. The script is this:

/usr/bin/su -l ladmin -c "echo ADMINPASSWORD | /Applications/Install\ macOS\ Sequoia.app/Contents/Resources/startosinstall --nointeraction --agreetolicense --forcequitapps  --user ADMINACCOUNT --stdinpass"

This has worked perfectly fine, and continues to work on our iMacs and Mac Minis, but when I’ve tried to update our MacBooks from Sonoma to Sequoia I’m being met with this bizarre message:

Result of command:

Error: You must be root to do this…

I don’t understand this at all, because as far as I was aware everything the Jamf binary does is already run as root. Is anybody able to shed any light as to why this is failing please?

Much thanks!

Not tested it here, but my copy of that command starts at the echo. The su command switches the user account that is running the rest of the command, in this case to a user called ladmin.


If they’re Apple silicon, I’m not surprised by this. Those require a password. Take a look at the DDM Software updates with the schedule feature. Your mileage may vary but it may work for you.


This was my thought. The predefining command with the user defined and password shows that it’s for Intel devices. M devices won’t work like that.

Also, just use the software update commands via jamf and done and done.  Use MDM for what it’s meant for 😊


For reference though I’ve used and continue to use this policy on Apple Silicon devices that aren’t MacBooks and it works absolutely fine. I’ve only experienced this on the MacBook Pros I’ve tried it on.

 


@Fwatson Do you have FileVault active? That was an issue for us. The Bootstrap Token was not escrowed correctly and the Admin was not allowed to do Updates.

Open Terminal and switch to your Admin User.

sudo profiles status -type bootstraptoken

If the Answer looks like this, you might run some additional commands.

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO

I would then recommend running those commands:

sudo profiles install -type bootstraptoken 
sudo profiles status -type bootstraptoken

After that, Bootstrap Token escrowed to server should be yes.

That’s worked for us.
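
The Bootstrap Token check from the reply above, written as a script that can be run across a fleet. This is an added example, not code from the thread. The state names and the `<result>` wrapper (the Jamf extension attribute output convention) are assumptions, and the sample text is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: classify the output of
#   profiles status -type bootstraptoken
# so Macs that support a Bootstrap Token but have not escrowed it can be found.

# Reads the command output on stdin and prints one state (names are assumptions):
#   escrowed | not_escrowed | unsupported | unknown
bootstrap_token_state() {
    bt_supported=""
    bt_escrowed=""
    while IFS= read -r bt_line || [ -n "$bt_line" ]; do
        case "$bt_line" in
            *"Bootstrap Token supported on server: "*) bt_supported="${bt_line##*: }" ;;
            *"Bootstrap Token escrowed to server: "*)  bt_escrowed="${bt_line##*: }" ;;
        esac
    done
    if [ "$bt_supported" = "NO" ]; then
        echo "unsupported"
    elif [ "$bt_escrowed" = "YES" ]; then
        echo "escrowed"
    elif [ "$bt_escrowed" = "NO" ]; then
        echo "not_escrowed"
    else
        echo "unknown"   # empty or unexpected output, e.g. not run as root
    fi
}

# Constructed sample, matching the two lines quoted in the thread.
sample='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

if command -v profiles >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # On a Mac, as root: query the real status.
    state="$(profiles status -type bootstraptoken 2>&1 | bootstrap_token_state)"
else
    # Anywhere else: run the parser over the constructed sample.
    state="$(printf '%s\n' "$sample" | bootstrap_token_state)"
fi

echo "<result>${state}</result>"
```
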