Reading the apple support documentation (https://support.apple.com/en-us/HT211860) It seems in order to support Kernel extensions or software updates on M1 macs you need use ADE or change the security policy in Recovery to allow this. We currently do not have ADE setup. So it looks like we need to change this recovery setting. There is a setting that you can add to the MDM profile, PromptUserToAllowBootstrapTokenForAuthentication , that will prompt the user to do this. I can not find where in Jamf I would add this setting. Anyone know?