Subscribe to Help Center RSS FeedBinding a custom MDM configuration profile policy to an Apple Silicon device results in error:
"detail": "[\"error_code\":10, \"error_domain\":\"SPErrorDomain\", \"localized_description\":\"The current system configuration does not allow the requested operation\",\"us_english_description\":\"\"}]",
"The current system configuration does not allow the requested operation\" indicates that the policy contains a kernel extension, deprecated by Apple starting with macOS 10.15. As a result, configuration profiles containing a payload for kernel extensions that are bound to Apple Silicon devices will fail to deploy.
To resolve this issue, remove the kernel extensions from the .mobileconfig file before re-deploying the MDM command.
If your .mobileconfig file is signed, you will need to unsign it to convert it to an editable text file in XML format. Software such as the is useful for signing & unsigning configuration profiles.
To edit the .mobileconfig file:
- Open the unsigned .mobileconfig profile using any plain text editing application such as BBEdit, VSCode, vi, emacs. Do not use Microsoft Word, TextEdit, or other rich text editing applications.
- Locate and remove the sections of the .mobileconfig file that reference kernel extensions.
- Search for the XML element
<key>AllowedKernelExtensions</key>- Note that the key will be nested within a
<dict> ... </dict>structure. The entire dictionary element must be removed.
- Note that the key will be nested within a
- Select the opening
<dict>element through the closing</dict>element and delete.
- Search for the XML element
- Save the edited file as a new plaintext document with the .mobileconfig file extension.
- Upload the updated profile to the custom MDM policy in ̽»¨´óÉñ. See Create a Mac or iOS MDM Custom Configuration Profile Policy.
- Bind the new policy to the device.