Jamf Nation Community

I discovered the device i was running on Apple configurator was the root of the issue. Apparently it was too low on storage.  This caused the "The operation couldn’t be completed. No space left on device [NSPOSIXErrorDomain – 0x1C (28)]" error.

DFU Restore for the win, thank you gentlemen @Tribruin @AJPinto 

That will do it, I'm glad you got things sorted out. Cheers!!!

The device is in a state where the MDM cannot interact with it, and you are needing assistance with reviving the device which has nothing to do with MDM and something Apple will assist with. The [NSPOSIXErrorDomain – 0x1C (28)] error also nothing to do with MDM, I recommend telling apple you want a diagnostics run on the device. They will need to revive it themselves before being able to run the diagnostics, and these diagnostics are free.

DFU mode does not care about available disk space as it formats the disk, and the IPSW is downloaded to the device with Apple Configurator before anything happens. Just to be sure, in Apple Configurator does the device show up with DFU over the icon?

https://support.apple.com/en-us/108900

Yes. The device shows up with DFU over the icon. I begin the restore process and then get hit that error code. Tried reviving as well and get the same error.  Apple phone support said all they would try doing is DFU restore onsite.

Been told multiple times that DFU restore wont work even if it goes through.  I also ran this whole scenario through chatgpt and it came up with this conclusion (would love to prove it wrong).

"DFU restore doesn’t work because the Secure Enclave lock (Remote Lock PIN) persists independently of the operating system or firmware, and blocks all erase or restore attempts until the correct PIN is entered or the logic board is replaced"

Just to confirm, you used the Remote Lock command in Jamf and it is a six digit code that is being requested?

Is this Apple Silicon or Intel?

I can confirm that doing a DFU restore on an Apple Silicon computer is enough. I have done it personally and walked my deskside support team through the process several times. So, like AJPInto says, if DFU is not working, there is something else going on with that Mac. 

Yes, this is for the Remote Lock command in Jamf and it is a six digit code that is being requested. Yes, Apple Silicon. (M2 Macbook Air)

The error code is referring to the storage on the locked macbook.  Here's more info from ChatGPT if you are curious:

The DFU restore failed because the device had a Remote Lock with a 6-digit PIN issued via Jamf Pro (MDM). Here's why that blocks restoration:

1. Remote Lock PIN Is Stored in the Secure Enclave

• When a Remote Lock is issued via Jamf with a PIN, that PIN is stored inside the Secure Enclave on the Mac’s logic board.

• This lock is hardware-enforced and not tied to the operating system, disk, or firmware.

• Once active, the device cannot boot or accept any reinstallation without the correct PIN.

2. DFU Restore Can’t Override Secure Enclave Locks

DFU Restore (Device Firmware Update):

• Wipes and reinstalls macOS, firmware, and recoveryOS

• But does not erase or reset the Secure Enclave

As a result:

• Even after DFU restore, the Secure Enclave enforces the PIN lock

• Any attempt to write to locked system partitions fails

3. Error Code Confirms It

The failure during restore showed this error:

This happens because:

• The Secure Enclave prevents APFS volumes from mounting

• Apple Configurator (or cfgutil) cannot partition or write to system volumes

• It's a low-level access denial, not an actual storage capacity issue

DFU restore doesn’t work because the Secure Enclave lock (Remote Lock PIN) persists independently of the operating system or firmware, and blocks all erase or restore attempts until the correct PIN is entered or the logic board is replaced.

Did ChatGPT cite its sources? ChatGPT is good at many things, but it can be wrong. 

All I can say is that I have done this MANY times, so I will take my personal experience over ChatGPT. 

❌ Why DFU Restore Doesn’t Remove MDM Remote Lock PIN

🔐 1. Remote Lock PIN Is Stored in the Secure Enclave

When a Remote Lock command is issued via MDM (Mobile Device Management), such as Jamf Pro, the six-digit PIN is stored within the device's Secure Enclave. This hardware component is part of the logic board and is designed to securely manage sensitive information. As a result:

• The lock is hardware-enforced and persists independently of the operating system or firmware.

• Standard software-based methods, including DFU restores, cannot remove this lock.

Source: Lock and locate Apple devices – Apple Support

🧱 2. DFU Restore Doesn’t Reset the Secure Enclave

A DFU restore reinstalls the firmware and operating system but does not affect the Secure Enclave. Therefore:

• The Remote Lock PIN remains intact after a DFU restore.

• The device continues to prompt for the PIN upon startup, rendering the restore ineffective in removing the lock.

Source: Revive or restore a Mac with Apple silicon using Apple Configurator – Apple Support

📛 3. Error Code Indicates Secure Enclave Enforcement

During a DFU restore attempt, you might encounter the following error:

This error suggests that the Secure Enclave is preventing access to necessary system partitions, not that the device's storage is full.

Source: M1 mini bricked w code NSPOSIXErrorDomain – Apple Community

✅ Resolution: Logic Board Replacement

Since the Secure Enclave is integral to the logic board, replacing the logic board effectively removes the stored Remote Lock PIN. This process:

• Installs a new Secure Enclave without the previous lock.

• Allows the device to boot normally and be set up anew.

Note: Ensure that the device is unassigned from MDM in Apple Business Manager before service to prevent re-enrollment issues.

Source: Clearing MDM lock on Apple Silicon Macs when passcode has been lost – Der Flounder