Solved

Secure Token Access enabled - still incompatible in console

  • 19 July 2023
  • 5 replies
  • 380 views


I noticed that this question was brought up in another thread, but was not addressed.

I have a computer that verifies that secure token access is enabled, but in the console it still shows as “not-compatible”, citing missing secure token access. I also tried using the Automox-provided worklet to update the access, and it indicates that the token access is already enabled.

I have removed and readded the agent with the same issue. 

Has anyone been able to resolve this?

OS: OS X (13.4.1 (c))

CPU: Apple M1 Pro

RAM 32 GB

Agent 1.42.22

Thank you

Best answer by JohnG-Automox 20 July 2023, 15:36

5 replies


Hi @Morgan!

I recommend trying the steps documented in this KB article: https://help.automox.com/hc/en-us/articles/7454299464340-M1-Secure-Token-Issues-on-Agent-39

The most important part is removing the Automox Service account first, uninstalling the agent, reinstalling, and then re-adding the Automox Service account with the Secure Token Access.

Our Solutions Consultant team also put together a script that can help with automating the process. If you decide to use the script, be sure to input your Automox ACCESSKEY in the script variable.

#!/bin/bash

#================================================================
# HEADER
#================================================================
# SYNOPSIS
# Reinstall Automox Agent and Correct Automox Service Account.
#
# DESCRIPTION
# This script will reinstall Automox on macOS with the latest version (1.42.22 at the time of writing).
# The purpose of this script is to clear out the Agent and Automox Service Account to correct SecureToken passing.
# Once the agent is reinstalled, the user will be prompted to enter their current password securely.
# If correct, the script will exit 0. On failure, the script will exit with a non-zero code.
#
#
# REQUIREMENTS
# 1. Your Agent Access Key to add to the Variable below.
# 2. A Configuration Profile deployed to Monterey and Ventura devices allowing Full Disk Access to Terminal, so we may remove the Automox Service Account.
# 3. A third-party deployment solution, as the script will attempt to re-install the agent, which is not recommended with an Automox Worklet.
# 4. The current logged in user needs Administrative access to their machine, however you may bypass this by commenting out "checkAdminStatus" at the beginning of the script.
# 4a. Note: If you comment out the line, the Automox Agent will still reinstall but the Secure Token passing will fail.
#
# USAGE
# ./MacOS_Service_Account_Corrrection.sh
#
#================================================================
# IMPLEMENTATION
# version CSE-8483 MacOS - Reinstall Agent and Fix Service Account (www.automox.com) 1.0
# author Kyle Gregg
#
#================================================================
# HISTORY
# 04/26/2023 : Kyle Gregg : Script creation
#
#
#================================================================
# END_OF_HEADER
#================================================================


#================================================================
# Enter your Agent Access Key into the Variable below.
# i.e. ACCESSKEY="12345678-5467-5325-44364275"
ACCESSKEY=""
#================================================================


#================================================================
# Please do not modify these variables.
AutomoxLoc="/usr/local/bin/amagent"
LatestAgentCheck=$("${AutomoxLoc}" --help 2>&1 | grep -o "1.42.22")   # Note: evaluated before the reinstall below.
AXServiceAccount=$(dscl . list /Users 2>&1 | grep -o _automoxserviceaccount)   # empty when the account does not exist
CurrentUser=$(stat -f %Su /dev/console)
AdminUser=$(id -Gn "$CurrentUser" | grep -w -o "admin" | head -1)
#================================================================


#================================================================
# Please do not modify these functions.

# Provides a function to allow Automox to read the Error Message upon an Exit 1.
function errMessage() {
echo "$1" >&2
}
# Function to install latest Automox Agent.
# Refuses to run with an empty ACCESSKEY, and curl -f makes an HTTP error yield no input to bash.
function installLatestAgent() {
if [[ -z "${ACCESSKEY}" ]]; then
errMessage "ACCESSKEY is empty; set your Agent Access Key in the variable at the top of the script."
exit 1
fi
curl -fsS "https://console.automox.com/downloadInstaller?accesskey=$ACCESSKEY" | sudo bash
}

# Function to remove Automox Agent.
function removeAgent() {
sudo /usr/local/bin/amagent --deregister
sudo launchctl unload /Library/LaunchDaemons/com.automox.agent.plist
sudo rm -f /usr/local/bin/amagent
sudo rm -rf "/Library/Application Support/Automox/"
}

# Function to remove Automox Service Account.
# AXServiceAccount holds the account name when dscl listed it and is empty otherwise,
# so the test is for a non-empty string, not for a directory.
function removeServiceAccount() {
if [[ -n "${AXServiceAccount}" ]]; then
echo "Automox Service Account found, attempting removal..."
sudo dscl . delete /Users/_automoxserviceaccount
sleep 5
fi
}

# Function to check if current user is Administrator.
function checkAdminStatus() {
if [[ "${AdminUser}" != "admin" ]]; then
errMessage "Current user is not an admin, exiting script as SecureToken passing will not be feasible with this method."
exit 1
fi
}

# Function to Enable Secure Token.
function enableSecureToken () {
sudo /usr/local/bin/amagent --automox-service-account enable
sleep 1
sudo /usr/local/bin/amagent --automox-user-prompt enable
sleep 2
}

# Function to ensure latest Automox agent is installed.
# The agent path is a file, so test for an executable; the version string is re-read
# here because the value captured at the top of the script predates the reinstall.
function checkAgentInstall () {
InstalledVersion=$("${AutomoxLoc}" --help 2>&1 | grep -o "1.42.22")
if [[ ! -x "${AutomoxLoc}" ]]; then
errMessage "Latest agent did not get installed successfully, exiting script."
exit 1
fi
echo "Latest Agent Installed successfully, agent version is ${InstalledVersion:-unknown}."
}

# Function to check Secure Token status of Automox Service Account.
function checkSecureTokenStatus () {
AXSecureToken=$(sysadminctl -secureTokenStatus _automoxserviceaccount 2>&1 | grep -o "ENABLED")
if [[ "${AXSecureToken}" == "ENABLED" ]]; then
echo "Secure Token is enabled on the Automox Service Account. Script completed successfully."
exit 0
else
errMessage "Secure Token did not get passed successfully to the Automox Service Account."
exit 1
fi
}

#================================================================





#================================================================
# BEGIN SCRIPT
#================================================================

# Checks to see if current user is admin.
# If you want to ignore this check and reinstall anyway, comment out the line below.
checkAdminStatus

# Uninstalls the Automox Agent if its binary is on the device, then removes a leftover
# Automox Service Account (removeServiceAccount checks for the account itself), so a
# stale account is cleared even when the agent binary is already gone.
if [[ -x "${AutomoxLoc}" ]]; then
echo "Automox installed, starting uninstall process."
removeAgent
fi
removeServiceAccount

# Begin installation of latest Automox Agent.
installLatestAgent

# Pass SecureToken from user
enableSecureToken

# Check to see if Automox Agent 1.42.22 got installed properly.
checkAgentInstall

# Check to see if the Automox Agent has SecureToken
checkSecureTokenStatus


Note that both methods (the KB article steps and/or the bash script) will require you to run them locally on the device with an administrator account, or be deployed through an MDM. You will not be able to utilize these methods through a worklet.

If you are continuing to experience issues, please open up a Support ticket with our team so they can further assist:  https://help.automox.com/

Have a great day!
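Before (or after) running the reinstall, it helps to record the local Secure Token signals the console is disagreeing with, so a support ticket carries more than "sysadminctl says ENABLED". The diagnostic below is an added example, not Automox's script and not code from the thread. It assumes the service account name `_automoxserviceaccount` and the agent path `/usr/local/bin/amagent` from the posts above, assumes `sysadminctl -secureTokenStatus` prints "Secure token is ENABLED/DISABLED for user ...", and cross-checks that status against a second local signal: whether the account's GeneratedUID appears in `diskutil apfs listCryptoUsers /`, which lists the accounts that actually hold a key to the boot volume. The sample command output embedded in the block is constructed, not captured from a device; run the script with `--live` on the Mac itself (as an admin, with sudo) to query the real system.

```shell
#!/bin/bash
# Added diagnostic (not Automox's script and not from the thread): gathers the
# local Secure Token signals for the Automox service account so they can be
# compared with what the console reports. Without arguments it only defines
# the functions and a demo over constructed sample output; pass --live on the
# Mac itself (as an admin, with sudo for diskutil/sysadminctl) to query the system.

AX_ACCOUNT="_automoxserviceaccount"   # service account name, as used in the thread
AMAGENT="/usr/local/bin/amagent"      # agent binary path, as used in the thread

# Reduce `sysadminctl -secureTokenStatus <user>` output to ENABLED / DISABLED / UNKNOWN.
# Assumes the wording "Secure token is ENABLED for user ..." / "... DISABLED for user ...".
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Return 0 if a GeneratedUID ($1) appears in `diskutil apfs listCryptoUsers /` output ($2),
# i.e. the account really holds a key that can unlock the boot volume. Case-insensitive.
guid_in_crypto_users() {
    printf '%s\n' "$2" | grep -qi -- "$1"
}

# Combine the signals into one verdict:
#   MISSING_ACCOUNT  service account is not in the local directory
#   TOKEN_OK         sysadminctl says ENABLED and the account is a crypto user
#   TOKEN_MISSING    sysadminctl says DISABLED and the account is not a crypto user
#   INCONSISTENT     the two local signals disagree (worth including in a support ticket)
classify() {
    account_exists="$1" token_status="$2" crypto_user="$3"
    if [ "$account_exists" != yes ]; then echo MISSING_ACCOUNT; return; fi
    if [ "$token_status" = ENABLED ] && [ "$crypto_user" = yes ]; then echo TOKEN_OK; return; fi
    if [ "$token_status" = DISABLED ] && [ "$crypto_user" = no ]; then echo TOKEN_MISSING; return; fi
    echo INCONSISTENT
}

# Constructed sample output (not captured from a real device) so the logic runs anywhere.
SAMPLE_STATUS='sysadminctl[812:9876] Secure token is ENABLED for user _automoxserviceaccount'
SAMPLE_GUID='7E9A3D4B-1C2F-4E88-9A01-ABCDEF012345'
SAMPLE_CRYPTO_USERS='Cryptographic users for disk3s1 (2 found)
|
+-- 7E9A3D4B-1C2F-4E88-9A01-ABCDEF012345
    Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: iCloud Recovery User'

# Verdict for the constructed sample (account present, ENABLED, GUID listed): TOKEN_OK.
demo() {
    status=$(parse_secure_token_status "$SAMPLE_STATUS")
    if guid_in_crypto_users "$SAMPLE_GUID" "$SAMPLE_CRYPTO_USERS"; then crypto=yes; else crypto=no; fi
    classify yes "$status" "$crypto"
}

# Live collection on the Mac itself (macOS-only commands: dscl, sysadminctl, diskutil).
live_check() {
    if dscl . -read "/Users/$AX_ACCOUNT" >/dev/null 2>&1; then exists=yes; else exists=no; fi
    guid=$(dscl . -read "/Users/$AX_ACCOUNT" GeneratedUID 2>/dev/null | awk '{print $2}')
    status=$(parse_secure_token_status "$(sysadminctl -secureTokenStatus "$AX_ACCOUNT" 2>&1)")
    if [ -n "$guid" ] && guid_in_crypto_users "$guid" "$(diskutil apfs listCryptoUsers / 2>/dev/null)"; then
        crypto=yes
    else
        crypto=no
    fi
    if [ -x "$AMAGENT" ]; then agent=present; else agent=absent; fi
    echo "account=$exists guid=${guid:-none} secure_token=$status crypto_user=$crypto agent_binary=$agent"
    echo "verdict=$(classify "$exists" "$status" "$crypto")"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

A verdict of TOKEN_OK while the console still reports the device as not compatible means the device-side state is fine and the problem is in what the agent reports upstream; INCONSISTENT (ENABLED but no crypto-user entry, or the reverse) is the case the reinstall in the script above is meant to clear, and the one-line summary is what to paste into the ticket.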


Thanks for providing a suggestion @JohnG-Automox

I haven’t had a chance to try it out, but when I do, I will let you know if it was successful.

I have the same issue. I’ve tried manually removing this agent and reinstalling it, which does not seem to work; I have tried multiple times. The ticket is still sitting with Automox. This seems to be a consistent pattern throughout the Apple Silicon series.

No updates on this yet


Hi @jasen,

We have released a new worklet in the Catalog to assist with the provisioning of the Secure Token:

MacOS - Configuration - Enable Apple Silicon Patching

This worklet will ensure that the Automox Service account exists on a device and that the secure token is enabled for it.

I hope this helps!
