Solved

Secure Token Access enabled - still incompatible in console

  • 19 July 2023
  • 5 replies
  • 435 views
M
Badge

I noticed that this question was brought up in another thread, but was not addressed.

I have a computer that verifies that secure token access is enabled, but in the console it still shows as “not-compatible”, citing missing secure token access. I also try using the Automox provided worklet to update the access, and it indicates that the token access is already enabled. 

I have removed and readded the agent with the same issue. 

Has anyone been able to resolve this?

OS: OS X (13.4.1 (c))

CPU: Apple M1 Pro

RAM 32 GB

Agent 1.42.22

Thank you

icon

Best answer by JohnG-Automox 20 July 2023, 15:36

View original

5 replies

J
Userlevel 3

Hi @Morgan!

I recommend trying the steps documented in this KB article: https://help.automox.com/hc/en-us/articles/7454299464340-M1-Secure-Token-Issues-on-Agent-39

The most important part is removing the Automox Service account first, uninstalling the agent, reinstalling, and then re-adding the Automox Service account with the Secure Token Access.

Our Solutions Consultant team also put together a script that can help with automating the process. If you decide to use the script, be sure to input your Automox ACCESSKEY in the script variable.

#!/bin/bash

#================================================================
# HEADER
#================================================================
#  SYNOPSIS
#    Reinstall Automox Agent and Correct Automox Service Account.
#
#  DESCRIPTION
#    This script will reinstall Automox on MacOS with the latest version (1.42.22 at the time of writing.)
#    The purpose of this script it to clear out the Agent and Automox Service Account to correct SecureToken passing.
#	 Once the agent is reinstalled, the user will get prompted to enter their current password securely.
#    If correct, the script will exit 0. If on failure, the script will exit with a code.
#
#
#  REQUIREMENTS
#	1. Your Agent Access Key to add to the Variable below.
#	2. A Configuration Profile deployed to Monterey and Ventura devices allowing Full Disk Access to Terminal, so we may remove the Automox Service Account.
#	3. A third-party deployment solution, as the script will attempt to re-install the agent, which is not recommended with an Automox Worklet.
#   4. The current logged in user needs Administrative access to their machine, however you may bypass this by commenting out "checkAdminStatus" at the beginning of the script.
#		4a. Note: If you comment out the line, the Automox Agent will still reinstall but the Secure Token passing will fail.
#
#  USAGE
#    ./MacOS_Service_Account_Corrrection.sh
#
#================================================================
#  IMPLEMENTATION
#    version         CSE-8483 MacOS - Reinstall Agent and Fix Service Account  (www.automox.com) 1.0
#    author          Kyle Gregg
#
#================================================================
#  HISTORY
#     04/26/2023 : Kyle Gregg : Script creation
#     
# 
#================================================================
# END_OF_HEADER
#================================================================


#================================================================
# Enter your Agent Access Key into the Variable below.
# i.e. ACCESSKEY="12345678-5467-5325-44364275"
ACCESSKEY=""
#================================================================


#================================================================
 # Please do not modify these variables.
AutomoxLoc="/usr/local/bin/amagent"
LatestAgentCheck=$("${AutomoxLoc}" --help 2>&1 | grep -o "1.42.22")
AXServiceAccount=$(dscl . list /Users 2>&1 | grep -o _automoxserviceaccount)
CurrentUser=$(stat -f %Su /dev/console)
AdminUser=$(id -Gn $CurrentUser | grep -w -o "admin" | head -1)
#================================================================


#================================================================
# Please do not modify these functions.

# Provides a function to allow Automox to read the Error Message upon an Exit 1.
function errMessage() {
	echo "$1" >&2
}
# Function to install latest Automox Agent.
function installLatestAgent() {
	curl -sS "https://console.automox.com/downloadInstaller?accesskey=$ACCESSKEY" | sudo bash
}

# Function to remove Automox Agent.
function removeAgent() {
	sudo /usr/local/bin/amagent --deregister
	sudo launchctl unload /Library/LaunchDaemons/com.automox.agent.plist 
	sudo rm -f /usr/local/bin/amagent 
	sudo rm -rf "/Library/Application Support/Automox/"
}

# Function to remove Automox Service Account.
function removeServiceAccount() {
	if [[ ! -d "${AXServiceAccount}" ]]; then
	echo "Automox Service Acccount found, attempting removal..."
	sudo dscl . delete /Users/_automoxserviceaccount
	sleep 5
fi
}

# Function to check if current user is Administrator.
function checkAdminStatus() {
	if [[ "${AdminUser}" != "admin" ]]; then
	errMessage "Current user is not an admin, exiting script as SecureToken passing will not be feasible with this method."
	exit 1
fi
}

# Function to Enable Secure Token.
function enableSecureToken () {
	sudo /usr/local/bin/amagent --automox-service-account enable 
	sleep 1
	sudo /usr/local/bin/amagent --automox-user-prompt enable
	sleep 2
}

# Function to ensure latest Automox agent is installed.
function checkAgentInstall () {
	if [[ ! -d "${AutomoxLoc}" ]];
	then
		echo "Latest Agent Installed successfully, agent version is $LatestAgentCheck."
	else
		errMessage "Latest agent did not get installed successfully, exiting script."
		exit 1
fi
}

# Function to check Secure Token status of Automox Service Account.
function checkSecureTokenStatus () {
	AXSecureToken=$(sysadminctl -secureTokenStatus _automoxserviceaccount 2>&1 | grep -o "ENABLED")
	if [[ "${AXSecureToken}" == "ENABLED" ]]; then
		echo "Secure Token is enabled on the Automox Service Account. Script completed successfully."
		exit 0
	else
		errMessage "Secure Token did not get passed successfully to the Automox Service Account."
		exit 1
	fi
}

#================================================================





#================================================================
# BEGIN SCRIPT
#================================================================

# Checks to see if current user is admin.
# If you want to ignore this check and reinstall anyway, comment out the line below.
checkAdminStatus

# Uninstalls Automox Agent and Automox Service Account if both are on the device.
if [[ ! -d "${AutomoxLoc}" ]]; then
	echo "Automox installed, starting uninstall process."
	removeAgent
	removeServiceAccount
fi

# Begin installation of latest Automox Agent.
installLatestAgent

# Pass SecureToken from user
enableSecureToken

# Check to see if Automox Agent 1.42.22 got installed properly.
checkAgentInstall

# Check to see if the Automox Agent has SecureToken
checkSecureTokenStatus


Note that both methods (the KB article steps and/or the bash script) will require you to run them locally on the device with an administrator account, or be deployed through an MDM. You will not be able to utilize these methods through a worklet.

If you are continuing to experience issues, please open up a Support ticket with our team so they can further assist:  https://help.automox.com/

Have a great day!

M
Badge

Thanks for providing a suggestion @JohnG-Automox

I haven’t had a chance to try it out, but when I do, I will let you know if it was successful.

J

I have the same issue, I’ve tried manually removing this agent and reinstalling this agent does not seem to work, have tried multiple times. Ticket is still sitting with Automox. This seems to be a consistent pattern through out the Apple Sillicon series 

J

No updates on this yet

J
Userlevel 3

Hi @jasen ,

 

We have released a new worklet in the Catalog to assist with the provisioning of the Secure Token:

MacOS - Configuration - Enable Apple Silicon Patching

 

This worklet will ensure that the Automox Service account exists on a device and that the secure token is enabled for it. 

 

I hope this helps!

Reply


Terms & ConditionsCookie settings