
I noticed that this question was brought up in another thread, but was not addressed.

I have a computer that verifies that secure token access is enabled, but in the console it still shows as “not-compatible”, citing missing secure token access. I also tried using the Automox-provided worklet to update the access, and it indicates that the token access is already enabled.

I have removed and readded the agent with the same issue. 

Has anyone been able to resolve this?

OS: OS X (13.4.1 (c))

CPU: Apple M1 Pro

RAM 32 GB

Agent 1.42.22

Thank you

Hi @Morgan!

I recommend trying the steps documented in this KB article: https://help.automox.com/hc/en-us/articles/7454299464340-M1-Secure-Token-Issues-on-Agent-39

The most important part is removing the Automox Service account first, uninstalling the agent, reinstalling, and then re-adding the Automox Service account with the Secure Token Access.

Our Solutions Consultant team also put together a script that can help with automating the process. If you decide to use the script, be sure to input your Automox ACCESSKEY in the script variable.

#!/bin/bash

#================================================================
# HEADER
#================================================================
# SYNOPSIS
# Reinstall Automox Agent and Correct Automox Service Account.
#
# DESCRIPTION
# This script will reinstall Automox on MacOS with the latest version (1.42.22 at the time of writing.)
# The purpose of this script is to clear out the Agent and Automox Service Account to correct SecureToken passing.
# Once the agent is reinstalled, the user will get prompted to enter their current password securely.
# If correct, the script will exit 0. On failure, the script will exit with a non-zero code.
#
#
# REQUIREMENTS
# 1. Your Agent Access Key to add to the Variable below.
# 2. A Configuration Profile deployed to Monterey and Ventura devices allowing Full Disk Access to Terminal, so we may remove the Automox Service Account.
# 3. A third-party deployment solution, as the script will attempt to re-install the agent, which is not recommended with an Automox Worklet.
# 4. The current logged in user needs Administrative access to their machine, however you may bypass this by commenting out "checkAdminStatus" at the beginning of the script.
# 4a. Note: If you comment out the line, the Automox Agent will still reinstall but the Secure Token passing will fail.
#
# USAGE
# ./MacOS_Service_Account_Corrrection.sh
#
#================================================================
# IMPLEMENTATION
# version CSE-8483 MacOS - Reinstall Agent and Fix Service Account (www.automox.com) 1.0
# author Kyle Gregg
#
#================================================================
# HISTORY
# 04/26/2023 : Kyle Gregg : Script creation
#
#
#================================================================
# END_OF_HEADER
#================================================================


#================================================================
# Enter your Agent Access Key into the Variable below.
# i.e. ACCESSKEY="12345678-5467-5325-44364275"
ACCESSKEY=""
#================================================================


#================================================================
# Please do not modify these variables.
AutomoxLoc="/usr/local/bin/amagent"
LatestAgentCheck=$("${AutomoxLoc}" --help 2>&1 | grep -o "1.42.22")
AXServiceAccount=$(dscl . list /Users 2>&1 | grep -o _automoxserviceaccount)
CurrentUser=$(stat -f %Su /dev/console)
AdminUser=$(id -Gn $CurrentUser | grep -w -o "admin" | head -1)
#================================================================


#================================================================
# Please do not modify these functions.

# Provides a function to allow Automox to read the Error Message upon an Exit 1.
function errMessage() {
echo "$1" >&2
}
# Function to install latest Automox Agent.
function installLatestAgent() {
curl -sS "https://console.automox.com/downloadInstaller?accesskey=$ACCESSKEY" | sudo bash
}

# Function to remove Automox Agent.
function removeAgent() {
sudo /usr/local/bin/amagent --deregister
sudo launchctl unload /Library/LaunchDaemons/com.automox.agent.plist
sudo rm -f /usr/local/bin/amagent
sudo rm -rf "/Library/Application Support/Automox/"
}

# Function to remove Automox Service Account.
function removeServiceAccount() {
if [[ -n "${AXServiceAccount}" ]]; then
echo "Automox Service Account found, attempting removal..."
sudo dscl . delete /Users/_automoxserviceaccount
sleep 5
fi
}

# Function to check if current user is Administrator.
function checkAdminStatus() {
if [[ "${AdminUser}" != "admin" ]]; then
errMessage "Current user is not an admin, exiting script as SecureToken passing will not be feasible with this method."
exit 1
fi
}

# Function to Enable Secure Token.
function enableSecureToken () {
sudo /usr/local/bin/amagent --automox-service-account enable
sleep 1
sudo /usr/local/bin/amagent --automox-user-prompt enable
sleep 2
}

# Function to ensure latest Automox agent is installed.
function checkAgentInstall () {
# Re-read the version here: the value computed at the top of the script predates the reinstall.
LatestAgentCheck=$("${AutomoxLoc}" --help 2>&1 | grep -o "1.42.22")
if [[ -x "${AutomoxLoc}" && -n "${LatestAgentCheck}" ]]; then
echo "Latest Agent Installed successfully, agent version is $LatestAgentCheck."
else
errMessage "Latest agent did not get installed successfully, exiting script."
exit 1
fi
}

# Function to check Secure Token status of Automox Service Account.
function checkSecureTokenStatus () {
AXSecureToken=$(sysadminctl -secureTokenStatus _automoxserviceaccount 2>&1 | grep -o "ENABLED")
if [[ "${AXSecureToken}" == "ENABLED" ]]; then
echo "Secure Token is enabled on the Automox Service Account. Script completed successfully."
exit 0
else
errMessage "Secure Token did not get passed successfully to the Automox Service Account."
exit 1
fi
}

#================================================================





#================================================================
# BEGIN SCRIPT
#================================================================

# Checks to see if current user is admin.
# If you want to ignore this check and reinstall anyway, comment out the line below.
checkAdminStatus

# Uninstalls Automox Agent and Automox Service Account if both are on the device.
if [[ -x "${AutomoxLoc}" ]]; then
echo "Automox installed, starting uninstall process."
removeAgent
removeServiceAccount
fi

# Begin installation of latest Automox Agent.
installLatestAgent

# Pass SecureToken from user
enableSecureToken

# Check to see if Automox Agent 1.42.22 got installed properly.
checkAgentInstall

# Check to see if the Automox Agent has SecureToken
checkSecureTokenStatus


Note that both methods (the KB article steps and/or the bash script) will require you to run them locally on the device with an administrator account, or be deployed through an MDM. You will not be able to utilize these methods through a worklet.

If you are continuing to experience issues, please open up a Support ticket with our team so they can further assist:  https://help.automox.com/

Have a great day!


Thanks for providing a suggestion @JohnG-Automox

I haven’t had a chance to try it out, but when I do, I will let you know if it was successful.


I have the same issue. I’ve tried manually removing this agent and reinstalling it, which does not seem to work; I have tried multiple times. The ticket is still sitting with Automox. This seems to be a consistent pattern throughout the Apple Silicon series.


No updates on this yet


Hi @jasen ,

We have released a new worklet in the Catalog to assist with the provisioning of the Secure Token:

MacOS - Configuration - Enable Apple Silicon Patching

This worklet will ensure that the Automox Service account exists on a device and that the secure token is enabled for it.

I hope this helps!


@JohnG-Automox , thanks for the Worklet. I have a Mac that hasn’t got a secure token issued for the amagent account. I’ve tried the Terminal command given at the start of the article linked to in the compatibility test window, and it returned “ENABLE Automox service account” but that hasn’t fixed the compatibility check. My guess being that this is because the account already exists?

So I ran your Worklet, but it came back with “ERROR: User xxxx is not an administrator and cannot grant the Automox service account a secure token. Exiting.” We use Automox so that users don’t have to be admins. Am I missing something?

Thanks


I quite clearly am missing something; the statement at the end of your guide! I really wonder how many organisations actually do grant their end users admin rights? And how exposed they are to security risks?

So what’s the solution? Uninstall the agent and start again?


Hi @sparrowhawk

The secure token is minted and issued when the first admin account is provisioned on a macOS device. This is typically the first user to register on the system, but could also be a service account provisioned via an MDM.

That said, if you have a service account through your MDM you can leverage, it is recommended that you configure those credentials in the worklet via a shared secret. This will provide the ability to completely automate the passing of the secure token to the Automox service account.

If you do not have an MDM or it is an end user (standard) account that has the secure token, you can either temporarily elevate that account to an admin using this Catalog Worklet, and then rerun the Enable Apple Silicon Patching one. Alternatively, you can prompt the end user to enter their credentials to pass the secure token via a one-time user prompt.

Below is a webinar that outlines both recommendations and shows you how to implement each:
https://university.automox.com/best-practices-secure-token-passing-on-macos-devices-1?next=%2Fbest-practices-secure-token-passing-on-macos-devices-1%2F2048482
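The decision the last two replies describe (does the service account already hold a token, and does the console user have the admin rights needed to pass one) is what the compatibility check boils down to, and it is also what the reinstall script earlier in the thread tests with sysadminctl. Below is an added diagnostic that is not Automox's script or worklet and not from any poster here. It uses the real macOS tools (sysadminctl -secureTokenStatus, dscl, stat -f %Su /dev/console) and the _automoxserviceaccount name from the thread; the parsing functions take tool output as a string so they can be exercised with constructed sample lines on any shell, and the "Secure token is ENABLED for user" wording is the line sysadminctl prints in practice (anything else is classed UNKNOWN rather than guessed). Only live_report touches the real system, and it skips itself where sysadminctl is absent.

```shell
#!/bin/sh
# Added diagnostic for the Secure Token discussion above; not Automox's code.
# Real tools: sysadminctl, dscl, stat (macOS). Parsing is separated from the
# live calls so the logic can be checked with constructed sample output.

AX_ACCOUNT="_automoxserviceaccount"   # service account name used in the thread

# token_state OUTPUT
# Classify what "sysadminctl -secureTokenStatus <user>" prints (on stderr), e.g.
#   sysadminctl[812:9044] Secure token is ENABLED for user jdoe
# Unknown accounts or changed wording are reported as UNKNOWN, not guessed.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# in_admin_group MEMBERSHIP_LINE USER
# MEMBERSHIP_LINE is the output of "dscl . -read /Groups/admin GroupMembership",
# i.e. "GroupMembership: root admin jdoe". Prints yes or no; exact word match,
# so "jdoe" does not match "jdoe2".
in_admin_group() {
  members=${1#GroupMembership:}
  for m in $members; do
    if [ "$m" = "$2" ]; then
      echo yes
      return 0
    fi
  done
  echo no
}

# next_step SERVICE_TOKEN_STATE CONSOLE_USER_IS_ADMIN
# The decision logic from the thread: which path can actually pass a token.
next_step() {
  case "$1:$2" in
    ENABLED:*)
      echo "service account already holds a Secure Token; re-run the console compatibility check" ;;
    UNKNOWN:*)
      echo "service account missing or unreadable; recreate it (amagent --automox-service-account enable) first" ;;
    DISABLED:yes)
      echo "console user is admin: amagent --automox-user-prompt enable can pass the token" ;;
    DISABLED:no)
      echo "console user is standard: use an MDM/admin account that holds a token, or elevate temporarily" ;;
    *)
      echo "unrecognised state $1:$2" ;;
  esac
}

# grant_token TARGET_USER ADMIN_USER
# Grants a Secure Token from an admin that already holds one. "-" makes
# sysadminctl prompt for both passwords on the terminal, so neither secret
# shows up in the process list or shell history as an inline
# -password/-adminPassword value would.
grant_token() {
  sysadminctl -secureTokenOn "$1" -password - -adminUser "$2" -adminPassword -
}

# live_report: run the real checks on macOS, otherwise skip quietly.
live_report() {
  if ! command -v sysadminctl >/dev/null 2>&1; then
    echo "sysadminctl not found (not macOS); skipping live checks"
    return 0
  fi
  console_user=$(stat -f %Su /dev/console)
  svc_state=$(token_state "$(sysadminctl -secureTokenStatus "$AX_ACCOUNT" 2>&1)")
  user_state=$(token_state "$(sysadminctl -secureTokenStatus "$console_user" 2>&1)")
  is_admin=$(in_admin_group "$(dscl . -read /Groups/admin GroupMembership)" "$console_user")
  echo "console user $console_user: token $user_state, admin $is_admin"
  echo "$AX_ACCOUNT: token $svc_state"
  next_step "$svc_state" "$is_admin"
}

live_report
```

Run it as the logged-in user on the affected Mac to see which branch applies before touching the agent. If you script the grant yourself instead of using the worklet's shared secret, keep the interactive "-" form or another channel that does not put the admin password on the command line; a password passed inline is readable by any local process via ps while sysadminctl runs.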


Hi ​@JohnG-Automox, that is an excellent explanation, thanks. We use JAMF, but the account user is not an admin. Normally, we authorise the amagent account whilst logged in as the local admin before deployment, but this didn’t happen for this device. So I was hoping there was a way to fix it remotely. You’ve given us a couple of good suggestions here so thanks very much!

