
Hi Team,

Is there any way to enable the below through a script/policy on Mac rather than going and executing the commands individually on each system?

https://docs.automox.com/product/Product_Documentation/Agents/Agent_Installation/Install_and_Configure_Automox_Agent_for_Apple_Silicon_Devices.htm

Hi sac548,

Yes, you can absolutely automate this process without having to execute the commands you linked one at a time!

You can find the MacOS - Configuration - Enable Apple Silicon Patching Worklet in our Worklet Catalog to deploy this automatically to any Apple Silicon Macs that have the Automox Agent deployed.

I recommend you read the description on the Evaluation & Remediation Code before deployment. However, a brief summary on how this Worklet functions:

Evaluation Code:

  • Checks whether the target macOS Device is Apple Silicon. If the Device does not have the Automox Service Account & Secure Token, the Remediation Code is queued based on the schedule you set.

Remediation Code:

  • This code block will create the Automox Service Account on the Device. Once created, the logged in user will get a prompt to enter their password. Assuming that the user is an administrator, this will pass the Secure Token to the Automox Service Account.
  • If the Device has an admin account with a password known to you, you may be able to leverage that account instead. The Worklet’s description has the process to set this up.

If you have any questions, or do not have access to the Worklet Catalog, please let me know!

Thank you!
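
The evaluation logic described in the post above, sketched as an added example (this is not Automox's Worklet code and not part of the thread). It assumes `sysadminctl -secureTokenStatus` prints `Secure token is ENABLED for user <name>`; the function names are illustrative.

```shell
#!/bin/sh
# Added example; not Automox's Worklet code.
SERVICE_ACCOUNT="_automoxserviceaccount"  # name taken from the error text in this thread

# True when the architecture string denotes Apple Silicon.
# Note: `uname -m` reports x86_64 when the shell itself runs under Rosetta.
is_apple_silicon() {
    [ "$1" = "arm64" ]
}

# True when sysadminctl's status text reports an enabled Secure Token.
# Assumed format: "... Secure token is ENABLED for user <name>"
token_enabled() {
    printf '%s\n' "$1" | grep -qF "Secure token is ENABLED for user $SERVICE_ACCOUNT"
}

# Pure decision logic so it can be tested off-device.
# Args: <arch> <account exists: yes|no> <sysadminctl output>
# Prints: skip | compliant | remediate
evaluate() {
    if ! is_apple_silicon "$1"; then
        echo "skip"            # Intel Mac: out of scope for this check
    elif [ "$2" = "yes" ] && token_enabled "$3"; then
        echo "compliant"       # account present and holds a Secure Token
    else
        echo "remediate"       # account missing or token not granted
    fi
}

# Collect the live facts on a Mac and feed them to evaluate().
gather_and_evaluate() {
    arch=$(uname -m)
    if dscl . -read "/Users/$SERVICE_ACCOUNT" >/dev/null 2>&1; then
        exists=yes
    else
        exists=no
    fi
    # sysadminctl writes its status line to stderr, hence 2>&1
    st_out=$(sysadminctl -secureTokenStatus "$SERVICE_ACCOUNT" 2>&1)
    evaluate "$arch" "$exists" "$st_out"
}

# Only touch macOS tools when actually running on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
    gather_and_evaluate
fi
```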


Hi - We do not want the standard/logged-in user to enter a password. Also, on Mac we do not have administrator access for the logged-in user.

"If the Device has an admin account with a password known to you, you may be able to leverage that account instead. The Worklet’s description has the process to set this up." - Are you referring to the admin account or the Automox service account?


Hi sac548,


"We do not want the standard/logged-in user to enter a password. Also, on Mac we do not have administrator access for the logged-in user."

Understandable! I will note that if you cannot leverage the Service Account Token route below, this is the only other way to complete this. The MacOS - System Preferences - Temporarily Elevate Permissions Worklet can grant a user admin access for 10 minutes, allowing them to grant the token and then automatically remove admin rights.

"Are you referring to the admin account or the Automox service account?"

I am referencing a local admin account set up by your company in this case. If you have a local admin account deployed to your devices when provisioning them, and you know the password, you may be able to leverage this account to pass the Secure Token silently to Automox’s Service Account.


Apple has a hard requirement where only users with Secure Token can update and restart macOS devices; therefore, we require an Automox Service Account with Secure Token to be provisioned on a device to update OS-level software (noting this is not required for Third-Party software, such as Google Chrome).

You can find more information about this process here.


Well, I got the below error when using the local admin account:

Secure Token Enabled
Bootstrap Token is supported for this device
Bootstrap Token has been escrowed
Automox Recommended Solution: Grant Secure Token to the _automoxserviceaccount through your MDM provider


Secure Token Enabled
Bootstrap Token is supported for this device
Bootstrap Token has been escrowed
Automox Recommended Solution: Grant Secure Token to the _automoxserviceaccount through your MDM provider


I am getting this when using the Worklet with the local admin account deployed.


Hi sac548,

If you’re experiencing an error deploying the Worklet using an admin account, I recommend that, as the next step, you submit a support case to help.automox.com. Our Support Team can look into your configuration and provide you with next steps on how to resolve this.

Thank you!

