Automox Service Account: Secure Token Troubleshooting Guide

This guide explains the different status codes you may see related to the Automox service account's Secure Token management. The Secure Token is essential for the Automox Agent to function properly on macOS devices.


Service Account Status Codes

The following codes indicate the health and status of the service account used by the Automox Agent.

Code | Status Name | Description (What It Means)
0 | Healthy | The service account is fully operational. The Secure Token has been granted and is actively managed by Automox.
1 | No Account | The required Automox service account does not exist on the device.
2 | Secure Token Not Granted | The service account exists, but the necessary Secure Token has not been granted.
3 | Invalid Credential | The credentials Automox uses to manage the account are corrupted or no longer valid, causing management failure.
4 | Disabled | The service account has been locked or disabled, preventing the agent from logging in or performing activities.
5 | Not Managed | The service account exists, but the Automox Agent is no longer actively managing it.
6 | Invalid Shell | The account's default shell is incorrectly set (e.g., to /bin/false or /bin/nologin) instead of the required /bin/bash. This prevents commands from executing properly.

Recommended Troubleshooting Steps

Codes 0, 1, and 2

  • Code 0 requires no action.
  • For codes 1 and 2, the Automox Agent often attempts to resolve these automatically. If the issue persists, review the device's activity log for recent provisioning attempts.

Codes 3, 4, 5, and 6 (Required Reprovisioning)

Action: Status codes 3 through 6 typically indicate a severe issue with the account structure or management. The most effective resolution is to perform a full deletion and reprovisioning of the Automox Service Account user.

  • To remove the Automox Service Account, it is recommended to use these commands from the terminal:

    sudo dscl . -delete /Users/_automoxserviceaccount
    sudo launchctl bootout system/com.automox.agent
    sudo launchctl bootstrap system /Library/LaunchDaemons/com.automox.agent.plist
  • Once completed, please scan the device from the Automox Dashboard to ensure that the changes have been picked up.
  • Reprovision the account by re-running the specific Automox Catalog Worklet designed to set up the service account: MacOS - Configuration - Enable Apple Silicon Patching
  • Upon completing either the worklet or the commands to grant the Secure Token to our service account, please scan the device again to ensure that the changes are picked up in the Automox Console.

Special Case: Code 6 (Invalid Shell Fix)

Action: If you encounter Status Code 6, attempt to resolve the shell setting issue before deleting and reprovisioning the account.

  • Try this command first to attempt to restore the bash terminal access:

    sudo chsh -s /bin/bash _automoxserviceaccount
  • Run an Automox agent scan from the Devices page in the console.
  • If this does not resolve the status once the agent scan completes, proceed with the full deletion and reprovisioning step described above.
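
Before deleting the account, its local state can be checked against the status codes above. The script below is an added example, not Automox code: it classifies the output of dscl and sysadminctl for the service account. The mapping to codes 1, 2 and 6 is an assumption drawn from the table's descriptions, and classify_account, the sample lines and the --live flag are names made up for this example.

```bash
#!/bin/bash
# Added example, not Automox code. Classifies local account state against
# the status codes this guide describes (assumed mapping, see lead-in).
ACCOUNT="_automoxserviceaccount"

# Constructed samples of sysadminctl output (timestamp and PID are made up).
SAMPLE_TOKEN_ENABLED="2024-01-01 10:00:00.000 sysadminctl[100:2000] Secure token is ENABLED for user $ACCOUNT"
SAMPLE_TOKEN_DISABLED="2024-01-01 10:00:00.000 sysadminctl[100:2000] Secure token is DISABLED for user $ACCOUNT"

# classify_account SHELL_OUTPUT TOKEN_OUTPUT
#   SHELL_OUTPUT: text from `dscl . -read /Users/$ACCOUNT UserShell`
#   TOKEN_OUTPUT: text from `sysadminctl -secureTokenStatus $ACCOUNT`
# Prints 1, 6 or 2 for the matching status code, "local-ok" when nothing is
# wrong locally, or "unknown" when the token status cannot be read.
classify_account() {
  cls_shell_out=$1
  cls_token_out=$2
  # No UserShell attribute returned: the account record does not exist.
  case "$cls_shell_out" in
    "UserShell: "*) ;;
    *) echo "1"; return 0 ;;
  esac
  # Any shell other than /bin/bash is the Invalid Shell case.
  cls_shell=${cls_shell_out#UserShell: }
  if [ "$cls_shell" != "/bin/bash" ]; then
    echo "6"; return 0
  fi
  case "$cls_token_out" in
    *"Secure token is ENABLED"*)  echo "local-ok" ;;
    *"Secure token is DISABLED"*) echo "2" ;;
    *)                            echo "unknown" ;;
  esac
}

# Live check: run as root on the Mac with --live (sysadminctl reports on stderr).
if [ "${1:-}" = "--live" ] && [ "$(uname)" = "Darwin" ]; then
  live_shell=$(dscl . -read "/Users/$ACCOUNT" UserShell 2>/dev/null || true)
  live_token=$(sysadminctl -secureTokenStatus "$ACCOUNT" 2>&1 || true)
  classify_account "$live_shell" "$live_token"
fi
```

A result of "local-ok" does not rule out codes 3, 4 or 5, which concern Automox's credentials and management state and are not inspected here.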

Additional Issues

  • MDM policy rotating credentials
    • If an MDM policy were to rotate local admin credentials, it's possible that Secure Token access would be lost because another account would have it.
    • MDM could also cause this if it performs a password-reset type of action. The Secure Token is tied to the credential used for the user. Admin resets issued by a process, or even by MDM, could cause issues with the token being reissued to a given user.
  • Automox agent service account created before the first user logs in
    • If the Automox Agent were installed and configured before the first user logged in, it could create a situation where the only Secure Token account is ours.
  • Automox service account shows "disabled"
    • Check the current status: sudo sysadminctl -secureTokenStatus _automoxserviceaccount
    • Try enabling: sudo /usr/local/bin/amagent --automox-service-account enable
    • If Secure Token still shows DISABLED afterward:
      • Delete the Automox service account with the following command: sudo /usr/bin/dscl . -delete /Users/_automoxserviceaccount
      • Remove the current agent install: Removing the Automox Agent
      • Re-install the agent: Automox Agent Installation Overview
      • Enable Secure Token once again.
  • If you are using the "prompt" method to enable Secure Token, the end user on the computer MUST have admin rights and Secure Token access to issue access to the AC account.
    • "If the local user has administrator privileges and secure token access, they will be prompted to enter their password."
    • In the case of Silicon Mac devices with users who are not admin, we would need to go down one of two routes:
      • Manually create the account with the local admin credentials.
      • Use a Worklet to temporarily raise the user to admin, have them receive the prompt and login, and reduce their permissions again.
