Why Am I Being Asked for _automoxserviceaccount’s Password?

Overview

This article applies to Apple Silicon Macs. On Apple Silicon, macOS requires credentials from a Secure Token–enabled administrator to authorize macOS system updates. Automox can create _automoxserviceaccount on Apple Silicon devices so the agent can install macOS patches. If the currently logged-in user is not Secure Token enabled and _automoxserviceaccount is the Secure Token–enabled account macOS can use for authorization, macOS may prompt for that account’s password during an update.

This does not necessarily mean the device is unhealthy or incompatible in Automox.

Why This Happens

This prompt most often appears during a manual update attempt in System Settings > General > Software Update, not during an Automox patch job. In the support case notes, Automox found no patch jobs running when the prompt appeared, which indicated macOS itself was asking for credentials during manual update authorization.

In practical terms, the prompt appears when _automoxserviceaccount has Secure Token, the currently logged-in user does not, and there is no other Secure Token–enabled admin account being used for the update workflow. Administrator rights alone are not enough; the account authorizing the update must also have Secure Token access.

How to Confirm

Run the following commands on the affected Mac to check Secure Token status for the Automox service account and the currently logged-in user.

sysadminctl -secureTokenStatus _automoxserviceaccount 2>&1
stat -f%Su /dev/console | xargs -I{} sysadminctl -secureTokenStatus "{}" 2>&1

If _automoxserviceaccount returns ENABLED and the logged-in user returns DISABLED, that is why macOS is asking for _automoxserviceaccount’s password. Those are the same checks used in the support notes to confirm the issue.
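
The two checks above can be combined into one script that reports which case a Mac is in. This is an added example, not Automox's own tooling. It assumes the sysadminctl status line contains "Secure token is ENABLED" or "Secure token is DISABLED"; the function names, the result labels and the sample lines used when sysadminctl is absent are constructed for illustration.

```shell
#!/bin/sh
# Added example: explain the password prompt from Secure Token status.
SVC="_automoxserviceaccount"

# Reduce `sysadminctl -secureTokenStatus` output to ENABLED, DISABLED or UNKNOWN.
# Assumption: the status line contains "Secure token is ENABLED|DISABLED".
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;   # e.g. account not found
    esac
}

# diagnose <service account state> <logged-in user state>
diagnose() {
    case "$1/$2" in
        ENABLED/DISABLED)  echo "PROMPT_EXPECTED: logged-in user lacks Secure Token, so macOS can ask for $SVC's password" ;;
        */ENABLED)         echo "USER_CAN_AUTHORIZE: logged-in user has Secure Token" ;;
        DISABLED/DISABLED) echo "NEITHER_HAS_TOKEN: check other local admin accounts" ;;
        *)                 echo "INCONCLUSIVE: could not read Secure Token status" ;;
    esac
}

if command -v sysadminctl >/dev/null 2>&1; then
    # On a Mac: same commands as in this article (sysadminctl writes to stderr).
    user=$(stat -f%Su /dev/console)
    svc_out=$(sysadminctl -secureTokenStatus "$SVC" 2>&1)
    usr_out=$(sysadminctl -secureTokenStatus "$user" 2>&1)
else
    # Constructed sample output so the script can be read and run off a Mac.
    user="jdoe"
    svc_out="2024-01-01 10:00:00.000 sysadminctl[900:1] Secure token is ENABLED for user $SVC"
    usr_out="2024-01-01 10:00:00.100 sysadminctl[901:1] Secure token is DISABLED for user $user"
fi

if [ "$user" = "root" ]; then
    # /dev/console is owned by root when the Mac is at the login window.
    echo "No user is logged in at the console; log in as the affected user and re-run."
else
    echo "$SVC: $(token_state "$svc_out")"
    echo "$user: $(token_state "$usr_out")"
    diagnose "$(token_state "$svc_out")" "$(token_state "$usr_out")"
fi
```
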

Resolution

To stop the prompt during manual updates, the user who runs Software Update must have Secure Token, or another local admin account used for the update workflow must have Secure Token. If macOS updates are instead installed through Automox patch policies, the Automox service account can be used for patching after it has been granted Secure Token. 

About the Password

The _automoxserviceaccount password is randomly generated by the agent, is unique to that device, is stored locally in encrypted form, never leaves the device, and is rotated after every software update and whenever it is used. Because the account is agent-managed, the password is not intended for end-user interactive authentication.

 
