Apple Silicon M1 Secure Token Issues

This guide addresses secure token malfunctions on macOS devices when the basic troubleshooting steps in "Automox Service Account: Secure Token Troubleshooting Guide" have failed.

Steps to Resolution

Step 1: Delete the Automox Service Account

Run the following command to remove the service account:

sudo /usr/bin/dscl . -delete /Users/_automoxserviceaccount

Step 2: Remove the Automox Agent

Remove the Automox Agent using either manual steps or an MDM provider:

sudo launchctl bootout system/com.automox.agent || true
sudo /usr/local/bin/amagent --deregister 
sudo rm -f /usr/local/bin/amagent* 
sudo rm -rf "/Library/Application Support/Automox/"
sudo rm -f /Library/LaunchDaemons/com.automox.agent*
sudo rm -rf /var/tmp/automox/ || true
sudo rm -f /var/tmp/amagent* || true
sudo /usr/bin/dscl . -delete /Users/_automoxserviceaccount

If the Automox Tray is still showing after running the previous commands, run the following command, where uid is the UID of the logged-in user:

sudo launchctl bootout gui/${uid}/com.automox.agent-ui

Step 3: Reinstall the Automox Agent

Follow the official Automox documentation to install the agent on macOS.

Step 4a: Enablement Worklet method

Automox has created a Worklet to help enable the Automox Service Account if it is not already present on the computer. The Worklet will prompt the currently logged-in user to grant the account a secure token, and there is an option to attach credentials for a local admin account if you do not wish to prompt the end user.

  1. Locate the MacOS - Configuration - Enable Apple Silicon Patching Worklet in the Worklet Catalog and click Create Copy.
  2. Configure the policy schedule and group targeting as necessary for your organization.
  3. If you wish to use a local account on the macOS device that has administrative rights and secure token access, use the following steps:
    • Utilize the Secrets Management feature to store the target device’s administrator credentials in separate Secrets. The Name can be whatever you would like, but the Value of each should be the username (in one) and the password (in the second).
    • Modify the "Enable Apple Silicon" Worklet and use the Input button to add the Secrets from the last step:
      • Variable Name: SECURE_TOKEN_ADMIN_USER | Organization Secret: The Secret containing the local admin username.
      • Variable Name: SECURE_TOKEN_ADMIN_PASSWORD | Organization Secret: The Secret containing the local admin password.

Step 4b: Command Line method

You can enable the Automox Service Account manually with a local account on the macOS device that has administrative rights and secure token access.

  1. Execute the command below to re-enable the service account:
sudo /usr/local/bin/amagent --automox-service-account enable
  2. Run the following command, replacing the admin username and password within the quotes, to create the service account and grant it token access:
sudo /usr/local/bin/amagent --adminuser '<admin_username>' --adminpass '<admin_password>'

Step 4c: User Prompt Method

You can enable the Automox Service Account manually by running a command that prompts the logged-in user for secure token access.

  1. Execute the command below to re-enable the service account:
sudo /usr/local/bin/amagent --automox-service-account enable
  2. If the logged-in user must enter the credentials, run this command to send the user a prompt to enter the device password:
sudo /usr/local/bin/amagent --automox-user-prompt enable
  3. A pop-up prompt will appear asking the end user to enter the local administrator password. If the password is entered correctly, the service account is enabled with the secure token. If the end user enters the password incorrectly or ignores the prompt, it will continue to appear every time the device is scanned.
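
The script below is an added example, not part of the original Automox article, for checking the result of the procedure above: run it with the argument removed after Step 2 to list anything the removal left behind, and with the argument token after Step 4 to confirm the service account holds a secure token. It assumes the macOS built-in tools dscl and sysadminctl and the status line sysadminctl prints; the function names, the two arguments and the optional root prefix are this example's own.

```shell
#!/bin/sh
# Added example: checks for the Automox service account procedure (not Automox code).
ACCOUNT="_automoxserviceaccount"   # account name from Step 1

# Classify the line printed by `sysadminctl -secureTokenStatus <user>`.
# Constructed sample of that line:
#   sysadminctl[500:1234] Secure token is ENABLED for user _automoxserviceaccount
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Print every Step 2 path that still exists. $1 is an optional root prefix
# (an assumption of this example) so the check can be tried on a test tree.
leftover_paths() {
    root="${1:-}"
    for p in "$root"/usr/local/bin/amagent* \
             "$root/Library/Application Support/Automox" \
             "$root"/Library/LaunchDaemons/com.automox.agent* \
             "$root"/var/tmp/automox "$root"/var/tmp/amagent*; do
        [ -e "$p" ] && echo "${p#"$root"}"
    done
    return 0
}

# After Step 4: the account must exist and hold a secure token.
verify_service_account() {
    if ! dscl . -read "/Users/$ACCOUNT" >/dev/null 2>&1; then
        echo "$ACCOUNT: account not present"
        return 1
    fi
    # sysadminctl writes its status to stderr, so capture both streams.
    state=$(token_state "$(sysadminctl -secureTokenStatus "$ACCOUNT" 2>&1)")
    echo "$ACCOUNT: secure token $state"
    [ "$state" = ENABLED ]
}

# "removed": list leftovers after Step 2. "token": verify after Step 4.
case "${1:-}" in
    removed)
        leftover_paths
        if dscl . -read "/Users/$ACCOUNT" >/dev/null 2>&1; then echo "/Users/$ACCOUNT"; fi
        ;;
    token) verify_service_account ;;
esac
```

Empty output from the removed check means the agent files and the account record are gone; the token check exits non-zero unless the status is ENABLED.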
