Enrolling M1-M4 Devices into Automox with JAMF with secure tokens

The Problem: Updated

Managing Secure Tokens on macOS has long been a challenge for administrators using JAMF and Automox. In my previous post, Managing the macOS Secure Token with JAMF Pro, I discussed a script-based approach to grant Secure Tokens to additional users. However, this method required administrators to manually pass usernames and passwords into the JAMF configuration—an approach that, while effective, was not ideal from a security or usability perspective.

Today, I’m sharing an updated script that makes the process more secure and efficient by allowing Secure Token creation to be run as the local logged-in user. This eliminates the need for JAMF administrators to manually input credentials while also incorporating updated bootout and non-deprecated launchctl commands for Apple Silicon (M1/M2) Macs.

What’s New in the Updated Script?

The new script, automox_fix_25.sh, improves upon the previous approach in several key ways:

  • Runs as the Logged-In User: No longer requires JAMF administrators to pass the username or password manually.

  • Security Improvement: Avoids storing credentials in JAMF variables, reducing the risk of exposure.

  • Apple Silicon Compatibility: Uses non-deprecated launchctl commands, ensuring compatibility with M1/M2 Macs.

  • Refined Bootout Process: Improves reliability when unregistering and re-registering the device with Automox.

These updates make it easier to manage Secure Tokens in an automated, scalable, and secure manner.

How the New Script Works

The script follows a similar logic to the previous approach but incorporates key refinements:

  1. Identifies the logged-in user dynamically.

  2. Runs the Secure Token creation process as that user, eliminating the need for JAMF admin intervention.

  3. Uses updated launchctl commands to prevent compatibility issues on modern macOS versions.

  4. Ensures smooth re-registration with Automox after Secure Token changes.

Script Comparison

Feature                                    Old Script (Automox_re_register_fix.sh)   New Script (automox_fix_25.sh)
-----------------------------------------  ----------------------------------------  ------------------------------
Requires JAMF Admin to Pass Credentials    ✅ Yes                                    ❌ No
Runs as Logged-In User                     ❌ No                                     ✅ Yes
Uses Non-Deprecated launchctl for M1/M2    ❌ No                                     ✅ Yes
Improved Bootout Process                   ❌ No                                     ✅ Yes

Set Up the Script

Next, add the script under JAMF Pro > Settings > Scripts in your JAMF Pro instance. Let's review the script.

#!/bin/bash

# Jamf Pro passes script parameters in as $4 and up. $4 must hold the Automox
# access key; without it the curl below would pipe an error response into bash.
if [ -z "$4" ]; then
  echo "Automox access key was not provided in script parameter \$4" >&2
  exit 1
fi

# Get the logged-in (console) user up front; the Secure Token steps must run as
# this user, so stop if nobody is logged in (at the login screen the console is
# owned by root or loginwindow).
user=$(stat -f %Su /dev/console)
if [ -z "$user" ] || [ "$user" = "root" ] || [ "$user" = "loginwindow" ]; then
  echo "No user is logged in at the console; cannot grant the Secure Token" >&2
  exit 1
fi

# Remove the computer from Automox if Automox is already installed
# (bootout is the non-deprecated replacement for launchctl unload)
sudo launchctl bootout system /Library/LaunchDaemons/com.automox.agent.plist
sudo /usr/local/bin/amagent --deregister
sudo rm -f /usr/local/bin/amagent
sudo rm -rf "/Library/Application Support/Automox/"
sudo /usr/bin/dscl . -delete /Users/_automoxserviceaccount

# Add the logged-in user to the admin group (granting a Secure Token requires admin rights)
dseditgroup -o edit -a "$user" -t user admin

sleep 1

# Download and install Automox using the access key passed in $4
curl -sS "https://console.automox.com/downloadInstaller?accesskey=$4" | sudo bash

sleep 1

# Set up the agent's service account and its Secure Token, running as the logged-in
# user. The token is only granted if this user already holds an active Secure Token,
# and the sysadminctl call behind it requires admin permission.
launchctl asuser "$(id -u "$user")" /usr/local/bin/amagent --automox-service-account enable
launchctl asuser "$(id -u "$user")" /usr/local/bin/amagent --automox-user-prompt enable

# Check the Secure Token status of _automoxserviceaccount (visible in the policy log)
sysadminctl -secureTokenStatus _automoxserviceaccount

# Start Automox (bootstrap and kickstart are the non-deprecated replacements for launchctl load)
sudo launchctl bootstrap system /Library/LaunchDaemons/com.automox.agent.plist
sudo launchctl kickstart -k system/com.automox.agent

Notice that the script expects one value to be passed in through a JAMF script parameter:

  • $4 variable == the Automox access key (what the author calls the Automox Secure Token). It is passed to the installer URL as accesskey and is unrelated to the macOS Secure Token.

This script is in my GitHub repo; feel free to comment, contribute and post issues with it there.

Create the Script Policy

Next, create a script policy and add the script to it. Scope the policy to all computers that have an _automoxserviceaccount user without a Secure Token. You can do this with a smart group.

Add the script, set the policy to run recurring on check-in, and have it run only once per computer.

The script removes Automox if it is installed, removes the service account, waits 5 seconds, and then reinstalls Automox. It then authorizes the account to receive the Secure Token.

BONUS: Create the Automox Smart Group

  1. Navigate to Computers > Smart Computer Groups.

  2. Click New to create a new Smart Group.

  3. Name the group something descriptive, such as:

    • “Automox - Secure Token Fix Required”.

Step 3: Define the Criteria

Under the Criteria tab, add the following rules:

Criteria              Operator   Value
--------------------  ---------  ----------------------
Username              has        _automoxserviceaccount
Secure Token Granted  is         No
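An alternative way to feed this Smart Group, as an added example that is not part of the post or of Automox's or Jamf's own tooling: a Jamf Extension Attribute script that reports the service account's Secure Token state as a single value. It assumes that sysadminctl's status line contains "is ENABLED" or "is DISABLED" (the sample strings in the comments are constructed to that form) and that the EA output is wrapped in <result> tags.

```shell
#!/bin/bash
# Jamf Extension Attribute (added example): reports whether _automoxserviceaccount
# currently holds a Secure Token so a Smart Group can scope the re-registration
# policy on one EA value ("Yes", "No", "NoAccount" or "Unknown").

SVC_ACCOUNT="_automoxserviceaccount"

# Classify the text that sysadminctl -secureTokenStatus prints (to stderr).
# Assumed/constructed samples of that text:
#   "Secure token is ENABLED for user _automoxserviceaccount"
#   "Secure token is DISABLED for user _automoxserviceaccount"
token_state() {
  case "$1" in
    *"is ENABLED"*)  echo "Yes" ;;
    *"is DISABLED"*) echo "No" ;;
    *)               echo "Unknown" ;;   # unexpected output: do not scope on it
  esac
}

# Only query the directory and sysadminctl on macOS; elsewhere only the parser is used.
if [ "$(uname)" = "Darwin" ]; then
  if /usr/bin/dscl . -read "/Users/$SVC_ACCOUNT" >/dev/null 2>&1; then
    status=$(/usr/sbin/sysadminctl -secureTokenStatus "$SVC_ACCOUNT" 2>&1)
    echo "<result>$(token_state "$status")</result>"
  else
    # Automox not installed (or its service account removed): nothing to fix yet
    echo "<result>NoAccount</result>"
  fi
fi
```

Scope the Smart Group on this EA being "No" instead of the two criteria above; "Unknown" results deserve a manual look rather than an automated re-registration.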

Step 4: Save the Smart Group

  1. Click Save to finalize the Smart Group.

  2. Confirm that the devices listed in the preview match the expected targets.

Conclusion

This new approach simplifies Secure Token management while enhancing security and compatibility. If you’ve been using the previous script, I highly recommend switching to automox_fix_25.sh to streamline your workflow.

If you found this post useful, follow me and comment with questions or feedback. As always, here are the sources I referenced throughout this blog post.

Sources

