
macOS - Configuration - Enable Apple Silicon Patching

Enables secure tokens for Automox Service Account on Apple Silicon Macs to allow macOS patching

Worklet Details

What the Apple Silicon patching enablement Worklet does

This Automox Worklet™ manages secure tokens on Apple Silicon Macs to enable patch management through Automox. The Worklet verifies that the Automox Service Account has the required secure token that Apple mandates for third-party patch management operations on M1, M2, and M3 processors.

When the secure token is missing, the Worklet attempts to grant it using administrator credentials. If direct token granting fails, the Worklet creates a user prompt for local authorization and provides guidance for alternative secure token configuration methods.

Why enable secure tokens for Apple Silicon patch management

Apple Silicon Macs without properly configured secure tokens block all third-party patch management operations. Apple enforces this security requirement on ARM-based processors, preventing tools like Automox from installing security updates or patches until service accounts receive explicit token authorization.

Manual secure token configuration requires IT teams to access each endpoint individually, enter administrator credentials, and authorize the service account through System Preferences. This process becomes unsustainable across large Mac fleets and delays critical security patching.

Automating secure token verification and enablement reduces configuration errors and accelerates patch deployment. You eliminate the patching bottleneck that occurs when endpoints lack proper service account permissions, meeting compliance requirements for timely security updates.

How secure token enablement works

  1. Evaluation phase: The Worklet checks the system architecture using uname to confirm the endpoint runs on Apple Silicon. It then queries the Automox Service Account secure token status and verifies whether the account exists with proper token permissions for patch management operations.

  2. Remediation phase: The Worklet attempts to grant the secure token to the Automox Service Account using administrator credentials. If direct granting fails, it displays a user prompt requesting local authorization through the macOS security dialog. When the service account does not exist, the Worklet provides step-by-step instructions for account creation.
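The evaluation-phase decision described above, as an added example that is not Automox's Worklet source. It assumes the token status is read with sysadminctl -secureTokenStatus, that exit code 0 means no remediation is needed, and that the caller passes in the service account short name; the function names and sample lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not Automox's Worklet source): evaluation-phase logic only.

# Constructed sample lines in the format sysadminctl prints for -secureTokenStatus.
SAMPLE_ENABLED='2024-01-01 00:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user svc_example'
SAMPLE_DISABLED='2024-01-01 00:00:00.000 sysadminctl[123:456] Secure token is DISABLED for user svc_example'

# uname -m prints arm64 on Apple Silicon.
# Caveat: a shell running under Rosetta 2 reports x86_64 instead.
is_apple_silicon() { [ "$1" = "arm64" ]; }

# Classify sysadminctl's status text. The tool writes it to stderr,
# so callers have to capture it with 2>&1.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# Decide the result from three observed facts.
# args: arch, account_exists (yes|no), sysadminctl output
# Prints a reason; returns 0 when no remediation is needed (assumed
# convention), 1 otherwise. Unreadable status fails closed.
evaluate() {
  if ! is_apple_silicon "$1"; then echo "skip: not Apple Silicon"; return 0; fi
  if [ "$2" != "yes" ]; then echo "fail: service account missing"; return 1; fi
  case "$(token_state "$3")" in
    enabled)  echo "ok: secure token present"; return 0 ;;
    disabled) echo "fail: secure token missing"; return 1 ;;
    *)        echo "fail: could not read token status"; return 1 ;;
  esac
}

# Gather live facts on the endpoint and evaluate them.
# $1 = service account short name (site-specific; supply your own).
evaluate_endpoint() {
  local account="$1" exists=no status=""
  if id -u "$account" >/dev/null 2>&1; then
    exists=yes
    status="$(sysadminctl -secureTokenStatus "$account" 2>&1 || true)"
  fi
  evaluate "$(uname -m)" "$exists" "$status"
}
```

On an endpoint, call evaluate_endpoint with the service account short name and use its return status as the script's exit code.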

Apple Silicon patching requirements

  • Apple Silicon Mac (M1, M2, or M3 processor)

  • macOS Big Sur 11.0 or later (secure token requirement applies to all ARM-based macOS versions)

  • Automox Service Account installed on the endpoint

  • Administrator credentials available for token granting, or user available to authorize through security prompt

  • Network connectivity to Automox console for patch management operations

Expected patch management capability after token enablement

After successful execution, the Automox Service Account will have the secure token required for patch management operations. You will see the endpoint become eligible for macOS security updates and patches through the Automox console, with successful patch installation appearing in endpoint activity logs.

If user authorization was required, the local user will have completed the security prompt and the service account will show secure token status in System Preferences. Automated patch policies will begin applying to the endpoint according to your configured schedules, eliminating the previous patching blockage.

How to validate Enable Apple Silicon Patching changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for Enable Apple Silicon Patching.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic.

  4. Validate the remediation effects of the script operations, then rerun evaluation for compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
