macOS - Software Lifecycle - Intune Deploy macOS Automox Agent

Deploy the Automox Agent to macOS endpoints managed by Microsoft Intune via WDK MDM integration

Worklet Details

What the Intune macOS Agent Deployment Worklet does

This Automox Worklet™ deploys the Automox Agent to macOS endpoints enrolled in Microsoft Intune. The Worklet uses the WDK (Worklet Deployment Kit) command-line tool to interact with the Automox console API and Microsoft Graph API, synchronizing endpoint membership between Automox groups and Azure AD groups.

The Worklet matches endpoints between Automox and Intune by serial number, creating or updating the deployment policy as needed. Endpoints are added to a specified Azure AD group, which receives the Automox Agent installation package through Intune. The Worklet supports optional filtering by Automox group name to target specific endpoint sets.

This integration lets organizations manage macOS endpoints through both Intune and Automox at the same time without introducing a second deployment tool, while keeping patching and security compliance consistent across the fleet.

Why deploy agents through Intune

Manual Automox Agent installation across large macOS fleets creates operational bottlenecks and an inconsistent security posture. When IT teams install agents by hand on hundreds of endpoints, deployment cycles stretch out and endpoints stay unprotected for the duration of the installation window. Endpoints without the Automox Agent cannot receive security patches, which creates compliance gaps and leaves the organization exposed to known vulnerabilities that automated patch management would otherwise address.

Automox Agent deployment through Intune also maintains compliance with your existing MDM policies. Endpoints install the agent as part of their standard Intune policy compliance, and administrators can audit installation status directly in the Automox console. This dual visibility reduces security gaps and accelerates incident response.

Also, this approach simplifies endpoint onboarding. New macOS endpoints enrolled in Intune automatically receive the Automox Agent if they match the target Azure AD group, eliminating the need for separate provisioning steps or manual registration.

How Intune agent deployment works

  1. Evaluation phase: The Worklet invokes the WDK command with the --evaluate flag to check whether the current endpoint needs the Automox Agent deployed. It compares the endpoint's serial number against the target Azure AD group membership and determines if deployment is required.

  2. Remediation phase: The Worklet calls WDK with the --remediate flag, which creates or updates the Intune deployment policy, adds the endpoint to the Azure AD group (creating it if necessary), and assigns the Automox Agent package for installation.
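The matching and group-sync step described above, as an added illustration that is not the WDK's own code: it reconciles a constructed Automox device list against constructed Intune records by normalised serial number, applies the optional Automox group filter, and produces the set of Azure AD device object IDs that must be added to the target group. All records, field names and the `azure_ad_device_id` attribute are assumptions made for the example; the real Worklet obtains these records from the Automox console API and Microsoft Graph. Stale group members are reported but not removed, because the page describes only adding endpoints to the group.

```python
"""Serial-number reconciliation between Automox endpoints and Intune devices.

Added example, not WDK code: every record below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


def normalize_serial(serial: Optional[str]) -> Optional[str]:
    """Canonical form for comparing a hardware serial across consoles.

    The two consoles may report the same serial with different casing or
    stray whitespace; comparing raw strings would miss the match and leave
    the endpoint without an agent. Empty values become None so they never
    match each other.
    """
    if serial is None:
        return None
    canon = "".join(serial.split()).upper()
    return canon or None


@dataclass(frozen=True)
class AutomoxDevice:
    device_id: int
    name: str
    serial: Optional[str]
    group: str  # Automox group name, used for the optional filter


@dataclass(frozen=True)
class IntuneDevice:
    managed_device_id: str
    serial: Optional[str]
    azure_ad_device_id: str  # assumed: directory object id used for group membership


@dataclass
class SyncPlan:
    to_add: List[str] = field(default_factory=list)         # AAD object ids to add
    already_member: List[str] = field(default_factory=list)
    unmatched: List[str] = field(default_factory=list)      # no Intune record for the serial
    ambiguous: List[str] = field(default_factory=list)      # several Intune records share the serial
    stale_members: List[str] = field(default_factory=list)  # in the group, no source endpoint


def plan_group_sync(
    automox_devices: Iterable[AutomoxDevice],
    intune_devices: Iterable[IntuneDevice],
    current_member_ids: Iterable[str],
    automox_group: Optional[str] = None,
) -> SyncPlan:
    """Decide which Intune devices must join the Azure AD group.

    An ambiguous serial (for example a stale record left behind by a
    re-enrolment) is surfaced rather than resolved by picking one record.
    """
    plan = SyncPlan()
    source = [d for d in automox_devices
              if automox_group is None or d.group == automox_group]

    by_serial = {}
    for dev in intune_devices:
        key = normalize_serial(dev.serial)
        if key:
            by_serial.setdefault(key, []).append(dev)

    wanted = set()
    for dev in source:
        key = normalize_serial(dev.serial)
        matches = by_serial.get(key, []) if key else []
        if not matches:
            plan.unmatched.append(dev.name)
        elif len(matches) > 1:
            plan.ambiguous.append(dev.name)
        else:
            wanted.add(matches[0].azure_ad_device_id)

    members = set(current_member_ids)
    plan.to_add = sorted(wanted - members)
    plan.already_member = sorted(wanted & members)
    plan.stale_members = sorted(members - wanted)
    return plan


# Constructed sample data covering the edge cases a real sync runs into.
SAMPLE_AUTOMOX = [
    AutomoxDevice(1, "mbp-alice", "C02XYZ123ABC", "macos-pilot"),
    AutomoxDevice(2, "mbp-bob", " c02qrs456def ", "macos-pilot"),  # casing/whitespace differs
    AutomoxDevice(3, "mbp-carol", "C02LMN789GHI", "macos-pilot"),  # never enrolled in Intune
    AutomoxDevice(4, "mbp-dave", "C02DUP000DUP", "macos-pilot"),   # duplicate Intune records
    AutomoxDevice(5, "mbp-eve", "C02EVE000EVE", "macos-prod"),     # outside the filtered group
]
SAMPLE_INTUNE = [
    IntuneDevice("md-1", "C02XYZ123ABC", "aad-alice"),
    IntuneDevice("md-2", "C02QRS456DEF", "aad-bob"),
    IntuneDevice("md-4a", "C02DUP000DUP", "aad-dave-old"),
    IntuneDevice("md-4b", "C02DUP000DUP", "aad-dave-new"),
    IntuneDevice("md-5", "C02EVE000EVE", "aad-eve"),
]
SAMPLE_GROUP_MEMBERS = ["aad-alice", "aad-zombie"]


def demo_plan() -> SyncPlan:
    return plan_group_sync(SAMPLE_AUTOMOX, SAMPLE_INTUNE, SAMPLE_GROUP_MEMBERS,
                           automox_group="macos-pilot")


if __name__ == "__main__":
    p = demo_plan()
    print("add:", p.to_add, "already:", p.already_member)
    print("unmatched:", p.unmatched, "ambiguous:", p.ambiguous, "stale:", p.stale_members)
```

Running the sample adds only `aad-bob`: Alice is already a member, Carol has no Intune record, and Dave's serial appears twice in Intune and is left for an operator to resolve. Dropping the `automox_group` filter pulls Eve in as well, which is exactly the behaviour the optional filter parameter exists to prevent.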

Intune agent deployment requirements

  • macOS endpoints enrolled in Microsoft Intune

  • Azure AD App Registration with Microsoft Graph API permissions: Endpoint.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementApps.ReadWrite.All, DeviceManagementScripts.ReadWrite.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, and User.Read (delegated). The application permissions are tenant-wide (Group.ReadWrite.All, for example, covers every group, not only the target group), so treat the app registration and its client secret as privileged credentials

  • Admin consent granted for all Application permissions in Azure Portal

  • Organization secrets configured in Automox console: AX_AUTOMOX_API_KEY, AX_AUTOMOX_ORG_UUID, AX_AUTOMOX_ACCESS_KEY, AX_INTUNE_TENANT_ID, AX_INTUNE_CLIENT_ID, and AX_INTUNE_CLIENT_SECRET. The API key and client secret grant write access to both consoles; keep their values out of Worklet output and activity logs

  • WDK command-line tool installed at /usr/local/bin/wdk on the endpoint

  • Azure AD group name specified in the AAD_GROUP_NAME parameter (required)

  • Policy scoped to a single endpoint, or otherwise carefully managed, to avoid duplicate deployments: remediation creates or updates the Intune deployment policy and Azure AD group membership through the console and Graph APIs, so every endpoint that runs the Worklet repeats the same changes

Expected Intune agent deployment state

After remediation completes, the Automox Agent installation package is assigned to the specified Azure AD group through Intune. Endpoints in that group receive the agent as part of their next Intune policy refresh. The WDK command synchronizes endpoint membership between Automox and Azure AD, verifying that endpoints remain in sync as new endpoints are added to the source Automox group.

Once the agent installs successfully, the endpoint appears in the Automox console under the specified Automox group and becomes eligible for Automox-managed patching, vulnerability remediation, and compliance checks. You can verify installation by checking both the Automox console (under Endpoint Status) and Intune (under Application Status) to confirm the deployment succeeded on all targeted endpoints.

How to validate Intune Deploy macOS Automox Agent changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output to confirm the endpoint was matched by serial number and that the WDK command returned the expected result.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state with the same checks the evaluation script performs: the WDK binary at /usr/local/bin/wdk runs, and its return code (which becomes the Worklet's exit code) reports the endpoint as compliant.

  4. Confirm the remediation effects in Intune (the deployment policy, the Azure AD group membership, and the agent package assignment), then rerun the evaluation to verify it now reports compliance.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
