
macOS - Software Lifecycle - Intune Deploy macOS Automox Agent

Deploy the Automox Agent to macOS endpoints by using Microsoft Intune as the MDM delivery channel

Worklet Details

What the Intune macOS agent deployment Worklet does

This Automox Worklet™ deploys the Automox Agent to macOS endpoints by using Microsoft Intune as the delivery channel. Intune is already the MDM that reaches every enrolled Mac in your tenant. The Worklet uses that reach to install the amagent PKG on each endpoint and register the agent with your Automox organization. The Mac lands in the Automox console without an admin sitting in front of the laptop.

The Worklet calls the WDK command-line tool at /usr/local/bin/wdk with the subcommand mdm intune deploy. WDK authenticates against both the Automox API and the Microsoft Graph API in the same run. It matches macOS endpoints between the two consoles by serial number and creates or updates an Intune macOS line-of-business app named in the DEPLOYMENT_NAME parameter (default: AUTOMOX MANAGED - Automox Agent Deployment). The app is assigned to the Azure AD group named in the AAD_GROUP_NAME parameter, and the amagent PKG is bundled with your AX_AUTOMOX_ACCESS_KEY so the installer registers each endpoint with the correct Automox organization on first launch.

Macs in the target Azure AD group download the PKG on their next Intune sync and install it under the Intune Management Agent. The amagent launch daemon then registers with the Automox tenant using the embedded access key and reports as a managed endpoint within minutes. The Worklet keeps the Automox source group and the Azure AD target group in sync on every run, so endpoint membership stays accurate as Macs are added or retired. The end user never sees a prompt, never opens a browser, and never has to copy a script.

Why deploy the Automox Agent through Intune

Most macOS fleets already have Intune as the MDM of record. Adding a second deployment channel just to install one binary is extra operational work. This Worklet treats Intune as the bridge and Automox as the patch and configuration runtime that lives behind it. The amagent PKG ships through the same Intune line-of-business app workflow your team uses for every other Mac app. The AX_AUTOMOX_ACCESS_KEY embedded in the package authenticates the registration, and the Mac shows up under the correct Automox group on the next agent check-in.

Without that bridge, a freshly enrolled Mac sits in Intune-only mode until someone opens the Automox console and runs the install command as a local admin. This Worklet rides the Intune channel you already pay for and turns Intune enrollment into Automox enrollment. The next CVE patch or configuration baseline you publish in Automox lands on every Mac the same day the Mac joins the tenant.

How Intune-driven agent deployment works

  1. Evaluation phase: The Worklet runs wdk mdm intune deploy --evaluate with the configured --schedule, --name, --aad-group-name, and --platform macos arguments. WDK authenticates to Microsoft Graph with AX_INTUNE_TENANT_ID, AX_INTUNE_CLIENT_ID, and AX_INTUNE_CLIENT_SECRET, then compares the Automox source group membership against the Azure AD target group named in AAD_GROUP_NAME. WDK exits 10 when the two groups are out of sync or the Intune deployment policy is missing, which the script translates to exit 1 so the policy queues remediation. Any other exit code, including 0, is treated as compliant.

  2. Remediation phase: The script runs wdk mdm intune deploy --remediate with the same arguments. WDK creates or updates the Intune macOS line-of-business app for the amagent PKG, packaging it with AX_AUTOMOX_ACCESS_KEY so the installer registers each Mac with your tenant. It creates the Azure AD group named in AAD_GROUP_NAME if it does not exist, then adds the matched Azure AD device objects to that group so Intune assigns the app on the next sync. Output is captured in OUTPUT and printed to stdout on success or stderr on failure by the cleanup trap, and the script exits with the WDK exit code.
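The two phases above, written out as a Bash wrapper around the WDK command line. This is an added example, not the Worklet's own script: the `wdk mdm intune deploy` flags, the exit-code mapping, and the policy-input names are taken from the description, while `WDK_BIN`, `SCHEDULE` (the page names `--schedule` but not its value) and the `script evaluate|remediate` calling convention are assumptions.

```bash
#!/bin/bash
# Added example, not the Worklet's own script. WDK_BIN and SCHEDULE are assumed
# names; the wdk flags and policy-input names are the ones the page lists.
set -u
WDK_BIN="${WDK_BIN:-/usr/local/bin/wdk}"
DEPLOYMENT_NAME="${DEPLOYMENT_NAME:-AUTOMOX MANAGED - Automox Agent Deployment}"
SCHEDULE="${SCHEDULE:-daily}"   # assumption: the page names --schedule, not its value
OUTPUT=""
# Fail fast when a required policy input is missing (report names, never values).
require_inputs() {
  local v missing=""
  for v in AX_AUTOMOX_API_KEY AX_AUTOMOX_ORG_UUID AX_AUTOMOX_ACCESS_KEY \
           AX_INTUNE_TENANT_ID AX_INTUNE_CLIENT_ID AX_INTUNE_CLIENT_SECRET \
           AAD_GROUP_NAME; do
    [ -n "${!v:-}" ] || missing="$missing $v"
  done
  [ -z "$missing" ] && return 0
  echo "Missing policy inputs:$missing" >&2
  return 2
}
# Run one WDK phase (--evaluate or --remediate), capture all output in OUTPUT,
# and return WDK's own exit code.
run_wdk() {
  local rc=0
  OUTPUT="$("$WDK_BIN" mdm intune deploy "$1" --schedule "$SCHEDULE" \
    --name "$DEPLOYMENT_NAME" --aad-group-name "$AAD_GROUP_NAME" \
    --platform macos 2>&1)" || rc=$?
  return "$rc"
}
# Evaluation: only WDK exit 10 (groups out of sync or Intune policy missing)
# becomes exit 1 so remediation is queued; any other code, including 0, is compliant.
evaluate_phase() {
  local rc=0
  run_wdk --evaluate || rc=$?
  [ "$rc" -ne 10 ]
}
# Remediation: WDK's exit code is passed through unchanged.
remediate_phase() { run_wdk --remediate; }
# EXIT trap: OUTPUT goes to stdout on success, stderr on failure; status is kept.
print_output() {
  local rc=$?
  if [ "$rc" -eq 0 ]; then printf '%s\n' "$OUTPUT"; else printf '%s\n' "$OUTPUT" >&2; fi
  exit "$rc"
}
# Act only when invoked as `script evaluate|remediate`; no argument defines functions only.
case "${1:-}" in
  evaluate)  trap print_output EXIT; require_inputs && evaluate_phase ;;
  remediate) trap print_output EXIT; require_inputs && remediate_phase ;;
esac
```

Run it as `bash deploy.sh evaluate` from the policy's evaluation step and `bash deploy.sh remediate` from its remediation step; the trap prints WDK's captured output on whichever stream matches the exit status.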

Automox and Intune integration requirements

  • macOS endpoint enrolled in Microsoft Intune; Intune must be the macOS MDM so the line-of-business app assignment can reach the target Macs

  • Azure AD App Registration with Microsoft Graph API Application permissions: Device.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementApps.ReadWrite.All, DeviceManagementScripts.ReadWrite.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, and User.Read (Delegated)

  • Admin consent granted for the Application permissions in the Azure portal so WDK can call Microsoft Graph unattended

  • Organization secrets defined in the Automox console and added as policy inputs with exact names: AX_AUTOMOX_API_KEY, AX_AUTOMOX_ORG_UUID, AX_AUTOMOX_ACCESS_KEY, AX_INTUNE_TENANT_ID, AX_INTUNE_CLIENT_ID, and AX_INTUNE_CLIENT_SECRET

  • WDK command-line tool installed at /usr/local/bin/wdk on the endpoint running the policy

  • AAD_GROUP_NAME parameter set on the policy to the Azure AD group that will receive the Intune assignment; the group will be created if it does not exist

  • Optional AUTOMOX_GROUP parameter set to the Automox source group whose membership should be mirrored into the AAD group; leave blank to skip group-based filtering

  • Policy scoped to a single endpoint, as required by the script header; the WDK run performs tenant-wide sync work and scoping to multiple endpoints may produce unintended behavior

  • Outbound HTTPS access from the endpoint running the policy to console.automox.com and graph.microsoft.com so WDK can reach the Automox API and the Microsoft Graph API

Expected Automox and Intune enrollment state after deployment

After remediation, the Intune macOS line-of-business app named by DEPLOYMENT_NAME exists in your Intune tenant, packages the amagent PKG with your AX_AUTOMOX_ACCESS_KEY, and is assigned to the Azure AD group named in AAD_GROUP_NAME. Macs in that group install the package on their next Intune sync, and the amagent launch daemon registers with the Automox tenant using the embedded access key. The next Worklet evaluation finds the Automox source group and the Azure AD target group in sync, WDK exits 0, and the script exits compliant until a new Mac enrolls or the source group membership changes.

Validate from three sides. In the Automox console, new Macs appear under the configured Automox group within minutes of the agent registering. In the Intune admin center, the line-of-business app named by DEPLOYMENT_NAME shows the AAD group assignment and reports per-endpoint installation status. On the Mac itself, the install timestamp appears in /var/log/install.log for the amagent package identifier, and the running amagent process confirms the agent is active. The Intune install log and the Automox console check-in together prove the agent landed in-band through the Intune bridge.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.