Linux - Maintenance Tasks - Upgrade Automox Agent

What the Automox Agent upgrade Worklet does

This Automox Worklet™ performs a complete upgrade of the Automox Agent on Linux endpoints by uninstalling the existing version and installing the latest available release. The Worklet automates the entire process, checking the current installed version against the latest version available in the Automox console.

The Worklet retrieves the latest available agent version from https://console.automox.com/api/info by querying the agent_version field. It compares this version to the currently installed version by running /opt/amagent/amagent version on your endpoint. If versions match, the Worklet exits without making changes. If they differ, the Worklet schedules three sequential cron jobs: one to uninstall the old agent, another to install the new version, and a cleanup job to remove temporary files and cron entries.

By using cron for the actual upgrade operations, the Worklet avoids interrupting the Automox Agent's process while it performs upgrades. The evaluation phase (version comparison) happens immediately, while remediation (install and uninstall) is scheduled for one to five minutes in the future, allowing proper timing for the agent lifecycle.

Why keep the Automox Agent current

Running outdated Automox agents creates management blind spots and security vulnerabilities. When your fleet runs mixed agent versions, some endpoints may not support new platform features or may fail to report status correctly. Automox Agent updates deliver security patches, performance improvements, and access to new Automox features. Outdated agent versions may lack critical security fixes or support for new Automox platform capabilities. Keeping your fleet on the latest agent version ensures your endpoints receive the most current threat protection and operational improvements.

Automated agent upgrades reduce your operations team's manual workload. Rather than coordinating version updates across your Linux estate manually, the Worklet handles detection and deployment automatically. This approach eliminates version drift across your fleet and maintains consistent agent functionality across all Linux endpoints.

Regular agent updates maintain compatibility with Automox console APIs and backend services. As the Automox platform evolves, agents must be updated to maintain full compatibility. Using this Worklet ensures your endpoints stay in sync with your Automox subscription features and console updates.

How the agent upgrade process works

1. Evaluation phase: The Worklet queries https://console.automox.com/api/info to retrieve the latest available Automox Agent version. It then runs /opt/amagent/amagent version on your endpoint with a five-second timeout to retrieve the currently installed version. The Worklet compares both versions. If they match, the evaluation exits with code 0 (no remediation needed) and logs "This system is already using the latest version of the Automox Agent." If versions differ or the current version cannot be determined (old verification methods), the evaluation exits with code 1, signaling that remediation should proceed.

2. Remediation phase: The Worklet first re-confirms the installed and latest versions match the evaluation results. If confirmed for upgrade, it detects your endpoint's package manager (yum for RPM-based systems like Red Hat and CentOS, apt for Debian-based systems like Ubuntu, or zypper for SUSE). It then creates three shell scripts in /var/tmp: uninstall_automox_agent.sh (which runs systemctl stop amagent, /opt/amagent/amagent --deregister, and the appropriate package manager erase command), install_automox_agent.sh (which downloads and executes the installer using your Automox access key from https://console.automox.com/downloadInstaller), and automox_reinstall_worklet_cleanup.sh (which removes temporary files and associated cron entries). The Worklet creates a temporary crontab file, appends these three jobs to run at one, three, and five minutes in the future, and installs the modified crontab for the root user. The Worklet then exits, allowing cron to execute the upgrade operations automatically.

Agent upgrade requirements

• Linux endpoint running Automox Agent version 1.40.0 or higher (older versions use outdated verification methods that the Worklet detects and handles)

• Supported package managers: yum (Red Hat, CentOS, Fedora), apt (Ubuntu, Debian), or zypper (SUSE Linux Enterprise)

• Outbound internet connectivity to https://console.automox.com/api/info and https://console.automox.com/downloadInstaller

• Root or sudo access to manage cron jobs, stop the amagent service, and run package manager commands

• Automox access key configured as a secret input (required for the installer to register the upgraded agent with your Automox zone)

• Available storage space in /var/tmp for temporary script files (less than 1MB required)

• Working cron daemon (cron service running and properly configured for root user)

Expected agent state after upgrade

After the upgrade completes, your Linux endpoint will be running the latest available version of the Automox Agent and will reconnect to the Automox console with the updated version number. The Worklet creates a two-line status message in the Automox Activity Log indicating the old version and the new version that was installed. Verification in the Automox console will show the updated agent version for your endpoint within five minutes after the cron jobs complete, assuming all three scheduled operations execute successfully.

You can verify the upgrade by checking the agent version on your endpoint using the command /opt/amagent/amagent version. The Worklet's temporary files and cron entries are automatically removed after five minutes, leaving no residual configuration changes on your system. If any operation fails (for example, if the Automox access key is missing or incorrect), the cron job that fails will log an error, but subsequent cron jobs will still execute as scheduled. Review your endpoint's Activity Log and cron job output (if logging is configured) to troubleshoot any failed upgrade operations.

How to validate upgrade automox agent changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for upgrade automox agent.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as function, /opt/amagent/amagent, break.

4. Validate remediation effects from script operations such as source, function, elif, then rerun evaluation for compliance.