M1 Secure Token Check

What the M1 Secure Token Check Worklet does

This Automox Worklet™ audits secure token status on Apple Silicon Macs, reporting whether the Automox Service Account and the currently logged-in user both have secure tokens enabled. Secure tokens are critical on M1 endpoints because they enable the service account to perform privileged operations and complete elevated remediation tasks.

The Worklet performs three checks in sequence. First, it verifies the endpoint is running ARM64 architecture (M1 or newer). Second, it checks if the current user has a secure token. Third, it validates whether the Automox Service Account (_automoxserviceaccount) exists and has secure token enabled.

Why verify secure tokens on M1 endpoints

Secure tokens are essential for Automox to function properly on M1 Macs. Without a secure token on the service account, the Worklet cannot perform remediation tasks that require elevated privileges. This includes system configurations, security patches, software installations, and other administrative operations.

By regularly auditing secure token status, you can identify endpoints where the service account lacks proper credentials before critical updates need to be deployed. This prevents remediation failures and keeps your IT operations maintain consistent security posture across all Apple Silicon endpoints.

How M1 secure token verification works

1. Evaluation phase: The Worklet verifies the endpoint is an M1 Mac by checking processor architecture (arm64). It then uses sysadminctl to query secure token status for both the current user and the Automox Service Account. The script checks for account existence and reports the current secure token state without making any changes.

2. Remediation phase: This Worklet is informational only and does not perform remediation. It reports findings to the Automox console where IT administrators can review secure token status and take manual action if needed to enable the token on the service account.

M1 secure token check requirements

• M1 Mac or newer Apple Silicon endpoint (ARM64 architecture)

• macOS 11 or later with sysadminctl utility available

• Automox agent installed and running with appropriate permissions

• RunNow capability enabled for manual execution on specific endpoints

Expected secure token verification results

After execution, the Worklet reports one of three outcomes. If the Automox Service Account has secure token enabled, the Worklet completes successfully and reports "The Automox Service account has Secure token enabled. No further action is required." If the service account lacks a secure token, the Worklet exits with an error status and reports "The Automox Service account does not have Secure token enabled." If the Automox Service Account does not exist on the endpoint, the Worklet fails and alerts you to provision the account first.

You can use these results to identify which M1 endpoints require secure token provisioning before deploying other Worklets. Contact your Apple system administrator or IT security team to enable the secure token on the _automoxserviceaccount if needed. The current user's secure token status is also reported for reference, though it is not required for Automox operations.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for m1 secure token check. This supports repeatable system preferences workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as function, errMessage, exit. Use these indicators to verify that endpoint changes match intended policy outcomes.