Configuring the Service Account for macOS Patch Management on Apple Silicon

Satyam

Last Update 6 months ago

Managing macOS system updates on Apple Silicon devices requires one essential prerequisite: a local service account with Secure Token privileges.

This is a one-time mandatory configuration that enables the SecOps Agent to apply OS updates, perform rebootable patches, and securely manage the full macOS patching lifecycle.


This guide explains:
  • Why the service account is required
  • How to enable it during installation
  • How to configure it for bulk deployments
  • How to enable it later if you missed it during install
  • How to validate the configuration
  • Troubleshooting and best practices

1. Overview

On Apple Silicon devices, macOS restricts system updates to accounts that hold a Secure Token.

To comply with these requirements, the SecOps Agent creates and uses a dedicated local account:

Service Account Name: SecOpsMacServiceAccount

Granting Secure Token to this account is required before macOS OS patches can be deployed.

This setup is performed once per device. After enabling it, you can manage OS patching normally through the SecOps platform.

2. Why Apple Silicon Requires a Service Account

Apple Silicon introduces stricter security controls for system updates.
Reboot-requiring OS updates can only be executed by an account that is:

  • A local administrator
  • Holding an active Secure Token
  • Able to authenticate locally on the device

Since the patching workflow needs to perform these actions programmatically, a dedicated secured service account is required.

The SecOps Agent automates this, but only after you authorize it using an existing Secure Token-enabled admin account.

3. When You Need to Configure the Service Account

You must perform this configuration in ANY of the following scenarios:

  • During interactive (CLI) installation
    The installer prompts you to enter an administrator username and password.
    This admin must already have Secure Token on the device.

  • During silent bulk deployment
    You provide admin credentials as install parameters.

  • After installation (post-deployment)
    If you installed the agent earlier without enabling the service account,
    you can enable it at any time using a utility command.
    This allows complete flexibility for organizations deploying the agent in phases.

4. Method 1: Enable During Interactive CLI Installation

When installing the agent through the interactive CLI installer, the agent will automatically request:

  • Admin Username (must have Secure Token)
  • Admin Password

This information is used only once to create the SecOpsMacServiceAccount and grant it Secure Token.

After completion, the service account is ready to manage OS updates.

5. Method 2: Silent Installation for Bulk Deployments

For large-scale deployments using MDM, RMM, or other automation tools, you can configure the service account using the silent installation mode.

Silent Install Usage:

/silent <license_key> [base_url] [admin_username] [admin_password]

  • license_key → required
  • base_url → optional
  • admin_username → existing Secure Token-enabled admin
  • admin_password → password for the admin

Example:

/silent ABCD-1234-XXXX adminuser adminPassword123

Note that the parameters are positional and [base_url] precedes [admin_username] in the usage line; when you omit base_url, as in the example above, verify on a test device that the installer picks up the admin credentials as intended before rolling out in bulk.

6. Enabling the Service Account After Installation (Post-Deployment Utility)

If the agent is already installed but the service account was not configured,
you can enable it anytime without reinstalling the agent.

Command:

sudo /opt/SecOpsAgent/SecOpsMacArmServiceAccountUtility \
  --admin_username <admin_user_with_secure_token> \
  --admin_password <password>

Example:

sudo /opt/SecOpsAgent/SecOpsMacArmServiceAccountUtility \
  --admin_username macadmin \
  --admin_password Admin@123

This command:

  • Creates (or repairs) the SecOpsMacServiceAccount
  • Grants it Secure Token
  • Prepares the device for OS patching workflows

You can run this through:

  • Shell scripts
  • MDM commands
  • Automation tools
  • Remote execution frameworks


7. Validating Service Account Configuration

After a scan, you can verify the configuration in two ways:

A. Validate From the SecOps Platform UI

Open the asset → Asset Details → Service Account Status.

When successfully configured:

Service Account: Enabled

If there is an issue:

Service Account: Disabled


B. Validate Directly on macOS

Run the Secure Token status command:

sudo sysadminctl -secureTokenStatus SecOpsMacServiceAccount

Expected output should indicate:

Secure Token is ENABLED for user SecOpsMacServiceAccount
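The following script, added here as an example and not part of the SecOps Agent, combines the post-deployment utility from section 6 with the on-device check from section 7 into one idempotent MDM job: it only runs the utility when the service account does not yet hold a Secure Token, and re-validates afterwards so the job's exit status reflects the real state. The environment variable names SECOPS_ADMIN_USER and SECOPS_ADMIN_PASSWORD are this script's own assumption; the utility path, flags and account name are those documented above.

```shell
#!/bin/sh
# Constructed example (not SecOps Agent code): idempotent enable-and-verify
# job for the SecOpsMacServiceAccount on Apple Silicon devices.
SERVICE_ACCOUNT="SecOpsMacServiceAccount"
UTILITY="/opt/SecOpsAgent/SecOpsMacArmServiceAccountUtility"

# Classify the output of sysadminctl -secureTokenStatus as enabled, disabled
# or unknown. Matching is case-insensitive because macOS prints the line as
# "Secure token is ENABLED for user ..." and writes it to stderr.
secure_token_state() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *"secure token is enabled for user"*)  echo enabled ;;
    *"secure token is disabled for user"*) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Live query; 2>&1 captures the stderr line sysadminctl emits.
current_state() {
  secure_token_state "$(sudo sysadminctl -secureTokenStatus "$SERVICE_ACCOUNT" 2>&1)"
}

# Runs the documented utility. Credentials come from the environment (assumed
# variable names) so they are never hard-coded in a script pushed via MDM.
enable_service_account() {
  [ -n "${SECOPS_ADMIN_USER-}" ] && [ -n "${SECOPS_ADMIN_PASSWORD-}" ] || {
    echo "SECOPS_ADMIN_USER and SECOPS_ADMIN_PASSWORD must be set" >&2; return 2; }
  sudo "$UTILITY" \
    --admin_username "$SECOPS_ADMIN_USER" \
    --admin_password "$SECOPS_ADMIN_PASSWORD"
}

main() {
  state=$(current_state)
  if [ "$state" = enabled ]; then
    echo "Service account already has Secure Token; nothing to do"; return 0
  fi
  enable_service_account || return 1
  # Re-validate: the exit status is what the MDM job reports back.
  state=$(current_state)
  [ "$state" = enabled ] && { echo "Service account enabled"; return 0; }
  echo "Service account still $state after running the utility" >&2
  return 1
}

# Only act when invoked with "run", so the functions can be sourced or tested.
if [ "${1-}" = run ]; then main; fi
```

Because the utility accepts the password as a command-line argument, it is briefly visible in the process list while the utility runs; use a dedicated admin credential for the rollout and rotate it once all devices report Service Account: Enabled.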
