Script Signing FAQs

Basics

Question

Answer

Who can opt in to Script Signing?

Global Administrators and Organization Administrators can opt-in to Script Signing.

What plans include Script Signing?

All Automox pricing plans include Script Signing.

Certificate Management, Distribution, and Auditing

Question

Answer

How are the signing certificates managed?

Automox manages certificate creation, history, and roll back (if needed).

What are the specifications of the signing certificates?
  • Certificates are self-signed, with RSA 2048 bit encryption and SHA 256 hash key.
  • The private key is stored encrypted.

How often are the certificates renewed and rotated?

Automox renews and rotates the certificates annually.

How are the certificates distributed to my Automox devices?

Once you have opted-in and set the signing policy for your organizations, the certificates are distributed to the devices via a system script that is triggered by device scan.

Is there an audit trail?

There is internal auditing data, to track who did what, where and when.

What should I do if a certificate has been compromised?

Contact Automox Support if you are having trouble manually installing the certificate, resigning scripts, and removing the old certificate.

What should I do if a certificate has been tampered with or removed?

The certificate can be uninstalled by an end user, script, or other service. If the device is using an elevated execution policy when this happens, scripts might not execute on the compromised device.

  • If the device is in Default (Bypass): No impact to script execution.
    • The certificate will be reinstalled during the next device scan, with no impact to running scripts.
  • If the device is in AllSigned or RemoteSigned: Script execution will be impacted.
    • Manually revert the device to Default (Bypass), wait for the scan to reinstall the certificate, then return device to RemoteSigned or AllSigned execution policy.
    • Or, you can leave the device in an elevated state, copy the certificate from another device, and manually install the certificate on the affected device.

If the Automox certificate is the one that’s removed, using Automox Remote Control is not an option for connecting to a device that is in an AllSigned or RemoteSigned state.