diff --git a/etc/taskcluster/macos/README.md b/etc/taskcluster/macos/README.md index 54252cc2f9e..0e5b1633701 100644 --- a/etc/taskcluster/macos/README.md +++ b/etc/taskcluster/macos/README.md @@ -1,7 +1,7 @@ # macOS -Servo’s macOS workers for Taskcluster are configured with -SaltStack in [agentless] mode. +This is the configuration for the `proj-servo/macos` worker type. +These macOS workers are configured with SaltStack in [agentless] mode. [agentless]: https://docs.saltstack.com/en/getstarted/ssh/index.html @@ -15,6 +15,25 @@ cd etc/taskcluster/macos ./salt-ssh '*' state.apply test=True ``` +## Servers + +Servers are provisioned manually from MacStadium. +The `config/roster` file lists them by DNS name. + + +## Taskcluster secrets + +This SaltStack configuration has a custom module that uses Taskcluster’s +[secrets service](https://tools.taskcluster.net/secrets/). +These secrets include an [authentication token]( +You’ll need to authenticate with a Taskcluster client ID +that has scope `secrets:get:project/servo/*`. +This should be the case if you’re a Servo project administrator (the `project-admin:servo` role). + + ## Worker’s client ID -`project/servo/worker/macos/1` \ No newline at end of file +Workers are configured to authenticate with client ID +[`project/servo/worker/macos/1`]( +https://tools.taskcluster.net/auth/clients/project%2Fservo%2Fworker%macos%2F1). +This client has the scopes required to run tasks for this worker type. \ No newline at end of file diff --git a/etc/taskcluster/macos/Saltfile b/etc/taskcluster/macos/Saltfile index ee77404e3dc..7298fc32ef7 100644 --- a/etc/taskcluster/macos/Saltfile +++ b/etc/taskcluster/macos/Saltfile @@ -1,3 +1,3 @@ salt-ssh: config_dir: ./config - state_verbose: False \ No newline at end of file + state_verbose: False diff --git a/etc/taskcluster/macos/config/master b/etc/taskcluster/macos/config/master index cf59c94f2a9..50c5179d539 100644 --- a/etc/taskcluster/macos/config/master 
+++ b/etc/taskcluster/macos/config/master @@ -1,4 +1,7 @@ root_dir: .salt file_roots: base: - - states \ No newline at end of file + - states +extension_modules: ../modules +ext_pillar: + - taskcluster_secrets: diff --git a/etc/taskcluster/macos/config/roster b/etc/taskcluster/macos/config/roster index ddfe7089497..ed11c2b8530 100644 --- a/etc/taskcluster/macos/config/roster +++ b/etc/taskcluster/macos/config/roster @@ -1,2 +1,7 @@ mac1: - host: servo-tc-mac1.servo.org \ No newline at end of file + host: servo-tc-mac1.servo.org + + # https://github.com/saltstack/salt/issues/50477 + minion_opts: + providers: + user: mac_user diff --git a/etc/taskcluster/macos/modules/pillar/taskcluster_secrets.py b/etc/taskcluster/macos/modules/pillar/taskcluster_secrets.py new file mode 100644 index 00000000000..49229f73a4d --- /dev/null +++ b/etc/taskcluster/macos/modules/pillar/taskcluster_secrets.py @@ -0,0 +1,16 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import os +import sys +sys.path.append(os.path.join(os.path.dirname(__file__), "..", "..", "..", "packet.net")) +import tc + + +def ext_pillar(_minion_id, _pillar, *_args): + tc.check() + data = {} + data.update(tc.secret("project/servo/tc-client/worker/macos/1")) + data.update(tc.secret("project/servo/livelog-secret/1")) + return data diff --git a/etc/taskcluster/macos/salt-ssh b/etc/taskcluster/macos/salt-ssh index 5a6439a18e2..b68cdf92c7f 100755 --- a/etc/taskcluster/macos/salt-ssh +++ b/etc/taskcluster/macos/salt-ssh @@ -11,4 +11,4 @@ set -o pipefail cd "$(dirname $0)" VENV_BIN="../../../python/_virtualenv/bin" [ -x "${VENV_BIN}/salt-ssh" ] || "${VENV_BIN}/pip" install salt-ssh -"${VENV_BIN}/salt-ssh" "${@}" \ No newline at end of file +"${VENV_BIN}/salt-ssh" "${@}" 
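Review bot: The `ext_pillar` entry `- taskcluster_secrets:` carries no value and nothing in this file says what the pillar ends up providing or that rendering it pulls secrets from Taskcluster with the operator's own credentials, so a reader of the master config has to go find the module to learn why a plain `state.apply` can fail on authentication. A comment above the entry would make that visible: `# pillar keys read by the states (client_id, access_token, livelog_secret) are fetched from Taskcluster at render time; see ../modules/pillar/taskcluster_secrets.py`. Whether `extension_modules: ../modules` is resolved relative to `root_dir: .salt` or to the config directory is not visible here and is worth confirming before relying on it.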
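Review bot: The two `data.update(...)` calls let a key from `project/servo/livelog-secret/1` silently overwrite one from `project/servo/tc-client/worker/macos/1`, so a change to either secret's payload could swap a credential in the rendered pillar without any error. Fetch the second secret into its own name and refuse overlap before merging: `extra = tc.secret("project/servo/livelog-secret/1")`, `if set(data) & set(extra): raise ValueError("overlapping keys in Taskcluster secrets")`, then `data.update(extra)`. `ext_pillar` also has no docstring; one stating that the returned mapping becomes pillar for every minion (the minion id and existing pillar are ignored) and that `tc.check()` presumably verifies the operator's Taskcluster credentials would help the next reader. The `sys.path.append` at import time reaches into `../../../packet.net` for `tc`; a comment such as `# reuse the Taskcluster client helper from the packet.net configuration` would name that cross-directory dependency.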
diff --git a/etc/taskcluster/macos/states/generic-worker.sls b/etc/taskcluster/macos/states/generic-worker.sls index a832d949596..c7d628dc1d8 100644 --- a/etc/taskcluster/macos/states/generic-worker.sls +++ b/etc/taskcluster/macos/states/generic-worker.sls @@ -1,5 +1,6 @@ {% set bin = "/usr/local/bin" %} -{% set keyfile = "/etc/generic-worker/key" %} +{% set user = "worker" %} +{% set home = "/Users/" + user %} {{ bin }}/generic-worker: file.managed: @@ -16,21 +17,76 @@ - mode: 755 - makedirs: True -/etc/generic-worker/config.json: +{{ user }}: + user.present: + - home: {{ home }} + +# `user.present`’s `createhome` is apparently not supported on macOS +{{ home }}: + file.directory: + - user: {{ user }} + +{{ home }}/config.json: file.serialize: - makedirs: True + - user: {{ user }} - mode: 600 - show_changes: False - formatter: json - dataset: provisionerId: proj-servo workerType: macos - workerId: servo-macos-1 - clientId: project/servo/worker/macos/1 + workerGroup: servo-macos + workerId: mac1 + tasksDir: {{ home }}/tasks publicIP: {{ salt.network.ip_addrs()[0] }} - signingKeyLocation: {{ keyfile }} + signingKeyLocation: {{ home }}/key + clientId: {{ pillar["client_id"] }} + accessToken: {{ pillar["access_token"] }} + livelogSecret: {{ pillar["livelog_secret"] }} -generic-worker new-openpgp-keypair --file {{ keyfile }}: +{{ bin }}/generic-worker new-openpgp-keypair --file {{ home }}/key: cmd.run: - - creates: {{ keyfile }} - - prepend_path: {{ bin }} + - creates: {{ home }}/key + - runas: worker + +/Library/LaunchAgents/net.generic.worker.plist: + file.managed: + - mode: 644 + - template: jinja + - contents: >- + + + + + Label + net.generic.worker + + ProgramArguments + + {{ bin }}/generic-worker + run + --config + config.json + + + KeepAlive + + + WorkingDirectory + {{ home }} + + UserName + {{ user }} + + StandardOutPath + stdout.log + + StandardErrorPath + stderr.log + + + +net.generic.worker: + service.running: + - enable: True 
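Review bot: `- runas: worker` in the `new-openpgp-keypair` state hard-codes the account that every other line of this hunk derives from `{{ user }}`, so renaming the account in the first hunk would leave the key generated under the wrong user; `- runas: {{ user }}` keeps the two in step. The signing key at `{{ home }}/key` gets whatever permissions generic-worker applies on creation, whereas `config.json` is pinned to `mode: 600` and `user: {{ user }}`; if the key is meant to be owner-only as well, a `file.managed` state on it that manages attributes only (below) would make that explicit. The plist is installed under `/Library/LaunchAgents` yet carries a `UserName` key, which launchd.plist(5), as I read it, honours only for jobs in the privileged system domain (`/Library/LaunchDaemons`); if the worker must run as `{{ user }}` regardless of who is logged in, the daemons directory is the matching location, and if a logged-in GUI session is required for tasks, a comment saying so would spare the next reader the same question.
```yaml
{{ bin }}/generic-worker new-openpgp-keypair --file {{ home }}/key:
  cmd.run:
    - creates: {{ home }}/key
    - runas: {{ user }}

# Pin the signing key to the worker account and owner-only access; no
# source/contents, so only ownership and mode are managed.
{{ home }}/key:
  file.managed:
    - user: {{ user }}
    - mode: 600
    - replace: False
    - require:
      - cmd: {{ bin }}/generic-worker new-openpgp-keypair --file {{ home }}/key

# … unchanged: LaunchAgent plist and net.generic.worker service …
```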
diff --git a/etc/taskcluster/packet.net/README.md b/etc/taskcluster/packet.net/README.md index edbb5897833..408a28ba329 100644 --- a/etc/taskcluster/packet.net/README.md +++ b/etc/taskcluster/packet.net/README.md @@ -39,7 +39,7 @@ This should be the case if you’re a Servo project administrator (the `project- ## Worker’s client ID Workers are configured to authenticate with client ID -[project/servo/worker/docker-worker-kvm/1]( +[`project/servo/worker/docker-worker-kvm/1`]( https://tools.taskcluster.net/auth/clients/project%2Fservo%2Fworker%2Fdocker-worker-kvm%2F1). This client has the scopes required to run docker-worker as well as for tasks that we run on this worker type. \ No newline at end of file