PR 8773 and PR 677 resulted in removing the ability to obtain the "secret" required for remotely launching agents.  The secret was previously passed via the jnlpUrl.  Currently the only method of obtaining the secret is from the agent launch page jenkinsci remoting inbound-agent.md) or programmatically as an administrator.  There is no other mechanism for the agent to authenticate when using websockets.

The secret can now only be obtained by running a script, but only administrators can run scripts through a rest api. There needs to be a mechanism where the secret can be obtained programmatically (via the rest api) by a user with Agent Create or Agent Connect permissions.
 
jenkins.model.Jenkins.getInstance().getComputer("{node.name}").getJnlpMac()