# fleet
m
Hi all - I would like to see about rotating our FleetDM (community edition) enrollment key - what would be the best way to go about that?
k
Hi @Mike S.! You can add your new enrollment secret, then deploy a new version of fleetd (or update your osquery flags if using plain osquery) with the new secret. Once all hosts have the new secret in place, delete the existing one.
m
Hi @Kathy Satterlee! Just to make sure I've got the process right in my head here:
1. Add a new secret in the FleetDM web UI
2. Create new MSI/DEB/PKG installers using FleetCTL
3. Deploy the packages to the workstations using the method I've been using (script using Workspace One)
4. Once that's good, delete the old enroll secret.
Would I need to uninstall the existing packages, or can I just install over them?
k
That looks spot on, @Mike S. You should be fine to install over the existing package.
m
Awesome, thank you!
One more question: Is there a way to verify which users are using which enrollment key?
k
By default, the enroll secret is moved to the keychain on Mac or the Credential store on Windows, which is not able to be queried. With Linux, it's written in /opt/orbit/secret.txt
f
If you are using Fleet as an MDM for Apple devices, and you rotate the enrolment token, how does it affect subsequent SCEP renewals, since it looks like the enrolment token is used as the challenge password?
k
I don't believe that's the case @f487hf, taking a look at that.