Am I correct in thinking that adding MacOS host to Fleet requires a TLS Cert trusted by the Mac, regardless of if it’s build with the launcher or otherwise?

No, you can use any cert as long as the CN or SAN matches with

--server_tls_certs

in osquery.

Yeah, new to fleet, so it’s still using the in-box *.your-server.de cert, which obviously doesn’t have the server name in the CN or SAN

Yeah, typically it makes sense to generate a self-signed cert with the matching CN/SAN and then use the

--server_tls_certs

option.

The --insecure flag didn’t seem to make a difference, fwiw.

--insecure_transport

maybe? I can't remember why those are separate nor which is the correct to use in this scenario

Probably easier just to make the self-signed certificate, then.