Hello, we want to use Fleet Teams to segregate our customers. After we create a Fleet Team by API, how can we distribute the

team's enroll_secret

to installer? I’m looking for a way that can be done automatically without manually running again

fleetctl package

with the

team's enroll_secret

. I thought about having a universal installer WITHOUT enroll_secret. During the installation, it will ask Fleet server or one of our servers for the device’s actual team enroll_secret. Will that work? Any other better approaches?

You can just save it as a text file named secret.txt and save it in the same location as the flags file

So when a person run the universal installer, how do we serve that person’s specific flag file to him? If the flag file is the same link, that means everyone who uses the installer will get the same enroll_secret?

Let me look into a couple of options for you on this. Can you fill me in a little on the “why” behind not wanting to create a unique installer for each team?

@Kathy Satterlee Thanks! We can create a unique installer per team. But this will requires manually create installer by our team and upload to our S3 server. I want the user experience great so when a new team is created, we want to show up the installer for them to download right away. We plan to use Fleet Team to serve our customers who are different companies. And our system is a SaaS app.

That makes complete sense to me! My immediate thought is to: 1. Set up a database to track new devices that will be added to fleet and map them to the team they belong to. 2. Upload an installer with the generic enrollment secret for the Fleet instance. 3. Set up a script that periodically uses the REST API to see if there are hosts that have not yet been assigned to a team and then transfer them to the correct team using the database set up in step 1. I'm reaching out to the team to see if there's a more streamlined solution.

1. Upload an installer with the generic enrollment secret for the Fleet instance.

But how do we know a Fleet instance belongs to which team? The device information is only retrieved when the Orbit agent is installed so we can not know beforehand which device belongs to which team.

With this option, you'd definitely need the client to provide you with the UUID or another identifier so that you could track which team a device should be added to after enrolling.

I see. Please help to consult the Fleet team to see if there are better approaches. I feel Fleet Team enroll secret can be retrieved by API is the best option.

Chatting with engineering now.

@Kathy Satterlee Yes, that’s what we’re looking for. Are those APIs ready?