Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Angelo
07/10/2022, 10:49 PMHello, we want to use Fleet Teams to segregate our customers. After we create a Fleet Team by API, how can we distribute the
team's enroll_secretfleetctl packageteam's enroll_secretm
Mystery Incorporated
07/11/2022, 12:34 AMYou can just save it as a text file named secret.txt and save it in the same location as the flags file
a
Angelo
07/11/2022, 4:32 AMSo when a person run the universal installer, how do we serve that person’s specific flag file to him? If the flag file is the same link, that means everyone who uses the installer will get the same enroll_secret?
k
Kathy Satterlee
07/11/2022, 3:33 PMLet me look into a couple of options for you on this. Can you fill me in a little on the “why” behind not wanting to create a unique installer for each team?
a
Angelo
07/11/2022, 5:05 PM@Kathy Satterlee Thanks! We can create a unique installer per team. But this will requires manually create installer by our team and upload to our S3 server. I want the user experience great so when a new team is created, we want to show up the installer for them to download right away.
We plan to use Fleet Team to serve our customers who are different companies. And our system is a SaaS app.
k
Kathy Satterlee
07/11/2022, 6:01 PMThat makes complete sense to me! My immediate thought is to:
1. Set up a database to track new devices that will be added to fleet and map them to the team they belong to.
2. Upload an installer with the generic enrollment secret for the Fleet instance.
3. Set up a script that periodically uses the REST API to see if there are hosts that have not yet been assigned to a team and then transfer them to the correct team using the database set up in step 1.
I'm reaching out to the team to see if there's a more streamlined solution.
Slight addendum to 2 up there: You'll need multiple installers if you're supporting multiple operating systems.
a
Angelo
07/11/2022, 6:27 PM1. Upload an installer with the generic enrollment secret for the Fleet instance.But how do we know a Fleet instance belongs to which team? The device information is only retrieved when the Orbit agent is installed so we can not know beforehand which device belongs to which team.
k
Kathy Satterlee
07/11/2022, 6:40 PMWith this option, you'd definitely need the client to provide you with the UUID or another identifier so that you could track which team a device should be added to after enrolling.
a
Angelo
07/11/2022, 6:41 PMI see. Please help to consult the Fleet team to see if there are better approaches. I feel Fleet Team enroll secret can be retrieved by API is the best option.
Then the installer can be configured to ask the Backend server what secret to use.
k
Kathy Satterlee
07/11/2022, 6:49 PMChatting with engineering now.
Another option could be to set up a script to:
1. Create the new team using the REST API
2. Get the team's enroll secret using the REST API
3. Generate the installer(s)
4. Upload it to S3
Then your clients would just need the link to their installer(s) on S3
a
Angelo
07/13/2022, 7:33 PM@Kathy Satterlee Yes, that’s what we’re looking for. Are those APIs ready?