Title
#fleet
Angelo

Angelo

07/10/2022, 10:49 PM
Hello, we want to use Fleet Teams to segregate our customers. After we create a Fleet Team by API, how can we distribute the
team's enroll_secret
to installer? I’m looking for a way that can be done automatically without manually running again
fleetctl package
with the
team's enroll_secret
. I thought about having a universal installer WITHOUT enroll_secret. During the installation, it will ask Fleet server or one of our servers for the device’s actual team enroll_secret. Will that work? Any other better approaches?
Mystery Incorporated

Mystery Incorporated

07/11/2022, 12:34 AM
You can just save it as a text file named secret.txt and save it in the same location as the flags file
Angelo

Angelo

07/11/2022, 4:32 AM
So when a person run the universal installer, how do we serve that person’s specific flag file to him? If the flag file is the same link, that means everyone who uses the installer will get the same enroll_secret?
Kathy Satterlee

Kathy Satterlee

07/11/2022, 3:33 PM
Let me look into a couple of options for you on this. Can you fill me in a little on the “why” behind not wanting to create a unique installer for each team?
Angelo

Angelo

07/11/2022, 5:05 PM
@Kathy Satterlee Thanks! We can create a unique installer per team. But this will requires manually create installer by our team and upload to our S3 server. I want the user experience great so when a new team is created, we want to show up the installer for them to download right away. We plan to use Fleet Team to serve our customers who are different companies. And our system is a SaaS app.
Kathy Satterlee

Kathy Satterlee

07/11/2022, 6:01 PM
That makes complete sense to me! My immediate thought is to: 1. Set up a database to track new devices that will be added to fleet and map them to the team they belong to. 2. Upload an installer with the generic enrollment secret for the Fleet instance. 3. Set up a script that periodically uses the REST API to see if there are hosts that have not yet been assigned to a team and then transfer them to the correct team using the database set up in step 1. I'm reaching out to the team to see if there's a more streamlined solution.
6:25 PM
Slight addendum to 2 up there: You'll need multiple installers if you're supporting multiple operating systems.
Angelo

Angelo

07/11/2022, 6:27 PM
1. Upload an installer with the generic enrollment secret for the Fleet instance.
But how do we know a Fleet instance belongs to which team? The device information is only retrieved when the Orbit agent is installed so we can not know beforehand which device belongs to which team.
Kathy Satterlee

Kathy Satterlee

07/11/2022, 6:40 PM
With this option, you'd definitely need the client to provide you with the UUID or another identifier so that you could track which team a device should be added to after enrolling.
Angelo

Angelo

07/11/2022, 6:41 PM
I see. Please help to consult the Fleet team to see if there are better approaches. I feel Fleet Team enroll secret can be retrieved by API is the best option.
6:42 PM
Then the installer can be configured to ask the Backend server what secret to use.
Kathy Satterlee

Kathy Satterlee

07/11/2022, 6:49 PM
Chatting with engineering now.
6:51 PM
Another option could be to set up a script to: 1. Create the new team using the REST API 2. Get the team's enroll secret using the REST API 3. Generate the installer(s) 4. Upload it to S3
6:51 PM
Then your clients would just need the link to their installer(s) on S3
Angelo

Angelo

07/13/2022, 7:33 PM
@Kathy Satterlee Yes, that’s what we’re looking for. Are those APIs ready?