Enroll secrets can change over time but currently I don't think there is a mechanism in Fleet that would do so automatically.
05/22/2019, 4:29 PM
fascinating... would a restart of the fleet service induce that perhaps? I guess I can experiment and report back here
well, a restart did not change it... I'll go back a look over previous enroll_secret's from past hosts I've installed.
05/22/2019, 5:03 PM
The enroll secret is stored in the DB and shouldn’t change
05/22/2019, 5:30 PM
crazy town, but i have an enroll secret for the fleet server itself and my mac that are quite different... i don't think it's worth a witch hunt over, I'm a very new user to fleet and osquery itself, so I'm going to err on the side of I did something wrong.
I'll continue to keep an eye for it though now that I know the intended behavior
05/22/2019, 6:07 PM
It's possible you enrolled the mac with the Fleet enroll secret and subsequently changed the enroll secret on the mac. The changed secret wouldn't be used unless the mac was deleted in Fleet and had to re-enroll.
Because the individual node provides the enroll secret to Fleet which returns a node key that is used for further authentication.