A bit of background in case I should be doing something different:
I was going to change the MSI file using Orca or any other editor, but I don’t think that is good practice on my part. I also thought that building from source and packaging the flags/cert/secret on each release is not scalable either.
At my former employer we used launcher so we didn’t have this issue. We also had Puppet to manage the config files independently of the installers so we could ensure the config was enforced at all times.
Right now we deploy the “official installer” and the rest of our config via a separate package on our MDM. The problem is that we can’t enforce these to be installed in a specific order, and if I update the osquery client the flags file gets deleted. As I can see during the install, the upgrade is done by removing the old files and installing the new ones.
Taking into account that the flags file of the installer is empty, maybe this can either be set to not overwrite, or just not be created or managed via the installer, leaving it to the user to create/deploy their own.