The knapsack should look for the enrollment secret in multiple locations
The knapsack's ReadEnrollSecret function currently expects the enroll secret to be set in one of two places: 1) via the launcher options (i.e. on the command line or in the config file); 2) in a file at the EnrollSecretPath (i.e. /etc/<identifier>/secret).
As we plan for secretless launcher installations, we want tenants who silently enroll their end users to be able to distribute the enrollment secret via MDM. We should define the supported locations for the enrollment secret and update ReadEnrollSecret to look in each of them.
This issue requires further research into reasonable locations for the enrollment secret. We know right now that we want to support:
- A well-known registry key (Windows only)
- App preferences (macOS only)
We should make it easy to add new locations in the future, too.
Please also update the enroll secret checkup to look in these alternate locations, and to note where the secret was found.
> note where the secret was found
This is going to matter. One of the things we need to grapple with is when a secret changes or is removed. Probably means we delete the registration?
@directionless discussed this further with product, and concluded that we don't need to take action if the secret is removed
Some interesting thoughts.... How does device deletion work?
- If a secret is on disk/registry/preferences
- And the enrollment is remote deleted,
- How do we keep launcher from re-registering?