On Amazon Web Services (AWS) or Google Cloud Platform (GCP), when a new server is booted, it is automatically enrolled even when AutoEnroll is set to false in the sftd.yaml file.
- Advanced Server Access (ASA)
- Okta Privileged Access (OPA)
- AutoEnroll
The token file enrollment.token was present. This will take precedence over AutoEnroll settings, and the server will try to enroll by itself.
The Disable Autostart feature is useful for situations where enrollment.token is available since it will help avoid performing an auto-enroll. Please see below for the corresponding excerpt from the Configure and use the Advanced Server Access server agent documentation.
Disable Autostart
/etc/sftd/disable-autostart
By default, the scaleft-server-tools packages on Red Hat- and Debian-derived distributions will automatically start sftd after installation. In most circumstances, if the enrollment token is already present on the server, this causes the agent to automatically enroll in Advanced Server Access, create local users, and remove the enrollment token from the disk.
If a disable-autostart file exists at the time of installation, the packages will not automatically start the agent. This can be useful when building OS images using a tool like Packer. Under these circumstances, it is typically preferable to remove the disable-autostart file once the package has been installed.
Therefore, in the AMIs where enrollment.token is available, an empty file /etc/sftd/disable-autostart needs to be added. When the AMI needs to be enrolled, remove this file and restart the sftd service.
See below for the set of steps that are recommended for creating AMIs:
- Create a disable-autostart file /etc/sftd/disable-autostart on the server.
- Install the ASA server agent.
- Configure the required settings in sftd.yaml.
- Add enrollment.token if needed.
After launching the AMIs, when the server needs to be enrolled:
- Remove the disable-autostart file.
- Reboot the server or restart the sftd service.
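The image-build and post-launch steps above as a small shell helper, added here as an example (not Okta's code); it assumes the agent reads /etc/sftd (overridable via SFTD_DIR for a dry run) and that sftd is restarted with `systemctl restart sftd` (overridable via RESTART_CMD). The `enrollment_outcome` check encodes the precedence rule from this article so an image can be verified before it is shipped.

```shell
#!/bin/sh
# Added example (not Okta's code): helpers for the AMI build flow above.
# SFTD_DIR defaults to /etc/sftd; point it at a scratch directory for a dry run.
# RESTART_CMD is how the agent is restarted after the marker file is removed.

# Image-build step 1: create the empty marker BEFORE installing the package, so
# the post-install script does not start sftd and consume enrollment.token.
disable_autostart() {
    dir="${SFTD_DIR:-/etc/sftd}"
    mkdir -p "$dir" && : > "$dir/disable-autostart"
}

# Preflight check for a baked image. Applies the precedence rule from the text:
# a present enrollment.token wins over AutoEnroll: false in sftd.yaml, and only
# the disable-autostart marker keeps the agent from enrolling on its own.
# Prints one of: autostart-disabled, enroll-via-token, enroll-via-autoenroll, no-enroll
enrollment_outcome() {
    dir="${SFTD_DIR:-/etc/sftd}"
    if [ -e "$dir/disable-autostart" ]; then
        echo autostart-disabled
    elif [ -e "$dir/enrollment.token" ]; then
        echo enroll-via-token
    elif [ -f "$dir/sftd.yaml" ] &&
         grep -Eq '^[[:space:]]*AutoEnroll:[[:space:]]*true' "$dir/sftd.yaml"; then
        echo enroll-via-autoenroll
    else
        echo no-enroll
    fi
}

# Fail the image build if the token on disk would make the server enroll by itself.
assert_image_safe() {
    [ "$(enrollment_outcome)" != "enroll-via-token" ]
}

# Post-launch: remove the marker, then restart sftd so it picks up the token.
enable_enrollment() {
    dir="${SFTD_DIR:-/etc/sftd}"
    rm -f "$dir/disable-autostart"
    ${RESTART_CMD:-systemctl restart sftd}
}

# Usage: sh enroll.sh bake | check | enroll   (no argument: define functions only)
case "${1:-}" in
    bake)   disable_autostart ;;
    check)  enrollment_outcome ;;
    enroll) enable_enrollment ;;
esac
```

Run `check` in the Packer build after the token is placed: it must print `autostart-disabled`, otherwise the first boot of the AMI will enroll the instance regardless of AutoEnroll.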
