This guide walks through enrolling a Clawdstrike Desktop Agent with your enterprise infrastructure. Enrollment binds a standalone agent to your organization's tenant, provisioning it with NATS credentials for policy sync, telemetry, and fleet management.
After enrollment, the agent transitions from standalone to connected mode automatically. For background on deployment modes, see Adaptive Architecture.
Before starting, confirm you have the following:
| Requirement | Details |
|---|---|
| Desktop Agent installed | Running in standalone mode on the target machine |
| Enterprise infrastructure | NATS cluster, hushd, Control API, and external NATS provisioner service deployed and accessible |
| Enrollment token | A single-use token generated by your enterprise administrator |
| Network access | HTTPS access from the agent machine to the Control API endpoint |
Tip: The agent does not need direct access to NATS before enrollment. Enrollment is performed over HTTPS to the Control API. NATS credentials are provisioned as part of the enrollment response.
Enterprise administrators generate enrollment tokens via the Control API or Control Console. Each token is single-use and expires after 24 hours by default (configurable at creation time).
Via the Control API:
TENANT_ID="00000000-0000-0000-0000-000000000000"
TOKEN="control-api-admin-token"
curl -fsS -X POST \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-d '{"expires_in_hours":24}' \
"https://api.acme.clawdstrike.cloud/api/v1/tenants/${TENANT_ID}/enrollment-tokens" | jq .Example response:
{
"enrollment_token": "cset_...",
"expires_at": "2026-02-28T15:04:05Z"
}Via the Control Console (if enabled in your deployment):
- Navigate to Fleet Management > Agents in the Control Console.
- Select Generate Enrollment Token.
- Copy the token (format:
cset_...). - Deliver the token to the agent operator via a secure channel (email, internal messaging, etc.).
Warning: Enrollment tokens are sensitive credentials. They are single-use, but an attacker with a valid token could enroll an unauthorized agent. Deliver tokens through secure, authenticated channels.
If the Desktop Agent is not already installed, follow the Desktop Agent Deployment Guide to install and verify it is running in standalone mode.
Confirm the agent is running:
curl -fsS http://127.0.0.1:9878/api/v1/agent/health | jq .Expected output should show daemon.state as running.
Use the agent's local API to initiate enrollment:
CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/clawdstrike"
AGENT_TOKEN="$(tr -d '[:space:]' < "${CONFIG_DIR}/agent-local-token")"
curl -fsS -X POST \
-H "Authorization: Bearer ${AGENT_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"enrollment_token": "cset_...",
"control_api_url": "https://api.acme.clawdstrike.cloud"
}' \
http://127.0.0.1:9878/api/v1/enroll | jq .The enrollment process performs the following steps automatically:
- Generates a fresh Ed25519 keypair for the agent (stored at
${XDG_CONFIG_HOME:-$HOME/.config}/clawdstrike/agent.key). - Sends the public key and enrollment token to the Control API.
- The Control API validates the token, registers the agent, and provisions NATS credentials.
- The agent persists NATS settings (
nats_url,subject_prefix,token,agent_id,nats_account) inagent.json. - The agent marks enrollment state (
enrolled,agent_uuid,tenant_id) inagent.json. - The API returns
restart_required: trueso enterprise features initialize on restart.
A successful response looks like:
{
"status": "enrolled",
"agent_uuid": "a1b2c3d4-...",
"tenant_id": "2f9f15f9-...",
"restart_required": true,
"message": "Restart the agent to activate enterprise features (policy sync, telemetry, posture commands)"
}Check the enrollment status:
curl -fsS \
-H "Authorization: Bearer ${AGENT_TOKEN}" \
http://127.0.0.1:9878/api/v1/enrollment-status | jq .Expected output:
{
"enrolled": true,
"agent_uuid": "a1b2c3d4-...",
"tenant_id": "2f9f15f9-...",
"enrollment_in_progress": false
}Confirm the agent health endpoint is healthy:
curl -fsS http://127.0.0.1:9878/api/v1/agent/health | jq .The response should show status: "ok" and a live daemon/session block.
Verify that the agent is receiving policies from the enterprise:
- Check the current policy version in the agent health response (
last_policy_versionfield). - Ask your enterprise administrator to publish a policy update.
- Within a few seconds, the agent should reflect the updated policy version.
You can also inspect the local policy cache:
cat "${XDG_CONFIG_HOME:-$HOME/.config}/clawdstrike/policy-cache.yaml"This file stores the most recently synced policy payload from hushd.
Symptom: Enrollment returns an error indicating the token has expired.
Cause: Enrollment tokens expire after 24 hours by default. The token was generated too long ago.
Resolution: Request a new enrollment token from your enterprise administrator. Tokens cannot be renewed; a fresh token must be generated.
Symptom: Enrollment fails with a connection error to the Control API.
Cause: The agent cannot reach the enterprise Control API endpoint over HTTPS.
Resolution:
- Verify network connectivity:
curl -fsS https://api.acme.clawdstrike.cloud/health - Check for firewall rules blocking outbound HTTPS (port 443).
- If behind a proxy, configure the
HTTPS_PROXYenvironment variable before enrollment. - Verify the Control API URL is correct (check with your administrator).
Symptom: The enrollment command returns an error after partially completing. The agent may be in an inconsistent state.
Cause: A network interruption or crash occurred between credential provisioning and configuration update.
Resolution: Restart the agent. On startup, the agent performs a consistency check:
- If NATS credentials exist but the mode is still
standalone, the agent attempts to connect with the stored credentials. If successful, it completes the transition to connected mode automatically. - If NATS connection fails with an authentication/authorization error (for example revoked or invalid credentials), the agent clears enrollment/NATS state and remains in standalone mode. You can then retry enrollment with a new token.
- If the failure is a transient network/connectivity error, the agent keeps enrollment settings and retries on next startup.
Symptom: The enterprise Control Console shows the agent as stale or dead even though it was recently enrolled.
Cause: Heartbeats are not reaching the enterprise. Possible reasons include:
- NATS connectivity issues (firewall, DNS, or credential problems)
- The agent process is not running
- The NATS credentials were revoked
Resolution:
- Check agent health:
curl -fsS http://127.0.0.1:9878/api/v1/agent/health | jq . - Verify enrollment state remains
enrolled: truevia/api/v1/enrollment-status. - Check for NATS connectivity errors in the agent logs.
- If credentials were revoked, the agent transitions back to standalone mode. Re-enroll with a new token.
To re-enroll an agent (e.g., after moving to a different tenant or after revocation):
-
The agent must be in standalone mode. If it is still in connected mode, the enterprise administrator should revoke the agent first, or you can manually reset the configuration:
# Remove persisted enrollment/NATS fields from the local settings file. CONFIG_JSON="${XDG_CONFIG_HOME:-$HOME/.config}/clawdstrike/agent.json" jq '.enrollment = {} | .nats = {}' "${CONFIG_JSON}" > "${CONFIG_JSON}.tmp" && mv "${CONFIG_JSON}.tmp" "${CONFIG_JSON}"
Then restart the agent -- it will detect the missing credentials and revert to standalone mode.
-
Obtain a new enrollment token from the target tenant's administrator.
-
Run the enrollment command again (Step 3 above).
- Adaptive Architecture -- Architecture overview and mode selection
- Adaptive Deployment Guide -- Configuration details for all deployment modes
- Desktop Agent Deployment -- Base desktop agent setup