Enable scripts remotely w/o re-deploying fleetd (#33169)

- @noahtalerman: I think we can merge in this PR before we dogfood the scripts ourselves. Dogfood request is here: https://github.com/fleetdm/fleet/issues/33170 --- - @noahtalerman: `customer-montague` was frustrated that they had to re-deploy fleetd to enable scripts. At organizations that have a third-party tool that can run scripts (other than Fleet), this is avoidable! We want to document how to enable scripts remotely w/o re-deploying fleetd. More context: https://github.com/fleetdm/fleet/issues/29193#issuecomment-3137337041
2026-04-21 13:37:30 +00:00 · 2025-11-12 10:39:48 -05:00 · 2025-11-12 10:39:48 -05:00 · a85a66272d
commit a85a66272d
parent 9a7b42bdb8
4 changed files with 57 additions and 1 deletions
--- a/articles/scripts.md
+++ b/articles/scripts.md
@ -13,12 +13,16 @@ Script execution is disabled by default. Continue reading to learn how to enable

 If you use Fleet's macOS MDM features, scripts are automatically enabled for macOS hosts that have MDM turned on. You're set!

-If you don't use MDM features, to enable scripts, we'll [deploy a fleetd agent](https://fleetdm.com/guides/enroll-hosts) with scripts enabled:
+If you don't use MDM features, to enable scripts, we'll [deploy Fleet's agent (fleetd)](https://fleetdm.com/guides/enroll-hosts) with scripts enabled:

 1. Generate a new fleetd agent for macOS, Windows, or Linux using the `fleetctl package` command with the `--enable-scripts` flag. 

 2. Deploy fleetd to your hosts. If your hosts already have fleetd installed, you can deploy the new fleetd on-top of the old installation.

+If you already deployed fleetd, instead of re-deploying it, you can update fleetd's configuration remotely to enable scripts. This requires a third-party tool (ex. [Chef](https://www.chef.io/)), other than Fleet, that can run scripts. 
+
+Using your separate third-party tool, run the enable scripts script for [macOS](https://github.com/fleetdm/fleet/blob/main/assets/scripts/enable-scripts-macos.sh), [Windows](https://github.com/fleetdm/fleet/blob/main/assets/windows/scripts/enable-scripts-windows.ps1), or [Linux](https://github.com/fleetdm/fleet/blob/main/assets/scripts/enable-scripts-linux.sh).
+
 ## Manually run scripts

 You can run a script in the Fleet UI, with Fleet API, or with the fleetctl command-line interface (CLI).
--- a/assets/scripts/enable-scripts-linux.sh
+++ b/assets/scripts/enable-scripts-linux.sh
@ -0,0 +1,16 @@
+#!/bin/bash
+# Please don't delete. This script is used in the guide here: https://fleetdm.com/guides/scripts
+
+if [ "$EUID" -ne 0 ]; then
+  echo "This script requires administrator privileges. Please run with sudo."
+  exit 1
+fi
+# Enable scripts in Orbit environment variables
+if grep -q "^ORBIT_ENABLE_SCRIPTS=" /etc/default/orbit; then
+  sed -i 's/^ORBIT_ENABLE_SCRIPTS=.*/ORBIT_ENABLE_SCRIPTS=true/' /etc/default/orbit
+else
+  echo "ORBIT_ENABLE_SCRIPTS=true" >> /etc/default/orbit
+fi
+# Reload and restart Orbit
+systemctl daemon-reload
+systemctl restart orbit
--- a/assets/scripts/enable-scripts-macos.sh
+++ b/assets/scripts/enable-scripts-macos.sh
@ -0,0 +1,14 @@
+#!/bin/bash
+# Please don't delete. This script is used in the guide here: https://fleetdm.com/guides/scripts
+
+if [ "$EUID" -ne 0 ]; then
+  echo "This script requires administrator privileges. Please run with sudo."
+  exit 1
+fi
+# Enable scrippts in Orbit environment variables (plist)
+/usr/libexec/PlistBuddy -c "set EnvironmentVariables:ORBIT_ENABLE_SCRIPTS true" "/Library/LaunchDaemons/com.fleetdm.orbit.plist"
+# Stop Orbit, wait for stop to complete, and then restart.
+launchctl bootout system/com.fleetdm.orbit
+while pgrep orbit > /dev/null; do sleep 1 ; done
+launchctl bootstrap system $plist_path
+echo "Fleet script execution has been enabled and Orbit restarted."
--- a/assets/scripts/enable-scripts-windows.ps1
+++ b/assets/scripts/enable-scripts-windows.ps1
@ -0,0 +1,22 @@
+# Please don't delete. This script is used in the guide here: https://fleetdm.com/guides/scripts
+
+# Error if not run as admin
+if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
+    Write-Error "This script must be run as an administrator."
+    exit 1
+}   
+# Get the BinaryPathName using Get-WmiObject
+$service = Get-WmiObject -Class Win32_Service -Filter "Name='Fleet osquery'"
+if (-not $service) {
+    Write-Error "Service '$serviceName' not found."
+    exit 1
+}
+$binaryPath = $service.PathName
+# Replace any existing --enable-scripts flag with --enable-scripts="True"
+$modifiedPath = $binaryPath -replace '--enable-scripts(=".*?")?', '--enable-scripts="True"'
+# Update the service configuration
+$setServiceCmd = "sc.exe config `"$serviceName`" binPath= `"$modifiedPath`""
+Invoke-Expression $setServiceCmd
+# Restart the service
+Restart-Service -Name $serviceName
+Write-Host "Fleet Desktop feature enabled and service restarted."