diff --git a/cmd/orbit/orbit.go b/cmd/orbit/orbit.go
index eb31e759ba..d9f39eb693 100644
--- a/cmd/orbit/orbit.go
+++ b/cmd/orbit/orbit.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/fleetdm/orbit/pkg/constant"
@@ -24,7 +25,7 @@ import (
 const (
 	tufURL = "https://tuf.fleetctl.com"
 	certPath = "/tmp/fleet.pem"
-	defaultRootDir = "/var/lib/fleet/orbit"
+	defaultRootDir = "/var/lib/orbit"
 )
 
 func main() {
@@ -67,6 +68,11 @@ func main() {
 			Usage: "Enroll secret for authenticating to Fleet server",
 			EnvVars: []string{"ORBIT_ENROLL_SECRET"},
 		},
+		&cli.StringFlag{
+			Name: "enroll-secret-path",
+			Usage: "Path to file containing enroll secret",
+			EnvVars: []string{"ORBIT_ENROLL_SECRET_PATH"},
+		},
 		&cli.StringFlag{
 			Name: "osquery-version",
 			Usage: "Version of osquery to use",
@@ -84,6 +90,19 @@ func main() {
 			zerolog.SetGlobalLevel(zerolog.DebugLevel)
 		}
 
+		if c.String("enroll-secret-path") != "" {
+			if c.String("enroll-secret") != "" {
+				return errors.New("enroll-secret and enroll-secret-path may not be specified together")
+			}
+
+			b, err := ioutil.ReadFile(c.String("enroll-secret-path"))
+			if err != nil {
+				return errors.Wrap(err, "read enroll secret file")
+			}
+
+			c.Set("enroll-secret", strings.TrimSpace(string(b)))
+		}
+
 		if err := os.MkdirAll(c.String("root-dir"), constant.DefaultDirMode); err != nil {
 			return errors.Wrap(err, "initialize root dir")
 		}
@@ -164,7 +183,8 @@ func main() {
 			)
 		}
 
-		if enrollSecret := c.String("enroll-secret"); enrollSecret != "" {
+		enrollSecret := c.String("enroll-secret")
+		if enrollSecret != "" {
 			options = append(options,
 				osquery.WithEnv([]string{"ENROLL_SECRET=" + enrollSecret}),
 				osquery.WithFlags([]string{"--enroll_secret_env", "ENROLL_SECRET"}),
@@ -172,6 +192,10 @@ func main() {
 		}
 
 		if fleetURL != "" {
+			if enrollSecret == "" {
+				return errors.New("enroll secret must be specified to connect to Fleet server")
+			}
+
 			options = append(options,
 				osquery.WithFlags(osquery.FleetFlags(fleetURL)),
 			)
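Review bot: `c.Set("enroll-secret", strings.TrimSpace(string(b)))` drops the error that urfave/cli v2's `Context.Set` returns, so a failure to store the secret read from the file would go unnoticed and the later `enrollSecret` lookup would silently see an empty value. Check it: `if err := c.Set("enroll-secret", strings.TrimSpace(string(b))); err != nil { return errors.Wrap(err, "set enroll secret") }`. Nothing in this block inspects the secret file itself; since the path can arrive via `ORBIT_ENROLL_SECRET_PATH`, an `os.Stat` that warns when the mode has group/other bits set would surface a world-readable secret file, if that fits how the package is deployed. The enclosing `main` starts and ends outside the hunk.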
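Review bot: The new `enrollSecret == ""` guard only fires after the root dir has been created and whatever setup sits between the flag handling and this point (not visible here) has run, so a package with a Fleet URL but no secret does work before failing. If nothing in that stretch depends on the secret, the same check placed right after the `enroll-secret-path` handling fails fast with the same message; `fleetURL` is defined outside the hunk, so that placement needs confirming. The enclosing `main` starts and ends outside the hunk.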
diff --git a/go.mod b/go.mod
index 18e032ced4..27bad1d963 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,6 @@ require (
 	github.com/rs/zerolog v1.20.0
 	github.com/stretchr/testify v1.6.1
 	github.com/theupdateframework/go-tuf v0.0.0-20201230183259-aee6270feb55
-	github.com/urfave/cli v1.22.5
 	github.com/urfave/cli/v2 v2.3.0
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad // indirect
 )
diff --git a/pkg/packaging/deb.go b/pkg/packaging/deb.go
index 13b09bc0c5..d2b600cf6e 100644
--- a/pkg/packaging/deb.go
+++ b/pkg/packaging/deb.go
@@ -31,7 +31,7 @@ func BuildDeb(opt Options) error {
 	if err := os.MkdirAll(filesystemRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create root dir")
 	}
-	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit")
+	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "orbit")
 	if err := os.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create orbit dir")
 	}
@@ -85,13 +85,13 @@ func BuildDeb(opt Options) error {
 		},
 		&files.Content{
 			Source: "orbit",
-			Destination: "/var/lib/fleet/orbit/orbit",
+			Destination: "/var/lib/orbit/orbit",
 			FileInfo: &files.ContentFileInfo{
 				Mode: constant.DefaultExecutableMode,
 			},
 		},
 		&files.Content{
-			Source: "/var/lib/fleet/orbit/orbit",
+			Source: "/var/lib/orbit/orbit",
 			Destination: "/usr/local/bin/orbit",
 			Type: "symlink",
 			FileInfo: &files.ContentFileInfo{
@@ -122,7 +122,7 @@ func BuildDeb(opt Options) error {
 		Contents: contents,
 		EmptyFolders: []string{
 			"/var/log/osquery",
-			"/var/log/fleet/orbit",
+			"/var/log/orbit",
 		},
 		Scripts: nfpm.Scripts{
 			PostInstall: postInstallPath,
diff --git a/pkg/packaging/macos.go b/pkg/packaging/macos.go
index 59dcebb532..2481d55a0b 100644
--- a/pkg/packaging/macos.go
+++ b/pkg/packaging/macos.go
@@ -34,7 +34,7 @@ func BuildPkg(opt Options) error {
 	if err := os.MkdirAll(filesystemRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create root dir")
 	}
-	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit")
+	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "orbit")
 	if err := os.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create orbit dir")
 	}
@@ -75,16 +75,15 @@ func BuildPkg(opt Options) error {
 	if err := writeScripts(opt, tmpDir); err != nil {
 		return errors.Wrap(err, "write postinstall")
 	}
+	if err := writeSecret(opt, orbitRoot); err != nil {
+		return errors.Wrap(err, "write enroll secret")
+	}
 	if opt.StartService {
 		if err := writeLaunchd(opt, filesystemRoot); err != nil {
 			return errors.Wrap(err, "write launchd")
 		}
 	}
-	if err := copyFile(
-		"./orbit",
-		filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit", "orbit"),
-		0755,
-	); err != nil {
+	if err := copyFile("./orbit", filepath.Join(orbitRoot, "orbit"), 0755); err != nil {
 		return errors.Wrap(err, "write orbit")
 	}
 
@@ -155,6 +154,20 @@ func writeScripts(opt Options, rootPath string) error {
 	return nil
 }
 
+func writeSecret(opt Options, orbitRoot string) error {
+	// Enroll secret
+	path := filepath.Join(orbitRoot, "secret")
+	if err := os.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
+		return errors.Wrap(err, "mkdir")
+	}
+
+	if err := ioutil.WriteFile(path, []byte(opt.EnrollSecret), 0600); err != nil {
+		return errors.Wrap(err, "write file")
+	}
+
+	return nil
+}
+
 func writeLaunchd(opt Options, rootPath string) error {
 	// launchd is the service mechanism on macOS
 	path := filepath.Join(rootPath, "Library", "LaunchDaemons", "com.fleetdm.orbit.plist")
diff --git a/pkg/packaging/macos_templates.go b/pkg/packaging/macos_templates.go
index c70b7fe8f3..8f656b4959 100644
--- a/pkg/packaging/macos_templates.go
+++ b/pkg/packaging/macos_templates.go
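Review bot: `writeSecret(opt, orbitRoot)` is called unconditionally, so a package built with no enroll secret still ships an empty `/var/lib/orbit/secret`, while the launchd template in this same change only references that path when `.EnrollSecret` is set. Guard the call the same way `writeLaunchd` is guarded by `opt.StartService`: `if opt.EnrollSecret != "" { if err := writeSecret(opt, orbitRoot); err != nil { return errors.Wrap(err, "write enroll secret") } }`. The `deb.go` hunks in this diff only rename paths and show no equivalent staging of the secret; if the Debian service unit (not visible here) still receives it through `ORBIT_ENROLL_SECRET`, that platform keeps the exposure this change removes on macOS, which is worth confirming. `BuildPkg` starts and ends outside the hunk.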
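Review bot: The only comment on the new `writeSecret` is `// Enroll secret`, which says nothing about the contract; a doc comment such as `// writeSecret stages opt.EnrollSecret at <orbitRoot>/secret with mode 0600 so the secret travels in the package payload instead of the launchd plist.` would tell the next maintainer why the file exists and why the mode matters. `ioutil.WriteFile` applies `0600` only when it creates the file, and whether that mode and a root owner survive into the installed `.pkg` depends on how the payload is assembled (not visible here), so the installed file's permissions deserve a check in a packaging test. The `os.MkdirAll` duplicates the caller's `create orbit dir` step; harmless for a standalone helper, but a one-line comment noting it is defensive would avoid a future "redundant" cleanup that breaks other callers.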
@@ -33,7 +33,7 @@ var macosDistributionTemplate = template.Must(template.New("").Option("missingke var macosPostinstallTemplate = template.Must(template.New("").Option("missingkey=error").Parse( `#!/bin/bash -ln -sf /var/lib/fleet/orbit/orbit /usr/local/bin/orbit +ln -sf /var/lib/orbit/orbit /usr/local/bin/orbit {{ if .StartService -}} launchctl stop com.fleetdm.orbit @@ -55,7 +55,7 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err com.fleetdm.orbit ProgramArguments - /var/lib/fleet/orbit/orbit + /var/lib/orbit/orbit StandardOutPath /var/log/orbit/orbit.stdout.log @@ -65,7 +65,7 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err {{ if .Insecure }}ORBIT_INSECUREtrue{{ end }} {{ if .FleetURL }}ORBIT_FLEET_URL{{.FleetURL}}{{ end }} - {{ if .EnrollSecret }}ORBIT_ENROLL_SECRET{{.EnrollSecret}}{{ end }} + {{ if .EnrollSecret }}ORBIT_ENROLL_SECRET_PATH/var/lib/orbit/secret{{ end }} KeepAlive RunAtLoad diff --git a/pkg/update/update.go b/pkg/update/update.go index f27c008464..c8e5ad216b 100644 --- a/pkg/update/update.go +++ b/pkg/update/update.go @@ -52,7 +52,7 @@ var ( // DefaultOptions are the default options to use when creating an update // client. DefaultOptions = Options{ - RootDirectory: "/var/fleet", + RootDirectory: "/var/lib/orbit", ServerURL: "https://tuf.fleetctl.com", LocalStore: client.MemoryLocalStore(), InsecureTransport: false,
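Review bot: The secret's on-disk location `/var/lib/orbit/secret` is hard-coded in the `ORBIT_ENROLL_SECRET_PATH` line of the launchd template and assembled independently in `writeSecret` via `filepath.Join(orbitRoot, "secret")`; if either side moves, the daemon starts with a path that does not exist and enrollment fails at runtime rather than at build time. Render it from one source, e.g. pass the path into the template as `{{.EnrollSecretPath}}` or introduce a shared constant that both `writeSecret` and this template use. The enclosing `macosLaunchdTemplate` declaration starts and ends outside the hunk.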