We are deploying the Automox Agent to Windows endpoints, our plan being to embed our Automox Agent Access Key as part of the distributed .msi file (see https://support.automox.com/help/embedding-your-access-key-into-the-automox-msi). My concern is that this process may leave stray copies of the installer on endpoints post-deployment, each including its copy of our Agent Access Key, by which unintended additions to our account might occur.
More generally, my research to date indicates our Agent Access Key has no privileges beside allowing a machine to add itself to our Automox account, but OTOH we seem to have no way of expiring or rotating this key. If so, it seems we may be open to unintended additions to our Automox account should our .msi file be discovered by a “bad actor” at some point. Put plainly, if we were to deploy private information to our endpoints via Automox, perhaps a “bad actor” could use his registered agent to accumulate this information.
If the foregoing is true, I wonder how to protect ourselves against this risk. Along these lines, a few questions:
Doe the Automox agent use our Agent Access Key post-install, or does it authenticate in a different way thereafter?
Can we revoke or rotate our Agent Access Key, and if so does our endpoint agent software continue to function afterward?
Do you know of any other means of protecting agains this risk?