Is distributing my Agent Access Key as part of an installer a security risk?

Greetings.

We are deploying the Automox Agent to Windows endpoints, our plan being to embed our Automox Agent Access Key as part of the distributed .msi file (see https://support.automox.com/help/embedding-your-access-key-into-the-automox-msi). My concern is that this process may leave stray copies of the installer on endpoints post-deployment, each including its copy of our Agent Access Key, by which unintended additions to our account might occur.

More generally, my research to date indicates our Agent Access Key has no privileges beside allowing a machine to add itself to our Automox account, but OTOH we seem to have no way of expiring or rotating this key. If so, it seems we may be open to unintended additions to our Automox account should our .msi file be discovered by a “bad actor” at some point. Put plainly, if we were to deploy private information to our endpoints via Automox, perhaps a “bad actor” could use his registered agent to accumulate this information.

If the foregoing is true, I wonder how to protect ourselves against this risk. Along these lines, a few questions:

  • Doe the Automox agent use our Agent Access Key post-install, or does it authenticate in a different way thereafter?

  • Can we revoke or rotate our Agent Access Key, and if so does our endpoint agent software continue to function afterward?

  • Do you know of any other means of protecting agains this risk?

Thank you!

3 Likes

You are correct that the key only lets a machine connect itself to the agent. If someone were to get a hold of your key the most they’d be able to do is install the agent on a machine and have it be part of your organization. I don’t know of any way of expiring that key, other than creating a completely new organization. I’ll ping support to see if they know of any additional risks that I’m not aware of.

Thank you, @Nic. I did notice the following, but have not found documentation on what --setkey does. It seems the agent can set a key. Does that mean it can be changed for our organization as well? If not can we make that a feature request?

C:\Program Files (x86)\Automox
$ amagent --help
amagent 1.0-31 (go1.12.17) Copyright (c) 2021 Automox, Inc.
usage:
        [--setkey <accesskey>] Sets the access key
        [--setgrp <groupname>] Sets the initial group name
        [--setexecdir <directory>] Sets the temporary directory to execute scripts from
        [--deregister] Deregisters this server from Automox
        [--checkcompat] Checks the compatibility and connectivity with Automox server
        [-c] Runs the agent in the current console. Logging is piped to stdout. (It is recommend to disable the agent service before running with this command)
        [-h | --help] Displays this message

That’s just the flag to specify the key for the agent. For instance if you want to move an endpoint from one org to another. To actually have the ability to change the key, like you now can your API keys, that would be a new feature request that you can submit here: