
Automatic Updates

Keeping Enclave up to date ensures you receive the latest security fixes, connectivity improvements and new features. We recommend enabling automatic updates wherever possible, particularly on headless endpoints and infrastructure that may not receive regular manual attention.

On macOS and Linux, we recommend using native package managers to handle Enclave updates. Package managers like Homebrew, apt and dnf already provide well-established mechanisms for keeping software up to date, and Enclave integrates with each of them. On Windows, we expect most managed environments will use existing RMM tooling to schedule the Enclave PowerShell deployment script as part of routine endpoint maintenance.

Enclave upgrades are non-destructive. Existing enrolments, configuration and private keys are preserved. The agent restarts as part of the upgrade process, which briefly interrupts tunnel connectivity (typically under 30 seconds).

Early access testing

Enclave offers multiple release tracks. Automatic updates follow the stable (GA) track by default. If you'd like to test new features and fixes before they reach General Availability, you can opt specific endpoints into the Release Candidate (RC) track. This is a good way to validate upcoming changes against your environment before rolling them out to your wider fleet. We recommend choosing a small number of representative endpoints, covering a mix of roles such as gateways, workstations and servers, to get early visibility of each release.

Windows

For managed endpoints, we recommend creating a scheduled task in your RMM platform to run the Enclave PowerShell deployment script on a regular cadence. The deployment script will install or update Enclave as needed, so re-running it periodically is all that's required.

The deployment script can be run as often as required. It is idempotent, meaning it will only perform an upgrade when a new version is available. If Enclave is already at the latest version, the deployment script exits cleanly without making changes.

The deployment script will also install Enclave on any endpoint where it is not already present. If your scheduled task targets an entire tenant and not all endpoints should be running Enclave, apply a device filter or group so the task only runs against the intended endpoints.

Schedule the task to run daily, weekly, or on whatever cadence fits your maintenance windows. When managing multiple tenants, consider staggering rollouts per tenant or site rather than updating all endpoints simultaneously, so technicians can verify each rollout before moving on to the next. Scheduling during maintenance windows when your service desk is staffed ensures technicians are available to handle any support tickets that coincide with the update.

Store enrolment keys using the secrets or custom fields capability of your RMM platform rather than in plain text. Substitute the secret into $YourEnrolmentKey at runtime.

macOS

If Enclave was installed via Homebrew, schedule brew upgrade enclave using launchd or as a script task in your RMM platform. For deployments using the .pkg installer, re-run the unattended install script on a regular cadence. See the macOS setup guide for more details.
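
One way to set up the launchd schedule described above, as an added example rather than Enclave's own script. It assumes a per-user LaunchAgent (Homebrew refuses to run as root); the job label, the 03:30 start time and the log location are constructed values.

```shell
#!/bin/sh
# Added example: generate a per-user launchd job that runs `brew upgrade enclave`.
# LABEL and the 03:30 schedule are constructed values; change them to suit.
LABEL="com.example.enclave-upgrade"

# Homebrew lives in /opt/homebrew on Apple Silicon and /usr/local on Intel Macs.
find_brew() {
    for c in /opt/homebrew/bin/brew /usr/local/bin/brew; do
        [ -x "$c" ] && { printf '%s\n' "$c"; return 0; }
    done
    return 1
}

# write_plist BREW_PATH OUT_DIR LOG_DIR: writes the job and prints its path.
write_plist() {
    brew_path=$1 out_dir=$2 log_dir=$3
    plist="$out_dir/$LABEL.plist"
    mkdir -p "$out_dir" "$log_dir" || return 1
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key>
  <array>
    <string>$brew_path</string>
    <string>upgrade</string>
    <string>enclave</string>
  </array>
  <key>StartCalendarInterval</key>
  <dict>
    <key>Hour</key><integer>3</integer>
    <key>Minute</key><integer>30</integer>
  </dict>
  <key>StandardOutPath</key><string>$log_dir/enclave-upgrade.log</string>
  <key>StandardErrorPath</key><string>$log_dir/enclave-upgrade.log</string>
</dict>
</plist>
EOF
    chmod 644 "$plist" && printf '%s\n' "$plist"
}

# On macOS only: write the job into the current user's LaunchAgents directory.
if [ "$(uname)" = Darwin ] && brew=$(find_brew); then
    write_plist "$brew" "$HOME/Library/LaunchAgents" "$HOME/Library/Logs"
fi
# Load it with: launchctl bootstrap "gui/$(id -u)" ~/Library/LaunchAgents/$LABEL.plist
```

The job runs as the user who owns the Homebrew installation, and the log file gives you a record of each upgrade attempt to check after a rollout.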

Linux

Most Linux distributions provide native mechanisms for automatic package updates, and Enclave integrates with each of them. For step-by-step instructions on configuring automatic updates for Ubuntu, Debian, Fedora, CentOS, RHEL and other distributions, see the Automatic Updates section of the Linux setup guide.

Container deployments

For container deployments, automatic updates are handled by pulling the latest image. Use a tool like Watchtower to automatically update running containers, or re-deploy with the latest tag as part of your CI/CD pipeline. See the Docker setup guide for more details.


Last updated March 16, 2026