Appearance
Updating
The Enclave agent is designed with three different components that auto-update based on the manifest version in the EMC. These are the Enclave service, any plugins installed (i.e. networking, asset management), and optionally a GUI interface. Below we will go through our approach to releasing new versions and how you should manage updates of the Enclave agent across your fleet.
Our approach
All of our releases follow Semantic versioning. In summary, MAJOR.MINOR.PATCH versions are how we tag our releases. Currently all our deployments are on the 1.x.x channel so backwards compatability is ensured.
Any MINOR versions will be released on Tuesday between 12:00-14:00 CST (18:00-20:00 UTC). We aim to release PATCH versions at the same time but reserve the right to deploy them out of band in case critical updates need to be made. MAJOR versions will be on an opt in basis and communication will be made if a MAJOR version is going to be released.
Example agent version
| Component | Version |
|---|---|
| Agent (service) | 1.12.0 |
| Agent (GUI) | 1.13.0 |
| Networking (plugin) | 1.12.1 |
Managing the manifest version
The Enclave agent works by running a series of plugins that are pulled down from a manifest delivered from the EMC. This allows different functionality to be deployed based on the needs of the organization or type of agent that is running. For example, if an organization has access to asset management, our inventory plugin will be downloaded and run by the agent service. This process is dynamic and managed from the Enclave management console (EMC).
For best practices we recommend that you always pin your manifest version in live mode, verify new versions in test mode, then once verified, update your live mode version to the verified version. This will ensure that you are deploying updates to your fleet in update windows of your choice. The image below shows how you can manage manifest versions from the EMC:
Agent auto-updates
The manifest version also contains versions of the Enclave agent service and GUI application. These components are completely backwards compatible with older manifest versions and will only be updated when a newer version if specified in the manifest. If you're working with multiple organizations or teams, this allows you to only use one version of the Enclave agent across your fleet while different teams can work with different manifest versions.
When a new version of the agent service or GUI application is specified in the manifest, the agent will automatically download and install the new version in the background. No user interaction is required. The agent service will restart automatically to apply the new version. The same applies to the GUI application if it is enabled on the platform in question.
Since the agent and GUI version are managed from the manifest, you can control when updates are applied to your fleet by managing the manifest version as described above.