
Enroll a Linux device as Read-only (BYOD)

Updated today

Use a Read-only enrollment to monitor Linux devices you don’t fully manage—such as employee-owned (BYOD) or contractor devices—without granting Swif full control of the machine.

This guide covers:

  • What “read-only” enrollment does

  • How to configure the Read-only Access PIN for Linux BYOD

  • How end users enroll Linux in read-only mode:

    • via the Command Line installer

    • via the Application installer (Open Enrollment / BYOD)


What is a Read-only Linux enrollment?

A Read-only enrollment:

  • Collects inventory and security posture data from the device.

  • Does not allow destructive or high‑impact actions (for example: remote wipe, enforced configuration changes, or privileged remediation), depending on your tenant’s policy set.

  • Is typically used for:

    • Employee-owned (BYOD) Linux laptops

    • Contractor or partner machines

    • Low‑trust / limited‑control environments

Access is protected by a Read-only Access PIN. Only users who know this PIN can enroll their Linux device into read-only mode.


Prerequisites

Before users can enroll a Linux device as read-only:

  1. You must be a Swif admin (or have equivalent permissions) to configure enrollment.

  2. Linux support and BYOD enrollment must be enabled for your tenant.

  3. You should decide:

    • Whether you’ll distribute a Command Line installer script or

    • Use the Application installer (Open Enrollment) flow for BYOD devices.


Configure the Read-only Access PIN for Linux BYOD

You configure the Read-only PIN in the Swif web app, under the Linux enrollment settings for BYOD devices.

1. Open Linux BYOD enrollment settings

  1. Sign in to the Swif admin console.

  2. Go to Devices (or equivalent) → Enrollment → Linux.

  3. Choose the appropriate Linux enrollment flow:

    • Command Line installer (BYOD), and/or

    • Application installer – Linux (Open Enrollment / BYOD).

Depending on your tenant, these may appear under a SecureHive or “Admin Role” installer section.


2. Enable BYOD and show the Read-only PIN field

In both the Command Line and Application installer flows, the Read-only Access PIN is only available when BYOD is enabled.

  1. In the installer configuration panel, locate the BYOD option (checkbox or toggle).

  2. Turn on BYOD.

  3. Confirm that a field with a label similar to “Read-only Access PIN for BYOD devices” appears in the configuration area.

If BYOD is disabled or you are configuring a corporate / non‑BYOD flow, the PIN field will not be visible.


3. Set the Read-only Access PIN

  1. In the Read-only Access PIN field:

    • Enter a PIN that meets your organization’s requirements (for example: numeric, minimum length, no spaces).

    • Follow any on‑screen help text for allowed characters and length.

  2. If the PIN does not meet the required format, you’ll see an inline validation message and won’t be able to save until it’s corrected.

  3. Save the configuration:

    • For first-time setup, the PIN value is stored on the server.

    • On later edits, if you only change the BYOD code (or other fields) and do not modify the PIN, the existing PIN is preserved.

Note: The UI prevents sending "pin": null in normal updates, so your existing PIN is not accidentally cleared when you only modify BYOD code or other settings.


Enroll Linux as Read-only using the Command Line installer

Use this method if you want to generate a shell script for users (for example, sending via email or internal portal).

1. Configure the Linux Command Line BYOD installer

  1. In the admin console, open the Linux Command Line installer page.

  2. Enable BYOD for this installer configuration.

  3. In the side panel / configuration form:

    • Set your BYOD code (if required).

    • Enter the Read-only Access PIN for BYOD devices.

  4. (Optional) Locate the option Include PIN in generated script:

    • Checked – the script will contain the PIN so the user can run it without manually entering the PIN.

    • Unchecked – the script will not contain the PIN; users will need to enter it interactively or supply it through an environment variable or parameter, depending on the agent behavior.

The installer UI validates that a PIN is entered when BYOD is enabled and the PIN is required. You won’t be able to generate the script until a valid PIN is provided.


2. Generate the installation script

  1. Click Generate script (or equivalent action).

  2. Download or copy the generated shell script.

Behavior:

  • If Include PIN in generated script is enabled:

    • The script includes the Read-only PIN in the appropriate argument or configuration block.

    • If you change the PIN and regenerate, the script content updates to reflect the new PIN.

  • If Include PIN in generated script is disabled:

    • The script does not contain the PIN or any derivative of it.

    • Other script content remains unchanged.

    • Toggling the option and regenerating will add or remove the PIN from the script as expected.


3. Provide the script (and PIN) to end users

Share the script and instructions securely with your Linux users. Depending on how you configured the script:

  • If PIN is included in the script
    Users can simply run the script with bash or sh:

    chmod +x swif-linux-enroll.sh
    ./swif-linux-enroll.sh

    The device will enroll into the read-only BYOD flow automatically.

  • If PIN is not included in the script
    Provide the PIN separately (for example, via a secure message). Users will either:

    • Be prompted to enter the Read-only Access PIN during the script run, or

    • Pass it as an argument or environment variable, depending on your deployment pattern.

After the script completes, the Linux device appears in Swif as a read-only BYOD device.
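
Before sharing a generated script, an admin can confirm whether it actually embeds the PIN and, if it does, that the file is not readable by other local users. This is an added example, not Swif tooling or Swif's script format: the file names, the sample PIN 483921 and the `EXAMPLE_PIN=` line are constructed, and the check only finds the literal PIN, not an encoded form of it.

```shell
#!/bin/sh
# Added example (not Swif tooling): audit a generated enrollment script
# before distributing it. The PIN is read from stdin so it never appears
# in argv or shell history. Detects the literal PIN only, not encoded forms.
# Returns: 0 = PIN absent
#          1 = PIN embedded, file accessible by owner only
#          2 = PIN embedded, file accessible by group or others
#          3 = usage error (missing file or empty PIN)
audit_enroll_script() {
    script=$1
    [ -f "$script" ] || return 3
    IFS= read -r pin || :          # tolerate input without a trailing newline
    [ -n "$pin" ] || return 3

    # -F: fixed string, no regex; -e: safe if the PIN starts with '-'
    if ! grep -Fq -e "$pin" "$script"; then
        return 0
    fi

    # An embedded PIN makes the file a credential: check who can read it.
    mode=$(stat -c '%a' "$script" 2>/dev/null || stat -f '%Lp' "$script")
    case $mode in
        0|*00) return 1 ;;         # e.g. 700 or 600
        *)     return 2 ;;         # e.g. 644 or 755
    esac
}

# Constructed sample files; EXAMPLE_PIN= is a placeholder, not Swif's format.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nEXAMPLE_PIN=483921\n' > "$demo_dir/with-pin.sh"
printf '#!/bin/sh\necho "PIN entered at run time"\n' > "$demo_dir/no-pin.sh"
chmod 644 "$demo_dir/with-pin.sh"

for f in with-pin.sh no-pin.sh; do
    rc=0
    printf '%s\n' 483921 | audit_enroll_script "$demo_dir/$f" || rc=$?
    echo "$f: audit result $rc"
done
rm -rf "$demo_dir"
```

A result of 2 means the script should be treated like the PIN itself: tighten its permissions and send it only over a channel you would trust for the PIN.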


Enroll Linux as Read-only using the Application installer (Open Enrollment)

Use this method if you want end users to download the Linux agent themselves and enroll with a BYOD code and PIN, without a pre‑generated script.

1. Configure the Linux Application installer for BYOD

  1. In the admin console, go to Download App (or equivalent) → Linux – Application installer / Open Enrollment.

  2. Configure an Open Enrollment or BYOD‑specific flow for Linux.

  3. In the Configurations section:

    • Enable BYOD.

    • Confirm the field Read-only Access PIN for BYOD devices is visible.

    • Enter your desired Read-only Access PIN, following the same format rules as above.

  4. Save the configuration.

When BYOD is not enabled, the Read-only PIN field will not be shown and is not applicable.


2. End-user steps to enroll via Application installer

  1. The user opens your Swif Download App page for Linux.

  2. They select the Linux installer.

  3. If your configuration uses BYOD/Open Enrollment, they will:

    • Enter any required BYOD code.

    • Enter the Read-only Access PIN you provided.

  4. The user downloads and runs the Linux application installer.

  5. The agent installs and registers the device in read-only mode.

Once enrollment completes, the device will appear in your inventory as a BYOD Linux device with read‑only access.


Updating or rotating the Read-only PIN

You may periodically rotate the Read-only PIN for security reasons.

  1. Go back to the relevant Linux BYOD configuration (Command Line or Application installer).

  2. Enable BYOD (if not already enabled) so the Read-only Access PIN field is visible.

  3. Enter a new PIN that meets your organization’s requirements.

  4. Save the configuration.

  5. Regenerate any Command Line scripts that should embed the new PIN and redistribute them.

  6. Communicate the new PIN to users who enroll via:

    • Application installer Open Enrollment, or

    • Command Line scripts without embedded PIN.

Existing enrolled devices normally remain enrolled; the new PIN applies to future enrollments and any flows that validate against the current PIN.


Troubleshooting

“PIN is required” error when saving settings

  • BYOD is enabled, but the Read-only Access PIN field is empty.

  • Enter a valid PIN that meets the length and character constraints shown in the helper text.

“Invalid PIN format” or similar validation errors

  • Ensure the PIN:

    • Meets the minimum and maximum length.

    • Uses only allowed characters (for example, digits or alphanumeric, no spaces).

  • Correct the PIN and try saving again.

Script does not contain the PIN

  • Confirm that Include PIN in generated script is checked when generating the Command Line installer.

  • Regenerate the script after enabling this option and re‑download it.

Existing PIN was unintentionally changed

  • Updating only the BYOD code should not clear or overwrite the existing PIN.

  • If you suspect the PIN changed:

    1. Reopen the Linux BYOD configuration and verify the current PIN (or reset it).

    2. Save and redistribute any installers that depend on the updated configuration.
