Request: end asking for admin credentials on first launch

I’d be quite interested in deploying zerotier for a small business’ remote access to a server. However, most users are not admins, so a first launch of ZeroTier will either require a complete change to their privileges, or I can ask if whatever admin-requiring action that is being done at first launch could be done by the installer itself.

Is there any way to make zerotier run without access to admin credentials?

No. Admin credentials are required to manage ZeroTier. The tray app does NOT need to be running for ZeroTier to work, however. It’s a system daemon that runs in the background. The Tray app is totally separate and just controls it.

Impressively quick response- thank you.

I see that TailScale can launch without requiring an administrative account. Is this a privilege of being distributed via the App Store?

TailScale uses Apple’s NetworkExtension framework in order to be distributed on the App Store. ZeroTier cannot use the NetworkExtension framework at this time as it would reduce performance and limit some of our core features due to the nature of the framework.

As I said before, the ZeroTier.app application is not required to be running for ZeroTier to work. The actual zerotier-one daemon is running in the background via launchd when it is installed. You, as the administrator, can configure the end user machine either via the command line (sudo zerotier-cli) or via the ZeroTier.app UI with your administrator enabled account. The end users of the machine then don’t need to know about, or use the ZeroTier tray app at all.

Right- this makes sense. A quick join script to follow the install action gets me where I’m trying to be better than access to the admin interface.

+1 question this inspires- it it possible for a join action to specify the requested short-name?

No. Joins must be done by network ID. There’s no way to enforce a unique network name across all of ZeroTier and that would be required if you were to join by a name rather than ID.

I wasn’t looking to name the network, but to identify the client waiting approval.

As the admin, following the install with a script to /usr/local/bin/zerotier-cli join <networkID> works, but it leaves the admin without knowledge of who the pending approval is. If the join could include a clientID, I’d push that as the device serial, and use it as a checksum to have higher confidence a machine being approved belongs on the network.
It would also be relevant for long term lifecycle- someday records will need to be maintained over the lifespan of a device.