Add Linux agent package distribution to Fleet DM integration docs

Linux hosts don't support MDM profiles, so instead of SCEP enrollment
the agent registers directly via TPM attestation. Adds .deb and .rpm
package links, a post-install script for agent configuration, GitOps
YAML examples with label-based targeting, and Linux confirmation steps.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

tutorials/connect-fleet-dm-to-smallstep.mdx

@@ -34,6 +34,7 @@ Supported platforms:
 
 - macOS, iOS, iPadOS (via `.mobileconfig` profiles)
 - Windows (via `.xml` SyncML profiles)
+- Linux (via agent software deployment)
 
 ## Step 1. Get a Fleet API token
 
@@ -432,10 +433,45 @@ You can deploy the agent using Fleet's [software deployment](https://fleetdm.com
    - macOS: [step-agent-plugin_latest.pkg](https://packages.smallstep.com/stable/darwin/step-agent-plugin_latest.pkg)
    - Windows (x64): [step-agent-plugin_latest_amd64.msi](https://packages.smallstep.com/stable/windows/step-agent-plugin_latest_amd64.msi)
    - Windows (ARM64): [step-agent-plugin_latest_arm64.msi](https://packages.smallstep.com/stable/windows/step-agent-plugin_latest_arm64.msi)
+   - Linux (Debian/Ubuntu x64): [step-agent-plugin_amd64_latest.deb](https://packages.smallstep.com/stable/linux/step-agent-plugin_amd64_latest.deb)
+   - Linux (Debian/Ubuntu ARM64): [step-agent-plugin_arm64_latest.deb](https://packages.smallstep.com/stable/linux/step-agent-plugin_arm64_latest.deb)
+   - Linux (RHEL/Fedora x64): [step-agent-plugin_x86_64_latest.rpm](https://packages.smallstep.com/stable/linux/step-agent-plugin_x86_64_latest.rpm)
+   - Linux (RHEL/Fedora ARM64): [step-agent-plugin_aarch64_latest.rpm](https://packages.smallstep.com/stable/linux/step-agent-plugin_aarch64_latest.rpm)
 2. In Fleet, go to **Software**, choose **Custom Package**, and add the package for distribution
 
 Alternatively, you can use a separate software management system such as [Munki](https://github.com/munki/munki) to deploy the agent. See the [Smallstep Agent manual installation guide](../platform/smallstep-agent.mdx#macos-installation) for detailed instructions.
 
+### Linux agent configuration
+
+Linux does not support MDM configuration profiles, so the SCEP enrollment flow used for macOS and Windows does not apply. Instead, the Smallstep agent on Linux registers directly using TPM attestation. After installing the agent package, you must configure it with your Smallstep team slug and CA fingerprint.
+
+When adding a Linux agent package in Fleet, add the following **post-install script** to configure and start the agent:
+
+```bash
+#!/bin/bash
+
+# Configure the Smallstep agent
+mkdir -p /etc/step-agent
+cat > /etc/step-agent/agent.yaml << EOF
+team: "<your-team-slug>"
+fingerprint: "<your-agents-ca-fingerprint>"
+EOF
+
+# Enable and start the agent service
+systemctl daemon-reload
+systemctl enable --now step-agent
+```
+
+Replace `<your-team-slug>` with your Smallstep team slug (found in [**Settings → Team**](https://smallstep.com/app/?next=/settings/team)), and `<your-agents-ca-fingerprint>` with the SHA-256 root fingerprint of your Smallstep Agents authority (found in [**Certificate Manager → Authorities**](https://smallstep.com/app/?next=/cm/authorities) under the Agents authority).
+
+<Alert severity="info">
+<div>
+If your fleet includes multiple Linux distributions or architectures, create separate software entries for each package variant. Use [Fleet labels](https://fleetdm.com/docs/using-fleet/hosts#labels) to target `.deb` packages to Debian/Ubuntu hosts and `.rpm` packages to RHEL/Fedora hosts. See the [GitOps section](#gitops-configure-fleet-with-fleetctl) for a complete example with label targeting.
+</div>
+</Alert>
+
+After deployment, Linux devices will self-register with your Smallstep team via TPM attestation. By default, new devices require admin approval in the [Smallstep console](https://smallstep.com/app/?next=/devices). To automate approval, you can [pre-register devices via API](../platform/smallstep-agent.mdx#pre-registration-via-api).
+
 ## GitOps: Configure Fleet with `fleetctl`
 
 As an alternative to Steps 3 through 5, you can manage your entire Fleet configuration with YAML files and the `fleetctl gitops` command. This approach is ideal for version-controlled, repeatable deployments.
@@ -452,12 +488,13 @@ fleet-gitops/
 └── lib/
     ├── smallstep-agent.mobileconfig
     ├── smallstep-scep.xml
-    └── smallstep-root-ca.xml
+    ├── smallstep-root-ca.xml
+    └── smallstep-agent-setup.sh
 ```
 
 - `default.yml` — Organization-wide settings, including certificate authorities
 - `teams/team.yml` — Per-team configuration for profiles and software
-- `lib/` — Configuration profile files created in [Step 4](#step-4-create-scep-configuration-profiles)
+- `lib/` — Configuration profile files created in [Step 4](#step-4-create-scep-configuration-profiles) and Linux agent setup script
 
 ### Add the Smallstep CA
 
@@ -505,8 +542,41 @@ software:
   packages:
     - url: https://packages.smallstep.com/stable/darwin/step-agent-plugin_latest.pkg
     - url: https://packages.smallstep.com/stable/windows/step-agent-plugin_latest_amd64.msi
+    - url: https://packages.smallstep.com/stable/linux/step-agent-plugin_amd64_latest.deb
+      post_install_script:
+        path: ../lib/smallstep-agent-setup.sh
+    - url: https://packages.smallstep.com/stable/linux/step-agent-plugin_x86_64_latest.rpm
+      post_install_script:
+        path: ../lib/smallstep-agent-setup.sh
 ```
 
+If your Linux fleet includes multiple architectures, add entries for each variant and use `labels_include_any` to target the correct package to each host:
+
+```yaml
+    - url: https://packages.smallstep.com/stable/linux/step-agent-plugin_amd64_latest.deb
+      post_install_script:
+        path: ../lib/smallstep-agent-setup.sh
+      labels_include_any:
+        - Ubuntu Linux
+    - url: https://packages.smallstep.com/stable/linux/step-agent-plugin_arm64_latest.deb
+      post_install_script:
+        path: ../lib/smallstep-agent-setup.sh
+      labels_include_any:
+        - Ubuntu Linux
+    - url: https://packages.smallstep.com/stable/linux/step-agent-plugin_x86_64_latest.rpm
+      post_install_script:
+        path: ../lib/smallstep-agent-setup.sh
+      labels_include_any:
+        - Red Hat Linux
+    - url: https://packages.smallstep.com/stable/linux/step-agent-plugin_aarch64_latest.rpm
+      post_install_script:
+        path: ../lib/smallstep-agent-setup.sh
+      labels_include_any:
+        - Red Hat Linux
+```
+
+Adapt the label names to match your Fleet label configuration. Fleet includes built-in labels for common Linux distributions. For architecture-specific targeting, you can create [custom labels](https://fleetdm.com/docs/using-fleet/hosts#custom-labels) using osquery queries (for example, `SELECT 1 FROM system_info WHERE cpu_type = 'x86_64'`).
+
 ### Apply the configuration
 
 Run `fleetctl gitops` to apply the configuration:
@@ -540,3 +610,4 @@ On the device itself:
 - **macOS**: Open **Keychain Access** and look for a certificate issued by your Smallstep authority
 - **iOS/iPadOS**: Go to **Settings → General → VPN & Device Management** to view installed profiles
 - **Windows**: Open **certmgr.msc** and check the Personal certificates store
+- **Linux**: Run `sudo systemctl status step-agent` to verify the agent is running, and check `/var/lib/step-agent` for certificate files