diff --git a/cmd/zrok/agentEnroll.go b/cmd/zrok/agentEnroll.go
index 9aad7b10..687738ae 100644
--- a/cmd/zrok/agentEnroll.go
+++ b/cmd/zrok/agentEnroll.go
@@ -39,6 +39,10 @@ func (cmd *agentEnrollCommand) run(_ *cobra.Command, _ []string) {
 		tui.Error("error loading zrokdir", err)
 	}
 
+	if !root.IsEnabled() {
+		tui.Error("unable to load environment; did you 'zrok enable'?", nil)
+	}
+
 	enrlPath, err := root.AgentEnrollment()
 	if err != nil {
 		tui.Error("error getting agent enrollment path", err)
diff --git a/cmd/zrok/agentUnenroll.go b/cmd/zrok/agentUnenroll.go
index 13c282d3..aeae758c 100644
--- a/cmd/zrok/agentUnenroll.go
+++ b/cmd/zrok/agentUnenroll.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/openziti/zrok/agent"
 	"github.com/openziti/zrok/environment"
@@ -35,11 +36,19 @@ func (cmd *agentUnenrollCommand) run(_ *cobra.Command, _ []string) {
 		tui.Error("error loading zrokdir", err)
 	}
 
+	if !root.IsEnabled() {
+		tui.Error("unable to load environment; did you 'zrok enable'?", nil)
+	}
+
 	enrlPath, err := root.AgentEnrollment()
 	if err != nil {
 		tui.Error("error getting agent enrollment path", err)
 	}
 
+	if _, err := os.Stat(enrlPath); os.IsNotExist(err) {
+		tui.Error("agent not enrolled; use 'zrok agent enroll' to enroll", nil)
+	}
+
 	_, err = agent.LoadEnrollment(enrlPath)
 	if err != nil {
 		tui.Warning("error loading agent enrollment; use 'zrok agent enroll' to enroll", err)
@@ -55,10 +64,14 @@ func (cmd *agentUnenrollCommand) run(_ *cobra.Command, _ []string) {
 	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 	_, err = zrok.Agent.Unenroll(req, auth)
 	if err != nil {
-		tui.Error("error unenrolling agent", err)
+		tui.Warning("error unenrolling agent from service (ignoring)", err)
+	} else {
+		fmt.Printf("%v: unenrolled agent from '%v'\n", tui.Attention.Render("SUCCESS"), root.Environment().ApiEndpoint)
 	}
 
 	if err := os.Remove(enrlPath); err != nil {
 		tui.Error("error removing agent enrollment", err)
+	} else {
+		fmt.Printf("%v: removed agent-enrollment.json\n", tui.Attention.Render("SUCCESS"))
 	}
 }
diff --git a/controller/agentEnroll.go b/controller/agentEnroll.go
index 54e0db82..9c05d814 100644
--- a/controller/agentEnroll.go
+++ b/controller/agentEnroll.go
@@ -63,7 +63,7 @@ func (h *agentEnrollHandler) Handle(params agent.EnrollParams, principal *rest_m
 		return agent.NewEnrollInternalServerError()
 	}
 
-	if err := zrokEdgeSdk.CreateShareServiceEdgeRouterPolicy(env.ZId, token, zId, client); err != nil {
+	if err := zrokEdgeSdk.CreateAgentRemoteServiceEdgeRouterPolicy(env.ZId, token, zId, client); err != nil {
 		logrus.Errorf("error creating agent remoting serp for '%v' (%v): %v", env.ZId, principal.Email, err)
 		return agent.NewEnrollInternalServerError()
 	}
diff --git a/controller/disable.go b/controller/disable.go
index 7144765b..fceb2c4a 100644
--- a/controller/disable.go
+++ b/controller/disable.go
@@ -144,7 +144,12 @@ func (h *disableHandler) removeAgentRemoteForEnvironment(env *store.Environment,
 		if err != nil {
 			return err
 		}
-		aeZId := *(listResp.Payload.Data[0].ID)
+		aeZId := ""
+		if len(listResp.Payload.Data) > 0 {
+			aeZId = *(listResp.Payload.Data[0].ID)
+		} else {
+			return errors.New("no agent remoting identity found")
+		}
 		if err := zrokEdgeSdk.DeleteService(env.ZId, aeZId, edge); err != nil {
 			return err
 		}
diff --git a/controller/store/agentEnrollment.go b/controller/store/agentEnrollment.go
index 34b9f5fa..490047b8 100644
--- a/controller/store/agentEnrollment.go
+++ b/controller/store/agentEnrollment.go
@@ -28,7 +28,7 @@ func (str *Store) IsAgentEnrolledForEnvironment(envId int, trx *sqlx.Tx) (bool,
 	if err := trx.QueryRowx("select count(0) from agent_enrollments where environment_id = $1 and not deleted", envId).Scan(&count); err != nil {
 		return false, err
 	}
-	return count == 0, nil
+	return count > 0, nil
 }
 
 func (str *Store) FindAgentEnrollmentForEnvironment(envId int, trx *sqlx.Tx) (*AgentEnrollment, error) {
diff --git a/controller/zrokEdgeSdk/serp.go b/controller/zrokEdgeSdk/serp.go
index d3f12584..d05f0e06 100644
--- a/controller/zrokEdgeSdk/serp.go
+++ b/controller/zrokEdgeSdk/serp.go
@@ -11,6 +11,15 @@ import (
 	"time"
 )
 
+func CreateAgentRemoteServiceEdgeRouterPolicy(envZId, enrollmentToken, zId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
+	serpZId, err := CreateServiceEdgeRouterPolicy(enrollmentToken, zId, ZrokAgentRemoteTags(enrollmentToken, envZId).SubTags, edge)
+	if err != nil {
+		return err
+	}
+	logrus.Infof("created service edge router policy '%v' for service '%v' (%v) for environment '%v'", serpZId, zId, enrollmentToken, envZId)
+	return nil
+}
+
 func CreateShareServiceEdgeRouterPolicy(envZId, shrToken, shrZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
 	serpZId, err := CreateServiceEdgeRouterPolicy(shrToken, shrZId, ZrokShareTags(shrToken).SubTags, edge)
 	if err != nil {