diff --git a/agent/agent.go b/agent/agent.go
index 0ca25e28..8e78a047 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -172,9 +172,9 @@ func (a *Agent) remoteAgent() {
 		return
 	}
 
-	logrus.Infof("listening for remote agent at '%v'", enrollment.ServiceName)
+	logrus.Infof("listening for remote agent at '%v'", enrollment.Token)
 
-	l, err := sdk.NewListener(enrollment.ServiceName, a.root)
+	l, err := sdk.NewListener(enrollment.Token, a.root)
 	if err != nil {
 		logrus.Errorf("error listening for remote agent: %v", err)
 		return
diff --git a/agent/enrollment.go b/agent/enrollment.go
index 040a1aa4..28002612 100644
--- a/agent/enrollment.go
+++ b/agent/enrollment.go
@@ -9,8 +9,12 @@ import (
 const EnrollmentV = "1"
 
 type Enrollment struct {
-	V           string `json:"v"`
-	ServiceName string `json:"service_name"`
+	V     string `json:"v"`
+	Token string `json:"token"`
+}
+
+func NewEnrollment(token string) *Enrollment {
+	return &Enrollment{Token: token}
 }
 
 func LoadEnrollment(path string) (*Enrollment, error) {
diff --git a/cmd/zrok/agentEnroll.go b/cmd/zrok/agentEnroll.go
new file mode 100644
index 00000000..996ae661
--- /dev/null
+++ b/cmd/zrok/agentEnroll.go
@@ -0,0 +1,67 @@
+package main
+
+import (
+	"fmt"
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/openziti/zrok/agent"
+	"github.com/openziti/zrok/environment"
+	agent2 "github.com/openziti/zrok/rest_client_zrok/agent"
+	"github.com/openziti/zrok/tui"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	agentCmd.AddCommand(newAgentEnrollCommand().cmd)
+}
+
+type agentEnrollCommand struct {
+	cmd *cobra.Command
+}
+
+func newAgentEnrollCommand() *agentEnrollCommand {
+	cmd := &cobra.Command{
+		Use:   "enroll",
+		Short: "Enroll the agent in remote control",
+		Args:  cobra.NoArgs,
+	}
+	command := &agentEnrollCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *agentEnrollCommand) run(_ *cobra.Command, _ []string) {
+	root, err := environment.LoadRoot()
+	if err != nil {
+		tui.Error("error loading zrokdir", err)
+	}
+
+	enrlPath, err := root.AgentEnrollment()
+	if err != nil {
+		tui.Error("error getting agent enrollment path", err)
+	}
+
+	_, err = agent.LoadEnrollment(enrlPath)
+	if err == nil {
+		tui.Error("agent already enrolled; 'zrok agent unenroll' first", nil)
+	}
+
+	zrok, err := root.Client()
+	if err != nil {
+		tui.Error("error creating zrok api client", err)
+	}
+
+	req := agent2.NewEnrollParams()
+	req.Body.EnvZID = root.Environment().ZitiIdentity
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
+	resp, err := zrok.Agent.Enroll(req, auth)
+	if err != nil {
+		tui.Error("error enrolling agent", err)
+	}
+
+	enrl := agent.NewEnrollment(resp.Payload.Token)
+	if err := enrl.Save(enrlPath); err != nil {
+		tui.Error("error saving agent enrollment", err)
+	}
+
+	fmt.Printf("agent enrolled with token '%v'\n", enrl.Token)
+}
diff --git a/cmd/zrok/agentUnenroll.go b/cmd/zrok/agentUnenroll.go
new file mode 100644
index 00000000..13c282d3
--- /dev/null
+++ b/cmd/zrok/agentUnenroll.go
@@ -0,0 +1,64 @@
+package main
+
+import (
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/openziti/zrok/agent"
+	"github.com/openziti/zrok/environment"
+	agent2 "github.com/openziti/zrok/rest_client_zrok/agent"
+	"github.com/openziti/zrok/tui"
+	"github.com/spf13/cobra"
+	"os"
+)
+
+func init() {
+	agentCmd.AddCommand(newAgentUnenrollCommand().cmd)
+}
+
+type agentUnenrollCommand struct {
+	cmd *cobra.Command
+}
+
+func newAgentUnenrollCommand() *agentUnenrollCommand {
+	cmd := &cobra.Command{
+		Use:   "unenroll",
+		Short: "Unenroll the agent from remote management",
+		Args:  cobra.NoArgs,
+	}
+	command := &agentUnenrollCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *agentUnenrollCommand) run(_ *cobra.Command, _ []string) {
+	root, err := environment.LoadRoot()
+	if err != nil {
+		tui.Error("error loading zrokdir", err)
+	}
+
+	enrlPath, err := root.AgentEnrollment()
+	if err != nil {
+		tui.Error("error getting agent enrollment path", err)
+	}
+
+	_, err = agent.LoadEnrollment(enrlPath)
+	if err != nil {
+		tui.Warning("error loading agent enrollment; use 'zrok agent enroll' to enroll", err)
+	}
+
+	zrok, err := root.Client()
+	if err != nil {
+		tui.Error("error creating zrok api client", err)
+	}
+
+	req := agent2.NewUnenrollParams()
+	req.Body.EnvZID = root.Environment().ZitiIdentity
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
+	_, err = zrok.Agent.Unenroll(req, auth)
+	if err != nil {
+		tui.Error("error unenrolling agent", err)
+	}
+
+	if err := os.Remove(enrlPath); err != nil {
+		tui.Error("error removing agent enrollment", err)
+	}
+}