If this constraint remains we cannot use agent updater anymore or at least we cannot use the TLS encryption which would be very welcome as the current symmetric encryption is also not save.
I didnt had a closer look to this new feature because I am still fully busy with 2.0 upgrade, so please apologize in case writing nonsense.
Could it maybe an option that the agent do some kind of pre-registration and finally a user with sufficient rights is doing the final step in GUI Setup? There could be a view with a list of all pre-registered agents filtered by access rights of the user. Its not fully automatic anymore but anyway the user who is responsible for the host needs to do some configuration stuff on the host. So the effort would be acceptable.
regards
Michael