diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in
index 24e8fedb..157385e6 100644
--- a/programs/ziti-edge-tunnel/package/deb/postinst.in
+++ b/programs/ziti-edge-tunnel/package/deb/postinst.in
@@ -39,7 +39,7 @@ if [ "$1" = "configure" ]; then
     fi
   fi
 
-  # update permissions
+  # update permissions in /var/lib/ziti, /opt/openziti/etc/identities
   chown -R ziti:ziti "@ZITI_STATE_DIR@"
   chmod -R u=rwX,g=rwX,o= "@ZITI_STATE_DIR@"
 
diff --git a/programs/ziti-edge-tunnel/package/rpm/post.sh.in b/programs/ziti-edge-tunnel/package/rpm/post.sh.in
index 2ff1f64c..4b80cddd 100644
--- a/programs/ziti-edge-tunnel/package/rpm/post.sh.in
+++ b/programs/ziti-edge-tunnel/package/rpm/post.sh.in
@@ -21,7 +21,7 @@ fi
 
 %systemd_post $SYSTEMD_SERVICE_NAME
 
-# update permissions
+# update permissions in /var/lib/ziti, /opt/openziti/etc/identities
 chown ziti:ziti "@ZITI_STATE_DIR@" || :
 chmod -R u=rwX,g=rwX,o= "@ZITI_STATE_DIR@" || :
 
diff --git a/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.sh.in b/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.sh.in
index 233a93fa..5a5eb8b8 100644
--- a/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.sh.in
+++ b/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.sh.in
@@ -22,7 +22,7 @@ for JWT in @ZITI_IDENTITY_DIR@/*.jwt; do
     }
     # equivalent to BASH's ${JWT%.jwt}.json
     CONFIG="$(echo "${JWT}" | sed -E 's|(.*).jwt|\1.json|')"
-    if @CPACK_BIN_DIR@/@SYSTEMD_SERVICE_NAME@ enroll --jwt ${JWT} --identity ${CONFIG}; then
+    if @CPACK_BIN_DIR@/@SYSTEMD_SERVICE_NAME@ enroll --jwt "${JWT}" --identity "${CONFIG}"; then
         rm --force "${JWT}"
         echo "INFO: enrolled $(basename "${JWT}") in ${CONFIG}"
     else