diff --git a/lib/autoupdate/agent/config.go b/lib/autoupdate/agent/config.go
index 079d08ef57df0..6a355bc824d75 100644
--- a/lib/autoupdate/agent/config.go
+++ b/lib/autoupdate/agent/config.go
@@ -239,4 +239,6 @@ type FindResp struct {
 	InWindow bool `yaml:"in_window"`
 	// Jitter duration before an automated install
 	Jitter time.Duration `yaml:"jitter"`
+	// AGPL installations cannot use the official CDN.
+	AGPL bool `yaml:"agpl,omitempty"`
 }
diff --git a/lib/autoupdate/agent/testdata/TestUpdater_Install/agpl_requires_base_URL.golden b/lib/autoupdate/agent/testdata/TestUpdater_Install/agpl_requires_base_URL.golden
new file mode 100644
index 0000000000000..7c30a0f7fa0c8
--- /dev/null
+++ b/lib/autoupdate/agent/testdata/TestUpdater_Install/agpl_requires_base_URL.golden
@@ -0,0 +1,9 @@
+version: v1
+kind: update_config
+spec:
+    proxy: ""
+    enabled: false
+    pinned: false
+status:
+    active:
+        version: ""
diff --git a/lib/autoupdate/agent/testdata/TestUpdater_Update/agpl_requires_base_URL.golden b/lib/autoupdate/agent/testdata/TestUpdater_Update/agpl_requires_base_URL.golden
new file mode 100644
index 0000000000000..772aa8fb1de55
--- /dev/null
+++ b/lib/autoupdate/agent/testdata/TestUpdater_Update/agpl_requires_base_URL.golden
@@ -0,0 +1,11 @@
+version: v1
+kind: update_config
+spec:
+    proxy: localhost
+    enabled: true
+    pinned: false
+status:
+    active:
+        version: old-version
+    backup:
+        version: backup-version
diff --git a/lib/autoupdate/agent/updater.go b/lib/autoupdate/agent/updater.go
index 08dddc27b285d..953a06e779520 100644
--- a/lib/autoupdate/agent/updater.go
+++ b/lib/autoupdate/agent/updater.go
@@ -327,7 +327,7 @@ func (u *Updater) Install(ctx context.Context, override OverrideConfig) error {
 		u.Log.InfoContext(ctx, "Initiating installation.", targetKey, target, activeKey, active)
 	}
 
-	if err := u.update(ctx, cfg, target, override.AllowOverwrite); err != nil {
+	if err := u.update(ctx, cfg, target, override.AllowOverwrite, resp.AGPL); err != nil {
 		if errors.Is(err, ErrFilePresent) && !override.AllowOverwrite {
 			u.Log.WarnContext(ctx, "Use --overwrite to force removal of existing binaries installed via script.")
 			u.Log.WarnContext(ctx, "If a teleport rpm or deb package is installed, upgrade it to the latest version and retry. DO NOT USE --overwrite.")
@@ -608,7 +608,7 @@ func (u *Updater) Update(ctx context.Context, now bool) error {
 		time.Sleep(resp.Jitter)
 	}
 
-	updateErr := u.update(ctx, cfg, target, false)
+	updateErr := u.update(ctx, cfg, target, false, resp.AGPL)
 	writeErr := writeConfig(u.ConfigPath, cfg)
 	if writeErr != nil {
 		writeErr = trace.Wrap(writeErr, "failed to write %s", updateConfigName)
@@ -642,12 +642,16 @@ func (u *Updater) find(ctx context.Context, cfg *UpdateConfig) (FindResp, error)
 		return FindResp{}, trace.Wrap(err, "failed to request version from proxy")
 	}
 	var flags autoupdate.InstallFlags
+	var agpl bool
 	switch resp.Edition {
 	case modules.BuildEnterprise:
 		flags |= autoupdate.FlagEnterprise
-	case modules.BuildOSS, modules.BuildCommunity:
+	case modules.BuildCommunity:
+	case modules.BuildOSS:
+		agpl = true
 	default:
-		u.Log.WarnContext(ctx, "Unknown edition detected, defaulting to community.", "edition", resp.Edition)
+		agpl = true
+		u.Log.WarnContext(ctx, "Unknown edition detected, defaulting to OSS.", "edition", resp.Edition)
 	}
 	if resp.FIPS {
 		flags |= autoupdate.FlagFIPS
@@ -657,10 +661,19 @@ func (u *Updater) find(ctx context.Context, cfg *UpdateConfig) (FindResp, error)
 		Target:   NewRevision(resp.AutoUpdate.AgentVersion, flags),
 		InWindow: resp.AutoUpdate.AgentAutoUpdate,
 		Jitter:   time.Duration(jitterSec) * time.Second,
+		AGPL:     agpl,
 	}, nil
 }
 
-func (u *Updater) update(ctx context.Context, cfg *UpdateConfig, target Revision, force bool) error {
+func (u *Updater) update(ctx context.Context, cfg *UpdateConfig, target Revision, force, agpl bool) error {
+	baseURL := cfg.Spec.BaseURL
+	if baseURL == "" {
+		if agpl {
+			return trace.Errorf("--base-url flag must be specified for AGPL edition of Teleport")
+		}
+		baseURL = autoupdate.DefaultBaseURL
+	}
+
 	active := cfg.Status.Active
 	backup := deref(cfg.Status.Backup)
 	switch backup {
@@ -679,10 +692,6 @@ func (u *Updater) update(ctx context.Context, cfg *UpdateConfig, target Revision
 
 	// Install and link the desired version (or validate existing installation)
 
-	baseURL := cfg.Spec.BaseURL
-	if baseURL == "" {
-		baseURL = autoupdate.DefaultBaseURL
-	}
 	err := u.Installer.Install(ctx, target, baseURL)
 	if err != nil {
 		return trace.Wrap(err, "failed to install")
diff --git a/lib/autoupdate/agent/updater_test.go b/lib/autoupdate/agent/updater_test.go
index 2faf2dbd13e31..f32f933690f65 100644
--- a/lib/autoupdate/agent/updater_test.go
+++ b/lib/autoupdate/agent/updater_test.go
@@ -225,6 +225,7 @@ func TestUpdater_Update(t *testing.T) {
 		flags      autoupdate.InstallFlags
 		inWindow   bool
 		now        bool
+		agpl       bool
 		installErr error
 		setupErr   error
 		reloadErr  error
@@ -526,6 +527,27 @@ func TestUpdater_Update(t *testing.T) {
 			setupCalls:  1,
 			errMatch:    "setup error",
 		},
+		{
+			name: "agpl requires base URL",
+			cfg: &UpdateConfig{
+				Version: updateConfigVersion,
+				Kind:    updateConfigKind,
+				Spec: UpdateSpec{
+					Enabled: true,
+				},
+				Status: UpdateStatus{
+					Active: NewRevision("old-version", 0),
+					Backup: toPtr(NewRevision("backup-version", 0)),
+				},
+			},
+			inWindow: true,
+			agpl:     true,
+
+			reloadCalls: 0,
+			revertCalls: 0,
+			setupCalls:  0,
+			errMatch:    "AGPL",
+		},
 		{
 			name: "reload fails",
 			cfg: &UpdateConfig{
@@ -601,9 +623,13 @@ func TestUpdater_Update(t *testing.T) {
 						AgentAutoUpdate: tt.inWindow,
 					},
 				}
+				config.Edition = "community"
 				if tt.flags&autoupdate.FlagEnterprise != 0 {
 					config.Edition = "ent"
 				}
+				if tt.agpl {
+					config.Edition = "oss"
+				}
 				config.FIPS = tt.flags&autoupdate.FlagFIPS != 0
 				err := json.NewEncoder(w).Encode(config)
 				require.NoError(t, err)
@@ -1145,6 +1171,7 @@ func TestUpdater_Install(t *testing.T) {
 		cfg        *UpdateConfig // nil -> file not present
 		userCfg    OverrideConfig
 		flags      autoupdate.InstallFlags
+		agpl       bool
 		installErr error
 		setupErr   error
 		reloadErr  error
@@ -1270,6 +1297,15 @@ func TestUpdater_Install(t *testing.T) {
 			installedBaseURL:  autoupdate.DefaultBaseURL,
 			errMatch:          "install error",
 		},
+		{
+			name: "agpl requires base URL",
+			cfg: &UpdateConfig{
+				Version: updateConfigVersion,
+				Kind:    updateConfigKind,
+			},
+			agpl:     true,
+			errMatch: "AGPL",
+		},
 		{
 			name: "version already installed",
 			cfg: &UpdateConfig{
@@ -1443,9 +1479,13 @@ func TestUpdater_Install(t *testing.T) {
 						AgentVersion: "16.3.0",
 					},
 				}
+				config.Edition = "community"
 				if tt.flags&autoupdate.FlagEnterprise != 0 {
 					config.Edition = "ent"
 				}
+				if tt.agpl {
+					config.Edition = "oss"
+				}
 				config.FIPS = tt.flags&autoupdate.FlagFIPS != 0
 				err := json.NewEncoder(w).Encode(config)
 				require.NoError(t, err)