diff --git a/cmd/auth/login/login.go b/cmd/auth/login/login.go
index 5c40505..ad3070e 100644
--- a/cmd/auth/login/login.go
+++ b/cmd/auth/login/login.go
@@ -307,7 +307,7 @@ func loginMain(cmd *cobra.Command, opts *LoginCmdOpts) error {
 			Secret: newOlmCreds.Secret,
 		}
 	} else {
-		logger.Info("Olm credentials already exist for this account, skipping generation")
+		// logger.Info("Olm credentials already exist for this account, skipping generation")
 	}
 
 	accountStore.Accounts[user.UserID] = newAccount
diff --git a/cmd/select/account/account.go b/cmd/select/account/account.go
index d9a69f0..5389039 100644
--- a/cmd/select/account/account.go
+++ b/cmd/select/account/account.go
@@ -136,7 +136,7 @@ func accountMain(cmd *cobra.Command, opts *AccountCmdOpts) error {
 	// Health check passed, fetch user data and update account info
 	user, err := apiClient.GetUser()
 	if err != nil {
-		logger.Warning("Failed to fetch user data: %v. Account switched, but user info not updated.", err)
+		logger.Warning("Failed to fetch user data: %v. Account switched, but user info not updated. You may need to log back in.", err)
 		// Still show success message using stored account data
 		selectedAccountStr := utils.AccountDisplayNameWithHost(selectedAccount)
 		logger.Success("Successfully selected account: %s", selectedAccountStr)
diff --git a/cmd/up/client/client.go b/cmd/up/client/client.go
index 74f3dcc..0c24805 100644
--- a/cmd/up/client/client.go
+++ b/cmd/up/client/client.go
@@ -516,7 +516,8 @@ func clientUpMain(cmd *cobra.Command, opts *ClientUpCmdOpts, extraArgs []string)
 	// - User directly passing id/secret (should NOT fetch userToken)
 	var userToken string
 	credentialsFromKeyringEnv := os.Getenv("PANGOLIN_CREDENTIALS_FROM_KEYRING")
-	if credentialsFromKeyringEnv == "1" || credentialsFromKeyring {
+	credentialsFromKeyring = credentialsFromKeyringEnv == "1" || credentialsFromKeyring
+	if credentialsFromKeyring {
 		// Credentials came from config, fetch userToken from secrets
 		activeAccount, err := accountStore.ActiveAccount()
 		if err != nil {
@@ -555,16 +556,20 @@ func clientUpMain(cmd *cobra.Command, opts *ClientUpCmdOpts, extraArgs []string)
 		},
 	}
 
-	initialFp := fingerprint.GatherFingerprintInfo()
-	initialFingerprint := initialFp.ToMap()
-	initialPostures := fingerprint.GatherPostureChecks().ToMap()
-
-	// Write the fingerprint to disk immediately so it's available for other processes
-	if fingerprintFilePath, err := config.GetFingerprintFilePath(); err == nil && fingerprintFilePath != "" {
-		if fingerprintDir, err := config.GetFingerprintDir(); err == nil && fingerprintDir != "" {
-			_ = os.MkdirAll(fingerprintDir, 0o755)
+	// Only collect fingerprint for user devices; machine clients (id/secret provided) skip it
+	var initialFingerprint, initialPostures map[string]interface{}
+	if credentialsFromKeyring {
+		initialFp := fingerprint.GatherFingerprintInfo()
+		initialFingerprint = initialFp.ToMap()
+		initialPostures = fingerprint.GatherPostureChecks().ToMap()
+
+		// Write the fingerprint to disk immediately so it's available for other processes
+		if fingerprintFilePath, err := config.GetFingerprintFilePath(); err == nil && fingerprintFilePath != "" {
+			if fingerprintDir, err := config.GetFingerprintDir(); err == nil && fingerprintDir != "" {
+				_ = os.MkdirAll(fingerprintDir, 0o755)
+			}
+			_ = os.WriteFile(fingerprintFilePath, []byte(initialFp.PlatformFingerprint), 0o644)
 		}
-		_ = os.WriteFile(fingerprintFilePath, []byte(initialFp.PlatformFingerprint), 0o644)
 	}
 
 	tunnelConfig := olmpkg.TunnelConfig{
@@ -605,8 +610,11 @@ func clientUpMain(cmd *cobra.Command, opts *ClientUpCmdOpts, extraArgs []string)
 	}
 	defer olm.Close()
 
-	cancelFingerprinting := startFingerprinting(olm)
-	defer cancelFingerprinting()
+	// Only run ongoing fingerprint updates for user devices
+	if credentialsFromKeyring {
+		cancelFingerprinting := startFingerprinting(olm)
+		defer cancelFingerprinting()
+	}
 
 	if enableAPI {
 		_ = olm.StartApi()