diff --git a/lib/web/scripts.go b/lib/web/scripts.go
index 2ace80a8c5131..231ff7832138d 100644
--- a/lib/web/scripts.go
+++ b/lib/web/scripts.go
@@ -36,7 +36,10 @@ import (
 	"github.com/gravitational/teleport/lib/web/scripts"
 )
 
-const insecureParamName = "insecure"
+const (
+	insecureParamName = "insecure"
+	groupParamName    = "group"
+)
 
 // installScriptHandle handles calls for "/scripts/install.sh" and responds with a bash script installing Teleport
 // by downloading and running `teleport-update`. This installation script does not start the agent, join it,
@@ -62,6 +65,9 @@ func (h *Handler) installScriptHandle(w http.ResponseWriter, r *http.Request, pa
 		}
 		opts.Insecure = v
 	}
+	if group := r.URL.Query().Get(groupParamName); group != "" {
+		opts.Group = group
+	}
 
 	script, err := scripts.GetInstallScript(r.Context(), opts)
 	if err != nil {
diff --git a/lib/web/scripts/install.go b/lib/web/scripts/install.go
index 394fb5bc3d035..1c981e52a6ae5 100644
--- a/lib/web/scripts/install.go
+++ b/lib/web/scripts/install.go
@@ -92,6 +92,9 @@ type InstallScriptOptions struct {
 	// the artifacts from the CDN.
 	// The agent install in insecure mode will not be able to automatically update.
 	Insecure bool
+	// Group is the group for agent installation used by 'teleport-update enable' command.
+	// Ignored by legacy script.
+	Group string
 }
 
 // Check validates that the minimal options are set.
@@ -138,6 +141,9 @@ func (o *InstallScriptOptions) oneOffParams() (params oneoff.OneOffScriptParams)
 	}
 
 	successMessage := "Teleport successfully installed."
+	if o.Group != "" {
+		args = append(args, "--group", shsprintf.EscapeDefaultContext(o.Group))
+	}
 	if o.Insecure {
 		args = append(args, "--insecure")
 		successMessage += " --insecure was used during installation, automatic updates will not work unless the Proxy Service presents a certificate trusted by the system."
diff --git a/lib/web/scripts/install_test.go b/lib/web/scripts/install_test.go
index 82074daffa5e6..0aee64198b68a 100644
--- a/lib/web/scripts/install_test.go
+++ b/lib/web/scripts/install_test.go
@@ -97,6 +97,24 @@ func TestGetInstallScript(t *testing.T) {
 				require.Contains(t, script, "packageSuffix='bin.tar.gz'")
 			},
 		},
+		{
+			name: "Oneoff install with group",
+			opts: InstallScriptOptions{
+				AutoupdateStyle: UpdaterBinaryAutoupdate,
+				TeleportVersion: testVersion,
+				ProxyAddr:       testProxyAddr,
+				TeleportFlavor:  types.PackageNameOSS,
+				Group:           "development",
+			},
+			assertFn: func(t *testing.T, script string) {
+				require.Contains(t, script, "entrypoint='teleport-update'")
+				require.Contains(t, script, fmt.Sprintf("teleportVersion='v%s'", testVersion))
+				require.Contains(t, script, fmt.Sprintf("teleportFlavor='%s'", types.PackageNameOSS))
+				require.Contains(t, script, fmt.Sprintf("cdnBaseURL='%s'", teleportassets.CDNBaseURL()))
+				require.Contains(t, script, fmt.Sprintf("entrypointArgs='enable --proxy %s --group development'", testProxyAddr))
+				require.Contains(t, script, "packageSuffix='bin.tar.gz'")
+			},
+		},
 		{
 			name: "Oneoff install custom CDN",
 			opts: InstallScriptOptions{