diff --git a/Makefile b/Makefile index 3b35a07c7ed60..34ccbc2390742 100644 --- a/Makefile +++ b/Makefile @@ -427,6 +427,15 @@ tsh-app: cp "$(BUILDDIR)/tsh" "$(TSH_APP_BUNDLE)/Contents/MacOS/." $(NOTARIZE_TSH_APP) +.PHONY: tctl-app +tctl-app: TCTL_APP_BUNDLE = $(BUILDDIR)/tctl.app +tctl-app: TCTL_APP_ENTITLEMENTS = build.assets/macos/$(TCTL_SKELETON)/$(TCTL_SKELETON).entitlements +tctl-app: + cp -rf "build.assets/macos/$(TCTL_SKELETON)/tctl.app/" "$(TCTL_APP_BUNDLE)/" + mkdir -p "$(TCTL_APP_BUNDLE)/Contents/MacOS/" + cp "$(BUILDDIR)/tctl" "$(TCTL_APP_BUNDLE)/Contents/MacOS/." + $(NOTARIZE_TCTL_APP) + # # BPF support (IF ENABLED) # Requires a recent version of clang and libbpf installed. @@ -613,12 +622,15 @@ include darwin-signing.mk release-darwin-unsigned: RELEASE:=$(RELEASE)-unsigned release-darwin-unsigned: full build-archive +SIGNED_BINARIES := $(BINARIES:%tsh=%tsh.app) +SIGNED_BINARIES := $(SIGNED_BINARIES:%tctl=%tctl.app) + .PHONY: release-darwin ifneq ($(ARCH),universal) release-darwin: release-darwin-unsigned $(NOTARIZE_BINARIES) - $(MAKE) tsh-app - $(MAKE) build-archive BINARIES="$(subst tsh,tsh.app,$(BINARIES))" + $(MAKE) tsh-app tctl-app + $(MAKE) build-archive BINARIES="$(SIGNED_BINARIES)" @if [ -f e/Makefile ]; then $(MAKE) -C e release; fi else 
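Review bot: The `tctl-app` recipe copies the skeleton over `$(TCTL_APP_BUNDLE)` without clearing it first, so anything left in `$(BUILDDIR)/tctl.app` by an earlier build stays inside the bundle that `$(NOTARIZE_TCTL_APP)` is then applied to. Starting the recipe with `rm -rf "$(TCTL_APP_BUNDLE)"` keeps the signed bundle down to the skeleton plus the freshly copied binary. The target also declares no prerequisite for `$(BUILDDIR)/tctl`, so it depends on the caller having built it; a comment such as `# Requires $(BUILDDIR)/tctl; run after the build targets.` would make that explicit.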
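Review bot: `SIGNED_BINARIES` is assigned with `:=` in the `release-darwin` hunk, so it captures `BINARIES` as it stands when this line is parsed. If `BINARIES` is extended further down the file or in a later include, `build-archive` would receive the shorter list, so the ordering is worth confirming. The switch from `$(subst tsh,tsh.app,…)` to `%tsh=%tsh.app` is also unexplained; a comment like `# Swap tsh/tctl for their .app bundles; the % form only rewrites words ending in the binary name.` would record the reason.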
@@ -635,23 +647,26 @@ else # Ensure you have the rust toolchains for these installed by running # make ARCH=arm64 rustup-install-target-toolchain # make ARCH=amd64 rustup-install-target-toolchain -release-darwin: TARBINS := $(subst tsh,tsh.app,$(TARBINS)) +release-darwin: TARBINS := $(TARBINS:%tsh=%tsh.app) +release-darwin: TARBINS := $(TARBINS:%tctl=%tctl.app) release-darwin: $(RELEASE_darwin_arm64) $(RELEASE_darwin_amd64) mkdir -p $(BUILDDIR_arm64) $(BUILDDIR_amd64) tar -C $(BUILDDIR_arm64) -xzf $(RELEASE_darwin_arm64) --strip-components=1 $(TARBINS) tar -C $(BUILDDIR_amd64) -xzf $(RELEASE_darwin_amd64) --strip-components=1 $(TARBINS) lipo -create -output $(BUILDDIR)/teleport $(BUILDDIR_arm64)/teleport $(BUILDDIR_amd64)/teleport - lipo -create -output $(BUILDDIR)/tctl $(BUILDDIR_arm64)/tctl $(BUILDDIR_amd64)/tctl lipo -create -output $(BUILDDIR)/tbot $(BUILDDIR_arm64)/tbot $(BUILDDIR_amd64)/tbot lipo -create -output $(BUILDDIR)/fdpass-teleport $(BUILDDIR_arm64)/fdpass-teleport $(BUILDDIR_amd64)/fdpass-teleport lipo -create -output $(BUILDDIR)/tsh \ $(BUILDDIR_arm64)/tsh.app/Contents/MacOS/tsh \ $(BUILDDIR_amd64)/tsh.app/Contents/MacOS/tsh + lipo -create -output $(BUILDDIR)/tctl \ + $(BUILDDIR_arm64)/tctl.app/Contents/MacOS/tctl \ + $(BUILDDIR_amd64)/tctl.app/Contents/MacOS/tctl $(NOTARIZE_BINARIES) - $(MAKE) tsh-app - $(MAKE) ARCH=universal build-archive BINARIES="$(subst tsh,tsh.app,$(BINARIES))" + $(MAKE) tsh-app tctl-app + $(MAKE) ARCH=universal build-archive BINARIES="$(SIGNED_BINARIES)" @if [ -f e/Makefile ]; then $(MAKE) -C e release; fi endif 
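Review bot: The second `release-darwin: TARBINS := $(TARBINS:%tctl=%tctl.app)` yields both rewrites only if make expands `$(TARBINS)` against the target-specific value set on the line above rather than the global one, which is easy to misread and to break when reordering. Folding both into one assignment, `release-darwin: TARBINS := $(patsubst %tctl,%tctl.app,$(TARBINS:%tsh=%tsh.app))`, removes that dependence. The new `lipo` step reads `tctl.app/Contents/MacOS/tctl` from each per-arch tree, so both per-arch archives have to contain the bundle layout; an archive built before this change would not have that path.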
@@ -1660,9 +1675,13 @@ pkg: | $(RELEASE_DIR) mkdir -p $(BUILDDIR)/ @echo Building tsh-$(VERSION).pkg - ./build.assets/build-pkg-tsh.sh -t oss -v $(VERSION) -b $(TSH_BUNDLEID) -a $(ARCH) $(TARBALL_PATH_SECTION) + ./build.assets/build-pkg-app.sh -t oss -v $(VERSION) -b $(TSH_BUNDLEID) -a $(ARCH) $(TARBALL_PATH_SECTION) mv tsh*.pkg* $(BUILDDIR)/ + @echo Building tctl-$(VERSION).pkg + ./build.assets/build-pkg-app.sh -p tctl -t oss -v $(VERSION) -b $(TCTL_BUNDLEID) -a $(ARCH) $(TARBALL_PATH_SECTION) + mv tctl*.pkg* $(BUILDDIR)/ + @echo Building teleport-bin-$(VERSION).pkg cp ./build.assets/build-package.sh ./build.assets/build-common.sh $(BUILDDIR)/ chmod +x $(BUILDDIR)/build-package.sh @@ -1671,7 +1690,7 @@ pkg: | $(RELEASE_DIR) cd $(BUILDDIR) && ./build-package.sh -t oss -v $(VERSION) -p pkg -b $(TELEPORT_BUNDLEID) -a $(ARCH) $(RUNTIME_SECTION) $(TARBALL_PATH_SECTION) @echo Combining teleport-bin-$(VERSION).pkg and tsh-$(VERSION).pkg into teleport-$(VERSION).pkg - productbuild --package $(BUILDDIR)/tsh*.pkg --package $(BUILDDIR)/teleport-bin*.pkg $(TELEPORT_PKG_UNSIGNED) + productbuild --package $(BUILDDIR)/tsh*.pkg --package $(BUILDDIR)/tctl*.pkg --package $(BUILDDIR)/teleport-bin*.pkg $(TELEPORT_PKG_UNSIGNED) $(NOTARIZE_TELEPORT_PKG) if [ -f e/Makefile ]; then $(MAKE) -C e pkg; fi diff --git a/build.assets/build-package.sh b/build.assets/build-package.sh index f5092e3937c6f..3930950043a98 100755 --- a/build.assets/build-package.sh +++ b/build.assets/build-package.sh @@ -218,7 +218,7 @@ if [[ "${PACKAGE_TYPE}" == "pkg" ]]; then ARCH_TAG="-${PACKAGE_ARCH}" fi SIGN_PKG="true" - FILE_LIST="${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport" + FILE_LIST="${TAR_PATH}/teleport ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport" BUNDLE_ID="${b:-com.gravitational.teleport}" if [[ "${TELEPORT_TYPE}" == "ent" ]]; then PKG_FILENAME="teleport-ent-${TELEPORT_VERSION}${ARCH_TAG}.${PACKAGE_TYPE}" 
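Review bot: The tctl package is selected by glob in both `pkg` hunks: `mv tctl*.pkg* $(BUILDDIR)/` here and `--package $(BUILDDIR)/tctl*.pkg` on the `productbuild` line below. A `tctl-*.pkg` left in `$(BUILDDIR)` from another version or architecture makes the glob expand to several words, so `productbuild` either misreads its arguments or pulls a package this run did not build into the installer passed to `$(NOTARIZE_TELEPORT_PKG)`. Naming the file exactly as `build-pkg-app.sh` writes it (`tctl-<version>[-<arch>].pkg`), or clearing `$(BUILDDIR)/tctl*.pkg*` before building, closes that gap; the existing `tsh*.pkg` glob has the same shape. The `@echo Combining …` line above `productbuild` still names only teleport-bin and tsh. The `pkg` recipe starts and ends outside these hunks.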
diff --git a/build.assets/build-pkg-tsh.sh b/build.assets/build-pkg-app.sh similarity index 85% rename from build.assets/build-pkg-tsh.sh rename to build.assets/build-pkg-app.sh index 5a4d0f3b84ca1..cf6e8b0493908 100755 --- a/build.assets/build-pkg-tsh.sh +++ b/build.assets/build-pkg-app.sh @@ -7,9 +7,10 @@ TELEPORT_VERSION='' # -v, version, without leading 'v' TARBALL_DIRECTORY='' # -s BUNDLEID="${TSH_BUNDLEID}" PACKAGE_ARCH=amd64 # -a, default to amd64 for backward-compatibilty. +PACKAGE_NAME=tsh # -p, name of app, defaulted to tsh usage() { - log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-b bundle_id] [-n]" + log "Usage: $0 -t oss|eng -v version [-s tarball_directory] [-b bundle_id] [-n] [-p tsh|tctl]" } # make_non_relocatable_plist changes the default component plist of the $root @@ -36,7 +37,7 @@ main() { . "$buildassets/build-common.sh" local opt='' - while getopts "t:v:s:b:a:n" opt; do + while getopts "t:v:s:b:a:p:n" opt; do case "$opt" in t) if [[ "$OPTARG" != "oss" && "$OPTARG" != "ent" ]]; then @@ -62,6 +63,14 @@ main() { a) PACKAGE_ARCH="$OPTARG" ;; + p) + if [[ "$OPTARG" != "tsh" && "$OPTARG" != "tctl" ]]; then + log "$0: invalid value for -$opt, want 'tsh' or 'tctl'" + usage + exit 1 + fi + PACKAGE_NAME="$OPTARG" + ;; n) DRY_RUN_PREFIX='echo + ' # declared by build-common.sh ;; 
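Review bot: `BUNDLEID` still defaults to `${TSH_BUNDLEID}`, so running with `-p tctl` and no `-b` would hand the tsh identifier to `codesign -i "$BUNDLEID"` for `tctl.app`, which would not match the application identifier in the tctl entitlements. The Makefile does pass `-b $(TCTL_BUNDLEID)`, but the script accepts the mismatched combination silently; after option parsing it should either require `-b` when `-p tctl` is given or choose the default from `PACKAGE_NAME`. The updated usage string also still reads `oss|eng` while the `-t` check accepts `oss` or `ent`.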
@@ -152,15 +161,20 @@ or name of the key to sign packages" tar xzf "$tarname" -C "$tmp" # Prepare app shell. - local target="$tmp/root/tsh.app" - cp -r "$tmp/teleport/tsh.app" "$target" + local target="$tmp/root/$PACKAGE_NAME.app" + cp -r "$tmp/teleport/$PACKAGE_NAME.app" "$target" + + local entitlements="$buildassets/macos/$TSH_SKELETON/$TSH_SKELETON.entitlements" + if [[ "$PACKAGE_NAME" == "tctl" ]]; then + entitlements="$buildassets/macos/$TCTL_SKELETON/$TCTL_SKELETON.entitlements" + fi # Sign app. $DRY_RUN_PREFIX codesign -f \ -o kill,hard,runtime \ -s "$DEVELOPER_ID_APPLICATION" \ -i "$BUNDLEID" \ - --entitlements "$buildassets"/macos/$TSH_SKELETON/tsh*.entitlements \ + --entitlements "$entitlements" \ --timestamp \ "$target" @@ -171,10 +185,10 @@ or name of the key to sign packages" if [[ "$PACKAGE_ARCH" != "universal" ]]; then arch_tag="-$PACKAGE_ARCH" fi - target="$tmp/tsh-$TELEPORT_VERSION$arch_tag.pkg" # switches from app to pkg + target="$tmp/$PACKAGE_NAME-$TELEPORT_VERSION$arch_tag.pkg" # switches from app to pkg local pkg_root="$tmp/root" - local pkg_component_plist="$tmp/tsh-component.plist" - local pkg_scripts="$buildassets/macos/scripts" + local pkg_component_plist="$tmp/$PACKAGE_NAME-component.plist" + local pkg_scripts="$buildassets/macos/scripts/$PACKAGE_NAME" make_non_relocatable_plist "$pkg_root" "$pkg_component_plist" pkgbuild \ --root "$pkg_root" \ diff --git a/build.assets/macos/install b/build.assets/macos/install index 84414b9f19354..ce8db0ac3442b 100755 --- a/build.assets/macos/install +++ b/build.assets/macos/install @@ -34,8 +34,9 @@ esac echo "Starting Teleport installation..." cd $(dirname $0) mkdir -p $VARDIR $BINDIR -cp -f teleport tctl tbot fdpass-teleport $BINDIR/ || exit 1 +cp -f teleport tbot fdpass-teleport $BINDIR/ || exit 1 cp -rf tsh.app/ "$APPS_DIR"/tsh.app/ || exit 1 +cp -rf tctl.app/ "$APPS_DIR"/tctl.app/ || exit 1 echo "Teleport binaries have been copied to $BINDIR" echo "" 
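Review bot: The tctl entitlements path is built from `$TCTL_SKELETON`, which nothing in the visible hunks sets or passes in (the Makefile call supplies only `-p`, `-t`, `-v`, `-b`, `-a`), so it presumably arrives through the environment like `$TSH_SKELETON`; confirm that it is exported. If it is empty the path collapses to `…/macos//.entitlements`, and with `-n` the `codesign` call is only echoed, so a dry run would not show the problem. A check before signing, `[[ -f "$entitlements" ]] || { log "missing entitlements: $entitlements"; exit 1; }`, fails early in both modes.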
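Review bot: In `build.assets/macos/install`, `tctl` is dropped from the `cp -f … $BINDIR/` line, but the hunk adds nothing that removes or relinks an existing `$BINDIR/tctl`. On an upgrade through this script the previously installed binary would therefore stay on the PATH while the new one sits in `"$APPS_DIR"/tctl.app`. Unless code outside the hunk handles this, link the new binary the way the package `postinstall` does, e.g. `ln -sf "$APPS_DIR/tctl.app/Contents/MacOS/tctl" "$BINDIR/tctl"`. `cp -rf` into an existing `tctl.app/` also merges with whatever is already there rather than replacing the bundle.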
diff --git a/build.assets/macos/scripts/tctl/postinstall b/build.assets/macos/scripts/tctl/postinstall
new file mode 100755
index 0000000000000..826926bb96ae4
--- /dev/null
+++ b/build.assets/macos/scripts/tctl/postinstall
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -eu
+
+main() {
+ BIN=/usr/local/bin/
+ [ ! -d "$BIN" ] && mkdir -p "$BIN"
+
+ # If tctl exists and is not a link, make a backup.
+ if [ -f "$BIN/tctl" ] && [ ! -L "$BIN/tctl" ]; then
+ rm -f "$BIN/tctl.bak"
+ mv "$BIN/tctl" "$BIN/tctl.bak"
+ fi
+
+ # Link package to $BIN.
+ rm -f "$BIN/tctl" # in case link exists
+ ln -s "/Applications/tctl.app/Contents/MacOS/tctl" "$BIN/tctl"
+}
+
+main "$@"
diff --git a/build.assets/macos/scripts/postinstall b/build.assets/macos/scripts/tsh/postinstall
similarity index 100%
rename from build.assets/macos/scripts/postinstall
rename to build.assets/macos/scripts/tsh/postinstall
diff --git a/build.assets/macos/tctl/tctl.app/Contents/Info.plist b/build.assets/macos/tctl/tctl.app/Contents/Info.plist
new file mode 100644
index 0000000000000..bfb71f81bd539
--- /dev/null
+++ b/build.assets/macos/tctl/tctl.app/Contents/Info.plist
@@ -0,0 +1,54 @@
+
+
+
+
+ BuildMachineOSBuild
+ 21D49
+ CFBundleDevelopmentRegion
+ en
+ CFBundleExecutable
+ tctl
+ CFBundleIconFile
+ app.icns
+ CFBundleIdentifier
+ com.gravitational.teleport.tctl
+ CFBundleInfoDictionaryVersion
+ 6.0
+ CFBundleName
+ tctl
+ CFBundlePackageType
+ APPL
+ CFBundleShortVersionString
+ 1.0
+ CFBundleSupportedPlatforms
+
+ MacOSX
+
+ CFBundleVersion
+ 1.0
+ DTCompiler
+ com.apple.compilers.llvm.clang.1_0
+ DTPlatformBuild
+ 13C100
+ DTPlatformName
+ macosx
+ DTPlatformVersion
+ 11.0
+ DTSDKBuild
+ 21C46
+ DTSDKName
+ macosx11.0
+ DTXcode
+ 1321
+ DTXcodeBuild
+ 13C100
+ LSMinimumSystemVersion
+ 10.15.0
+ NSHumanReadableCopyright
+
+ NSMainStoryboardFile
+ Main
+ NSPrincipalClass
+ NSApplication
+
+
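Review bot: In the new `tctl/postinstall`, the link is replaced in two steps, `rm -f "$BIN/tctl"` followed by `ln -s …`, and a plain `ln -s` follows an existing symlink to a directory at the destination. The script presumably runs with installer privileges, and `/usr/local/bin` is often writable by a non-root user on macOS, so the window between the two commands matters. `ln -sfn "/Applications/tctl.app/Contents/MacOS/tctl" "$BIN/tctl"` replaces the entry without following it and makes the separate `rm` unnecessary. `BIN=/usr/local/bin/` also carries a trailing slash, so every path built from it has a double slash; this is harmless, but `BIN=/usr/local/bin` reads cleaner.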
diff --git a/build.assets/macos/tctl/tctl.app/Contents/PkgInfo b/build.assets/macos/tctl/tctl.app/Contents/PkgInfo
new file mode 100644
index 0000000000000..bd04210fb49f6
--- /dev/null
+++ b/build.assets/macos/tctl/tctl.app/Contents/PkgInfo
@@ -0,0 +1 @@
+APPL????
\ No newline at end of file
diff --git a/build.assets/macos/tctl/tctl.app/Contents/Resources/app.icns b/build.assets/macos/tctl/tctl.app/Contents/Resources/app.icns
new file mode 100644
index 0000000000000..8c050994a7865
Binary files /dev/null and b/build.assets/macos/tctl/tctl.app/Contents/Resources/app.icns differ
diff --git a/build.assets/macos/tctl/tctl.app/Contents/embedded.provisionprofile b/build.assets/macos/tctl/tctl.app/Contents/embedded.provisionprofile
new file mode 100644
index 0000000000000..9f4646e38bd91
Binary files /dev/null and b/build.assets/macos/tctl/tctl.app/Contents/embedded.provisionprofile differ
diff --git a/build.assets/macos/tctl/tctl.entitlements b/build.assets/macos/tctl/tctl.entitlements
new file mode 100644
index 0000000000000..f662233a0aa17
--- /dev/null
+++ b/build.assets/macos/tctl/tctl.entitlements
@@ -0,0 +1,15 @@
+
+
+
+
+ com.apple.developer.team-identifier
+ QH8AA5B8UP
+ com.apple.application-identifier
+ QH8AA5B8UP.com.gravitational.teleport.tctl
+
+ keychain-access-groups
+
+ QH8AA5B8UP.com.gravitational.teleport.tctl
+
+
+
diff --git a/build.assets/macos/tctl/tctl.provisionprofile b/build.assets/macos/tctl/tctl.provisionprofile
new file mode 100644
index 0000000000000..9f4646e38bd91
Binary files /dev/null and b/build.assets/macos/tctl/tctl.provisionprofile differ
diff --git a/build.assets/macos/tctldev/tctl.app/Contents/Info.plist b/build.assets/macos/tctldev/tctl.app/Contents/Info.plist
new file mode 100644
index 0000000000000..c9bd3e9c18124
--- /dev/null
+++ b/build.assets/macos/tctldev/tctl.app/Contents/Info.plist
@@ -0,0 +1,52 @@
+
+
+
+
+ BuildMachineOSBuild
+ 21D49
+ CFBundleDevelopmentRegion
+ en
+ CFBundleExecutable
+ tctl
+ CFBundleIdentifier
+ com.goteleport.tctldev
+ CFBundleInfoDictionaryVersion
+ 6.0
+ CFBundleName
+ tctl
+ CFBundlePackageType
+ APPL
+ CFBundleShortVersionString
+ 1.0
+ CFBundleSupportedPlatforms
+
+ MacOSX
+
+ CFBundleVersion
+ 1.0
+ DTCompiler
+ com.apple.compilers.llvm.clang.1_0
+ DTPlatformBuild
+ 13C100
+ DTPlatformName
+ macosx
+ DTPlatformVersion
+ 11.0
+ DTSDKBuild
+ 21C46
+ DTSDKName
+ macosx11.0
+ DTXcode
+ 1321
+ DTXcodeBuild
+ 13C100
+ LSMinimumSystemVersion
+ 10.15.0
+ NSHumanReadableCopyright
+
+ NSMainStoryboardFile
+ Main
+ NSPrincipalClass
+ NSApplication
+
+
diff --git a/build.assets/macos/tctldev/tctl.app/Contents/PkgInfo b/build.assets/macos/tctldev/tctl.app/Contents/PkgInfo
new file mode 100644
index 0000000000000..bd04210fb49f6
--- /dev/null
+++ b/build.assets/macos/tctldev/tctl.app/Contents/PkgInfo
@@ -0,0 +1 @@
+APPL????
\ No newline at end of file
diff --git a/build.assets/macos/tctldev/tctl.app/Contents/Resources/app.icns b/build.assets/macos/tctldev/tctl.app/Contents/Resources/app.icns
new file mode 100644
index 0000000000000..8c050994a7865
Binary files /dev/null and b/build.assets/macos/tctldev/tctl.app/Contents/Resources/app.icns differ
diff --git a/build.assets/macos/tctldev/tctl.app/Contents/embedded.provisionprofile b/build.assets/macos/tctldev/tctl.app/Contents/embedded.provisionprofile
new file mode 100644
index 0000000000000..58b01d317eb0d
Binary files /dev/null and b/build.assets/macos/tctldev/tctl.app/Contents/embedded.provisionprofile differ
diff --git a/build.assets/macos/tctldev/tctldev.entitlements b/build.assets/macos/tctldev/tctldev.entitlements
new file mode 100644
index 0000000000000..fc7d6e05cc3bb
--- /dev/null
+++ b/build.assets/macos/tctldev/tctldev.entitlements
@@ -0,0 +1,15 @@ + + + + + com.apple.developer.team-identifier + K497G57PDJ + com.apple.application-identifier + K497G57PDJ.com.goteleport.tctldev + + keychain-access-groups + + K497G57PDJ.com.goteleport.tctldev + + + diff --git a/build.assets/macos/tctldev/tctldev.provisionprofile b/build.assets/macos/tctldev/tctldev.provisionprofile new file mode 100644 index 0000000000000..58b01d317eb0d Binary files /dev/null and b/build.assets/macos/tctldev/tctldev.provisionprofile differ diff --git a/darwin-signing.mk b/darwin-signing.mk index dd5fe25548257..2af0377c56820 100644 --- a/darwin-signing.mk +++ b/darwin-signing.mk @@ -45,9 +45,11 @@ CSC_NAME = $(subst Developer ID Application: ,,$(DEVELOPER_ID_APPLICATION)) # release and development. TELEPORT_BUNDLEID = $(TELEPORT_BUNDLEID_$(CLEAN_ENV_NAME)) TSH_BUNDLEID = $(TSH_BUNDLEID_$(CLEAN_ENV_NAME)) +TCTL_BUNDLEID = $(TCTL_BUNDLEID_$(CLEAN_ENV_NAME)) # TSH_SKELETON is a directory name relative to build.assets/macos/ TSH_SKELETON = $(TSH_SKELETON_$(CLEAN_ENV_NAME)) +TCTL_SKELETON = $(TCTL_SKELETON_$(CLEAN_ENV_NAME)) # --- build-prod environment (promote is the old name and will be removed) # Key names can be found on https://goteleport.com/security @@ -57,6 +59,8 @@ INSTALLER_KEY_NAME_build_prod = Developer ID Installer: Gravitational Inc. TELEPORT_BUNDLEID_build_prod = com.gravitational.teleport TSH_BUNDLEID_build_prod = $(TEAMID).com.gravitational.teleport.tsh TSH_SKELETON_build_prod = tsh +TCTL_BUNDLEID_build_prod = $(TEAMID).com.gravitational.teleport.tctl +TCTL_SKELETON_build_prod = tctl TEAMID_promote = $(TEAMID_build_prod) DEVELOPER_KEY_NAME_promote = $(DEVELOPER_KEY_NAME_build_prod) 
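Review bot: In `darwin-signing.mk`, `TCTL_BUNDLEID` and `TCTL_SKELETON` expand to the empty string whenever `$(CLEAN_ENV_NAME)` is not one of the suffixes defined further down (`build_prod`, `promote`, `build_stage`, `build`), and nothing in the visible hunks checks for that. An empty skeleton turns the `tctl-app` paths into `build.assets/macos//tctl.app/`, and an empty bundle ID would be passed on to `notarize_app_bundle`. A guard as the first line of the `tctl-app` recipe, `$(if $(strip $(TCTL_SKELETON)),,$(error TCTL_SKELETON is empty; check CLEAN_ENV_NAME))`, fails with a clear message instead. The existing TSH variables follow the same pattern.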
@@ -64,6 +68,8 @@ INSTALLER_KEY_NAME_promote = $(INSTALLER_KEY_NAME_build_prod) TELEPORT_BUNDLEID_promote = $(TELEPORT_BUNDLEID_build_prod) TSH_BUNDLEID_promote = $(TSH_BUNDLEID_build_prod) TSH_SKELETON_promote = $(TSH_SKELETON_build_prod) +TCTL_BUNDLEID_promote = $(TCTL_BUNDLEID_build_prod) +TCTL_SKELETON_promote = $(TCTL_SKELETON_build_prod) # --- build-stage environment (build is the old name and will be removed) TEAMID_build_stage = K497G57PDJ @@ -72,6 +78,8 @@ INSTALLER_KEY_NAME_build_stage = Developer ID Installer: Ada Lin TELEPORT_BUNDLEID_build_stage = com.goteleport.dev TSH_BUNDLEID_build_stage = $(TEAMID).com.goteleport.tshdev TSH_SKELETON_build_stage = tshdev +TCTL_BUNDLEID_build_stage = $(TEAMID).com.goteleport.tctldev +TCTL_SKELETON_build_stage = tctldev TEAMID_build = $(TEAMID_build_stage) DEVELOPER_KEY_NAME_build = $(DEVELOPER_KEY_NAME_build_stage) @@ -79,6 +87,8 @@ INSTALLER_KEY_NAME_build = $(INSTALLER_KEY_NAME_build_stage) TELEPORT_BUNDLEID_build = $(TELEPORT_BUNDLEID_build_stage) TSH_BUNDLEID_build = $(TSH_BUNDLEID_build_stage) TSH_SKELETON_build = $(TSH_SKELETON_build_stage) +TCTL_BUNDLEID_build = $(TCTL_BUNDLEID_build_stage) +TCTL_SKELETON_build = $(TCTL_SKELETON_build_stage) # SHOULD_NOTARIZE evalutes to "true" if we should sign and notarize binaries, # and the empty string if not. We only notarize if APPLE_USERNAME and @@ -119,6 +129,11 @@ define notarize_tsh_app $(call notarize_app_bundle,$(TSH_APP_BUNDLE),$(TSH_BUNDLEID),$(TSH_APP_ENTITLEMENTS)) endef +NOTARIZE_TCTL_APP = $(if $(SHOULD_NOTARIZE),$(notarize_tctl_app),$(not_notarizing_cmd)) +define notarize_tctl_app + $(call notarize_app_bundle,$(TCTL_APP_BUNDLE),$(TCTL_BUNDLEID),$(TCTL_APP_ENTITLEMENTS)) +endef + NOTARIZE_TELEPORT_PKG = $(if $(SHOULD_NOTARIZE),$(notarize_teleport_pkg),$(not_notarizing_cmd)) define notarize_teleport_pkg $(call notarize_pkg,$(TELEPORT_PKG_UNSIGNED),$(TELEPORT_PKG_SIGNED)) 
@@ -176,3 +191,5 @@ print-darwin-signing-vars: $(call echo_var,TELEPORT_BUNDLEID) $(call echo_var,TSH_BUNDLEID) $(call echo_var,TSH_SKELETON) + $(call echo_var,TCTL_BUNDLEID) + $(call echo_var,TCTL_SKELETON)