diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index e994789f..3e6d4e24 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -42,3 +42,4 @@ jobs:
 FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
 FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
 FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+ FLEET_SECRET_EXAMPLE_PASSWORD: ${{ secrets.FLEET_SECRET_EXAMPLE_PASSWORD }}
diff --git a/README.md b/README.md
index 938c4e8b..02a832b8 100644
--- a/README.md
+++ b/README.md
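Review bot: The new `FLEET_SECRET_EXAMPLE_PASSWORD` mapping expands to an empty string when the repository secret has not been created, and the README change in this same commit treats creating it as optional, so `fleetctl` will see the variable defined-but-empty rather than unset and any `$FLEET_SECRET_EXAMPLE_PASSWORD` reference would resolve to "" without an obvious error. The hunk only shows that this env block sits somewhere under `jobs:`; if it is job-scoped rather than step-scoped, every step in the job, including any third-party actions, can read this and the enroll secrets, and moving the `FLEET_*` secret mappings to the single step that runs `fleetctl gitops` would narrow that exposure. A comment on the new line would also help people who copy the template, e.g. `# Optional: only needed when the nested-secret example script/profile is enabled in a team YAML.`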
@@ -8,7 +8,7 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a Git
 1. Clone the [GitHub repository](https://github.com/fleetdm/fleet-gitops), create your own GitHub repository, and push your clone to your new repo. Note that a workflow will run once and fail because the required variables haven't been added (step 2 and 3).
-2. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). [Create an API-only user](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) with the "GitOps" role and set `FLEET_API_TOKEN` to your user's API token. If you're using Fleet Free, set the API-only user's role to global admin.
+2. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). [Create an API-only user](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) with the "GitOps" role and set `FLEET_API_TOKEN` to your user's API token. If you're using Fleet Free, set the API-only user's role to global admin. If you'd like to test out the functionality of nesting secrets in scripts or config profiles, define `$FLEET_SECRET_EXAMPLE_PASSWORD` in your repository's secrets.
 4. If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment lines 22 and 23 in `gitops.sh`.
 - If you are using different variable names for your secrets, edit the appropriate line to reflect the correct variable name.
diff --git a/lib/macos/scripts/secret-var-example.sh b/lib/macos/scripts/secret-var-example.sh
new file mode 100644
index 00000000..f73a2f27
--- /dev/null
+++ b/lib/macos/scripts/secret-var-example.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "$FLEET_SECRET_EXAMPLE_PASSWORD"
diff --git a/teams/workstations.yml b/teams/workstations.yml
index d818561d..d9b820a3 100644
--- a/teams/workstations.yml
+++ b/teams/workstations.yml
@@ -21,6 +21,7 @@ controls:
 scripts:
 - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh
 - path: ../lib/macos/scripts/set-timezone.script.sh
+ - path: ../lib/macos/scripts/secret-var-example.sh
 team_settings:
 secrets:
 - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"
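Review bot: `echo "$FLEET_SECRET_EXAMPLE_PASSWORD"` prints the secret value itself to stdout, and Fleet keeps script stdout with the execution results that are visible through the UI and API, so running this example as-is would persist the password in plaintext on the Fleet server and defeat the point of managing it as a secret. The example can demonstrate that substitution worked without revealing the value: `if [ -n "$FLEET_SECRET_EXAMPLE_PASSWORD" ]; then echo "nested secret was substituted"; else echo "nested secret is missing"; exit 1; fi`. A header comment such as `# Demo of $FLEET_SECRET_ substitution in scripts; never echo the substituted value, script output is stored by Fleet.` would stop the pattern from being copied into real scripts. Whether Fleet substitutes the value into the script text or exports it as an environment variable is not visible here, but the non-empty check above works in either case.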
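Review bot: The new `secret-var-example.sh` entry under `scripts:` is unconditional, while the README change in this commit makes defining `FLEET_SECRET_EXAMPLE_PASSWORD` optional, so a user who follows the README without creating that secret will run `fleetctl gitops` with the variable unset or empty; depending on how fleetctl handles an undefined `$FLEET_SECRET_` reference that either fails the first workflow run or uploads a script with an empty secret. Since this is a demo, consider shipping it commented out: `# - path: ../lib/macos/scripts/secret-var-example.sh  # demo of $FLEET_SECRET_ substitution; requires the FLEET_SECRET_EXAMPLE_PASSWORD repository secret`. If it stays enabled, at least a comment on the line naming the prerequisite would prevent a confusing failure. The `controls:` mapping this list belongs to starts before the hunk.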