diff --git a/enroll/puppet.py b/enroll/puppet.py
index d8a1179..0e8a08a 100644
--- a/enroll/puppet.py
+++ b/enroll/puppet.py
@@ -828,10 +828,7 @@ def _collect_puppet_roles(
 or fw.get("iptables_v4_save")
 or fw.get("iptables_v6_save")
 )
- packages = [
- str(p).strip() for p in (fw.get("packages") or []) if str(p).strip()
- ]
- if has_fw or packages or fw.get("notes"):
+ if has_fw:
 runtime_role = ensure_role("enroll_runtime")
 runtime_role.add_managed_dir(
 "/etc/enroll",
diff --git a/enroll/salt.py b/enroll/salt.py
index e407b78..3e860b8 100644
--- a/enroll/salt.py
+++ b/enroll/salt.py
@@ -884,10 +884,7 @@ def _collect_salt_roles(
 or fw.get("iptables_v4_save")
 or fw.get("iptables_v6_save")
 )
- packages = [
- str(p).strip() for p in (fw.get("packages") or []) if str(p).strip()
- ]
- if has_fw or packages or fw.get("notes"):
+ if has_fw:
 runtime_role = ensure_role("enroll_runtime")
 runtime_role.add_managed_dir(
 "/etc/enroll",
diff --git a/pyproject.toml b/pyproject.toml
index 6acb29a..c24c6d6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "enroll"
-version = "0.7.0b2"
+version = "0.7.0b3"
 description = "Enroll a server's running state retrospectively into Ansible"
 authors = ["Miguel Jacq "]
 license = "GPL-3.0-or-later"
diff --git a/tests/test_manifest_puppet.py b/tests/test_manifest_puppet.py
index 467dfb0..8f367f7 100644
--- a/tests/test_manifest_puppet.py
+++ b/tests/test_manifest_puppet.py
@@ -800,7 +800,7 @@ def test_manifest_puppet_renders_firewall_runtime_resources(tmp_path: Path):
 assert "$firewall_runtime['ipset_restore_cmd']" in fqdn_pp
-def test_manifest_puppet_includes_enroll_runtime_for_firewall_notes_only(
+def test_manifest_puppet_omits_firewall_runtime_when_no_rules_were_sampled(
 tmp_path: Path,
 ):
 bundle = tmp_path / "bundle"
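Review bot: The new `if has_fw:` guard in `_collect_puppet_roles` (enroll/puppet.py), and the identical one in `_collect_salt_roles` (enroll/salt.py), has no comment explaining why firewall `notes` or `packages` alone no longer create the `enroll_runtime` role, and the effect matters for security: a snapshot that yielded only notes now produces a manifest with no firewall role at all. Whether the notes are reported anywhere else is not visible in these hunks, so I would at least document the decision at the guard, e.g. `# No rule dump was captured: skip the runtime role; this manifest carries no firewall state for the host.` If the notes can record a sampling failure, a warning at generation time would keep an operator from reading the missing role as "no firewall in use". Both function bodies start and end outside the hunks.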
@@ -828,16 +828,7 @@ def test_manifest_puppet_includes_enroll_runtime_for_firewall_notes_only(
 manifest.manifest(str(bundle), str(out), target="puppet")
 site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8")
- assert "include enroll_runtime" in site_pp
- assert "include firewall_runtime" in site_pp
- assert site_pp.index("include enroll_runtime") < site_pp.index(
- "include firewall_runtime"
- )
- runtime_pp = (
- out / "modules" / "enroll_runtime" / "manifests" / "init.pp"
- ).read_text(encoding="utf-8")
- firewall_pp = (
- out / "modules" / "firewall_runtime" / "manifests" / "init.pp"
- ).read_text(encoding="utf-8")
- assert "file { '/etc/enroll':" in runtime_pp
- assert "require => File['/etc/enroll']," in firewall_pp
+ assert "include enroll_runtime" not in site_pp
+ assert "include firewall_runtime" not in site_pp
+ assert not (out / "modules" / "enroll_runtime").exists()
+ assert not (out / "modules" / "firewall_runtime").exists()
diff --git a/tests/test_manifest_salt.py b/tests/test_manifest_salt.py
index 75b6942..1418258 100644
--- a/tests/test_manifest_salt.py
+++ b/tests/test_manifest_salt.py
@@ -626,7 +626,9 @@ def test_manifest_salt_renders_firewall_runtime_states(tmp_path: Path):
 assert "firewall_runtime.get('ipset_restore_cmd')" in fqdn_sls
-def test_manifest_salt_includes_enroll_runtime_for_firewall_notes_only(tmp_path: Path):
+def test_manifest_salt_omits_firewall_runtime_when_no_rules_were_sampled(
+ tmp_path: Path,
+):
 bundle = tmp_path / "bundle"
 out = tmp_path / "salt"
 state = {
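Review bot: The rewritten assertions in the second hunk of tests/test_manifest_puppet.py pin the case the old test name called notes-only, but the guard change in `_collect_puppet_roles` also removed the `packages` trigger, and nothing visible here exercises a snapshot with firewall `packages` and no rule dumps. The fixture `state` is built outside the hunk, so it may already include packages; if it does not, a second case with a non-empty `packages` list and no `iptables_v4_save`/`iptables_v6_save` would stop that branch from regressing unnoticed. The same gap applies to the matching second hunk in tests/test_manifest_salt.py.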
@@ -652,16 +654,7 @@ def test_manifest_salt_includes_enroll_runtime_for_firewall_notes_only(tmp_path:
 manifest.manifest(str(bundle), str(out), target="salt")
 top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8"))
- assert "roles.enroll_runtime" in top["base"]["*"]
- assert "roles.firewall_runtime" in top["base"]["*"]
- assert top["base"]["*"].index("roles.enroll_runtime") < top["base"]["*"].index(
- "roles.firewall_runtime"
- )
- runtime_sls = (out / "states" / "roles" / "enroll_runtime" / "init.sls").read_text(
- encoding="utf-8"
- )
- firewall_sls = (
- out / "states" / "roles" / "firewall_runtime" / "init.sls"
- ).read_text(encoding="utf-8")
- assert '"/etc/enroll":' in runtime_sls
- assert '- file: "/etc/enroll"' in firewall_sls
+ assert "roles.enroll_runtime" not in top["base"]["*"]
+ assert "roles.firewall_runtime" not in top["base"]["*"]
+ assert not (out / "states" / "roles" / "enroll_runtime").exists()
+ assert not (out / "states" / "roles" / "firewall_runtime").exists()