Add documentation for Configuration Profiles #21073
base: main
Original file line number | Diff line number | Diff line change | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
@@ -47,6 +47,88 @@ | |||||||||
7. Test the GPO. Test the GPO on a small set of machines first to ensure it behaves as expected. You can use the `gpupdate /force` command on a test machine to manually refresh its group policy settings and check the registry to confirm the changes. | ||||||||||
8. Once verified, you can proceed with broader deployment. Monitor the deployment to ensure the settings are applied correctly across the organization's computers. | ||||||||||
|
||||||||||
## Configuration Profiles method (Mac only) | ||||||||||
|
||||||||||
> [!NOTE] | ||||||||||
> | ||||||||||
> The configuration profiles method is available with Docker Desktop version 4.35 and later. | ||||||||||
@KatTomrushka keep me honest here - won't this be announced in 4.36? So we should align here too to keep consistent? Also is it EA or straight to GA?

Correct, 4.35 is coming out on 10 Oct (although might well be delayed). The macOS config profiles along with the PKG installer are aimed for 4.36 which is the earliest possible release to get proper Customer 0 and product readiness.

Ok perfecto, thank you! @aheck Let's change this to
||||||||||
|
||||||||||
Configuration Profiles are a feature of macOS that allows administrators to distribute | ||||||||||
Check warning on line 56 in content/manuals/security/for-admins/enforce-sign-in/methods.md GitHub Actions / vale
|
||||||||||
|
||||||||||
configuration information to the Macs they manage. Is is the safest method to | ||||||||||
|
||||||||||
enforce sign-in on macOS because the installed configuration profiles are | ||||||||||
protected by Apples' System Integrity Protection (SIP) and can therefore not be | ||||||||||
tampered with by the users. | ||||||||||
|
||||||||||
1. Save the the following XML code to a file with the suffix `.mobileconfig` (e.g. | ||||||||||
Check failure on line 62 in content/manuals/security/for-admins/enforce-sign-in/methods.md GitHub Actions / vale
|
||||||||||
|
||||||||||
`docker.mobileconfig`): | ||||||||||
|
||||||||||
|
||||||||||
|
||||||||||
```xml | ||||||||||
<?xml version="1.0" encoding="UTF-8"?> | ||||||||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||||||||||
<plist version="1.0"> | ||||||||||
<dict> | ||||||||||
<key>PayloadContent</key> | ||||||||||
<array> | ||||||||||
<dict> | ||||||||||
<key>PayloadType</key> | ||||||||||
<string>com.docker.config</string> | ||||||||||
<key>PayloadVersion</key> | ||||||||||
<integer>1</integer> | ||||||||||
<key>PayloadIdentifier</key> | ||||||||||
<string>com.docker.config</string> | ||||||||||
<key>PayloadUUID</key> | ||||||||||
<string>eed295b0-a650-40b0-9dda-90efb12be3c7</string> | ||||||||||
<key>PayloadDisplayName</key> | ||||||||||
<string>Docker Desktop Configuration</string> | ||||||||||
<key>PayloadDescription</key> | ||||||||||
<string>Configuration profile to manage Docker Desktop settings.</string> | ||||||||||
<key>PayloadOrganization</key> | ||||||||||
<string>Your Company Name</string> | ||||||||||
<key>allowedOrgs</key> | ||||||||||
<string>first_org;second_org</string> | ||||||||||
</dict> | ||||||||||
</array> | ||||||||||
<key>PayloadType</key> | ||||||||||
<string>Configuration</string> | ||||||||||
<key>PayloadVersion</key> | ||||||||||
<integer>1</integer> | ||||||||||
<key>PayloadIdentifier</key> | ||||||||||
<string>com.yourcompany.docker.config</string> | ||||||||||
<key>PayloadUUID</key> | ||||||||||
<string>0deedb64-7dc9-46e5-b6bf-69d64a9561ce</string> | ||||||||||
<key>PayloadDisplayName</key> | ||||||||||
<string>Docker Desktop Config Profile</string> | ||||||||||
<key>PayloadDescription</key> | ||||||||||
<string>Config profile to enforce Docker Desktop settings for allowed organizations.</string> | ||||||||||
<key>PayloadOrganization</key> | ||||||||||
<string>Your Company Name</string> | ||||||||||
</dict> | ||||||||||
</plist> | ||||||||||
``` | ||||||||||
|
||||||||||
2. Change the placeholder `Your Company Name` to the name of your company. | ||||||||||
|
||||||||||
3. The names of the allowed organizations are stored in the `allowedOrgs` | ||||||||||
|
||||||||||
property. It can contain either the name of a single organization | ||||||||||
|
||||||||||
```xml | ||||||||||
<key>allowedOrgs</key> | ||||||||||
<string>yourcompany</string> | ||||||||||
``` | ||||||||||
|
||||||||||
or a list of organization names, separated by semicolon: | ||||||||||
I'd move this up to line 113, I wouldn't split it and I'd just show the multi-org example for simplicity.
||||||||||
|
||||||||||
|
||||||||||
```xml | ||||||||||
<key>allowedOrgs</key> | ||||||||||
<string>first_org;second_org</string> | ||||||||||
``` | ||||||||||
|
||||||||||
4. Use a MDM solution to distribute your modified `.mobileconfig` file to your | ||||||||||
Check warning on line 128 in content/manuals/security/for-admins/enforce-sign-in/methods.md GitHub Actions / vale
|
||||||||||
macOS clients. Sign-in is now enforced on all of those devices. | ||||||||||
|
||||||||||
|
||||||||||
|
||||||||||
## plist method (Mac only) | ||||||||||
|
||||||||||
> [!NOTE] | ||||||||||
|
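Review bot: Step 2 names only `Your Company Name` as a placeholder, but the sample profile also contains the placeholder identifier `com.yourcompany.docker.config` and two literal `PayloadUUID` values that every admin who copies the file verbatim will share. Suggest extending step 2 to cover the top-level `PayloadIdentifier` and to tell readers to generate fresh UUIDs for both payloads (for example with `uuidgen`). Step 4 also declares "Sign-in is now enforced on all of those devices" with no verification step, whereas the GPO steps kept as context above test on a small set of machines before broader deployment; a matching pilot step would help here. Wording nits in the added text: "Is is the safest method" should be "It is", "Apples'" should be "Apple's", "Save the the following" has a doubled "the", and "a MDM solution" should be "an MDM solution".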