From fa5018eabc068b9de27a488c1f4ecbbd9d23031a Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Fri, 4 Oct 2024 11:38:51 +0100 Subject: [PATCH 01/12] ENGDOCS-2245 --- content/guides/admin-set-up/_index.md | 46 +++++++++++++++++++ .../admin-set-up/comms-and-info-gathering.md | 27 +++++++++++ content/guides/admin-set-up/deploy.md | 13 ++++++ .../admin-set-up/finalize-plans-and-setup.md | 23 ++++++++++ content/guides/admin-set-up/testing.md | 23 ++++++++++ 5 files changed, 132 insertions(+) create mode 100644 content/guides/admin-set-up/_index.md create mode 100644 content/guides/admin-set-up/comms-and-info-gathering.md create mode 100644 content/guides/admin-set-up/deploy.md create mode 100644 content/guides/admin-set-up/finalize-plans-and-setup.md create mode 100644 content/guides/admin-set-up/testing.md diff --git a/content/guides/admin-set-up/_index.md b/content/guides/admin-set-up/_index.md new file mode 100644 index 000000000000..47e71ea42b6a --- /dev/null +++ b/content/guides/admin-set-up/_index.md 
@@ -0,0 +1,46 @@ +--- +title: Set up your company for success with Docker +linkTitle: Admin set up +summary: Get the most out of Docker by streamlining workflows, standardizing development environments, and ensuring smooth deployments across your company +description: Learn how to onboard your company and take advantage of all of the Docker products and features. +levels: [intermediate] +params: + featured: true + image: + resource_links: + - title: Overview of Administration in Docker + url: /admin/ + - title: Single sign-on + url: /security/for-admins/single-sign-on/ + - title: Enforce sign-in + url: /security/for-admins/enforce-sign-in/ + - title: Roles and permissions + url: /security/for-admins/roles-and-permissions/ + - title: Settings Management + url: /security/for-admins/hardened-desktop/settings-management/ + - title: Registry Access Management + url: /security/for-admins/hardened-desktop/registry-access-management/ + - title: Image Access Management + url: /security/for-admins/hardened-desktop/image-access-management/ +--- + +Docker's tools provide a scalable, secure platform that empowers your developers to create, ship, and run applications faster. As an administrator, you have the ability to streamline workflows, standardize development environments, and ensure smooth deployments across your organization. + +By configuring Docker products to suit your company’s needs, you can optimize performance, simplify user management, and maintain control over resources. Whether you’re managing Docker Desktop, Docker Hub, or Docker Build Cloud, this guide will help you set up and configure Docker products to maximize productivity and success for your team whilst meeting compliance and security policies + +## What you’ll learn + +- The importance of signing in to the company's Docker organization for access to usage data and enhanced functionality. 
+- How to standardize Docker Desktop versions and settings to create a consistent baseline for all users, while allowing flexibility for advanced developers. +- Strategies for implementing Docker’s security configurations to meet company IT and software development security requirements without hindering developer productivity. + +## Who’s this for? + +- Administrators responsible for managing Docker environments within their organization +- IT leaders looking to streamline development and deployment workflows +- Teams aiming to standardize application environments across multiple users +- Organizations seeking to optimize their use of Docker products for greater scalability and efficiency + +## Tools integration + +Okta, Entra ID SAML 2.0, Azure Connect (OIDC), MDM solutions like Intune \ No newline at end of file diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md new file mode 100644 index 000000000000..9d811d43061a --- /dev/null +++ b/content/guides/admin-set-up/comms-and-info-gathering.md 
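Review bot: The body paragraph ending "whilst meeting compliance and security policies" has no terminating period, and the front-matter `image:` key is left empty; either give it a value or drop the key. The "Tools integration" section is a bare comma list ("Okta, Entra ID SAML 2.0, Azure Connect (OIDC), MDM solutions like Intune") with no explanation and no links; a bullet list pointing at the SSO and Settings Management pages already listed under `resource_links` would make it usable. The file also ends without a trailing newline.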
@@ -0,0 +1,27 @@ +--- +title: Communication and information gathering +description: Gather your company's requirements from key stakeholders and communicate to your developers. +weight: 10 +--- + + +Docker user communication +You may already have Docker Desktop users in your company. Some of the steps in this process may cause changes in how they use Docker Desktop. It’s recommended that you send out a communication up front to the users letting them know that as part of the subscription onboarding process you will be upgrading existing Docker Desktop users to a supported version of the product, reviewing settings to help user productivity, and requiring users to sign in to the company’s Docker org with their business email so they are using the subscription. + +MDM team communication +Device management solutions like Intune and Jamf are a standard way to distribute software across enterprises. There is typically a MDM team that manages this tool. We recommend talking with that team early in the process to understand their requirements and lead time on distributing changes. The Docker configurations can include both JSON files and/or registry key/plist entries that will be distributed to developer machines. It is recommended to use MDM tooling to both distribute configuration files, and ensure their contents don’t change. + +Identify Organizations +Some companies may have more than one Docker organization created. These organizations may have been created for specific purposes, or may not be needed anymore. If you suspect your company has more than one organization, it's recommended you survey your teams to see if they have their own organizations. You can also contact your Docker CS representative to get a list of organizations with users whose emails match your domain name. + +Baseline configuration discussions +Docker offers a significant number of configuration parameters that can be preset, including enforcing sign in for Docker Desktop users. 
The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. There are also settings for the free trials of other Docker products included in the subscription. The list of configurations that can be preset is located here. + +Security configuration discussions +Docker offers a number of security related features that have configuration parameters that can be preset. The infosec representative, Docker organization owner, and the development lead should review those features to determine which they want to enable as part of the company’s baseline configuration. The list of security related features is located here. + +Meet with the Docker implementation team +The Docker Implementation Team can help you step through setting up your organization, configuring SSO, enforcing sign in, and configuring Docker. You can reach out to set up a meeting by emailing successteam@docker.com + +SSO domain verification +The SSO process has multiple steps involving different teams, so it's recommended that the process is started right away. The first step is domain verification. This step ensures that the person setting up SSO actually controls the domain they are requesting. The detailed steps to verify a domain are located here. Your DNS team will need to be involved in this step. \ No newline at end of file diff --git a/content/guides/admin-set-up/deploy.md b/content/guides/admin-set-up/deploy.md new file mode 100644 index 000000000000..069c21c0686a --- /dev/null +++ b/content/guides/admin-set-up/deploy.md 
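Review bot: Section titles in this file ("Docker user communication", "MDM team communication", "Identify Organizations", "Baseline configuration discussions", and so on) are plain text lines rather than markdown headings, so they will render as the first line of each paragraph; use `##` headings. Three sentences end with "located here" ("The list of configurations that can be preset is located here", "The list of security related features is located here", "The detailed steps to verify a domain are located here") with no link target, so the reader has nowhere to go for the settings list, the security feature list, or the domain verification procedure. Also "a MDM team" should read "an MDM team", and there is a double blank line after the front matter.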
@@ -0,0 +1,13 @@ +--- +title: Deploy +description: Deploy your Docker setup across your company. +weight: 40 +--- + +Enforce SSO +CAUTION: This step will affect any existing users signing into your Docker organization. Please communicate with your users and carefully read and follow the list of instructions in the admin UI before confirming this step! Enforcing SSO means that anyone who has a Docker profile with an email address that matches your verified domain MUST log in using your SSO connection. Make sure the Identity provider groups associated with your SSO connection cover all the developer groups that you want to have access to the Docker Subscription. + +Deploy configuration settings and enforce sign in to users +CAUTION: This step will affect all existing users of Docker Desktop. Please communicate with your users before taking this step, and ensure IT and MDM teams are ready for any unexpected issues to arise. Have the MDM team deploy the configuration files for Docker to all users. + +Congratulations, you have successfully completed the admin implementation process for Docker! diff --git a/content/guides/admin-set-up/finalize-plans-and-setup.md b/content/guides/admin-set-up/finalize-plans-and-setup.md new file mode 100644 index 000000000000..19d594075a63 --- /dev/null +++ b/content/guides/admin-set-up/finalize-plans-and-setup.md 
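Review bot: Both "CAUTION:" paragraphs are plain text; use the site's callout syntax so they render as warnings, since each describes an action that changes sign-in behaviour for every existing user. The "Enforce SSO" paragraph tells the admin to make sure the identity-provider groups "cover all the developer groups" but does not say what a user outside those groups will see after enforcement, which is exactly what the admin needs in order to judge the risk; add a sentence on that. "Identity provider groups" and "Docker Subscription" are capitalized inconsistently with the rest of the guide, and the section titles are plain text rather than headings, as in the other pages.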
@@ -0,0 +1,23 @@ +--- +title: Finalize plans and begin setup +description: +weight: 20 +--- + +Create SSO Connection +Once the domain is verified, the next step is to create the SSO connection. This will involve your identity provider team to configure the identity groups and help set up the SSO connection. Note that this step of creating the SSO connection will not affect the Docker Desktop user experience, and you will be able to test before enforcing SSO for all users. The steps in the process are located here. + +Finalize baseline configuration settings +Come to agreement between your Docker organization owner and your Development lead on the settings to be configured as part of the Docker baseline. This should include the enforce sign in configuration for your Docker organization. + +Manage Organizations +If you have more than one organization, it’s recommended that you either consolidate them into one organization or use the account hierarchy feature to manage multiple organizations. Please work with the CS and implementation teams to make this happen. + +Finalize security configuration settings +Come to agreement between your Infosec representative, Docker organization owner, and Development lead on the security features/settings to be preset as part of your Docker baseline configuration. + +Send finalized settings files to MDM team +Once all of the settings have been entered to the files that need to be distributed, pass the files to your MDM team to package up. It’s highly recommended that the next step in week 3 is a test distribution to a small number of Docker Desktop users to verify the functionality works as expected. + +Set up free tier Docker product entitlements included in the subscription +Set up the cloud builder for free monthly minutes in Docker Build Cloud, and up to three repositories to monitor via Docker Scout. Please note that your free entitlements stop when your limits are exceeded so there is no fear of a surprise cost overage. 
The instructions on setting up the cloud builder are located on build.docker.com and there is a video walkthrough here, and the instructions on adding a repository for scout monitoring is here for Docker Hub repositories, and here for integration to other image registries. \ No newline at end of file diff --git a/content/guides/admin-set-up/testing.md b/content/guides/admin-set-up/testing.md new file mode 100644 index 000000000000..1ccc3e330db4 --- /dev/null +++ b/content/guides/admin-set-up/testing.md 
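Review bot: The front-matter `description:` is empty, and the last paragraph ("there is a video walkthrough here ... is here for Docker Hub repositories, and here for integration to other image registries") contains four unlinked "here" references that each need a target. "the next step in week 3" refers to a week-by-week schedule that no other page in this guide defines; either introduce the timeline or refer to the page by name ("Testing"). Minor: "the instructions on adding a repository for scout monitoring is here" should be "are here", "Scout" should be capitalized consistently, and the section titles are plain text rather than headings.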
@@ -0,0 +1,23 @@ +--- +title: Testing +description: Test your Docker setup. +weight: 30 +--- + +Ensure supported version of Docker Desktop +CAUTION: This step could affect the experience for users on older versions of Docker Desktop. Existing users may have older versions of Docker Desktop that are no longer supported or are out of date. It is highly recommended that everyone update to a supported version. We recommend using a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. In any of these cases it's important that the users are upgraded to a supported Docker Desktop version. + +SSO and SCIM testing +If you want to use SCIM for further automation of provisioning and deprovisioning of users, there are some additional configurations required by your identity provider team. Please see here for a list of settings. Once all of the configuration is done, it is time for testing of the SSO connection, group mapping, provisioning, and SCIM (if configured). SSO testing can be done by logging into Docker Desktop or Docker Hub with the email address associated with a Docker account that also belongs to the domain that was verified. Users that log in using their Docker usernames will continue to be unaffected by the SSO/SCIM setup. NOTE: Some users may need CLI based logins to Docker Hub, and for this they will need a personal access token (PAT). Please see here for more details. + +Test Registry/Image Access Management +CAUTION: This step will affect any existing users signing into your Docker organization. Please communicate with your users before completing this step. If you are planning to use Registry Access Management (RAM) and/or Image Access Management (IAM), configure the settings in the Docker admin portal. Please see here for RAM details, and here for the video walkthrough. Please see here for the IAM details, and here for the video walkthrough. 
+ +Deploy settings and enforce sign in to test group +Deploy the Docker settings and enforce sign in to a small group of test users via MDM. Have this group test their developer workflows with containers using Docker Desktop and Hub to confirm all settings and enforce sign in are working as expected. + +Test Build Cloud capabilities +Have one of your Docker Desktop testers connect to the cloud builder you created and do a build. See here for more details. + +Verify Scout monitoring of repositories +Check the scout.docker.com portal to verify the data and trending for the repositories enabled. From 7cf1fcfa1bfa5541332a683db1b760662e87cc45 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Mon, 7 Oct 2024 12:36:56 +0100 Subject: [PATCH 02/12] module 1 content --- content/guides/admin-set-up/_index.md | 14 ++-- .../admin-set-up/comms-and-info-gathering.md | 72 +++++++++++++++---- .../admin-set-up/finalize-plans-and-setup.md | 6 +- 3 files changed, 72 insertions(+), 20 deletions(-) diff --git a/content/guides/admin-set-up/_index.md b/content/guides/admin-set-up/_index.md index 47e71ea42b6a..645c5fbc971f 100644 --- a/content/guides/admin-set-up/_index.md +++ b/content/guides/admin-set-up/_index.md @@ -1,7 +1,7 @@ --- title: Set up your company for success with Docker linkTitle: Admin set up -summary: Get the most out of Docker by streamlining workflows, standardizing development environments, and ensuring smooth deployments across your company +summary: Get the most out of Docker by streamlining workflows, standardizing development environments, and ensuring smooth deployments across your company. description: Learn how to onboard your company and take advantage of all of the Docker products and features. levels: [intermediate] params: 
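Review bot: "Users that log in using their Docker usernames will continue to be unaffected by the SSO/SCIM setup" reads as a permanent statement, but deploy.md in this same patch says that once SSO is enforced anyone whose email matches the verified domain MUST log in through the SSO connection; qualify the sentence ("until SSO is enforced") so the two pages do not contradict each other. The "Test Registry/Image Access Management" section carries a CAUTION that it affects every existing user signing in to the organization, which means a page titled "Testing" is changing an organization-wide control; state explicitly whether RAM and IAM can be scoped to the test group and, if not, that this step is effectively a deployment. Several "Please see here" references lack links, and "a MDM solution" should be "an MDM solution".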
@@ -28,12 +28,6 @@ Docker's tools provide a scalable, secure platform that empowers your developers By configuring Docker products to suit your company’s needs, you can optimize performance, simplify user management, and maintain control over resources. Whether you’re managing Docker Desktop, Docker Hub, or Docker Build Cloud, this guide will help you set up and configure Docker products to maximize productivity and success for your team whilst meeting compliance and security policies -## What you’ll learn - -- The importance of signing in to the company's Docker organization for access to usage data and enhanced functionality. -- How to standardize Docker Desktop versions and settings to create a consistent baseline for all users, while allowing flexibility for advanced developers. -- Strategies for implementing Docker’s security configurations to meet company IT and software development security requirements without hindering developer productivity. - ## Who’s this for? - Administrators responsible for managing Docker environments within their organization @@ -41,6 +35,12 @@ By configuring Docker products to suit your company’s needs, you can optimize - Teams aiming to standardize application environments across multiple users - Organizations seeking to optimize their use of Docker products for greater scalability and efficiency +## What you’ll learn + +- The importance of signing in to the company's Docker organization for access to usage data and enhanced functionality. +- How to standardize Docker Desktop versions and settings to create a consistent baseline for all users, while allowing flexibility for advanced developers. +- Strategies for implementing Docker’s security configurations to meet company IT and software development security requirements without hindering developer productivity. + ## Tools integration Okta, Entra ID SAML 2.0, Azure Connect (OIDC), MDM solutions like Intune \ No newline at end of file 
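Review bot: Moving "What you'll learn" below "Who's this for?" is fine, but the context line that ends "whilst meeting compliance and security policies" still lacks its period, and the "Tools integration" line is still a bare list with no trailing newline; since this commit already touches the file, fix those here rather than leaving them for a later patch.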
diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index 9d811d43061a..845c02ba61e9 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md 
@@ -4,24 +4,72 @@ description: Gather your company's requirements from key stakeholders and commun weight: 10 --- +## Step one: Communicate with your developers and IT teams + +### Docker user communication -Docker user communication You may already have Docker Desktop users in your company. Some of the steps in this process may cause changes in how they use Docker Desktop. It’s recommended that you send out a communication up front to the users letting them know that as part of the subscription onboarding process you will be upgrading existing Docker Desktop users to a supported version of the product, reviewing settings to help user productivity, and requiring users to sign in to the company’s Docker org with their business email so they are using the subscription. -MDM team communication +### MDM team communication + Device management solutions like Intune and Jamf are a standard way to distribute software across enterprises. There is typically a MDM team that manages this tool. We recommend talking with that team early in the process to understand their requirements and lead time on distributing changes. The Docker configurations can include both JSON files and/or registry key/plist entries that will be distributed to developer machines. It is recommended to use MDM tooling to both distribute configuration files, and ensure their contents don’t change. -Identify Organizations -Some companies may have more than one Docker organization created. These organizations may have been created for specific purposes, or may not be needed anymore. If you suspect your company has more than one organization, it's recommended you survey your teams to see if they have their own organizations. You can also contact your Docker CS representative to get a list of organizations with users whose emails match your domain name. +## Step two: Identify Docker organizations + +Some companies may have more than one [Docker organization](/manuals/admin/organization/_index.md) created. 
These organizations may have been created for specific purposes, or may not be needed anymore. If you suspect your company has more than one Docker organization, it's recommended you survey your teams to see if they have their own organizations. You can also contact your Docker Customer Success representative to get a list of organizations with users whose emails match your domain name. + +## Step three: Gather requirements + +### Baseline configuration + +Docker offers a significant number of configuration parameters that can be preset. + +The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. You should also discuss [enforcing sign-in]() for your Docker Desktop users and whether you want to take advantage of the free trials of other Docker products. such as [Docker Scout](), which is included in the subscription. + +{{< accordion title="Baseline settings to review" >}} + +| Setting | OS Requirements | Description | +|---------------------|-----------------|-----------------| +| `proxy` | | This setting configures the proxy used by Docker Desktop to access the internet. The proxy can be set manually or get its value from the system.| +| `wslEngineEnabled` | Windows only | This setting specifies whether the user should use WSL 2 or HyperV for the VM for Windows installations.| +| `kubernetes` | | Docker Desktop offers a Kubernetes single-node cluster for Kubernetes deployments locally. This setting controls whether it is started when Docker Desktop starts, and its configuration.| +| `analyticsEnabled` | | Docker allows users to opt out of sending usage data to Docker. The usage data feeds what admins are able to see about Docker Desktop usage, so it is highly recommended to enable and lock this setting.| +| `useVirtualizationFrameworkVirtioFS`| macOS only | VirtioFS is the newer higher performance file sharing framework for MacOS. 
It takes precedence over the older frameworks if it is enabled.| +| `useVirtualizationFrameworkRosetta` | macOS only | Rosetta is the Apple emulator for x86 chipsets. This setting allows Docker Desktop to use Rosetta when running containers built for the x86 chipset.| +| `allowExperimentalFeatures` | | Docker Desktop versions often contain experimental features for trial and feedback. If this setting is set to false, experimental features are disabled.| +| `allowBetaFeatures` | | Docker Desktop versions often contain beta features for trial and feedback. If this setting is set to false, beta features are disabled.| +| `configurationFileVersion` | | Specifies the version of the configuration file format.| +| `dockerDaemonOptions` - Linux Containers | | This setting overrides the options in the Docker Engine config file. See the Docker Engine reference for details. Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | +| `vpnkitCIDR` | | Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | +| `dockerDaemonOptions` - Windows Containers | Windows only | This setting overrides the options in the daemon config file. See the Docker Engine reference for details. | +| `extensionsEnabled` | | Docker extensions are third-party add-ons for Docker Desktop. This setting affects if they are allowed.| +| `useGrpcfuse` | macOS only | If the value is set to true, gRPC Fuse is set as the file sharing mechanism. | +| `displayedOnboarding` | | There is an onboarding survey that displays when Docker Desktop is installed and opened for the first time. This setting can disable the survey.| + +{{< /accordion >}} + +### Security configuration + +Docker offers a number of security related features that have configuration parameters that can be preset. 
The infosec representative, Docker organization owner, and the development lead should review those features to determine what should be enabled to meet your company’s security requirements. + +{{< accordion title="Security settings to review" >}} -Baseline configuration discussions -Docker offers a significant number of configuration parameters that can be preset, including enforcing sign in for Docker Desktop users. The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. There are also settings for the free trials of other Docker products included in the subscription. The list of configurations that can be preset is located here. +| Setting | OS Requirements | Description | +|------------|-----------------|---------------| +| Enhanced Container Isolation | | When this setting is enabled, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md). | +| Registry Access Management (Docker Org) | | This parameter is set in the Docker org admin interface. Restricts the registries that `docker pull` and `docker push` commands can access. Note: This is not an endpoint security solution, but a guardrail for users working within company guidelines. For more information, see [Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md).| +| Image Access Management (Docker Org) | | This parameter is set in the Docker org admin interface. Restricts the categories of images accessible within Docker Hub. Note: This is not an endpoint security solution; it's a guardrail for users working within company guidelines. 
For more information, see [Image Access Management](/manuals/security/for-admins/hardened-desktop/image-access-management.md).| +| Scout | | Settings related to how Scout creates SBOMs (Software Bill of Materials) for images and indexes vulnerabilities for images.| +| exposeDockerAPIOnTCP2375 | Windows only | Exposes the Docker API on a specified port. If the value is set to true, the Docker API is exposed on port 2375. **Note**: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| +| windowsDockerdPort | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. **Note**: Available for Windows containers only. | +| filesharingAllowedDirectories | | Specify which paths on the developer host machine or network your users can add container file shares to.| +| enableKerberosNtlm | | When set to true, Kerberos and NTLM authentication is enabled. Default is false. Available in Docker Desktop version 4.32 and later.| +| containersProxy (Beta) | | Allows you to create air-gapped containers. For more information, see [Air-Gapped Containers](/manual/security/for-admins/hardened-desktop/air-gapped-containers.md).| +| blockDockerLoad | | When this setting is enabled, users can no longer run the `docker load` command and will receive an error if they try.| +| disableUpdate | | Users get notifications about new Docker Desktop versions. Enabling this setting removes those notifications. Helpful if corporate IT manages Docker Desktop version updates for users.| -Security configuration discussions -Docker offers a number of security related features that have configuration parameters that can be preset. The infosec representative, Docker organization owner, and the development lead should review those features to determine which they want to enable as part of the company’s baseline configuration. The list of security related features is located here. 
+{{< /accordion >}} -Meet with the Docker implementation team -The Docker Implementation Team can help you step through setting up your organization, configuring SSO, enforcing sign in, and configuring Docker. You can reach out to set up a meeting by emailing successteam@docker.com +## Option step four: Meet with the Docker Implementation team -SSO domain verification -The SSO process has multiple steps involving different teams, so it's recommended that the process is started right away. The first step is domain verification. This step ensures that the person setting up SSO actually controls the domain they are requesting. The detailed steps to verify a domain are located here. Your DNS team will need to be involved in this step. \ No newline at end of file +The Docker Implementation team can help you step through setting up your organization, configuring SSO, enforcing sign in, and configuring Docker. You can reach out to set up a meeting by emailing successteam@docker.com diff --git a/content/guides/admin-set-up/finalize-plans-and-setup.md b/content/guides/admin-set-up/finalize-plans-and-setup.md index 19d594075a63..1660586dbddf 100644 --- a/content/guides/admin-set-up/finalize-plans-and-setup.md +++ b/content/guides/admin-set-up/finalize-plans-and-setup.md 
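Review bot: Two links in this hunk have empty targets ("[enforcing sign-in]()" and "[Docker Scout]()"), the sentence around them has a stray period ("other Docker products. such as"), the air-gapped containers link uses "/manual/" where every other link uses "/manuals/", and the heading "Option step four" should read "Optional step four". In the security table the setting names (`exposeDockerAPIOnTCP2375`, `windowsDockerdPort`, `filesharingAllowedDirectories`, `enableKerberosNtlm`, `containersProxy`, `blockDockerLoad`, `disableUpdate`) are not backticked while the baseline table backticks every key; make the two tables consistent. Since the `exposeDockerAPIOnTCP2375` row already states that the port is unauthenticated, give the admin the recommended baseline value (false, and locked) instead of only the firewall caveat, as the `analyticsEnabled` row already does for its setting. Minor: "MacOS" vs "macOS" and "HyperV" vs "Hyper-V" in the baseline table.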
@@ -20,4 +20,8 @@ Send finalized settings files to MDM team Once all of the settings have been entered to the files that need to be distributed, pass the files to your MDM team to package up. It’s highly recommended that the next step in week 3 is a test distribution to a small number of Docker Desktop users to verify the functionality works as expected. Set up free tier Docker product entitlements included in the subscription -Set up the cloud builder for free monthly minutes in Docker Build Cloud, and up to three repositories to monitor via Docker Scout. Please note that your free entitlements stop when your limits are exceeded so there is no fear of a surprise cost overage. The instructions on setting up the cloud builder are located on build.docker.com and there is a video walkthrough here, and the instructions on adding a repository for scout monitoring is here for Docker Hub repositories, and here for integration to other image registries. \ No newline at end of file +Set up the cloud builder for free monthly minutes in Docker Build Cloud, and up to three repositories to monitor via Docker Scout. Please note that your free entitlements stop when your limits are exceeded so there is no fear of a surprise cost overage. The instructions on setting up the cloud builder are located on build.docker.com and there is a video walkthrough here, and the instructions on adding a repository for scout monitoring is here for Docker Hub repositories, and here for integration to other image registries. + + +SSO domain verification +The SSO process has multiple steps involving different teams, so it's recommended that the process is started right away. The first step is domain verification. This step ensures that the person setting up SSO actually controls the domain they are requesting. The detailed steps to verify a domain are located here. Your DNS team will need to be involved in this step. \ No newline at end of file 
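Review bot: The "SSO domain verification" section removed from comms-and-info-gathering.md is appended at the end of this file, after the product entitlements section, but its own text says domain verification "is the first step" and should be "started right away", and the "Create SSO Connection" section at the top of this same file begins "Once the domain is verified". Place it before "Create SSO Connection" (or keep it on the earlier page) so the order of the guide matches the order of the steps. The hunk also introduces two consecutive blank lines, and "located here" still has no link.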
From b4c1b1d45f3979609d4c6bee31247b98bb9b40e6 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Mon, 7 Oct 2024 12:39:50 +0100 Subject: [PATCH 03/12] module 1 content --- content/guides/admin-set-up/comms-and-info-gathering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index 845c02ba61e9..2579d06f7952 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md @@ -24,7 +24,7 @@ Some companies may have more than one [Docker organization](/manuals/admin/organ Docker offers a significant number of configuration parameters that can be preset. -The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. You should also discuss [enforcing sign-in]() for your Docker Desktop users and whether you want to take advantage of the free trials of other Docker products. such as [Docker Scout](), which is included in the subscription. +The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. You should also discuss [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) for your Docker Desktop users and whether you want to take advantage of the free trials of other Docker products. such as [Docker Scout](/manuals/scout/_index.md), which is included in the subscription. {{< accordion title="Baseline settings to review" >}} From 20c022c5d24ff99aee2e0731926d7f2dbc1cd146 Mon Sep 17 00:00:00 2001 
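Review bot: The link targets are filled in, but the sentence still reads "other Docker products. such as [Docker Scout]" with the stray period; PATCH 04 fixes exactly this line and carries the same subject ("module 1 content"), so squash 03 into 04 rather than leaving a commit where the sentence is broken.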
From: aevesdocker Date: Mon, 7 Oct 2024 13:23:17 +0100 Subject: [PATCH 04/12] module 2, 3, 4 content --- .../admin-set-up/comms-and-info-gathering.md | 4 +-- .../admin-set-up/finalize-plans-and-setup.md | 31 ++++++++++--------- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index 2579d06f7952..0e2b6f6f8578 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md @@ -24,7 +24,7 @@ Some companies may have more than one [Docker organization](/manuals/admin/organ Docker offers a significant number of configuration parameters that can be preset. -The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. You should also discuss [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) for your Docker Desktop users and whether you want to take advantage of the free trials of other Docker products. such as [Docker Scout](/manuals/scout/_index.md), which is included in the subscription. +The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. You should also discuss [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) for your Docker Desktop users and whether you want to take advantage of the free trials of other Docker products such as [Docker Scout](/manuals/scout/_index.md), which is included in the subscription. {{< accordion title="Baseline settings to review" >}} 
@@ -64,7 +64,7 @@ Docker offers a number of security related features that have configuration para | windowsDockerdPort | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. **Note**: Available for Windows containers only. | | filesharingAllowedDirectories | | Specify which paths on the developer host machine or network your users can add container file shares to.| | enableKerberosNtlm | | When set to true, Kerberos and NTLM authentication is enabled. Default is false. Available in Docker Desktop version 4.32 and later.| -| containersProxy (Beta) | | Allows you to create air-gapped containers. For more information, see [Air-Gapped Containers](/manual/security/for-admins/hardened-desktop/air-gapped-containers.md).| +| containersProxy (Beta) | | Allows you to create air-gapped containers. For more information, see [Air-Gapped Containers](/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md).| | blockDockerLoad | | When this setting is enabled, users can no longer run the `docker load` command and will receive an error if they try.| | disableUpdate | | Users get notifications about new Docker Desktop versions. Enabling this setting removes those notifications. Helpful if corporate IT manages Docker Desktop version updates for users.| diff --git a/content/guides/admin-set-up/finalize-plans-and-setup.md b/content/guides/admin-set-up/finalize-plans-and-setup.md index 1660586dbddf..4da2e55100af 100644 --- a/content/guides/admin-set-up/finalize-plans-and-setup.md +++ b/content/guides/admin-set-up/finalize-plans-and-setup.md 
@@ -1,27 +1,28 @@ --- title: Finalize plans and begin setup -description: +description: Collaborate with your MDM team to distribute configurations and set up SSO and Docker product trials. weight: 20 --- -Create SSO Connection -Once the domain is verified, the next step is to create the SSO connection. This will involve your identity provider team to configure the identity groups and help set up the SSO connection. Note that this step of creating the SSO connection will not affect the Docker Desktop user experience, and you will be able to test before enforcing SSO for all users. The steps in the process are located here. +## Step one: Send finalized settings files to MDM team -Finalize baseline configuration settings -Come to agreement between your Docker organization owner and your Development lead on the settings to be configured as part of the Docker baseline. This should include the enforce sign in configuration for your Docker organization. +Once you have come to an agreement between with the relevant teams regarding your baseline and security configurations outlined in module one, follow the instructions in the [Settings Management]() documentation to create the `admin-settings.json` file which contains these configurations. -Manage Organizations -If you have more than one organization, it’s recommended that you either consolidate them into one organization or use the account hierarchy feature to manage multiple organizations. Please work with the CS and implementation teams to make this happen. +Once this has been done, work with your MDM team to deploy the `admin-settings.json` file and your chosen method for [Enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). -Finalize security configuration settings -Come to agreement between your Infosec representative, Docker organization owner, and Development lead on the security features/settings to be preset as part of your Docker baseline configuration. 
+It’s highly recommended that the next step in week 3 is a test distribution to a small number of Docker Desktop users to verify the functionality works as expected. -Send finalized settings files to MDM team -Once all of the settings have been entered to the files that need to be distributed, pass the files to your MDM team to package up. It’s highly recommended that the next step in week 3 is a test distribution to a small number of Docker Desktop users to verify the functionality works as expected. +## Step two: Manage your organizations -Set up free tier Docker product entitlements included in the subscription -Set up the cloud builder for free monthly minutes in Docker Build Cloud, and up to three repositories to monitor via Docker Scout. Please note that your free entitlements stop when your limits are exceeded so there is no fear of a surprise cost overage. The instructions on setting up the cloud builder are located on build.docker.com and there is a video walkthrough here, and the instructions on adding a repository for scout monitoring is here for Docker Hub repositories, and here for integration to other image registries. +If you have more than one organization, it’s recommended that you either consolidate them into one organization or use the account hierarchy feature to manage multiple organizations. Please work with the CS and implementation teams to make this happen. +## Step three: Begin setup -SSO domain verification -The SSO process has multiple steps involving different teams, so it's recommended that the process is started right away. The first step is domain verification. This step ensures that the person setting up SSO actually controls the domain they are requesting. The detailed steps to verify a domain are located here. Your DNS team will need to be involved in this step. 
\ No newline at end of file +### SSO domain verification +The SSO process has multiple steps involving different teams, so it's recommended that the process is started right away. The first step is domain verification. This step ensures that the person setting up SSO actually controls the domain they are requesting. The detailed steps to verify a domain are located here. Your DNS team will need to be involved in this step. + +### Create SSO Connection +Once the domain is verified, the next step is to create the SSO connection. This will involve your identity provider team to configure the identity groups and help set up the SSO connection. Note that this step of creating the SSO connection will not affect the Docker Desktop user experience, and you will be able to test before enforcing SSO for all users. The steps in the process are located here. + +### Set up free tier Docker product entitlements included in the subscription +Set up the cloud builder for free monthly minutes in Docker Build Cloud, and up to three repositories to monitor via Docker Scout. Please note that your free entitlements stop when your limits are exceeded so there is no fear of a surprise cost overage. The instructions on setting up the cloud builder are located on build.docker.com and there is a video walkthrough here, and the instructions on adding a repository for scout monitoring is here for Docker Hub repositories, and here for integration to other image registries. From 1f64ccfb883c4d4acd82bf6e71f0ff555bafe4e0 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Mon, 7 Oct 2024 13:23:31 +0100 Subject: [PATCH 05/12] module 2, 3, 4 content --- content/guides/admin-set-up/deploy.md | 4 ++-- .../admin-set-up/finalize-plans-and-setup.md | 7 +++++++ content/guides/admin-set-up/testing.md | 16 +++++++++------- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/content/guides/admin-set-up/deploy.md b/content/guides/admin-set-up/deploy.md index 069c21c0686a..0538f2f7ca72 100644 
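Review bot: in the finalize-plans-and-setup.md hunk, the new "Step one" paragraph has an empty link target, `[Settings Management]()`, and a doubled preposition in "come to an agreement between with the relevant teams" (drop "between"). The paragraph also says the configurations are "outlined in module one" while this same hunk deletes the "Finalize baseline configuration settings" and "Finalize security configuration settings" sections without linking to where they now live; add a cross-link to the module one page. The "SSO domain verification" and "Create SSO Connection" paragraphs moved under "Step three" still carry unlinked "located here" placeholders.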
--- a/content/guides/admin-set-up/deploy.md +++ b/content/guides/admin-set-up/deploy.md @@ -4,10 +4,10 @@ description: Deploy your Docker setup across your company. weight: 40 --- -Enforce SSO +## Step one: Enforce SSO CAUTION: This step will affect any existing users signing into your Docker organization. Please communicate with your users and carefully read and follow the list of instructions in the admin UI before confirming this step! Enforcing SSO means that anyone who has a Docker profile with an email address that matches your verified domain MUST log in using your SSO connection. Make sure the Identity provider groups associated with your SSO connection cover all the developer groups that you want to have access to the Docker Subscription. -Deploy configuration settings and enforce sign in to users +## Step two: Deploy configuration settings and enforce sign in to users CAUTION: This step will affect all existing users of Docker Desktop. Please communicate with your users before taking this step, and ensure IT and MDM teams are ready for any unexpected issues to arise. Have the MDM team deploy the configuration files for Docker to all users. Congratulations, you have successfully completed the admin implementation process for Docker! diff --git a/content/guides/admin-set-up/finalize-plans-and-setup.md b/content/guides/admin-set-up/finalize-plans-and-setup.md index 4da2e55100af..f7a646ce72cf 100644 --- a/content/guides/admin-set-up/finalize-plans-and-setup.md +++ b/content/guides/admin-set-up/finalize-plans-and-setup.md 
@@ -19,10 +19,17 @@ If you have more than one organization, it’s recommended that you either conso ## Step three: Begin setup ### SSO domain verification + The SSO process has multiple steps involving different teams, so it's recommended that the process is started right away. The first step is domain verification. This step ensures that the person setting up SSO actually controls the domain they are requesting. The detailed steps to verify a domain are located here. Your DNS team will need to be involved in this step. ### Create SSO Connection + Once the domain is verified, the next step is to create the SSO connection. This will involve your identity provider team to configure the identity groups and help set up the SSO connection. Note that this step of creating the SSO connection will not affect the Docker Desktop user experience, and you will be able to test before enforcing SSO for all users. The steps in the process are located here. ### Set up free tier Docker product entitlements included in the subscription + Set up the cloud builder for free monthly minutes in Docker Build Cloud, and up to three repositories to monitor via Docker Scout. Please note that your free entitlements stop when your limits are exceeded so there is no fear of a surprise cost overage. The instructions on setting up the cloud builder are located on build.docker.com and there is a video walkthrough here, and the instructions on adding a repository for scout monitoring is here for Docker Hub repositories, and here for integration to other image registries. + +### Ensure supported version of Docker Desktop + +CAUTION: This step could affect the experience for users on older versions of Docker Desktop. Existing users may have older versions of Docker Desktop that are no longer supported or are out of date. It is highly recommended that everyone update to a supported version. We recommend using a MDM solution to manage the version of Docker Desktop for users. 
Users may also get Docker Desktop directly from Docker or through a company software portal. In any of these cases it's important that the users are upgraded to a supported Docker Desktop version. diff --git a/content/guides/admin-set-up/testing.md b/content/guides/admin-set-up/testing.md index 1ccc3e330db4..cc6d2e14fc78 100644 --- a/content/guides/admin-set-up/testing.md +++ b/content/guides/admin-set-up/testing.md 
@@ -4,20 +4,22 @@ description: Test your Docker setup. weight: 30 --- -Ensure supported version of Docker Desktop -CAUTION: This step could affect the experience for users on older versions of Docker Desktop. Existing users may have older versions of Docker Desktop that are no longer supported or are out of date. It is highly recommended that everyone update to a supported version. We recommend using a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. In any of these cases it's important that the users are upgraded to a supported Docker Desktop version. +## SSO and SCIM testing -SSO and SCIM testing If you want to use SCIM for further automation of provisioning and deprovisioning of users, there are some additional configurations required by your identity provider team. Please see here for a list of settings. Once all of the configuration is done, it is time for testing of the SSO connection, group mapping, provisioning, and SCIM (if configured). SSO testing can be done by logging into Docker Desktop or Docker Hub with the email address associated with a Docker account that also belongs to the domain that was verified. Users that log in using their Docker usernames will continue to be unaffected by the SSO/SCIM setup. NOTE: Some users may need CLI based logins to Docker Hub, and for this they will need a personal access token (PAT). Please see here for more details. -Test Registry/Image Access Management +## Test Registry/Image Access Management + CAUTION: This step will affect any existing users signing into your Docker organization. Please communicate with your users before completing this step. If you are planning to use Registry Access Management (RAM) and/or Image Access Management (IAM), configure the settings in the Docker admin portal. Please see here for RAM details, and here for the video walkthrough. 
Please see here for the IAM details, and here for the video walkthrough. -Deploy settings and enforce sign in to test group +## Deploy settings and enforce sign in to test group + Deploy the Docker settings and enforce sign in to a small group of test users via MDM. Have this group test their developer workflows with containers using Docker Desktop and Hub to confirm all settings and enforce sign in are working as expected. -Test Build Cloud capabilities +## Test Build Cloud capabilities + Have one of your Docker Desktop testers connect to the cloud builder you created and do a build. See here for more details. -Verify Scout monitoring of repositories +## Verify Scout monitoring of repositories + Check the scout.docker.com portal to verify the data and trending for the repositories enabled. From 14895d4884401227e97e4c18e406dc6120b5e724 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Mon, 7 Oct 2024 15:05:10 +0100 Subject: [PATCH 06/12] edits and additions --- content/guides/admin-set-up/_index.md | 4 ++ .../admin-set-up/comms-and-info-gathering.md | 42 ++++++++++--------- content/guides/admin-set-up/deploy.md | 12 ++++-- .../admin-set-up/finalize-plans-and-setup.md | 32 ++++++++------ content/guides/admin-set-up/testing.md | 17 +++++--- 5 files changed, 68 insertions(+), 39 deletions(-) diff --git a/content/guides/admin-set-up/_index.md b/content/guides/admin-set-up/_index.md index 645c5fbc971f..bd8fd8bdc6e6 100644 --- a/content/guides/admin-set-up/_index.md +++ b/content/guides/admin-set-up/_index.md 
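Review bot: in the deploy.md hunk, the "CAUTION:" sentences under the new "## Step one: Enforce SSO" and "## Step two" headings remain plain prose, so a reader skimming headings will miss that enforcing SSO forces every Docker profile whose email matches the verified domain to sign in through the SSO connection. Put each caution in an admonition block (`> [!WARNING]`) and keep "carefully read and follow the list of instructions in the admin UI before confirming this step", which is the one actionable safeguard in the section. Minor: the heading says "enforce sign in" while link text elsewhere in the series uses "enforcing sign-in".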
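Review bot: in the finalize-plans-and-setup.md hunk, the "### Ensure supported version of Docker Desktop" section moved in from testing.md is still a single run-on paragraph with an inline "CAUTION:"; split the caution from the recommendation and fix "a MDM solution" to "an MDM solution". It is also placed after the Build Cloud and Scout entitlements, but version currency matters earlier than that: several settings in the baseline table are version-gated (for example `enableKerberosNtlm` is "Available in Docker Desktop version 4.32 and later"), so consider moving this section ahead of the entitlements or referencing it from Step one where `admin-settings.json` is prepared.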
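Review bot: in the testing.md hunk, the SSO/SCIM and RAM/IAM sections carry five unlinked "Please see here" placeholders (SCIM settings, PAT details, RAM details and walkthrough, IAM details and walkthrough), and the "NOTE:" and "CAUTION:" sentences are inline; the caution under "## Test Registry/Image Access Management" states the step "will affect any existing users signing into your Docker organization" and belongs in an admonition. Keep "Users that log in using their Docker usernames will continue to be unaffected by the SSO/SCIM setup" prominent, since it is exactly the coverage gap a reviewer checks against the deploy step: enforcing SSO only applies to profiles whose email matches the verified domain.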
@@ -22,6 +22,10 @@ params: url: /security/for-admins/hardened-desktop/registry-access-management/ - title: Image Access Management url: /security/for-admins/hardened-desktop/image-access-management/ + - title: Docker Build Cloud subscription information + url: /manuals/subscription/build-cloud/build-details/ + - title: Docker Scout subscription information + url: /manuals/subscription/scout-details/ --- Docker's tools provide a scalable, secure platform that empowers your developers to create, ship, and run applications faster. As an administrator, you have the ability to streamline workflows, standardize development environments, and ensure smooth deployments across your organization. diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index 0e2b6f6f8578..62a106a44684 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md 
@@ -8,11 +8,15 @@ weight: 10 ### Docker user communication -You may already have Docker Desktop users in your company. Some of the steps in this process may cause changes in how they use Docker Desktop. It’s recommended that you send out a communication up front to the users letting them know that as part of the subscription onboarding process you will be upgrading existing Docker Desktop users to a supported version of the product, reviewing settings to help user productivity, and requiring users to sign in to the company’s Docker org with their business email so they are using the subscription. +You may already have Docker Desktop users within your company, and some steps in this process may affect how they interact with the platform. It's highly recommended to communicate early with users, informing them that as part of the subscription onboarding, they will be upgraded to a supported version of Docker Desktop. + +Additionally, communicate that settings will be reviewed to optimize productivity, and users will be required to sign in to the company’s Docker organization using their business email to fully utilize the subscription benefits. ### MDM team communication -Device management solutions like Intune and Jamf are a standard way to distribute software across enterprises. There is typically a MDM team that manages this tool. We recommend talking with that team early in the process to understand their requirements and lead time on distributing changes. The Docker configurations can include both JSON files and/or registry key/plist entries that will be distributed to developer machines. It is recommended to use MDM tooling to both distribute configuration files, and ensure their contents don’t change. +Device management solutions, such as Intune and Jamf, are commonly used for software distribution across enterprises, typically managed by a dedicated MDM team. 
We recommend engaging with this team early in the process to understand their requirements and the lead time for deploying changes. + +Several key setup steps in this guide require the use of JSON files, registry keys, or .plist files that need to be distributed to developer machines. It’s a best practice to use MDM tools for deploying these configuration files and ensuring their integrity is preserved. ## Step two: Identify Docker organizations @@ -22,7 +26,7 @@ Some companies may have more than one [Docker organization](/manuals/admin/organ ### Baseline configuration -Docker offers a significant number of configuration parameters that can be preset. +Through [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md), Docker offers a significant number of configuration parameters that can be preset. The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. You should also discuss [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) for your Docker Desktop users and whether you want to take advantage of the free trials of other Docker products such as [Docker Scout](/manuals/scout/_index.md), which is included in the subscription. 
@@ -39,37 +43,37 @@ The Docker organization owner and the development lead should review the setting | `allowExperimentalFeatures` | | Docker Desktop versions often contain experimental features for trial and feedback. If this setting is set to false, experimental features are disabled.| | `allowBetaFeatures` | | Docker Desktop versions often contain beta features for trial and feedback. If this setting is set to false, beta features are disabled.| | `configurationFileVersion` | | Specifies the version of the configuration file format.| -| `dockerDaemonOptions` - Linux Containers | | This setting overrides the options in the Docker Engine config file. See the Docker Engine reference for details. Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | +| `dockerDaemonOptions` - Linux Containers | | This setting overrides the options in the Docker Engine config file. For details, see the [Docker Engine reference](/reference/cli/dockerd.md#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | | `vpnkitCIDR` | | Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | -| `dockerDaemonOptions` - Windows Containers | Windows only | This setting overrides the options in the daemon config file. See the Docker Engine reference for details. | +| `dockerDaemonOptions` - Windows Containers | Windows only | This setting overrides the options in the daemon config file. For details, see the [Docker Engine reference](/reference/cli/dockerd.md#daemon-configuration-file).| | `extensionsEnabled` | | Docker extensions are third-party add-ons for Docker Desktop. This setting affects if they are allowed.| | `useGrpcfuse` | macOS only | If the value is set to true, gRPC Fuse is set as the file sharing mechanism. 
| -| `displayedOnboarding` | | There is an onboarding survey that displays when Docker Desktop is installed and opened for the first time. This setting can disable the survey.| +| `displayedOnboarding` | | There is an onboarding survey that displays when Docker Desktop is installed and opened for the first time. This setting can disable the survey.| {{< /accordion >}} ### Security configuration -Docker offers a number of security related features that have configuration parameters that can be preset. The infosec representative, Docker organization owner, and the development lead should review those features to determine what should be enabled to meet your company’s security requirements. +Docker also offers a number of security related features, again through [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md), that can be preset. The infosec representative, Docker organization owner, and the development lead should review those features to determine what should be enabled to meet your company’s security requirements. {{< accordion title="Security settings to review" >}} | Setting | OS Requirements | Description | |------------|-----------------|---------------| -| Enhanced Container Isolation | | When this setting is enabled, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md). | -| Registry Access Management (Docker Org) | | This parameter is set in the Docker org admin interface. Restricts the registries that `docker pull` and `docker push` commands can access. Note: This is not an endpoint security solution, but a guardrail for users working within company guidelines. 
For more information, see [Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md).| -| Image Access Management (Docker Org) | | This parameter is set in the Docker org admin interface. Restricts the categories of images accessible within Docker Hub. Note: This is not an endpoint security solution; it's a guardrail for users working within company guidelines. For more information, see [Image Access Management](/manuals/security/for-admins/hardened-desktop/image-access-management.md).| -| Scout | | Settings related to how Scout creates SBOMs (Software Bill of Materials) for images and indexes vulnerabilities for images.| -| exposeDockerAPIOnTCP2375 | Windows only | Exposes the Docker API on a specified port. If the value is set to true, the Docker API is exposed on port 2375. **Note**: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| -| windowsDockerdPort | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. **Note**: Available for Windows containers only. | -| filesharingAllowedDirectories | | Specify which paths on the developer host machine or network your users can add container file shares to.| -| enableKerberosNtlm | | When set to true, Kerberos and NTLM authentication is enabled. Default is false. Available in Docker Desktop version 4.32 and later.| -| containersProxy (Beta) | | Allows you to create air-gapped containers. For more information, see [Air-Gapped Containers](/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md).| -| blockDockerLoad | | When this setting is enabled, users can no longer run the `docker load` command and will receive an error if they try.| -| disableUpdate | | Users get notifications about new Docker Desktop versions. Enabling this setting removes those notifications. 
Helpful if corporate IT manages Docker Desktop version updates for users.| +| Enhanced Container Isolation | | When this setting is enabled, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, and prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md). | +| Registry Access Management | | This parameter restricts the registries that `docker pull` and `docker push` commands can access. Note: This is not an endpoint security solution, but a guardrail for users working within company guidelines. For more information, see [Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md).| +| Image Access Management | | This parameter restricts the categories of images accessible within Docker Hub. Note: This is not an endpoint security solution; it's a guardrail for users working within company guidelines. For more information, see [Image Access Management](/manuals/security/for-admins/hardened-desktop/image-access-management.md).| +| Scout | | Settings related to how Scout creates SBOMs (Software Bill of Materials) and indexes vulnerabilities for images.| +| `exposeDockerAPIOnTCP2375` | Windows only | Exposes the Docker API on a specified port. If the value is set to true, the Docker API is exposed on port `2375`. This is unauthenticated and should only be enabled if protected by suitable firewall rules.| +| `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. It is available for Windows containers only. 
| +| `filesharingAllowedDirectories` | | Specify which paths on the developer host machine or network your users can add container file shares to.| +| `enableKerberosNtlm` | | When set to true, Kerberos and NTLM authentication is enabled. Default is false. Available in Docker Desktop version 4.32 and later.| +| `containersProxy` | | Allows you to create air-gapped containers. For more information, see [Air-Gapped Containers](/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md).| +| `blockDockerLoad` | | When this setting is enabled, users can no longer run the `docker load` command and will receive an error if they try.| +| `disableUpdate` | | Users get notifications about new Docker Desktop versions. Enabling this setting removes those notifications. Helpful if corporate IT manages Docker Desktop version updates for users.| {{< /accordion >}} ## Option step four: Meet with the Docker Implementation team -The Docker Implementation team can help you step through setting up your organization, configuring SSO, enforcing sign in, and configuring Docker. You can reach out to set up a meeting by emailing successteam@docker.com +The Docker Implementation team can help you step through setting up your organization, configuring SSO, enforcing sign in, and configuring Docker. You can reach out to set up a meeting by emailing successteam@docker.com. diff --git a/content/guides/admin-set-up/deploy.md b/content/guides/admin-set-up/deploy.md index 0538f2f7ca72..9fdb04fb7e50 100644 --- a/content/guides/admin-set-up/deploy.md +++ b/content/guides/admin-set-up/deploy.md 
@@ -4,10 +4,16 @@ description: Deploy your Docker setup across your company. weight: 40 --- +> [!WARNING] +> Ensure you communicate with your users before proceeding, and confirm that your IT and MDM teams are prepared to handle any unexpected issues, as these steps will affect all existing users signing into your Docker organization. + + ## Step one: Enforce SSO -CAUTION: This step will affect any existing users signing into your Docker organization. Please communicate with your users and carefully read and follow the list of instructions in the admin UI before confirming this step! Enforcing SSO means that anyone who has a Docker profile with an email address that matches your verified domain MUST log in using your SSO connection. Make sure the Identity provider groups associated with your SSO connection cover all the developer groups that you want to have access to the Docker Subscription. + +Enforcing SSO means that anyone who has a Docker profile with an email address that matches your verified domain must sign in using your SSO connection. Make sure the Identity provider groups associated with your SSO connection cover all the developer groups that you want to have access to the Docker subscription. ## Step two: Deploy configuration settings and enforce sign in to users -CAUTION: This step will affect all existing users of Docker Desktop. Please communicate with your users before taking this step, and ensure IT and MDM teams are ready for any unexpected issues to arise. Have the MDM team deploy the configuration files for Docker to all users. -Congratulations, you have successfully completed the admin implementation process for Docker! +Have the MDM team deploy the configuration files for Docker to all users. + +Congratulations, you have successfully completed the admin implementation process for Docker. 
diff --git a/content/guides/admin-set-up/finalize-plans-and-setup.md b/content/guides/admin-set-up/finalize-plans-and-setup.md index f7a646ce72cf..80eb21b99661 100644 --- a/content/guides/admin-set-up/finalize-plans-and-setup.md +++ b/content/guides/admin-set-up/finalize-plans-and-setup.md 
@@ -4,32 +4,40 @@ description: Collaborate with your MDM team to distribute configurations and set weight: 20 --- -## Step one: Send finalized settings files to MDM team +## Step one: Send finalized settings files to the MDM team -Once you have come to an agreement between with the relevant teams regarding your baseline and security configurations outlined in module one, follow the instructions in the [Settings Management]() documentation to create the `admin-settings.json` file which contains these configurations. +After reaching an agreement with the relevant teams on your baseline and security configurations as outlined in module one, follow the instructions in the [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md) documentation to create the admin-settings.json file that captures these configurations. -Once this has been done, work with your MDM team to deploy the `admin-settings.json` file and your chosen method for [Enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). +Once the file is ready, collaborate with your MDM team to deploy the admin-settings.json file, along with your chosen method for [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md).. -It’s highly recommended that the next step in week 3 is a test distribution to a small number of Docker Desktop users to verify the functionality works as expected. +> [!IMPORTANT] +> +> It’s highly recommended that you test this first with a small number of Docker Desktop developers to verify the functionality works as expected before deploying more widely. ## Step two: Manage your organizations -If you have more than one organization, it’s recommended that you either consolidate them into one organization or use the account hierarchy feature to manage multiple organizations. Please work with the CS and implementation teams to make this happen. 
+If you have more than one organization, it’s recommended that you either consolidate them into one organization or create a [Docker company](/manuals/admin/company/_index.md) to manage multiple organizations. Work with the Docker Customer Success and Implementation teams to make this happen. ## Step three: Begin setup -### SSO domain verification +### Set up single sign-on SSO domain verification -The SSO process has multiple steps involving different teams, so it's recommended that the process is started right away. The first step is domain verification. This step ensures that the person setting up SSO actually controls the domain they are requesting. The detailed steps to verify a domain are located here. Your DNS team will need to be involved in this step. +Single sign-on (SSO) allows developers to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. For more information, see the [documentation](/manuals/security/for-admins/single-sign-on/_index.md). -### Create SSO Connection - -Once the domain is verified, the next step is to create the SSO connection. This will involve your identity provider team to configure the identity groups and help set up the SSO connection. Note that this step of creating the SSO connection will not affect the Docker Desktop user experience, and you will be able to test before enforcing SSO for all users. The steps in the process are located here. +You can also enable [SCIM] for further automation of provisioning and deprovisioning of users. ### Set up free tier Docker product entitlements included in the subscription -Set up the cloud builder for free monthly minutes in Docker Build Cloud, and up to three repositories to monitor via Docker Scout. Please note that your free entitlements stop when your limits are exceeded so there is no fear of a surprise cost overage. 
The instructions on setting up the cloud builder are located on build.docker.com and there is a video walkthrough here, and the instructions on adding a repository for scout monitoring is here for Docker Hub repositories, and here for integration to other image registries. +[Docker Build Cloud](/manuals/build-cloud/_index.md) significantly reduces build times, both locally and in CI, by providing a dedicated remote builder and shared cache. Powered by the cloud, developer time and local resources are freed up so your team can focus on more important things, like innovation. To get started, [set up a cloud builder](http://build.docker.com). + +[Docker Scout](manuals/scout/_index.md) is a solution for proactively enhancing your software supply chain security. By analyzing your images, Docker Scout compiles an inventory of components, also known as a Software Bill of Materials (SBOM). The SBOM is matched against a continuously updated vulnerability database to pinpoint security weaknesses. To get started, see [Quickstart](/manuals/scout/quickstart.md). ### Ensure supported version of Docker Desktop -CAUTION: This step could affect the experience for users on older versions of Docker Desktop. Existing users may have older versions of Docker Desktop that are no longer supported or are out of date. It is highly recommended that everyone update to a supported version. We recommend using a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. In any of these cases it's important that the users are upgraded to a supported Docker Desktop version. +> [!WARNING] +> +> This step could affect the experience for users on older versions of Docker Desktop. + +Existing users may be running outdated or unsupported versions of Docker Desktop. It is highly recommended all users update to a supported version. 
Docker Desktop versions released within the past 6 months from the latest release are supported. + +We recommend using a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. diff --git a/content/guides/admin-set-up/testing.md b/content/guides/admin-set-up/testing.md index cc6d2e14fc78..f6174f7c653b 100644 --- a/content/guides/admin-set-up/testing.md +++ b/content/guides/admin-set-up/testing.md 
@@ -6,20 +6,27 @@ weight: 30 ## SSO and SCIM testing -If you want to use SCIM for further automation of provisioning and deprovisioning of users, there are some additional configurations required by your identity provider team. Please see here for a list of settings. Once all of the configuration is done, it is time for testing of the SSO connection, group mapping, provisioning, and SCIM (if configured). SSO testing can be done by logging into Docker Desktop or Docker Hub with the email address associated with a Docker account that also belongs to the domain that was verified. Users that log in using their Docker usernames will continue to be unaffected by the SSO/SCIM setup. NOTE: Some users may need CLI based logins to Docker Hub, and for this they will need a personal access token (PAT). Please see here for more details. +You can test SSO and SCIM by signing in to Docker Desktop or Docker Hub with the email address linked to a Docker account that is part of the verified domain. Developers who sign in using their Docker usernames will remain unaffected by the SSO and/or SCIM setup. + +> [!IMPORTANT] +> +> Some users may need CLI based logins to Docker Hub, and for this they will need a [personal access token (PAT)](/manuals/security/for-developers/access-tokens.md). ## Test Registry/Image Access Management -CAUTION: This step will affect any existing users signing into your Docker organization. Please communicate with your users before completing this step. If you are planning to use Registry Access Management (RAM) and/or Image Access Management (IAM), configure the settings in the Docker admin portal. Please see here for RAM details, and here for the video walkthrough. Please see here for the IAM details, and here for the video walkthrough. 
+> [!WARNING] +> Be sure to communicate with your users before proceeding, as this step will impact all existing users signing into your Docker organization + +If you plan to use [Registry Access Management (RAM)](/manuals/security/for-admins/hardened-desktop/registry-access-management.md) and/or [Image Access Management (IAM)](/manuals/security/for-admins/hardened-desktop/image-access-management.md), ensure your test developer signs in to Docker Desktop using their organization credentials. Once authenticated, have them attempt to pull an unauthorized image or one from a disallowed registry via the Docker CLI. They should receive an error message indicating that the registry is restricted by the organization. ## Deploy settings and enforce sign in to test group -Deploy the Docker settings and enforce sign in to a small group of test users via MDM. Have this group test their developer workflows with containers using Docker Desktop and Hub to confirm all settings and enforce sign in are working as expected. +Deploy the Docker settings and enforce sign-in for a small group of test users via MDM. Have this group test their development workflows with containers on Docker Desktop and Docker Hub to ensure all settings and the sign-in enforcement function as expected. ## Test Build Cloud capabilities -Have one of your Docker Desktop testers connect to the cloud builder you created and do a build. See here for more details. +Have one of your Docker Desktop testers [connect to the cloud builder you created and use it to build](/manuals/build-cloud/usage.md). ## Verify Scout monitoring of repositories -Check the scout.docker.com portal to verify the data and trending for the repositories enabled. +Check the [Docker Scout dashboard](https://scout.docker.com/) to confirm that data is being properly received for the repositories where Docker Scout has been enabled. From b696174c85a15a632a6af74490dbf0f02b8732dc Mon Sep 17 00:00:00 2001 
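Review bot: In the finalize-plans-and-setup.md Step one hunk, the rewritten "Once the file is ready" sentence ends with a double period (`_index.md)..`) and both new lines drop the code formatting the removed lines had on `admin-settings.json`; restore the backticks and end with a single period.

Review bot: In the finalize-plans-and-setup.md Step three hunk, `[SCIM]` is a reference-style link with no definition, so it will render as literal brackets; `[Docker Scout](manuals/scout/_index.md)` is missing the leading slash every other manuals link in the hunk uses; and the Build Cloud link points at `http://build.docker.com` rather than https for a page where admins sign in. The heading "Set up single sign-on SSO domain verification" also repeats SSO; "Set up single sign-on (SSO)" reads better. The removed "Create SSO Connection" paragraph carried a useful reassurance that creating the connection does not affect Docker Desktop users and can be tested before enforcing SSO; consider keeping that sentence, since enforcement is what the deploy.md warning is about.

Review bot: In the finalize-plans-and-setup.md "Ensure supported version" hunk, "a MDM solution" should be "an MDM solution".

Review bot: In the testing.md "Test Registry/Image Access Management" hunk, the test only covers the negative case (a pull from a disallowed registry fails); have the tester also pull an image from an allowed registry so the policy is confirmed not to block legitimate workflows before it is rolled out. The new warning line is also missing its final period, and the "enforce sign in to test group" heading should use "sign-in" to match `enforcing sign-in` in the finalize-plans-and-setup.md hunk.

Review bot: In the deploy.md hunk, the single warning says both steps affect "all existing users signing into your Docker organization", while the Step one body scopes SSO enforcement to profiles whose email matches the verified domain and the testing.md hunk says username sign-ins are unaffected; either narrow the warning or state the scope in Step one so admins can judge the blast radius.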
From: aevesdocker Date: Mon, 7 Oct 2024 15:11:35 +0100 Subject: [PATCH 07/12] fix build --- content/guides/admin-set-up/_index.md | 4 ++-- content/guides/admin-set-up/comms-and-info-gathering.md | 2 +- content/guides/admin-set-up/deploy.md | 3 +-- content/guides/admin-set-up/testing.md | 2 +- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/content/guides/admin-set-up/_index.md b/content/guides/admin-set-up/_index.md index bd8fd8bdc6e6..fa035ec5b04b 100644 --- a/content/guides/admin-set-up/_index.md +++ b/content/guides/admin-set-up/_index.md @@ -23,9 +23,9 @@ params: - title: Image Access Management url: /security/for-admins/hardened-desktop/image-access-management/ - title: Docker Build Cloud subscription information - url: /manuals/subscription/build-cloud/build-details/ + url: /subscription/build-cloud/build-details/ - title: Docker Scout subscription information - url: /manuals/subscription/scout-details/ + url: /subscription/scout-details/ --- Docker's tools provide a scalable, secure platform that empowers your developers to create, ship, and run applications faster. As an administrator, you have the ability to streamline workflows, standardize development environments, and ensure smooth deployments across your organization. diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index 62a106a44684..eaf179875aeb 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md 
@@ -74,6 +74,6 @@ Docker also offers a number of security related features, again through [Setting {{< /accordion >}} -## Option step four: Meet with the Docker Implementation team +## Optional step four: Meet with the Docker Implementation team The Docker Implementation team can help you step through setting up your organization, configuring SSO, enforcing sign in, and configuring Docker. You can reach out to set up a meeting by emailing successteam@docker.com. diff --git a/content/guides/admin-set-up/deploy.md b/content/guides/admin-set-up/deploy.md index 9fdb04fb7e50..fddc992b4432 100644 --- a/content/guides/admin-set-up/deploy.md +++ b/content/guides/admin-set-up/deploy.md @@ -7,12 +7,11 @@ weight: 40 > [!WARNING] > Ensure you communicate with your users before proceeding, and confirm that your IT and MDM teams are prepared to handle any unexpected issues, as these steps will affect all existing users signing into your Docker organization. - ## Step one: Enforce SSO Enforcing SSO means that anyone who has a Docker profile with an email address that matches your verified domain must sign in using your SSO connection. Make sure the Identity provider groups associated with your SSO connection cover all the developer groups that you want to have access to the Docker subscription. -## Step two: Deploy configuration settings and enforce sign in to users +## Step two: Deploy configuration settings and enforce sign-in to users Have the MDM team deploy the configuration files for Docker to all users. diff --git a/content/guides/admin-set-up/testing.md b/content/guides/admin-set-up/testing.md index f6174f7c653b..d4fd0b805ccc 100644 --- a/content/guides/admin-set-up/testing.md +++ b/content/guides/admin-set-up/testing.md 
@@ -12,7 +12,7 @@ You can test SSO and SCIM by signing in to Docker Desktop or Docker Hub with the > > Some users may need CLI based logins to Docker Hub, and for this they will need a [personal access token (PAT)](/manuals/security/for-developers/access-tokens.md). -## Test Registry/Image Access Management +## Test RAM and IAM > [!WARNING] > Be sure to communicate with your users before proceeding, as this step will impact all existing users signing into your Docker organization From 1bc248f11f2ca7ff8ccaf41c4339cd09b796cdd8 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Mon, 7 Oct 2024 15:53:51 +0100 Subject: [PATCH 08/12] vale stuff --- _vale/config/vocabularies/Docker/accept.txt | 6 ++++++ .../guides/admin-set-up/comms-and-info-gathering.md | 10 +++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/_vale/config/vocabularies/Docker/accept.txt b/_vale/config/vocabularies/Docker/accept.txt index 35a06b4664e0..2514ebd0a31c 100644 --- a/_vale/config/vocabularies/Docker/accept.txt +++ b/_vale/config/vocabularies/Docker/accept.txt @@ -69,6 +69,8 @@ IPs? IPv[46] IPvlan Intel +Intune +Jamf JFrog JetBrains Kitematic @@ -80,14 +82,17 @@ Logstash MAC Mac Mail(chimp|gun) +MDM Microsoft MySQL NAT Netplan Nginx +NTLM Nuxeo OAuth OCI +[Oo]nboarding OTel Okta Postgres @@ -188,3 +193,4 @@ umask ungated vSphere virtiofs +vpnkit diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index eaf179875aeb..787f0339649b 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md 
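Review bot: In the testing.md hunk, the heading "Test RAM and IAM" uses the acronyms before the section body defines them, and IAM is commonly read as identity and access management; keep the full names in the heading (for example "Test Registry Access Management and Image Access Management") and let the body introduce the acronyms as it already does.

Review bot: In the _index.md hunk the two resource_links URLs drop the `/manuals` prefix to match the other entries, but the commit message only says "fix build"; state which build error the prefixed paths caused so the convention is clear to the next editor.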
@@ -14,13 +14,13 @@ Additionally, communicate that settings will be reviewed to optimize productivit ### MDM team communication -Device management solutions, such as Intune and Jamf, are commonly used for software distribution across enterprises, typically managed by a dedicated MDM team. We recommend engaging with this team early in the process to understand their requirements and the lead time for deploying changes. +Device management solutions, such as Intune and Jamf, are commonly used for software distribution across enterprises, typically managed by a dedicated MDM team. It is recommended that you engage with this team early in the process to understand their requirements and the lead time for deploying changes. Several key setup steps in this guide require the use of JSON files, registry keys, or .plist files that need to be distributed to developer machines. It’s a best practice to use MDM tools for deploying these configuration files and ensuring their integrity is preserved. ## Step two: Identify Docker organizations -Some companies may have more than one [Docker organization](/manuals/admin/organization/_index.md) created. These organizations may have been created for specific purposes, or may not be needed anymore. If you suspect your company has more than one Docker organization, it's recommended you survey your teams to see if they have their own organizations. You can also contact your Docker Customer Success representative to get a list of organizations with users whose emails match your domain name. +Some companies may have more than one [Docker organization](/manuals/admin/organization/_index.md) created. These organizations may have been created for specific purposes, or may not be needed anymore. If you suspect your company has more than one Docker organization, it's recommended you survey your teams to see if they have their own organizations. 
You can also contact your Docker Customer Success representative to get a list of organizations with users whose emails match your domain name. ## Step three: Gather requirements 
@@ -37,9 +37,9 @@ The Docker organization owner and the development lead should review the setting | `proxy` | | This setting configures the proxy used by Docker Desktop to access the internet. The proxy can be set manually or get its value from the system.| | `wslEngineEnabled` | Windows only | This setting specifies whether the user should use WSL 2 or HyperV for the VM for Windows installations.| | `kubernetes` | | Docker Desktop offers a Kubernetes single-node cluster for Kubernetes deployments locally. This setting controls whether it is started when Docker Desktop starts, and its configuration.| -| `analyticsEnabled` | | Docker allows users to opt out of sending usage data to Docker. The usage data feeds what admins are able to see about Docker Desktop usage, so it is highly recommended to enable and lock this setting.| -| `useVirtualizationFrameworkVirtioFS`| macOS only | VirtioFS is the newer higher performance file sharing framework for MacOS. It takes precedence over the older frameworks if it is enabled.| -| `useVirtualizationFrameworkRosetta` | macOS only | Rosetta is the Apple emulator for x86 chipsets. This setting allows Docker Desktop to use Rosetta when running containers built for the x86 chipset.| +| `analyticsEnabled` | | Docker lets users to opt out of sending usage data to Docker. The usage data feeds what admins are able to see about Docker Desktop usage, so it is highly recommended to enable and lock this setting.| +| `useVirtualizationFrameworkVirtioFS`| macOS only | Virtiofs is the newer higher performance file sharing framework for Mac. It takes precedence over the older frameworks if it is enabled.| +| `useVirtualizationFrameworkRosetta` | macOS only | Rosetta is the Apple emulator for x86 chipsets. This setting lets Docker Desktop to use Rosetta when running containers built for the x86 chipset.| | `allowExperimentalFeatures` | | Docker Desktop versions often contain experimental features for trial and feedback. 
If this setting is set to false, experimental features are disabled.| | `allowBetaFeatures` | | Docker Desktop versions often contain beta features for trial and feedback. If this setting is set to false, beta features are disabled.| | `configurationFileVersion` | | Specifies the version of the configuration file format.| From a42343ba9978312193057c9a3e869b6ba0a01497 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Mon, 7 Oct 2024 16:05:03 +0100 Subject: [PATCH 09/12] more vale fun --- _vale/config/vocabularies/Docker/accept.txt | 9 +++++++-- content/guides/admin-set-up/comms-and-info-gathering.md | 6 +++--- content/guides/admin-set-up/deploy.md | 2 +- content/guides/admin-set-up/finalize-plans-and-setup.md | 4 ++-- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/_vale/config/vocabularies/Docker/accept.txt b/_vale/config/vocabularies/Docker/accept.txt index 2514ebd0a31c..f1685dadf646 100644 --- a/_vale/config/vocabularies/Docker/accept.txt +++ b/_vale/config/vocabularies/Docker/accept.txt @@ -65,6 +65,7 @@ Grafana Gravatar HTTP HyperKit +IAM IPs? IPv[46] IPvlan @@ -73,6 +74,7 @@ Intune Jamf JFrog JetBrains +Kerberos Kitematic Kubernetes LTS @@ -92,9 +94,9 @@ NTLM Nuxeo OAuth OCI -[Oo]nboarding OTel Okta +PAT Postgres PowerShell Python @@ -143,8 +145,10 @@ Zsh [Ff]iletypes? [GgCc]oroutine [Hh]ostname +[Ii]nfosec [Ll]oopback [Mm]oby +[Oo]nboarding [Pp]aravirtualization [Pp]roxying [Rr]eal-time @@ -154,10 +158,12 @@ Zsh [Ss]warm [Tt]oolchains? [Vv]irtualize +[Vv]irtiofs [Ww]alkthrough cgroup config containerd +deprovisioning deserialization deserialize displayName @@ -192,5 +198,4 @@ ufw umask ungated vSphere -virtiofs vpnkit diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index 787f0339649b..8da3fed338f3 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md 
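Review bot: In the accept.txt hunk, `[Oo]nboarding` is added between `OCI` and `OTel` in the capitalised proper-noun block, while the other case-pattern entries such as `[Hh]ostname` and `[Ll]oopback` live in the bracketed block further down; move it there so the list stays grouped (patch 09 ends up doing exactly this).

Review bot: In the comms-and-info-gathering.md table hunk, the `analyticsEnabled` row's new text "Docker lets users to opt out" introduces a grammar error, and the `useVirtualizationFrameworkRosetta` row gets the same construction ("lets Docker Desktop to use Rosetta"); drop the "to" in both.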
@@ -37,7 +37,7 @@ The Docker organization owner and the development lead should review the setting | `proxy` | | This setting configures the proxy used by Docker Desktop to access the internet. The proxy can be set manually or get its value from the system.| | `wslEngineEnabled` | Windows only | This setting specifies whether the user should use WSL 2 or HyperV for the VM for Windows installations.| | `kubernetes` | | Docker Desktop offers a Kubernetes single-node cluster for Kubernetes deployments locally. This setting controls whether it is started when Docker Desktop starts, and its configuration.| -| `analyticsEnabled` | | Docker lets users to opt out of sending usage data to Docker. The usage data feeds what admins are able to see about Docker Desktop usage, so it is highly recommended to enable and lock this setting.| +| `analyticsEnabled` | | Docker lets users opt out of sending usage data to Docker. The usage data feeds what admins are able to see about Docker Desktop usage, so it is highly recommended to enable and lock this setting.| | `useVirtualizationFrameworkVirtioFS`| macOS only | Virtiofs is the newer higher performance file sharing framework for Mac. It takes precedence over the older frameworks if it is enabled.| | `useVirtualizationFrameworkRosetta` | macOS only | Rosetta is the Apple emulator for x86 chipsets. This setting lets Docker Desktop to use Rosetta when running containers built for the x86 chipset.| | `allowExperimentalFeatures` | | Docker Desktop versions often contain experimental features for trial and feedback. If this setting is set to false, experimental features are disabled.| 
@@ -68,7 +68,7 @@ Docker also offers a number of security related features, again through [Setting | `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. It is available for Windows containers only. | | `filesharingAllowedDirectories` | | Specify which paths on the developer host machine or network your users can add container file shares to.| | `enableKerberosNtlm` | | When set to true, Kerberos and NTLM authentication is enabled. Default is false. Available in Docker Desktop version 4.32 and later.| -| `containersProxy` | | Allows you to create air-gapped containers. For more information, see [Air-Gapped Containers](/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md).| +| `containersProxy` | | Lets you create air-gapped containers. For more information, see [Air-Gapped Containers](/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md).| | `blockDockerLoad` | | When this setting is enabled, users can no longer run the `docker load` command and will receive an error if they try.| | `disableUpdate` | | Users get notifications about new Docker Desktop versions. Enabling this setting removes those notifications. Helpful if corporate IT manages Docker Desktop version updates for users.| @@ -76,4 +76,4 @@ Docker also offers a number of security related features, again through [Setting ## Optional step four: Meet with the Docker Implementation team -The Docker Implementation team can help you step through setting up your organization, configuring SSO, enforcing sign in, and configuring Docker. You can reach out to set up a meeting by emailing successteam@docker.com. +The Docker Implementation team can help you step through setting up your organization, configuring SSO, enforcing sign in, and configuring Docker. You can reach out to set up a meeting by emailing successteam@docker.com. 
diff --git a/content/guides/admin-set-up/deploy.md b/content/guides/admin-set-up/deploy.md index fddc992b4432..ab91d9f4e568 100644 --- a/content/guides/admin-set-up/deploy.md +++ b/content/guides/admin-set-up/deploy.md @@ -9,7 +9,7 @@ weight: 40 ## Step one: Enforce SSO -Enforcing SSO means that anyone who has a Docker profile with an email address that matches your verified domain must sign in using your SSO connection. Make sure the Identity provider groups associated with your SSO connection cover all the developer groups that you want to have access to the Docker subscription. +Enforcing SSO means that anyone who has a Docker profile with an email address that matches your verified domain must sign in using your SSO connection. Make sure the Identity provider groups associated with your SSO connection cover all the developer groups that you want to have access to the Docker subscription. ## Step two: Deploy configuration settings and enforce sign-in to users diff --git a/content/guides/admin-set-up/finalize-plans-and-setup.md b/content/guides/admin-set-up/finalize-plans-and-setup.md index 80eb21b99661..42aff92015d7 100644 --- a/content/guides/admin-set-up/finalize-plans-and-setup.md +++ b/content/guides/admin-set-up/finalize-plans-and-setup.md 
@@ -22,7 +22,7 @@ If you have more than one organization, it’s recommended that you either conso ### Set up single sign-on SSO domain verification -Single sign-on (SSO) allows developers to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. For more information, see the [documentation](/manuals/security/for-admins/single-sign-on/_index.md). +Single sign-on (SSO) lets developers to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. For more information, see the [documentation](/manuals/security/for-admins/single-sign-on/_index.md). You can also enable [SCIM] for further automation of provisioning and deprovisioning of users. @@ -40,4 +40,4 @@ You can also enable [SCIM] for further automation of provisioning and deprovisio Existing users may be running outdated or unsupported versions of Docker Desktop. It is highly recommended all users update to a supported version. Docker Desktop versions released within the past 6 months from the latest release are supported. -We recommend using a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. +It's recommended that you use us a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. From 7e3c3fd4cf871b6914460787f86e427569335200 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Mon, 7 Oct 2024 16:09:06 +0100 Subject: [PATCH 10/12] change step --- content/guides/admin-set-up/finalize-plans-and-setup.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
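Review bot: In the comms-and-info-gathering.md table hunk, the `analyticsEnabled` row is fixed but the `useVirtualizationFrameworkRosetta` context line still reads "lets Docker Desktop to use Rosetta"; fix it in the same pass.

Review bot: In the finalize-plans-and-setup.md hunk, the new SSO sentence "lets developers to authenticate" reintroduces the same "lets ... to" error, and the last hunk's "It's recommended that you use us a MDM solution" has a stray "us" and should read "an MDM solution".

Review bot: The deploy.md hunk and the comms-and-info-gathering.md `@@ -76,4 +76,4` hunk replace lines with text that appears identical in the diff (presumably a trailing-whitespace change); that is fine to keep, but say so in the commit message so reviewers do not hunt for a wording change.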
diff --git a/content/guides/admin-set-up/finalize-plans-and-setup.md b/content/guides/admin-set-up/finalize-plans-and-setup.md index 42aff92015d7..c58cd7dda716 100644 --- a/content/guides/admin-set-up/finalize-plans-and-setup.md +++ b/content/guides/admin-set-up/finalize-plans-and-setup.md @@ -6,9 +6,9 @@ weight: 20 ## Step one: Send finalized settings files to the MDM team -After reaching an agreement with the relevant teams on your baseline and security configurations as outlined in module one, follow the instructions in the [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md) documentation to create the admin-settings.json file that captures these configurations. +After reaching an agreement with the relevant teams on your baseline and security configurations as outlined in module one, follow the instructions in the [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md) documentation to create the `admin-settings.json` file that captures these configurations. -Once the file is ready, collaborate with your MDM team to deploy the admin-settings.json file, along with your chosen method for [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md).. +Once the file is ready, collaborate with your MDM team to deploy the `admin-settings.json` file, along with your chosen method for [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md).. > [!IMPORTANT] 
> @@ -40,4 +40,4 @@ You can also enable [SCIM] for further automation of provisioning and deprovisio Existing users may be running outdated or unsupported versions of Docker Desktop. It is highly recommended all users update to a supported version. Docker Desktop versions released within the past 6 months from the latest release are supported. -It's recommended that you use us a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. +It's recommended that you use a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. From b1c5add3a34815ec191f577ceebe795ec9078e83 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Thu, 10 Oct 2024 10:48:17 +0100 Subject: [PATCH 11/12] docs team review edits --- .../admin-set-up/comms-and-info-gathering.md | 50 +------------------ .../admin-set-up/finalize-plans-and-setup.md | 10 ++-- 2 files changed, 7 insertions(+), 53 deletions(-) diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index 8da3fed338f3..a70f525ab160 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md 
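Review bot: In the finalize-plans-and-setup.md Step one hunk, the backticks on `admin-settings.json` are restored but the double period at the end of the "Once the file is ready" sentence (`_index.md)..`) survives in the + line; and in the last hunk "use a MDM solution" should be "use an MDM solution".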
@@ -24,55 +24,9 @@ Some companies may have more than one [Docker organization](/manuals/admin/organ ## Step three: Gather requirements -### Baseline configuration +Through [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md), Docker provides numerous configuration parameters that can be preset. The Docker organization owner, development lead, and infosec representative should review these settings to establish the company’s baseline configuration, including security features and [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) for Docker Desktop users. Additionally, they should decide whether to take advantage of free trials for other Docker products, such as [Docker Scout](/manuals/scout/_index.md), which is included in the subscription. -Through [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md), Docker offers a significant number of configuration parameters that can be preset. - -The Docker organization owner and the development lead should review the settings to determine which of those settings to configure to create the company’s baseline configuration. You should also discuss [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) for your Docker Desktop users and whether you want to take advantage of the free trials of other Docker products such as [Docker Scout](/manuals/scout/_index.md), which is included in the subscription. - -{{< accordion title="Baseline settings to review" >}} - -| Setting | OS Requirements | Description | -|---------------------|-----------------|-----------------| -| `proxy` | | This setting configures the proxy used by Docker Desktop to access the internet. 
The proxy can be set manually or get its value from the system.| -| `wslEngineEnabled` | Windows only | This setting specifies whether the user should use WSL 2 or HyperV for the VM for Windows installations.| -| `kubernetes` | | Docker Desktop offers a Kubernetes single-node cluster for Kubernetes deployments locally. This setting controls whether it is started when Docker Desktop starts, and its configuration.| -| `analyticsEnabled` | | Docker lets users opt out of sending usage data to Docker. The usage data feeds what admins are able to see about Docker Desktop usage, so it is highly recommended to enable and lock this setting.| -| `useVirtualizationFrameworkVirtioFS`| macOS only | Virtiofs is the newer higher performance file sharing framework for Mac. It takes precedence over the older frameworks if it is enabled.| -| `useVirtualizationFrameworkRosetta` | macOS only | Rosetta is the Apple emulator for x86 chipsets. This setting lets Docker Desktop to use Rosetta when running containers built for the x86 chipset.| -| `allowExperimentalFeatures` | | Docker Desktop versions often contain experimental features for trial and feedback. If this setting is set to false, experimental features are disabled.| -| `allowBetaFeatures` | | Docker Desktop versions often contain beta features for trial and feedback. If this setting is set to false, beta features are disabled.| -| `configurationFileVersion` | | Specifies the version of the configuration file format.| -| `dockerDaemonOptions` - Linux Containers | | This setting overrides the options in the Docker Engine config file. For details, see the [Docker Engine reference](/reference/cli/dockerd.md#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. 
| -| `vpnkitCIDR` | | Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | -| `dockerDaemonOptions` - Windows Containers | Windows only | This setting overrides the options in the daemon config file. For details, see the [Docker Engine reference](/reference/cli/dockerd.md#daemon-configuration-file).| -| `extensionsEnabled` | | Docker extensions are third-party add-ons for Docker Desktop. This setting affects if they are allowed.| -| `useGrpcfuse` | macOS only | If the value is set to true, gRPC Fuse is set as the file sharing mechanism. | -| `displayedOnboarding` | | There is an onboarding survey that displays when Docker Desktop is installed and opened for the first time. This setting can disable the survey.| - -{{< /accordion >}} - -### Security configuration - -Docker also offers a number of security related features, again through [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md), that can be preset. The infosec representative, Docker organization owner, and the development lead should review those features to determine what should be enabled to meet your company’s security requirements. - -{{< accordion title="Security settings to review" >}} - -| Setting | OS Requirements | Description | -|------------|-----------------|---------------| -| Enhanced Container Isolation | | When this setting is enabled, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, and prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md). | -| Registry Access Management | | This parameter restricts the registries that `docker pull` and `docker push` commands can access. 
Note: This is not an endpoint security solution, but a guardrail for users working within company guidelines. For more information, see [Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md).| -| Image Access Management | | This parameter restricts the categories of images accessible within Docker Hub. Note: This is not an endpoint security solution; it's a guardrail for users working within company guidelines. For more information, see [Image Access Management](/manuals/security/for-admins/hardened-desktop/image-access-management.md).| -| Scout | | Settings related to how Scout creates SBOMs (Software Bill of Materials) and indexes vulnerabilities for images.| -| `exposeDockerAPIOnTCP2375` | Windows only | Exposes the Docker API on a specified port. If the value is set to true, the Docker API is exposed on port `2375`. This is unauthenticated and should only be enabled if protected by suitable firewall rules.| -| `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. It is available for Windows containers only. | -| `filesharingAllowedDirectories` | | Specify which paths on the developer host machine or network your users can add container file shares to.| -| `enableKerberosNtlm` | | When set to true, Kerberos and NTLM authentication is enabled. Default is false. Available in Docker Desktop version 4.32 and later.| -| `containersProxy` | | Lets you create air-gapped containers. For more information, see [Air-Gapped Containers](/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md).| -| `blockDockerLoad` | | When this setting is enabled, users can no longer run the `docker load` command and will receive an error if they try.| -| `disableUpdate` | | Users get notifications about new Docker Desktop versions. Enabling this setting removes those notifications. 
Helpful if corporate IT manages Docker Desktop version updates for users.| - -{{< /accordion >}} +To view the parameters that can be preset, see [Configure Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md#step-two-configure-the-settings-you-want-to-lock-in). ## Optional step four: Meet with the Docker Implementation team diff --git a/content/guides/admin-set-up/finalize-plans-and-setup.md b/content/guides/admin-set-up/finalize-plans-and-setup.md index c58cd7dda716..3f085fb1c556 100644 --- a/content/guides/admin-set-up/finalize-plans-and-setup.md +++ b/content/guides/admin-set-up/finalize-plans-and-setup.md @@ -8,7 +8,7 @@ weight: 20 After reaching an agreement with the relevant teams on your baseline and security configurations as outlined in module one, follow the instructions in the [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md) documentation to create the `admin-settings.json` file that captures these configurations. -Once the file is ready, collaborate with your MDM team to deploy the `admin-settings.json` file, along with your chosen method for [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md).. +Once the file is ready, collaborate with your MDM team to deploy the `admin-settings.json` file, along with your chosen method for [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). > [!IMPORTANT] 
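Review bot: replacing the two settings tables in the `@@ -24,55 +24,9 @@` hunk with a single link drops security caveats that the removed rows carried and that the new paragraph does not restate: that `exposeDockerAPIOnTCP2375` is unauthenticated and should only be enabled behind suitable firewall rules, that Registry Access Management and Image Access Management are guardrails rather than an endpoint security solution, and that `analyticsEnabled` should be enabled and locked because it feeds the usage data admins see. Since this is the step where the infosec representative decides what to lock, either confirm the target of the new link carries these notes or keep a short caveat sentence here. The new link also depends on the fragment `#step-two-configure-the-settings-you-want-to-lock-in`, which breaks silently if that heading is renamed; verify the anchor resolves or link to the page without it.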
> @@ -22,9 +22,9 @@ If you have more than one organization, it’s recommended that you either conso ### Set up single sign-on SSO domain verification -Single sign-on (SSO) lets developers to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. For more information, see the [documentation](/manuals/security/for-admins/single-sign-on/_index.md). +Single sign-on (SSO) lets developers authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. For more information, see the [documentation](/manuals/security/for-admins/single-sign-on/_index.md). -You can also enable [SCIM] for further automation of provisioning and deprovisioning of users. +You can also enable [SCIM](/manuals/security/for-admins/provisioning/scim.md) for further automation of provisioning and deprovisioning of users. ### Set up free tier Docker product entitlements included in the subscription 
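Review bot: the heading carried as context in this hunk, `### Set up single sign-on SSO domain verification`, reads as a doubled term; `### Set up single sign-on (SSO) domain verification` matches how the next line introduces the abbreviation. In the rewritten sentence, `SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription` is hard to parse because of the comma placement, and it leaves open whether the Business subscription requirement applies to both scopes or only to the single-organization case; make the scope explicit while the line is being touched.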
@@ -32,12 +32,12 @@ You can also enable [SCIM] for further automation of provisioning and deprovisio [Docker Scout](manuals/scout/_index.md) is a solution for proactively enhancing your software supply chain security. By analyzing your images, Docker Scout compiles an inventory of components, also known as a Software Bill of Materials (SBOM). The SBOM is matched against a continuously updated vulnerability database to pinpoint security weaknesses. To get started, see [Quickstart](/manuals/scout/quickstart.md). -### Ensure supported version of Docker Desktop +### Ensure you're running a supported version of Docker Desktop > [!WARNING] > > This step could affect the experience for users on older versions of Docker Desktop. -Existing users may be running outdated or unsupported versions of Docker Desktop. It is highly recommended all users update to a supported version. Docker Desktop versions released within the past 6 months from the latest release are supported. +Existing users may be running outdated or unsupported versions of Docker Desktop. It is highly recommended that all users update to a supported version. Docker Desktop versions released within the past 6 months from the latest release are supported. It's recommended that you use a MDM solution to manage the version of Docker Desktop for users. Users may also get Docker Desktop directly from Docker or through a company software portal. From 99e9835d6d26a2a344e733592ff1ebe2ab162b17 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Tue, 15 Oct 2024 10:30:19 +0100 Subject: [PATCH 12/12] KB review --- content/guides/admin-set-up/_index.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/content/guides/admin-set-up/_index.md b/content/guides/admin-set-up/_index.md index fa035ec5b04b..0a5bff1818fc 100644 --- a/content/guides/admin-set-up/_index.md +++ b/content/guides/admin-set-up/_index.md 
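Review bot: the context line `[Docker Scout](manuals/scout/_index.md)` in the `@@ -32,12 +32,12 @@` hunk uses a path without the leading slash, unlike every other link in these files (for example `/manuals/scout/_index.md` in the comms-and-info-gathering hunk above); a path written that way is likely to resolve relative to the current page's directory rather than the site root. Since the hunk already edits the surrounding lines, fix it here as `[Docker Scout](/manuals/scout/_index.md)`. The trailing context line `use a MDM solution` should also read `an MDM solution`.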
@@ -30,7 +30,7 @@ params: Docker's tools provide a scalable, secure platform that empowers your developers to create, ship, and run applications faster. As an administrator, you have the ability to streamline workflows, standardize development environments, and ensure smooth deployments across your organization. -By configuring Docker products to suit your company’s needs, you can optimize performance, simplify user management, and maintain control over resources. Whether you’re managing Docker Desktop, Docker Hub, or Docker Build Cloud, this guide will help you set up and configure Docker products to maximize productivity and success for your team whilst meeting compliance and security policies +By configuring Docker products to suit your company’s needs, you can optimize performance, simplify user management, and maintain control over resources. This guide will help you set up and configure Docker products to maximize productivity and success for your team whilst meeting compliance and security policies ## Who’s this for? @@ -38,6 +38,7 @@ By configuring Docker products to suit your company’s needs, you can optimize - IT leaders looking to streamline development and deployment workflows - Teams aiming to standardize application environments across multiple users - Organizations seeking to optimize their use of Docker products for greater scalability and efficiency +- Organizations with [Docker Business subscriptions](https://www.docker.com/pricing/). ## What you’ll learn 
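Review bot: the rewritten paragraph in the `@@ -30,7 +30,7 @@` hunk still ends without a terminal period (`...whilst meeting compliance and security policies`); since the line is being rewritten anyway, add it.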
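Review bot: the bullet added in the `@@ -38,6 +38,7 @@` hunk, `- Organizations with [Docker Business subscriptions](https://www.docker.com/pricing/).`, ends with a period while the three bullets above it do not; match the list style. More substantively, the SSO section in finalize-plans-and-setup.md says SSO for an individual organization requires a Docker Business subscription, so this bullet reads as a prerequisite for following the guide rather than as an audience segment; consider stating it as a prerequisite (for example, a short "Prerequisites" line after the list) so readers without that subscription learn it before they start.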
@@ -45,6 +46,24 @@ By configuring Docker products to suit your company’s needs, you can optimize - How to standardize Docker Desktop versions and settings to create a consistent baseline for all users, while allowing flexibility for advanced developers. - Strategies for implementing Docker’s security configurations to meet company IT and software development security requirements without hindering developer productivity. +## Features covered + +- Organizations. These are the core structure for managing your Docker environment, grouping users, teams, and image repositories. Your organization was created with your subscription and is managed by one or more Owners. Users signed into the organization are assigned seats based on the purchased subscription. +- Enforce sign-in. By default, Docker Desktop does not require sign-in. However, you can configure settings to enforce this and ensure your developers sign in to your Docker organization. +- SSO. Without SSO, user management in a Docker organization is manual. Setting up an SSO connection between your identity provider and Docker ensures compliance with your security policy and automates user provisioning. Adding SCIM further automates user provisioning and de-provisioning. +- General and security settings. Configuring key settings will ensure smooth onboarding and usage of Docker products within your environment. Additionally, you can enable security features based on your company's specific security needs. + +## Who needs to be involved? + +- Docker organization owner: A Docker organization owner must be involved in the process and will be required for several key steps. +- DNS team: The DNS team is needed during the SSO setup to verify the company domain. +- MDM team: Responsible for distributing Docker-specific configuration files to developer machines. +- Identity Provider team: Required for configuring the identity provider and establishing the SSO connection during setup. 
+- Development lead: A development lead with knowledge of Docker configurations to help establish a baseline for developer settings. +- IT team: An IT representative familiar with company desktop policies to assist with aligning Docker configuration to those policies. +- Infosec: A security team member with knowledge of company development security policies to help configure security features. +- Docker testers: A small group of developers to test the new settings and configurations before full deployment. + ## Tools integration Okta, Entra ID SAML 2.0, Azure Connect (OIDC), MDM solutions like Intune \ No newline at end of file
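Review bot: in the "Features covered" SSO bullet added by the `@@ -45,6 +46,24 @@` hunk, `Setting up an SSO connection between your identity provider and Docker ensures compliance with your security policy and automates user provisioning` followed by `Adding SCIM further automates user provisioning and de-provisioning` leaves it unclear what SSO alone automates versus what SCIM adds; state what each mechanism does, since deprovisioning is the part security reviewers care about and the bullet attributes it only to SCIM. `ensures compliance with your security policy` also overstates what an IdP connection can guarantee; `helps you meet` is defensible. In "Who needs to be involved?", `A Docker organization owner must be involved in the process and will be required for several key steps` says the same thing twice; one clause suffices. Finally, the hunk does not touch the `## Tools integration` line, so the file still ends without a trailing newline (`\ No newline at end of file`) and that line remains a bare fragment (`Okta, Entra ID SAML 2.0, Azure Connect (OIDC), MDM solutions like Intune`); add the newline now so the next edit does not produce a spurious diff, and consider turning the fragment into a sentence or list.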