diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md index 25de789f56f..34e19289a86 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md @@ -5,9 +5,9 @@ description: Configure and enforce Docker Desktop settings using an admin-settin keywords: admin controls, settings management, configuration, enterprise, docker desktop, json file weight: 10 aliases: - - /desktop/hardened-desktop/settings-management/configure/ - - /security/for-admins/hardened-desktop/settings-management/configure/ - - /security/for-admins/hardened-desktop/settings-management/configure-json-file/ + - /desktop/hardened-desktop/settings-management/configure/ + - /security/for-admins/hardened-desktop/settings-management/configure/ + - /security/for-admins/hardened-desktop/settings-management/configure-json-file/ --- {{< summary-bar feature_name="Hardened Docker Desktop" >}} @@ -19,13 +19,15 @@ Settings Management lets you configure and enforce Docker Desktop settings acros Before you begin, make sure you have: - [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) for -your organization + your organization - A Docker Business subscription Docker Desktop only applies settings from the `admin-settings.json` file when both authentication and Docker Business license checks succeed. > [!IMPORTANT] > +> The presence of the `admin-settings.json` file enforces sign-in on Docker Desktop (behavior since version 4.29). This is intended for business features that require authentication. +> > Users must be signed in and part of a Docker Business organization. If either condition isn't met, the settings file is ignored. ## Step one: Create the settings file 
@@ -33,12 +35,12 @@ Docker Desktop only applies settings from the `admin-settings.json` file when bo You can create the `admin-settings.json` file in two ways: - Use the `--admin-settings` installer flag to auto-generate the file: - - [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) installation guide - - [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) installation guide + - [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) installation guide + - [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) installation guide - Create it manually (UTF-8 without BOM) and place it in the following locations: - - Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json` - - Windows: `C:\ProgramData\DockerDesktop\admin-settings.json` - - Linux: `/usr/share/docker-desktop/admin-settings.json` + - Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json` + - Windows: `C:\ProgramData\DockerDesktop\admin-settings.json` + - Linux: `/usr/share/docker-desktop/admin-settings.json` > [!IMPORTANT] > @@ -56,7 +58,7 @@ Each setting supports a `locked` field that controls user permissions: - When `locked` is set to `true`, users can't change that value in Docker Desktop, the CLI, or config files. - When `locked` is set to `false`, the value acts like a default suggestion and users -can still update it. + can still update it. Settings where `locked` is set to `false` are ignored on existing installs if a user has already customized that value in `settings-store.json`, @@ -119,7 +121,7 @@ The following sample is an `admin-settings.json` file with common enterprise set "http": "", "https": "", "exclude": [], - "pac":"", + "pac": "", "embeddedPac": "", "transparentPorts": "" }, 
@@ -146,23 +148,23 @@ The following sample is an `admin-settings.json` file with common enterprise set }, "dockerDaemonOptions": { "locked": false, - "value":"{\"debug\": false}" + "value": "{\"debug\": false}" }, "vpnkitCIDR": { "locked": false, - "value":"192.168.65.0/24" + "value": "192.168.65.0/24" } }, "kubernetes": { - "locked": false, - "enabled": false, - "showSystemContainers": false, - "imagesRepository": "" + "locked": false, + "enabled": false, + "showSystemContainers": false, + "imagesRepository": "" }, "windowsContainers": { "dockerDaemonOptions": { "locked": false, - "value":"{\"debug\": false}" + "value": "{\"debug\": false}" } }, "disableUpdate": { @@ -196,7 +198,7 @@ The following sample is an `admin-settings.json` file with common enterprise set "sharedByDefault": true }, { - "path":"$TMP", + "path": "$TMP", "sharedByDefault": false } ], 
@@ -275,74 +277,74 @@ The following tables describe all available settings in the `admin-settings.json ### General settings -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -|`configurationFileVersion`| |Specifies the version of the configuration file format.| | -|`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | | -|`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| | -| `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to.| | -| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | Docker Desktop version 4.30 and later | -| `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | | -|`exposeDockerAPIOnTCP2375`| Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | -| `silentModulesUpdate` | | If `value` is set to `true`, Docker Desktop automatically updates components that don't require a restart. For example, the Docker CLI or Docker Scout components. | Docker Desktop version 4.46 and later. 
| +| Parameter | OS | Description | Version | +| :------------------------- | ------------ | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `configurationFileVersion` | | Specifies the version of the configuration file format. | | +| `analyticsEnabled` | | If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | | +| `disableUpdate` | | If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled. | | +| `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to. | | +| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | Docker Desktop version 4.30 and later | +| `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | | +| `exposeDockerAPIOnTCP2375` | Windows only | Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules. | | +| `silentModulesUpdate` | | If `value` is set to `true`, Docker Desktop automatically updates components that don't require a restart. For example, the Docker CLI or Docker Scout components. | Docker Desktop version 4.46 and later. | ### Extensions -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -|`extensionsEnabled`| |If `value` is set to false, Docker Extensions are disabled. 
| | -| `onlyMarketplaceExtensions` | | If `value` is set to true, developers are blocked from installing other extensions via the command line.| | -| `extensionsPrivateMarketplace` | | If `value` is set to true, activates the private marketplace is enabled which ensures Docker Desktop connects to content defined and controlled by the administrator instead of the public Docker marketplace. | | -| `extensionsPrivateMarketplaceAdminContactURL` | | Defines a contact link for developers to request new extensions in the private marketplace. | | +| Parameter | OS | Description | Version | +| :-------------------------------------------- | --- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `extensionsEnabled` | | If `value` is set to false, Docker Extensions are disabled. | | +| `onlyMarketplaceExtensions` | | If `value` is set to true, developers are blocked from installing other extensions via the command line. | | +| `extensionsPrivateMarketplace` | | If `value` is set to true, activates the private marketplace is enabled which ensures Docker Desktop connects to content defined and controlled by the administrator instead of the public Docker marketplace. | | +| `extensionsPrivateMarketplaceAdminContactURL` | | Defines a contact link for developers to request new extensions in the private marketplace. | | ### File sharing and emulation -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -| `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. 
| | -| `useVirtualizationFrameworkVirtioFS`| macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. | | -| `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. | | -| `useVirtualizationFrameworkRosetta`| macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | Docker Desktop version 4.29 and later. | +| Parameter | OS | Description | Version | +| :----------------------------------- | ---------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. | | +| `useVirtualizationFrameworkVirtioFS` | macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. 
Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. | | +| `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. | | +| `useVirtualizationFrameworkRosetta` | macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | Docker Desktop version 4.29 and later. | ### Docker Scout -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -|`scout`| | Setting `useBackgroundIndexing` to `false` disables automatic indexing of images loaded to the image store. Setting `sbomIndexing` to `false` prevents users from being able to index image by inspecting them in Docker Desktop or using `docker scout` CLI commands. | | +| Parameter | OS | Description | Version | +| :-------- | --- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `scout` | | Setting `useBackgroundIndexing` to `false` disables automatic indexing of images loaded to the image store. Setting `sbomIndexing` to `false` prevents users from being able to index image by inspecting them in Docker Desktop or using `docker scout` CLI commands. | | ### Proxy settings -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -|`proxy`| |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores any values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. 
If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | | -| `windowsDockerdPort`| Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. | | -|`enableKerberosNtlm`| |When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. For more information, see the settings documentation. | Docker Desktop version 4.32 and later. | -| `pac` | | Specifies a PAC file URL. For example, `"pac": "http://proxy/proxy.pac"`. | | -| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-Config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. | +| Parameter | OS | Description | Version | +| :------------------- | ------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `proxy` | | If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores any values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. 
If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | | +| `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. | | +| `enableKerberosNtlm` | | When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. For more information, see the settings documentation. | Docker Desktop version 4.32 and later. | +| `pac` | | Specifies a PAC file URL. For example, `"pac": "http://proxy/proxy.pac"`. | | +| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. | ### Container proxy -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -|`containersProxy` | | Creates air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md).| Docker Desktop version 4.29 and later. | -| `pac` | | Specifies a PAC file URL. For example, `"pac": "http://containerproxy/proxy.pac"`. | | -| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-Config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"PROXY 192.168.92.1:2003\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. 
| +| Parameter | OS | Description | Version | +| :---------------- | --- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `containersProxy` | | Creates air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md). | Docker Desktop version 4.29 and later. | +| `pac` | | Specifies a PAC file URL. For example, `"pac": "http://containerproxy/proxy.pac"`. | | +| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"PROXY 192.168.92.1:2003\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. | ### Linux VM settings -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -| `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | | -|        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. | | -|        `dockerDaemonOptions` | |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. 
| | -|        `vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | | +| Parameter | OS | Description | Version | +| :----------------------------------------------- | ------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `linuxVM` | | Parameters and settings related to Linux VM options - grouped together here for convenience. | | +|        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. | | +|        `dockerDaemonOptions` | | If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | | +|        `vpnkitCIDR` | | Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | | ### Windows containers -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | | -|        `dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. 
See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file).| | +| Parameter | OS | Description | Version | +| :----------------------------------------------- | --- | :------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | | +|        `dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). | | > [!NOTE] 
> @@ -350,9 +352,9 @@ The following tables describe all available settings in the `admin-settings.json ### Kubernetes settings -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -|`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. The [imagesRepository](/manuals/desktop/use-desktop/kubernetes.md#configuring-a-custom-image-registry-for-kubernetes-control-plane-images) setting lets you specify which repository Docker Desktop pulls control-plane Kubernetes images from. | | +| Parameter | OS | Description | Version | +| :----------- | --- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `kubernetes` | | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. The [imagesRepository](/manuals/desktop/use-desktop/kubernetes.md#configuring-a-custom-image-registry-for-kubernetes-control-plane-images) setting lets you specify which repository Docker Desktop pulls control-plane Kubernetes images from. | | > [!NOTE] 
> @@ -365,23 +367,23 @@ The following tables describe all available settings in the `admin-settings.json ### Networking settings -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -| `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | Docker Desktop version 4.43 and later. | -| `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none`| Docker Desktop version 4.43 and later. | -| `portBindingBehavior` | Linux-based containers only | Defines port binding restrictions and default behavior, allowing admins to control how a user exposes ports from their containers. Options: `default-port-binding`, `default-local-port-binding`, `local-only-port-binding` | Docker Desktop version 4.52 and later. | +| Parameter | OS | Description | Version | +| :---------------------- | --------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | Docker Desktop version 4.43 and later. | +| `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none` | Docker Desktop version 4.43 and later. | +| `portBindingBehavior` | Linux-based containers only | Defines port binding restrictions and default behavior, allowing admins to control how a user exposes ports from their containers. 
Options: `default-port-binding`, `default-local-port-binding`, `local-only-port-binding` | Docker Desktop version 4.52 and later. | For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows). ### AI settings -| Parameter | OS | Description | Version | -|:----------------------------|---------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| -| `enableInference` | | Setting `enableInference` to `true` enables [Docker Model Runner](/manuals/ai/model-runner/_index.md). | | -| `enableInferenceTCP` | | Enable host-side TCP support. This setting requires the Docker Model Runner setting to be enabled first. | | -| `enableInferenceTCPPort` | | Specifies the exposed TCP port. This setting requires the Docker Model Runner and Enable host-side TCP support settings to be enabled first. | | -| `enableInferenceCORS` | | Specifies the allowed CORS origins. Empty string to deny all,`*` to accept all, or a list of comma-separated values. This setting requires the Docker Model Runner and Enable host-side TCP support settings to be enabled first. | | -| `enableInferenceGPUVariant` | Windows only | Setting `enableInferenceGPUVariant` to `true` enables GPU-backed inference. The additional components required for this don't come by default with Docker Desktop, therefore they will be downloaded to `~/.docker/bin/inference`. 
| | +| Parameter | OS | Description | Version | +| :-------------------------- | ------------ | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `enableInference` | | Setting `enableInference` to `true` enables [Docker Model Runner](/manuals/ai/model-runner/_index.md). | | +| `enableInferenceTCP` | | Enable host-side TCP support. This setting requires the Docker Model Runner setting to be enabled first. | | +| `enableInferenceTCPPort` | | Specifies the exposed TCP port. This setting requires the Docker Model Runner and Enable host-side TCP support settings to be enabled first. | | +| `enableInferenceCORS` | | Specifies the allowed CORS origins. Empty string to deny all,`*` to accept all, or a list of comma-separated values. This setting requires the Docker Model Runner and Enable host-side TCP support settings to be enabled first. | | +| `enableInferenceGPUVariant` | Windows only | Setting `enableInferenceGPUVariant` to `true` enables GPU-backed inference. The additional components required for this don't come by default with Docker Desktop, therefore they will be downloaded to `~/.docker/bin/inference`. | | ### Beta features 
@@ -389,18 +391,18 @@ For more information, see [Networking](/manuals/desktop/features/networking.md#n > > For Docker Desktop versions 4.41 and earlier, some of these settings lived under the **Experimental features** tab on the **Features in development** page. -| Parameter | OS | Description | Version | -|:-----------------------------------------------------|----|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------| -| `allowBetaFeatures` | | If `value` is set to `true`, beta features are enabled. | | -| `enableDockerAI` | | If `allowBetaFeatures` is true, setting `enableDockerAI` to `true` enables [Gordon](/manuals/ai/gordon/_index.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | | -| `enableDockerMCPToolkit` | | If `allowBetaFeatures` is true, setting `enableDockerMCPToolkit` to `true` enables the [MCP Toolkit feature](/manuals/ai/mcp-catalog-and-toolkit/toolkit.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | | -| `allowExperimentalFeatures` | | If `value` is set to `true`, experimental features are enabled. | Docker Desktop version 4.41 and earlier | +| Parameter | OS | Description | Version | +| :-------------------------- | --- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | +| `allowBetaFeatures` | | If `value` is set to `true`, beta features are enabled. 
| | +| `enableDockerAI` | | If `allowBetaFeatures` is true, setting `enableDockerAI` to `true` enables [Gordon](/manuals/ai/gordon/_index.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | | +| `enableDockerMCPToolkit` | | If `allowBetaFeatures` is true, setting `enableDockerMCPToolkit` to `true` enables the [MCP Toolkit feature](/manuals/ai/mcp-catalog-and-toolkit/toolkit.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | | +| `allowExperimentalFeatures` | | If `value` is set to `true`, experimental features are enabled. | Docker Desktop version 4.41 and earlier | ### Enhanced Container Isolation -|Parameter|OS|Description|Version| -|:-------------------------------|---|:-------------------------------|---| -|`enhancedContainerIsolation`| | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/_index.md).| | -|        `dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This lets you relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | | -|               `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | | -|               `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. 
| | +| Parameter | OS | Description | Version | +| :------------------------------------------------------------- | --- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/_index.md). | | +|        `dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This lets you relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | | +|               `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | | +|               `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. | |
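Review bot: In the `@@ -19,13 +19,15 @@` hunk, the added sentence "The presence of the `admin-settings.json` file enforces sign-in on Docker Desktop" sits directly above the unchanged line "If either condition isn't met, the settings file is ignored", and the two read as conflicting: one says the file forces sign-in, the other says the file has no effect without sign-in. Please state the order of events, for example that the file's presence requires the user to sign in and that the settings in it are applied only once sign-in and the Docker Business check succeed. It would also help to say whether the "Enforce sign-in" prerequisite in the list above is still a separate step, and to phrase the version as "Docker Desktop version 4.29 and later" to match the Version column used in the tables.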
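Review bot: In the `@@ -33,12 +35,12 @@` hunk, the re-indented Mac entry still shows the path as `/Library/Application\ Support/com.docker.docker/admin-settings.json`, with a shell-escaped space inside inline code. The backslash is only correct when the path is typed unquoted into a shell; an admin who copies it into an MDM profile or a configuration-management template gets a path that does not exist, and the settings file is then not found. Since the line is being touched anyway, consider writing the literal path `/Library/Application Support/com.docker.docker/admin-settings.json`, as the Windows and Linux entries do.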
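Review bot: In the `@@ -275,74 +277,74 @@` hunk, the `embeddedPac` rows in both the Proxy settings and Container proxy tables change "PAC (Proxy Auto-Config)" to "PAC (Proxy Auto-config)", which is a wording change inside what is otherwise a whitespace-only table realignment; please revert the casing or call it out in the commit description. Two description cells are carried over with known problems and could be fixed while the rows are rewritten: the `extensionsPrivateMarketplace` row reads "activates the private marketplace is enabled which ensures", and the `linuxVM` `dockerDaemonOptions` row says "If `value` is set to true" although the sample earlier in the file sets it to a JSON string (`"value": "{\"debug\": false}"`).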
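Review bot: In the `@@ -365,23 +367,23 @@` hunk, the `enableInferenceCORS` row keeps the missing space in "Empty string to deny all,`*` to accept all", so the realigned table still renders the comma against the code span. Beyond the spacing, this row is the only place the wildcard is described, and it depends on `enableInferenceTCP` being on; a short sentence saying that `*` lets any origin call the host-side TCP endpoint, and that a list of specific origins is the narrower choice, would give admins what they need to pick a value. The `dnsInhibition` row in the same hunk is also the only description in its table without a closing period.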
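Review bot: In the `@@ -389,18 +391,18 @@` hunk, the `enableDockerAI` and `enableDockerMCPToolkit` rows each open with "If `allowBetaFeatures` is true" and close with "You can independently control this setting from the `allowBetaFeatures` setting", which reads as both dependent on and independent of `allowBetaFeatures`. An admin trying to lock these features off cannot tell from the row whether setting `allowBetaFeatures` to `false` is sufficient or whether each feature must also be set to `false` explicitly. Please reword both rows to say which setting wins when the two disagree.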