Adds doc for Windows/macOS MDM integration

[riccardomanfrin]

Summary by CodeRabbit

Summary by CodeRabbit

• Documentation

  • Added an MDM Integration guide explaining OS-native managed-configuration enforcement for Windows and macOS, including where policies are read, how updates are applied, verification steps, and troubleshooting.
  • Added navigation entry for the new “MDM Integration” page.

• New Assets

  • Added macOS MDM managed-preferences templates (plist, mobileconfig, and a generator script).
  • Added Windows Group Policy templates (ADMX/ADML) and a JumpCloud PowerShell import script.

[coderabbitai]

Warning

Review limit reached

@riccardomanfrin, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 46 minutes and 51 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 35d85927-db8a-4d46-86a7-a0e450c5f8f6

📥 Commits

Reviewing files that changed from the base of the PR and between 1e6a964 and 9f40ea0.

📒 Files selected for processing (2)

• public/docs-static/files/netbird-macos.sh
• public/docs-static/files/netbird-policy.reg.ps1

📝 Walkthrough

Walkthrough

The PR introduces a new MDM Integration documentation page and supporting platform-specific templates for enforcing NetBird client configuration via OS-native MDM. It includes policy schema definitions (ADMX/ADML), delivery scripts and templates for Windows and macOS, comprehensive documentation covering all platforms and delivery methods, and verification and troubleshooting workflows.

Changes

MDM Integration Documentation

Layer / File(s)	Summary
Navigation routing src/components/NavigationDocs.jsx	New MDM Integration link added to the CLIENT group in the documentation navigation.
MDM documentation foundation and policy reference src/pages/client/mdm-integration.mdx	Page setup with component imports and description export, enforcement behavior overview (priority, locked fields, ~1-minute update timing, MDM-authoritative semantics), and complete policy keys reference with types and semantic descriptions.
Windows policy definitions and delivery public/docs-static/files/netbird.admx, public/docs-static/files/netbird.adml, public/docs-static/files/netbird-policy.reg.ps1, src/pages/client/mdm-integration.mdx	ADMX/ADML policy schema defining foundational (ManagementURL, PreSharedKey), networking (auto-connect, route behavior, inbound blocking, SSH allowance, Rosenpass, WireGuard port, split-tunnel), and UI feature visibility policies; PowerShell script for clearing and importing .reg files with audit logging; Windows policy path documentation and delivery methods (Group Policy, Intune ADMX/OMA-URI, .reg import, JumpCloud).
macOS policy templates and delivery public/docs-static/files/io.netbird.client.plist, public/docs-static/files/netbird-macos.mobileconfig, public/docs-static/files/netbird-macos.sh, src/pages/client/mdm-integration.mdx	Bare plist template for NetBird MDM preferences with management URL and enforcement key examples, mobileconfig profile wrapper for MDM distribution, Bash script for generating, validating, and installing the managed-preferences plist with optional daemon reload; macOS policy path documentation, managed-preferences reboot behavior warnings, custom configuration profile workflow, and JumpCloud MDM-enrolled/non-enrolled device options.
Verification and troubleshooting src/pages/client/mdm-integration.mdx	Verification workflow using netbird debug config output and mDMManagedFields correlation with locked fields in the client UI; troubleshooting steps for policy not applying, key visibility discrepancies, field-change restrictions, macOS managed-preference loss on reboot, and handling unsupported MDM providers.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• braginini
• SunsetDrifter

Poem

🐰 Through policy forests, the rabbit bounds,
MDM magic on Windows and Mac grounds—
Templates, scripts, and schemas so bright,
Fleet configuration locked down tight!
~✨🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding documentation for Windows and macOS MDM integration. It is clear, specific, and directly reflects the core purpose of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch mdm_integration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/components/NavigationDocs.jsx`:
- Line 749: ESLint is crashing when loading the next/core-web-vitals config due
to a circular structure in the exported config; open eslint.config.mjs and
remove any direct require/import that injects complex module objects into the
exported config (e.g., spreading a require(...) result or exporting non-plain
objects), and instead reference the Next config by name in a plain extends array
(use extends: ['next/core-web-vitals'] or the equivalent flat-config entry) so
the exported default is a simple serializable object; also ensure you aren’t
exporting functions or Next internals and that eslint-config-next /
eslint-plugin-next versions are compatible, then rerun npm run lint to confirm
the crash is resolved.

In `@src/pages/client/mdm-integration.mdx`:
- Around line 119-199: The MDX references to docs assets (netbird.admx,
netbird.adml, netbird-policy.reg, netbird-policy.reg.ps1) are broken in
src/pages/client/mdm-integration.mdx; either add the missing files to the docs/
directory with those exact names or update the links in mdm-integration.mdx to
point to the actual locations (e.g., repo paths that currently contain the
ADMX/ADML and .reg/.ps1 samples); specifically check and fix occurrences of
"docs/netbird.admx", "docs/netbird.adml", "docs/netbird-policy.reg", and
"docs/netbird-policy.reg.ps1" so they resolve to existing files in the repo.
- Around line 221-306: The MDX page src/pages/client/mdm-integration.mdx
references three non-existent template files (docs/netbird-macos.mobileconfig,
docs/io.netbird.client.plist, docs/netbird-macos.sh); either add the missing
template files under docs/ with the expected names and contents, or update the
references in mdm-integration.mdx to point to the actual existing
filenames/paths in the repo (and adjust the JumpCloud instructions to reference
the correct plist name if different); ensure the chosen fix is consistent across
the text (all mentions of netbird-macos.mobileconfig, io.netbird.client.plist,
and netbird-macos.sh) and confirm the site builds with the updated links.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d0a66cd0-4de3-416a-885d-c6277a484f9e

📥 Commits

Reviewing files that changed from the base of the PR and between a8c86c4 and b7aeec1.

📒 Files selected for processing (2)

• src/components/NavigationDocs.jsx
• src/pages/client/mdm-integration.mdx

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@public/docs-static/files/netbird-macos.sh`:
- Around line 135-143: The emit_int function accepts any non-negative integer
without range validation, allowing invalid wireguardPort and splitTunnelMode
values to be written to the plist. Add validation constraints before writing
plist entries: wireguardPort must be validated to ensure it falls within the
valid port range of 1-65535, and splitTunnelMode must be validated to ensure it
is either "allow" or "disallow". Implement these validations in emit_int by
adding additional condition checks (similar to the existing decimal validation
check), and log appropriate skip messages when values fail validation. This
ensures that only valid policy values are written to the plist file.

In `@public/docs-static/files/netbird-policy.reg.ps1`:
- Around line 86-88: The reg.exe query command on line 88 executes
unconditionally and can produce false error messages in logs when the registry
key does not exist, which is expected behavior for the header-only .reg unsets
policy scenario. Guard the reg.exe query $RegKey /s call with a Test-Path check
to verify the registry key exists first, and if the key does not exist, output
an explicit Write-Host message indicating that no values are present instead of
allowing reg.exe to emit a not-found error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 39b6fe13-63f8-4202-9e51-18328bed7897

📥 Commits

Reviewing files that changed from the base of the PR and between b7aeec1 and 1e6a964.

📒 Files selected for processing (8)

• public/docs-static/files/io.netbird.client.plist
• public/docs-static/files/netbird-macos.mobileconfig
• public/docs-static/files/netbird-macos.sh
• public/docs-static/files/netbird-policy.reg
• public/docs-static/files/netbird-policy.reg.ps1
• public/docs-static/files/netbird.adml
• public/docs-static/files/netbird.admx
• src/pages/client/mdm-integration.mdx

✅ Files skipped from review due to trivial changes (2)

• public/docs-static/files/netbird.adml
• src/pages/client/mdm-integration.mdx