diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,16 @@
+## 2017-05-12  - Release 0.4.2
+
+### Summary
+
+- Added a `node_manager` face for classifier API
+- Added ability to manage node_groups using SSL or token authentication
+- Added ability to manage node_groups from a remote client
+- Set `https` provider as default
+
+#### Bugfixes
+
+- `classes` attribute Hash is now deep-sorted to maintain idempotency
+
 ## 2017-03-31 - Release 0.4.1
 
 ### Summary

diff --git a/HTTPS.md b/HTTPS.md
diff --git a/README.md b/README.md
@@ -4,11 +4,13 @@
 
 1. [Overview](#overview)
 1. [Requirements](#requirements)
+1. [Authentication](#authentication)
 1. [Types](#types)
     * [Node_group](#node_group)
     * [Puppet_environment](#puppet_environment)
 1. [Functions](#functions)
     * [node_groups()](#node_groups)
+1. [Face](#face)
 1. [Things to do](#things-to-do)
 
 ## Overview
@@ -19,9 +21,7 @@ Create and manage PE node groups as resources.
 
 * \*nix operating system
 * Puppet >= 3.7.1
-* [puppetclassify](https://github.com/puppetlabs/puppet-classify) gem
-* [puppetlabs/pe_gem module](https://forge.puppetlabs.com/puppetlabs/pe_gem)
-* NOTE: new `https` provider which doesn't need gem dependency at [HTTPS.md](HTTPS.md)
+* New `https` provider which doesn't need `puppetclassify` gem
 
 ## Classes
 
@@ -30,6 +30,33 @@ Create and manage PE node groups as resources.
 The node_manager class facilitates the deployment of the puppetclassify gem
 simply include node_manager in your node definition or add it to the pe_master node group
 
+## Authentication
+
+### PE Console server
+
+Using the types and functions on the PE Console server will read the configuration at
+`/etc/puppetlabs/puppet/classifier.yaml` which contains the default server information
+and SSL certificate paths.  No extra configuration is necessary.
+
+### Remote client or custom information
+
+In order to manage node groups from a remote client, you'll need to [whitelist a certificate](https://docs.puppet.com/pe/latest/nc_forming_requests.html#whitelisted-certificate)
+or [generate a token](https://docs.puppet.com/pe/latest/nc_forming_requests.html#authentication-token) with permissions to edit node groups.
+Create a file at `/etc/puppetlabs/puppet/node_manager.yaml` in the following format:
+
+```
+server: master.puppetlabs.vm             # Defaults to $settings::server
+port: 4433                               # Defaults to 4433
+# Supply certs
+hostcert: /root/certs/client.pem
+hostprivkey: /root/certs/client_key.pem
+localcacert: /root/certs/ca.pem
+# Or token
+token: AJLqDQxalbVSMWrZcX03aGtixvk_S2xGZfQizY9YvzVk
+```
+
+_NOTE:_ The token will be favored if both SSL and a token is provided.
+
 ## Types
 
 ### Node_group
@@ -90,34 +117,14 @@ node_group { 'PE MCollective':
 
   The UID for the data group. Can be specified by group name or UID.
 
-  Default: `default`
+  Default: `All Nodes`
 
 * `rules`
 
   An array of classification rules.
 
   Default (empty array): `[]`
 
-### Puppet_environment
-
-Enumerate all puppet environments:
-
-* `puppet resource puppet_environment`
-
-Example output for `puppet resource puppet_environment production`
-
-```puppet
-puppet_environment { 'production':
-  ensure => 'present',
-}
-```
-
-#### Puppet_environment parameters
-
-* `name`
-
-  (namevar) Name of the Puppet environment on disk, i.e. the directory name in `$environmentpath`.
-
 ## Functions
 
 ### node_groups()
@@ -128,10 +135,10 @@ Retrieve all or one node_group and its data.
 
 ```puppet
 {
-  "default"=>{
+  "All Nodes"=>{
     "environment_trumps"=>false,
     "parent"=>"00000000-0000-4000-8000-000000000000",
-    "name"=>"default",
+    "name"=>"All Nodes",
     "rule"=>["and", ["~", "name", ".*"]],
     "variables"=>{}, "id"=>"00000000-0000-4000-8000-000000000000",
     "environment"=>"production",
@@ -151,14 +158,14 @@ Retrieve all or one node_group and its data.
 }
 ```
 
-`node_groups('default')` will return:
+`node_groups('All Nodes')` will return:
 
 ```puppet
 {
-  "default"=>{
+  "All Nodes"=>{
     "environment_trumps"=>false,
     "parent"=>"00000000-0000-4000-8000-000000000000",
-    "name"=>"default",
+    "name"=>"All Nodes",
     "rule"=>["and", ["~", "name", ".*"]],
     "variables"=>{}, "id"=>"00000000-0000-4000-8000-000000000000",
     "environment"=>"production",
@@ -169,10 +176,37 @@ Retrieve all or one node_group and its data.
 
 _Type:_ rvalue
 
+## Face
+
+The `node_manager` face allows you to interact with endpoints other than
+the groups endpoint using the type or function. Use the `--help` flag
+to explore functionaliy of each action.
+
+```
+# puppet node_manager --help
+
+USAGE: puppet node_manager <action>
+
+Interact with node classifier API
+
+OPTIONS:
+  --render-as FORMAT             - The rendering format to use.
+  --verbose                      - Whether to log verbosely.
+  --debug                        - Whether to log debug information.
+
+ACTIONS:
+  classes         List class information
+  classified      List classification information
+  environments    Query environment sync status
+  groups          List group information
+  unpin           Unpin a node from all groups
+
+See 'puppet man node_manager' or 'man puppet-node_manager' for full help.
+```
+
 ## Things to do
 
-* Remove `puppetclassify` dependency
-* Get feedback on `https` provider, new [HTTPS.md](HTTPS.md)
+* Remove `puppetclassify` classes
 
 ## Maintainers
 

diff --git a/lib/puppet/application/node_manager.rb b/lib/puppet/application/node_manager.rb
@@ -0,0 +1,5 @@
+require 'puppet/face'
+require 'puppet/application/face_base'
+
+class Puppet::Application::Node_manager < Puppet::Application::FaceBase
+end