72 changes: 64 additions & 8 deletions content/manuals/security/for-admins/domain-audit.md
@@ -1,7 +1,7 @@
---
description: Learn how to audit your domains for uncaptured users.
keywords: domain audit, security, identify users, manage users
title: Domain audit
title: Domain management
aliases:
- /docker-hub/domain-audit/
- /admin/company/settings/domains/
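Review bot: the front matter is only half renamed: `title` becomes "Domain management", but `description` ("Learn how to audit your domains for uncaptured users.") and `keywords` ("domain audit, security, identify users, manage users") still describe the page as an audit-only page. Update both to cover the new auto-provisioning content as well, for example `description: Learn how to audit your domains for uncaptured users and auto-provision users to your organization.` and add `domain management, auto-provisioning` to `keywords`, so search and the page summary match the new scope.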
Expand All @@ -11,20 +11,39 @@

{{< summary-bar feature_name="Domain audit" >}}

Domain audit identifies uncaptured users in an organization. Uncaptured users are Docker users who have authenticated to Docker using an email address associated with one of your verified domains, but they're not a member of your organization in Docker. You can audit domains on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/).
Domain management identifies uncaptured users in an organization. Uncaptured
users are Docker users who have logged into Docker using an email address
associated with one of your verified domains, but are not a member of your
organization in Docker. To manage your organization, domain management allows
you to:

Uncaptured users who access Docker Desktop in your environment may pose a security risk because your organization's security settings, like Image Access Management and Registry Access Management, aren't applied to a user's session. In addition, you won't have visibility into the activity of uncaptured users. You can add uncaptured users to your organization to gain visibility into their activity and apply your organization's security settings.
- Audit domains for uncaptured users
- Auto-provision users to an organization

Uncaptured users who access Docker Desktop may pose a security risk because
your organization's security settings, like Image Access
Management and Registry Access Management, aren't applied to a user's session.
In addition, you won't have visibility into the activity of uncaptured users.
You can add uncaptured users to your organization to gain visibility into their
activity and apply your organization's security settings.

Domain audit can't identify the following Docker users in your environment:

- Users who access Docker Desktop without authenticating
- Users who authenticate using an account that doesn't have an email address associated with one of your verified domains
- Users who authenticate using an account that doesn't have an email address
associated with one of your verified domains

Although domain audit can't identify all Docker users in your environment, you can enforce sign-in to prevent unidentifiable users from accessing Docker Desktop in your environment. For more details about enforcing sign-in, see [Configure registry.json to enforce sign-in](../for-admins/enforce-sign-in/_index.md).
Although domain audit can't identify all Docker users in your environment, you
can enforce sign-in to prevent unidentifiable users from accessing Docker
Desktop in your environment. For more details about enforcing sign-in, see
[Enforce sign-in for Docker Desktop](../for-admins/enforce-sign-in/_index.md).

> [!TIP]
>
> You can use endpoint management (MDM) software to identify the number of Docker Desktop instances and their versions within your environment. This can provide accurate license reporting, help ensure your machines use the latest version of Docker Desktop, and enable you to [enforce sign-in](enforce-sign-in/_index.md).
> You can use endpoint management (MDM) software to identify the number of
Docker Desktop instances and their versions within your environment. This can
provide accurate license reporting, help ensure your machines use the latest
version of Docker Desktop, and enable you to [enforce sign-in](enforce-sign-in/_index.md).
> - [Intune](https://learn.microsoft.com/en-us/mem/intune/apps/app-discovered-apps)
> - [Jamf](https://docs.jamf.com/10.25.0/jamf-pro/administrator-guide/Application_Usage.html)
> - [Kandji](https://support.kandji.io/support/solutions/articles/72000559793-view-a-device-application-list)
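Review bot: the rewrapped tip at the end of this hunk drops the `>` prefix on its continuation lines ("Docker Desktop instances and their versions within your environment...", "provide accurate license reporting...", "version of Docker Desktop, and enable you to..."); lazy continuation keeps the paragraph inside the blockquote today, but it is inconsistent with the `> - [Intune]` list lines that follow and breaks as soon as a blank line is inserted, so prefix each wrapped line with `> `. Two smaller points in the same hunk: the summary bar still reads `feature_name="Domain audit"` and the sentence "Domain audit can't identify the following Docker users in your environment:" keeps the old name, so either rename these alongside the title or make clear that domain audit is one function of domain management; and the vale spelling failures on "uncaptured" fire on wording this hunk only rewraps, so the term belongs in the repository's vale spelling exceptions rather than being rephrased here.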
Expand All @@ -33,9 +52,11 @@

## Prerequisites

Before you audit your domains, review the following required prerequisites:
Before managing domains, review the following required prerequisites:

- Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../../subscription/change.md).
- Your organization must be part of a Docker Business subscription. To upgrade
your existing account to a Docker Business subscription, see
[Upgrade your subscription](../../subscription/change.md).
- You must [add and verify your domains](./single-sign-on/configure/_index.md#step-one-add-and-verify-your-domain).

> [!IMPORTANT]
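Review bot: "review the following required prerequisites" in the reworded intro line is redundant (prerequisites are required by definition); since the line is being touched anyway, shorten it to "Before managing domains, make sure that:". Note also that the verify-domains bullet links `./single-sign-on/configure/_index.md#step-one-add-and-verify-your-domain`; the new Auto-provisioning section links the same page under a different path and anchor, so the two should be reconciled.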
Expand All @@ -59,3 +80,38 @@
{{< /tab >}}
{{< /tabs >}}

## Auto-provisioning

Auto-provisioning adds users to your organization when they sign in with an
email address that matches a verified domain. This relies on domain
verification, which confirms that your organization controls the domain. Once
a domain is verified, Docker can automatically associate matching users with
your organization. For more information on verifying a domain, see
[Verify your domain](/manuals/security/for-admins/single-sign-on/configure.md#step-two-verify-your-domain).

This simplifies user management, helps apply organization-level security
settings consistently, and reduces the risk of uncaptured users accessing
Docker services without visibility or controls.

> [!IMPORTANT]
>
> For domains that are part of an SSO connection, Just-in-Time (JIT) overrides auto-provisioning to add users to an organization.

### Enable auto-provisioning

1. Open the [Admin Console](https://app.docker.com/admin).
2. Select **Domain management** from the left-hand navigation.
3. Select the **Actions menu** next to your user.
4. Select **Enable auto-provisioning**.
5. Optional. If enabling auto-provisioning at the company level, select an organization for the user.
6. Select **Enable** to confirm.

The **Auto-provisioning** column will update to **Enabled**.

### Disable auto-provisioning

1. Open the [Admin Console](https://app.docker.com/admin).
2. Select **Domain management** from the left-hand navigation.
3. Select the **Actions menu** next to your user.
4. Select **Disable auto-provisioning**.
5. Select **Disable**.
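Review bot: step 3 of both the Enable and Disable procedures says "Select the **Actions menu** next to your user", but this page configures domains, and the stated result ("The **Auto-provisioning** column will update to **Enabled**") is a column of the domain list, so this should read "next to your domain"; likewise step 5 under Enable ("select an organization for the user") presumably means "for the domain". The domain verification link in the intro points to `/manuals/security/for-admins/single-sign-on/configure.md#step-two-verify-your-domain`, while the Prerequisites section links `./single-sign-on/configure/_index.md#step-one-add-and-verify-your-domain`; the two paths and anchors cannot both be correct, so check them against the SSO configure page and use one form in both places. Finally, since the IMPORTANT note states that JIT provisioning overrides auto-provisioning for SSO domains, consider linking the JIT provisioning documentation there so admins can tell which mechanism governs a given domain, and note in the Disable procedure what happens to users already provisioned.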