diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/mdm.mdx b/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx
similarity index 96%
rename from website/docs/endpoint-devices/authentik-agent/agent-deployment/mdm.mdx
rename to website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx
index 554646ea9d36..1cf5e6fbcc30 100644
--- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/mdm.mdx
+++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx
@@ -1,10 +1,10 @@
---
-title: Deploy authentik Agent via MDM
-sidebar_label: MDM
+title: Automated authentik Agent deployment
+sidebar_label: Automated
tags: [authentik Agent, mdm, fleet, deploy]
---
-authentik Agent can be deployed at scale to multiple devices via Mobile Device Management (MDM) tools.
+authentik Agent can be deployed at scale to multiple devices via Mobile Device Management (MDM) and automation tools.
## Prerequisites
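Review bot: renaming `mdm.mdx` to `automated.mdx` changes the published URL of this page, so existing links and bookmarks to `.../agent-deployment/mdm` will break unless a client-side redirect for the old path is added alongside the sidebar change. Also, the unchanged `tags` line still lists only `mdm` and `fleet` while the title now covers automation tools in general; consider adding an `automation` tag so the page is discoverable under its new scope.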
diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/index.mdx b/website/docs/endpoint-devices/authentik-agent/agent-deployment/index.mdx
index 91cd961e54c8..b0d71ed6e883 100644
--- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/index.mdx
+++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/index.mdx
@@ -5,9 +5,9 @@ sidebar_label: Deployment
import DocCardList from "@theme/DocCardList";
-You can deploy the authentik Agent on [Linux](./linux.md), [macOS](./macos.md), and [Windows](./windows.md) devices.
+You can deploy the authentik Agent on [Linux](./linux.mdx), [macOS](./macos.md), and [Windows](./windows.md) devices.
-Documentation for large-scale deployments using [Mobile Device Management (MDM)](./mdm.mdx) tools is also available.
+Documentation for large-scale deployments using [Mobile Device Management (MDM) and automated](./automated.mdx) tools is also available.
Select a topic below to continue:
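Review bot: the link text in the last `+` line is split awkwardly: `[Mobile Device Management (MDM) and automated](./automated.mdx) tools` leaves `tools` outside the anchor. Suggest `[MDM and automation tools](./automated.mdx)` so the link reads as a phrase and matches the new page title.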
diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.md b/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx
similarity index 70%
rename from website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.md
rename to website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx
index 187cbdfa3ff0..951d3b8a644c 100644
--- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.md
+++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx
@@ -4,6 +4,9 @@ sidebar_label: Linux
tags: [authentik Agent, linux, deploy, packages]
---
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
## What it can do
- Retrieves information about the host and reports it to authentik, see [Device Compliance](../../device-compliance/index.mdx).
@@ -26,12 +29,15 @@ If you have already created have an enrollment token, skip to the [next section]
- **Device group _(optional)_**: select a device access group for the device to be added to after completing enrollment
- **Expiring _(optional)_**: set whether or not the enrollment token will expire
5. Click **Create**.
-6. _(Optional)_ Click the **Copy** icon in the **Actions** column to copy the enrollment token. This value will be required if [enabling a device for device compliance](#enable-device-compliance-and-ssh-access).
+6. _(Optional)_ Click the **Copy** icon in the **Actions** column to copy the enrollment token. This value will be required if [enabling a device for device compliance](#enable-device-compliance-ssh-server-authentication-and-local-device-login).
## Install the authentik Agent on Linux
Follow these steps to install the authentik Agent on your Linux device:
+
+
+
1. Open a Terminal session and install the required GPG key:
```sh
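Review bot: the three blank `+` lines inserted before step 1 carry no visible content; together with the `Tabs`/`TabItem` imports added at the top of this file they look like the place where per-distribution tab wrappers should be, so please check that the `<Tabs>`/`<TabItem>` markup is actually present and each element is closed, otherwise the imports are unused and the page renders as one flat list. The updated anchor `#enable-device-compliance-ssh-server-authentication-and-local-device-login` does match the slug of the renamed heading, so that part is fine.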
@@ -54,26 +60,43 @@ sudo apt install authentik-cli authentik-agent authentik-sysd
4. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v`
-## Enable device authentication
-
-To enable [device authentication features](../../device-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+
+
+
+1. Open a Terminal session and run the following command to add the authentik repo and associated GPG key:
+
+```bash
+# This overwrites any existing configuration in /etc/yum.repos.d/authentik.repo
+cat <`
+
+
+
-## Enable device compliance and SSH access
+## Enable device compliance, SSH server authentication, and local device login
To enable [device compliance features](../../device-compliance/index.mdx) and the device [accepting SSH connections](../../device-authentication/ssh-authentication.mdx), you must join the device to an authentik domain.
1. Open a Terminal session and run the following command:
```sh
-ak-sysd domains join --authentik-url https://authentik.company
+sudo ak-sysd domains join --authentik-url https://authentik.company
```
- `deployment_name` is the name that will be used to identify the authentik deployment on the device.
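Review bot: the `deployment_name` bullet after the join command describes a value that the command itself never takes: `sudo ak-sysd domains join --authentik-url https://authentik.company` only passes `--authentik-url`. Either add the name argument to the command or drop the bullet (the Windows page in this patch has the same mismatch). Two more points in this hunk: the new RPM repository block is cut off at `cat <` and its ```bash block has no visible closing fence, so the heredoc that is meant to write `/etc/yum.repos.d/authentik.repo` needs to be completed; and the renamed heading now promises local device login, but the paragraph under it still only mentions device compliance and accepting SSH connections, while `local-device-login/linux.md` in this same patch says Linux support is not yet implemented. Adding `sudo` to the join command is consistent with the macOS variant, which already runs `ak-sysd` under `sudo`.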
@@ -82,6 +105,18 @@ ak-sysd domains join --authentik-url https://authentik.company
2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token).
3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed.
+## Enable SSH client authentication and CLI application authentication
+
+To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+
+1. Open a Terminal session and run the following command:
+
+```sh
+ak config setup --authentik-url https://authentik.company
+```
+
+2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+
## Logging
authentik Agent logs are available via the system journal (`systemd`) or `syslog`, depending on the distribution.
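Review bot: this new section and the one above it use near-identical wording (`join the device to an authentik domain` versus `the device must be connected to an authentik deployment`) for two different operations, which invites readers to assume one replaces the other. One sentence stating that `ak-sysd domains join` is a one-time, privileged, device-level enrollment and `ak config setup` is a per-user configuration that runs unprivileged and completes through a browser login would prevent that, and would explain why only the first command needs `sudo`.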
diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/macos.md b/website/docs/endpoint-devices/authentik-agent/agent-deployment/macos.md
index 4545c9121d7e..cafb1eed42b8 100644
--- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/macos.md
+++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/macos.md
@@ -30,6 +30,10 @@ If you have already created have an enrollment token, skip to the [next section]
## Install the authentik Agent on macOS
+:::info Automated deployment is recommended
+It's recommended to deploy the Agent via [MDM or automatiation tools](./automated.mdx) instead of manually configuring it.
+:::
+
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Endpoint Devices** > **Connectors**.
3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik agent.
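Review bot: typo in the admonition body: `automatiation` should be `automation`. The Linux and Windows install hunks shown in this patch do not carry an equivalent admonition; if automated deployment is the recommendation on every platform, add it there too rather than only on macOS.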
@@ -40,18 +44,6 @@ If you have already created have an enrollment token, skip to the [next section]
6. Confirm that the authentik Agent is installed by opening a Terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v`
-## Enable device authentication
-
-To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:
-
-1. Open a Terminal session and run the following command:
-
-```sh
-ak config setup --authentik-url https://authentik.company
-```
-
-2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
-
## Enable device compliance
To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain.
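Review bot: this hunk deletes the `Enable device authentication` section with the `ak config setup` step, but its replacement is not visible in this view because the following `@@ -68,6 +60,18 @@` hunk has been run together onto a single line. Please confirm the macOS page still gets an `ak config setup` section equivalent to the new `Enable SSH client authentication and CLI application authentication` sections on Linux and Windows; otherwise macOS users lose the documented path to CLI application authentication.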
@@ -68,6 +60,18 @@ sudo "/Applications/authentik Agent.app/Contents/MacOS/ak-sysd" domains join **Connectors**.
3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik agent.
@@ -57,33 +62,33 @@ If you have already created have an enrollment token, skip to the [next section]
7. Confirm that the authentik Agent is installed by opening a PowerShell or Terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v`
-## Enable device authentication
+## Enable device compliance and local device login
-To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:
+To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain.
-1. Open a Terminal and run the following command:
+1. Open a Terminal session as Administrator and run the following command:
```sh
-ak config setup --authentik-url https://authentik.company
+ak-sysd domains join --authentik-url https://authentik.company
```
-2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+- `deployment_name` is the name that will be used to identify the authentik deployment on the device.
+- `https://authentik.company` is the fully qualified domain name of the authentik deployment.
+
+2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token).
+3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed.
-## Enable device compliance
+## Enable SSH client authentication and CLI application authentication
-To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain.
+To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
1. Open a Terminal session and run the following command:
```sh
-ak-sysd domains join --authentik-url https://authentik.company
+ak config setup --authentik-url https://authentik.company
```
-- `deployment_name` is the name that will be used to identify the authentik deployment on the device.
-- `https://authentik.company` is the fully qualified domain name of the authentik deployment.
-
-2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token).
-3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed.
+2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
## Logging
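Review bot: as on the Linux page, the two bullets added after the join command document a `deployment_name` value that `ak-sysd domains join --authentik-url https://authentik.company` never takes, so either the command or the bullets need to change. Also in this hunk: step 1 says to open a Terminal `as Administrator` while step 7 above refers to PowerShell, yet both fences are tagged ```sh, so a ```powershell tag (or a note that the commands are identical in either shell) would be clearer; and the new heading `Enable device compliance and local device login` promises local device login, but the sentence below it only mentions device compliance, so say what the domain join enables for Windows sign-in (the Windows Credential Provider row in `index.mdx` lists `authentik-sysd` as its dependency).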
diff --git a/website/docs/endpoint-devices/authentik-agent/authentik-cli.mdx b/website/docs/endpoint-devices/authentik-agent/authentik-cli.mdx
index acb3db09efa0..ca1641f63568 100644
--- a/website/docs/endpoint-devices/authentik-agent/authentik-cli.mdx
+++ b/website/docs/endpoint-devices/authentik-agent/authentik-cli.mdx
@@ -98,7 +98,16 @@ ak-sysd agent
`-d` for debug
`--disable-component` to disable a component, can be used multiple times.
-TODO @BeryJu document the ids of components
+
+**Components**:
+
+- `agent_starter`: Responsible for starting the authentik user agent
+- `auth`: Authentication components for interactive and token-based authentication
+- `ctrl`: Provides a control socket for the CLI to join domains, etc
+- `device`: Handles device compliance checkins and validations
+- `directory`: Provides directory services on linux system
+- `ping`: Provides a ping service for healthchecking
+- `session`: Handles sessions created with local device authentication/SSH
### completion
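Review bot: the component list resolves the TODO but does not say what breaks when a component is passed to `--disable-component`, which is the reason a reader looks the ids up; by the descriptions given here, disabling `ctrl` removes the control socket the CLI uses for domain join, and disabling `device` stops compliance check-ins. A short consequence per entry, or a statement of which components are safe to disable, would make the list actionable. Minor wording: `on linux system` should read `on Linux systems`, and the `ctrl` line ends in `etc` without a period.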
diff --git a/website/docs/endpoint-devices/authentik-agent/index.mdx b/website/docs/endpoint-devices/authentik-agent/index.mdx
index 02821ae70f72..e46bdf49944e 100644
--- a/website/docs/endpoint-devices/authentik-agent/index.mdx
+++ b/website/docs/endpoint-devices/authentik-agent/index.mdx
@@ -21,18 +21,22 @@ The authentik Agent consists of several components:
| Platform | Component | Description | Dependencies |
| ------------------------- | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
| **Linux, macOS, Windows** | `authentik-cli` | Provides CLI commands for interacting with `authentik-agent`. | `authentik-agent` |
-| **Linux, macOS, Windows** | `authentik-agent` | User service. | `authentik-sysd` |
-| **Linux, macOS, Windows** | `authentik-sysd` | System service. | None |
+| **Linux, macOS, Windows** | `authentik-agent` | Authentication in a users' context, for CLI tools. service. | `authentik-sysd` |
+| **Linux, macOS, Windows** | `authentik-sysd` | Responsible for handling device-level authentication and compliance checks. service. | None |
| **Linux only** | `libpam-authentik` | PAM Module for token-based and interactive authentication via authentik. Used for [SSH authentication](../device-authentication/ssh-authentication.mdx) and [local device login](../device-authentication/local-device-login/index.mdx). | `authentik-sysd` |
| **Linux only** | `libnss-authentik` | NSS Module that makes Linux aware of authentik users. All authentik users will be visible to Linux - but won't be able to login unless configured via device access groups. Provides a consistent `uid` and `gid` for users on all Endpoint Devices. | `authentik-sysd`, `libpam-authentik` |
| **Windows only** | `Windows Credential Provider` (WCP) | Enables logging in to Windows devices using authentik credentials. | `authentik-sysd` |
## Technical information
-All authentik Agent components communicate via gRPC and Unix domain sockets.
+All authentik Agent components communicate via gRPC and Unix domain sockets/Windows named pipes.
-- `sys.sock` for general communication
-- `sys-ctrl.sock` for domain join
+**Linux**: `/var/run/authentik/sys.sock` and `/var/run/authentik/sys-ctrl.sock`
+**macOS**: `/var/run/authentik-sysd.sock` and `/var/run/authentik-sysd-ctrl.sock`
+**Windows**: `\\.\pipe\authentik\sysd` and `\\.\pipe\authentik\sysd-ctrl`
+
+- `sys.sock`/`*sysd.sock` for general communication
+- `*-ctrl.sock` for domain join
## Important considerations
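Review bot: the two rewritten table rows carry leftover text from the old descriptions: `Authentication in a users' context, for CLI tools. service.` and `Responsible for handling device-level authentication and compliance checks. service.` both end in a stray `service.`, and `users'` should be `user's`. In the socket list, the bullets `sys.sock`/`*sysd.sock` and `*-ctrl.sock` do not cover the Windows names `\\.\pipe\authentik\sysd` and `\\.\pipe\authentik\sysd-ctrl` introduced two lines above; describing them as the general socket/pipe and the control socket/pipe would fit all three platforms. Since the control endpoint is what performs domain join, documenting which local users or groups are permitted to connect to it would also belong in this section.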
diff --git a/website/docs/endpoint-devices/device-authentication/cli-app-authentication/aws.mdx b/website/docs/endpoint-devices/device-authentication/cli-app-authentication/aws.mdx
index 7ae4eab84443..f85cf1377885 100644
--- a/website/docs/endpoint-devices/device-authentication/cli-app-authentication/aws.mdx
+++ b/website/docs/endpoint-devices/device-authentication/cli-app-authentication/aws.mdx
@@ -29,17 +29,67 @@ To support the integration of authentik Agent with AWS CLI, you need to create a
3. Click **Submit** to save the new application and provider.
-## Authenticate to AWS CLI with the authentik Agent
+## AWS configuration
-To authenticate to the AWS CLI with the authentik agent, use the following command:
+To support the integration of AWS with the authentik Agent, you need to configure authentik CLI as an IDP and setup permission roles in AWS.
-```bash
-ak auth aws
+### Configure authentik CLI as an IDP in AWS
+
+1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers.
+2. Open the [IAM Console](https://console.aws.amazon.com/iam/) and in the left sidebar under **Access Management**, click **Identity providers**.
+3. Click **Add provider** and configure the following fields:
+ - **Provider type**: `OpenID Connect`
+ - **Provider URL**: `https://authentik.company/application/o//`
+ - **Audience**: `authentik-aws-cli`
+4. Click **Add provider**
+5. On the **Identity providers** page, click on the name of the provider that you just added.
+
+### Configure permissions in AWS
+
+1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers.
+2. Open the [IAM Console](https://console.aws.amazon.com/iam/) and in the left sidebar under **Access Management**, click **Roles**.
+3. Either create or edit a role that you want authentik users to be able to use.
+4. Open the **Trust relationships** tab.
+5. Click **Edit trust policy** and add the following, replacing `` with your AWS Account ID:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam:::oidc-provider/authentik.company/application/o/authentik-aws-cli/"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "authentik.company/application/o/authentik-aws-cli/:aud": "authentik-aws-cli"
+ }
+ }
+ }
+ ]
+}
```
-**Available flags:**
+6. Click **Update policy**.
+7. Take note of the role ARN as it will be required in the next section.
+
+### Configure AWS CLI to authenticate with authentik CLI
+
+On the device running AWS CLI, update the `~/.aws/credentials` file with the following, replacing `` with the ARN of the role above:
-- `-c, --client-id ` - Client ID
-- `-e, --region ` - AWS region (default: `eu-central-1`)
-- `-r, --role-arn ` - IAM Role ARN
-- `-h, --help` - Display help information
+```
+[default]
+credential_process = ak auth aws --client-id authentik-aws-cli --role-arn
+```
+
+To verify, run `aws sts get-caller-identity`, which should output something like this
+
+```json
+{
+ "UserId": "xxxxxx",
+ "Account": "",
+ "Arn": "arn:aws:sts:::assumed-role//"
+}
+```
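Review bot: the OIDC provider URL and the trust policy disagree: step 3 gives the Provider URL as `https://authentik.company/application/o//` (empty slug), while the policy's `Federated` ARN and condition key use `authentik.company/application/o/authentik-aws-cli/`; the `credential_process` line also ends at `--role-arn` with no value, and the `` placeholders in step 5 and the credentials paragraph are empty, so the slug, account ID and role ARN placeholders need restoring. The trust policy conditions only on `:aud`, which means every authentik user able to obtain a token for this application can assume the role; recommend either restricting access to the application with a binding on the authentik side or adding a `:sub` or group-based condition, and saying so in the text. Minor: the `~/.aws/credentials` fence has no language tag (`ini` fits), and `which should output something like this` needs a colon.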
diff --git a/website/docs/endpoint-devices/device-authentication/cli-app-authentication/k8s.mdx b/website/docs/endpoint-devices/device-authentication/cli-app-authentication/k8s.mdx
index 59803d448084..7eb83440b219 100644
--- a/website/docs/endpoint-devices/device-authentication/cli-app-authentication/k8s.mdx
+++ b/website/docs/endpoint-devices/device-authentication/cli-app-authentication/k8s.mdx
@@ -18,11 +18,11 @@ To support the integration of authentik Agent with `kubectl`, you need to create
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- - **Application**: provide a descriptive name (e.g. `authentik-kubernetes`), an optional group for the type of application, the policy engine mode, and optional UI settings.
+ - **Application**: provide a descriptive name (e.g. `kubernetes-cluster`), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **Client type** to `Public`.
- - Set the **Client ID** to `authentik-kubernetes`.
+ - Set the **Client ID** to `kubernetes-cluster`.
- Select any available signing key.
- Under **Machine-to-Machine authentication settings** add the `authentik-cli` provider as a **Federated OIDC Provider**.
- **Configure Bindings** _(optional)_: you can create a [binding](../../../../add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage access to the application.
@@ -31,23 +31,34 @@ To support the integration of authentik Agent with `kubectl`, you need to create
## Kubernetes configuration
-To integrate the authentik Agent with your kubernetes deployment, you'll need to configure kubeadm.
+These instructions depend on how you're running Kubernetes and are specifically for kubeadm. The same instructions can't be applied to a hosted/cloud Kubernetes platform where you don't have control over the Kubernetes API server.
+
+:::info Reverse proxy for Kubernetes API servers
+[kube-oidc-proxy](https://github.com/TremoloSecurity/kube-oidc-proxy) is a useful project that provides a reverse proxy to authenticate to managed Kubernetes API servers via OIDC.
+:::
+
+To integrate the authentik Agent with your Kubernetes deployment, you'll need to configure kubeadm.
### Configure kubeadm settings
-Add the following `extraArgs` to your `kubeadm_config.yml` file:
+Update your kubeadm config file using the template below:
```yaml
-- name: oidc-client-id
- value: authentik-kubernetes
-- name: oidc-groups-claim
- value: groups
-- name: oidc-groups-prefix
- value: "oidc:"
-- name: oidc-issuer-url
- value: https://authentik.company/application/o//
-- name: oidc-username-claim
- value: email
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: ClusterConfiguration
+apiServer:
+ # [...]
+ extraArgs:
+ - name: oidc-client-id
+ value: kubernetes-cluster
+ - name: oidc-groups-claim
+ value: groups
+ - name: oidc-groups-prefix
+ value: "oidc:"
+ - name: oidc-issuer-url
+ value: https://authentik.company/application/o//
+ - name: oidc-username-claim
+ value: email
```
Run the following command to apply the changes to an existing Kubernetes cluster:
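Review bot: `oidc-issuer-url` is set to `https://authentik.company/application/o//`, an empty application slug, so the slug placeholder needs to be restored; it has to match the provider's issuer exactly or the API server rejects every token. Two caveats worth a sentence: the list form of `extraArgs` shown here is the `kubeadm.k8s.io/v1beta4` format, and clusters still on `v1beta3` use a map, so the block will not work by copy-and-paste there; and with `oidc-username-claim: email` and no `oidc-username-prefix`, usernames are bare e-mail addresses, so setting a prefix (the groups already get `oidc:`) avoids collisions with existing cluster users and RBAC subjects.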
@@ -62,19 +73,24 @@ kubeadm upgrade apply --config=kubeadm_config.yml
Where `` matches the target Kubernetes version specified in your config file.
-:::info Example config file
-An example `kubeadm_config.yml` is available on the [authentik Platform GitHub repository](https://github.com/BeryJu/infrastructure/blob/main/roles/beryjuio_kube/templates/kubeadm_config.yml#L11-L20).
-:::
+### Configure kubectl to authenticate with authentik CLI
-## Authenticate to kubectl with the authentik Agent
+Update your kubeconfig file (~/.kube/config) to use the `ak` command to authenticate
-To authenticate to kubectl with the authentik agent, use the following command:
-
-```bash
-ak auth kubectl
+```yaml
+users:
+ - name: kubernetes-cluster
+ user:
+ exec:
+ apiVersion: client.authentication.k8s.io/v1
+ args:
+ - auth
+ - kubectl
+ - --client-id=kubernetes-cluster
+ command: ak
+ env: null
+ interactiveMode: IfAvailable
+ provideClusterInfo: false
```
-**Available flags:**
-
-- `-c, --client-id ` - Client ID
-- `-h, --help` - Display help information
+To verify, run `kubectl auth whoami`, which should output your authentik email address as a username.
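Review bot: the snippet adds a `users:` entry but nothing shows wiring it into a context (`contexts[].context.user: kubernetes-cluster`), which readers need before `kubectl` will use it. The verification step relies on `kubectl auth whoami`, which is only a stable command on Kubernetes 1.28 and later, so state the version requirement or offer a fallback such as `kubectl auth can-i`. Minor: the lead sentence `Update your kubeconfig file (~/.kube/config) to use the `ak` command to authenticate` needs a colon and backticks around the path.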
diff --git a/website/docs/endpoint-devices/device-authentication/local-device-login/linux.md b/website/docs/endpoint-devices/device-authentication/local-device-login/linux.md
index 8b2875b947ac..b7942ad91276 100644
--- a/website/docs/endpoint-devices/device-authentication/local-device-login/linux.md
+++ b/website/docs/endpoint-devices/device-authentication/local-device-login/linux.md
@@ -4,6 +4,6 @@ sidebar_label: Linux
tags: [authentik Agent, device login, device authentication, linux]
---
-Local device login is currently only supported on Windows.
+
Linux support is possible but not yet implemented. Configuration and testing with various Linux login managers (SDDM, GDM, etc.) and PAM implementations is pending.
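Review bot: replacing `Local device login is currently only supported on Windows.` with a blank line leaves the page opening on two empty lines and a single sentence; more importantly, the remaining sentence `Linux support is possible but not yet implemented` now contradicts the Linux deployment page in this same patch, whose new heading is `Enable device compliance, SSH server authentication, and local device login`, and the `libpam-authentik` row in `index.mdx`, which says the PAM module is used for local device login. One of the two statements has to change.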
diff --git a/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx b/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx
index 94f710ef3081..8ed329344734 100644
--- a/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx
+++ b/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx
@@ -6,7 +6,7 @@ tags: [ssh, authentik Agent]
You can use the [authentik Agent](../authentik-agent/index.mdx) to authenticate SSH connections ubetween endpoint devices using authentik credentials.
-Currently, only [Linux](../authentik-agent/agent-deployment/linux.md) devices can serve as SSH endpoints. See [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section for more details.
+Currently, only [Linux](../authentik-agent/agent-deployment/linux.mdx) devices can serve as SSH endpoints. See [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section for more details.
When connected to an endpoint device in this way, sudo authorization can be handled by the authentik agent.
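Review bot: the link fix to `linux.mdx` is correct; while touching this paragraph, the unchanged context line above it has a typo, `ubetween`, that should read `between`.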
@@ -17,7 +17,7 @@ When connected to an endpoint device in this way, sudo authorization can be hand
## How to SSH to an endpoint device
-To SSH to a configured [Linux host](../authentik-agent/agent-deployment/linux.md) using the authentik Agent:
+To SSH to a configured [Linux host](../authentik-agent/agent-deployment/linux.mdx) using the authentik Agent:
1. Open a Terminal session and run the following command:
diff --git a/website/docs/endpoint-devices/device-compliance/browser-extension.mdx b/website/docs/endpoint-devices/device-compliance/browser-extension.mdx
index 242bd0d6afe7..18ce19c402d9 100644
--- a/website/docs/endpoint-devices/device-compliance/browser-extension.mdx
+++ b/website/docs/endpoint-devices/device-compliance/browser-extension.mdx
@@ -7,7 +7,7 @@ tags: [device compliance, compliance, browser extension, extension, Endpoint SSO
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
-The authentik Endpoint SSO browser extension is required for device compliance functionality, and is currently available for Chrome-based and Firefox-based browsers.
+The authentik Endpoint SSO browser extension is required for device compliance functionality, and is currently available via the Chrome Web Store, the Firefox Add-ons site, and the Edge Add-ons site.
The browser extension connects to the [authentik Agent](../authentik-agent/index.mdx). It supplies [device facts](./device-reporting.md#device-facts) that [stages](../../add-secure-apps/flows-stages/stages/index.md) and [policies](../../customize/policies/index.md) can use during execution of authentik [flows](../../add-secure-apps/flows-stages/flow/index.md). This enables device compliance functionality such as limiting access to applications based on operating system, see [device compliance policy](./device-compliance-policy.md) for more details.
@@ -16,13 +16,13 @@ The browser extension connects to the [authentik Agent](../authentik-agent/index
-1. Open Google Chrome.
+1. Open your Chromium-based browser.
2. Go to the the [authentik Endpoint SSO browser extension page](https://chromewebstore.google.com/detail/authentik-endpoint-sso/dklfpnaeklldfpmhkbfjbmbnmkfafdma) in the Chrome Web Store.
3. Click **Add to Chrome**.
4. Review the permissions and click **Add extension**.
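Review bot: the intro in the preceding hunk now lists the Edge Add-ons site as a distribution channel, but the install tabs only cover Chromium-based and Firefox-based browsers, and this tab still sends readers to the Chrome Web Store with `Add to Chrome`; an Edge tab (or a sentence that Edge users install from the Edge Add-ons site) is needed to match the intro. Minor: `Go to the the` in step 2 has a doubled `the`.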
@@ -30,7 +30,7 @@ The browser extension connects to the [authentik Agent](../authentik-agent/index
-1. Open Firefox.
+1. Open your Firefox-based browser.
2. Go to the the [authentik Endpoint SSO browser extension page](https://addons.mozilla.org/en-US/firefox/addon/authentik-platform-sso/) on the Firefox Add-ons site.
3. Click **Add to Firefox**.
4. Review the permissions and click **Add** (or **Install**).
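Review bot: same doubled word here, `Go to the the` in step 2.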
diff --git a/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md b/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md
index fe3d5d87e3d7..39c7e46e786a 100644
--- a/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md
+++ b/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md
@@ -22,9 +22,11 @@ To access device facts within a flow, the flow must include an [Endpoint stage](
The following example shows how to use these facts within an expression policy.
```python
-flow_plan = request.context.get("flow_plan") #set a flow_plan object
-device = flow_plan.context.get("device") #set a device object
-name = device.name #the name of the device
+flow_plan = request.context.get("flow_plan") # set a flow_plan object
+device = flow_plan.context.get("device") # set a device object
+name = device.name # the name of the device
+facts = device.cached_facts.data
+ak_logger.debug("device facts", facts=facts)
```
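Review bot: `ak_logger.debug("device facts", facts=facts)` writes the full facts document into the authentik log, and the example facts file in this patch shows that includes the hostname, MAC and IP addresses, hardware serial, and the process and user lists; the text should say this is a debugging aid to remove afterwards rather than something to leave in a production policy. Also, `device = flow_plan.context.get("device")` followed by `device.name` raises if no Endpoint stage ran, so an `if device is None: return False` guard (or whatever result is intended) before reading attributes would make the example safe to copy.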
## Examples
@@ -87,6 +89,7 @@ The following example will only allow authentication via Apple devices.
device = flow_plan.context.get("device")
if device.manufacturer.lower() != "apple":
return True
+ return False
```
:::info Deny stage
Because this is a deny stage, the policy must evaluate true when a requirement is not met.
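Review bot: adding the explicit `return False` is right, since the policy otherwise returns nothing when the device is from Apple. One more robustness point for a deny stage: `device.manufacturer.lower()` raises if the manufacturer fact is unset, so a device with no manufacturer would produce an exception instead of a deny decision; `(device.manufacturer or "").lower() != "apple"` keeps the deny behavior for that case.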
diff --git a/website/docs/endpoint-devices/device-compliance/device-reporting.md b/website/docs/endpoint-devices/device-compliance/device-reporting.md
index 4a060e1f5b5d..b5a233e11928 100644
--- a/website/docs/endpoint-devices/device-compliance/device-reporting.md
+++ b/website/docs/endpoint-devices/device-compliance/device-reporting.md
@@ -23,12 +23,18 @@ When a device registered with authentik reports its [device facts](#device-facts
## Device facts
-Device facts are informational snippets about a device, such as its operating system, serial number, installed applications, running processes, and more. These facts can are supplied to authentik flows via the [authentik browser extension](browser-extension.mdx) to be used in making policy decisions. For example, you can create a policy that only allows endpoint devices that are running a recent OS version to access an application.
+Device facts are informational snippets about a device, such as its operating system, serial number, installed applications, running processes, and more. These facts are supplied to authentik flows via the [authentik browser extension](browser-extension.mdx) to be used in making policy decisions. For example, you can create a policy that only allows endpoint devices that are running a recent OS version to access an application.
+
+JL: the facts are supplied either by ak-sysd or from other connectors, and the browser extension is only used to associate the device the user is using with the device in the authentik database
### Advanced device facts :ak-enterprise
This feature is still in development and will be announced soon.
+## Example facts
+
+For an example of the facts provided for a Linux device, see [here](./facts-linux.json).
+
## Endpoint devices in event logs
Authentication events involving endpoint devices are included in the [event logs](../../sys-mgmt/events/logging-events.md). For example:
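Review bot: the line beginning `JL: the facts are supplied either by ak-sysd or from other connectors...` is an unresolved reviewer note left inside the page body and will be published as-is; it also contradicts the sentence right above it, which still says facts are supplied via the browser extension. Resolve it by rewording the paragraph to say facts come from `ak-sysd` or other connectors and the extension only links the browser session to the registered device, then delete the note. In the new `Example facts` section, `see [here](./facts-linux.json)` should get descriptive link text and a word that it is an abridged sample, and please check that a bare `.json` file under `docs/` is actually served at that path by the docs build.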
diff --git a/website/docs/endpoint-devices/device-compliance/facts-linux.json b/website/docs/endpoint-devices/device-compliance/facts-linux.json
new file mode 100644
index 000000000000..0f828562ca1a
--- /dev/null
+++ b/website/docs/endpoint-devices/device-compliance/facts-linux.json
@@ -0,0 +1,64 @@
+{
+ "os": {
+ "family": "linux",
+ "name": "Ubuntu",
+ "version": "24.04.3 LTS (Noble Numbat)",
+ "arch": "amd64"
+ },
+ "disks": [
+ {
+ "name": "/dev/dm-0",
+ "mountpoint": "/",
+ "capacity_total_bytes": 123472097280,
+ "capacity_used_bytes": 44141334528,
+ "encryption_enabled": false
+ }
+ ],
+ "network": {
+ "hostname": "linux-test",
+ "firewall_enabled": true,
+ "interfaces": [
+ {
+ "name": "ens34",
+ "hardware_address": "00:0c:29:bc:94:7e",
+ "ip_addresses": ["10.120.20.57/24"],
+ "dns_servers": ["127.0.0.53"]
+ }
+ ]
+ },
+ "hardware": {
+ "model": "VMware20,1",
+ "manufacturer": "VMware, Inc.",
+ "serial": "VMware-56 4d 14 e0 58 14 f5 dd-c0 ed 84 af dd bc 94 7e",
+ "cpu_name": "Intel(R) Core(TM) i5-10500T CPU @ 2.30GHz",
+ "cpu_count": 4,
+ "memory_bytes": 16769568768
+ },
+ "software": null,
+ "processes": [
+ {
+ "id": 1,
+ "name": "/usr/lib/systemd/systemd --system --deserialize=82",
+ "user": "root"
+ }
+ ],
+ "users": [
+ {
+ "id": "0",
+ "username": "root",
+ "name": "root",
+ "home": "/root"
+ }
+ ],
+ "groups": [
+ {
+ "id": "0",
+ "name": "root"
+ }
+ ],
+ "vendor": {
+ "goauthentik.io/platform": {
+ "agent_version": "0.35.2-dev-b1a5"
+ }
+ }
+}
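Review bot: the sample facts file publishes real-looking identifiers captured from a test VM: MAC `00:0c:29:bc:94:7e`, the matching VMware serial, the internal address `10.120.20.57/24`, and a dev agent version; replace them with obviously placeholder values before this ships, since the file is meant to be copied into policy examples. Two content points: `"software": null` contradicts the device-facts paragraph that lists installed applications as a reported fact, so either show a populated array or explain when it is null; and `processes`, `users` and `groups` each contain a single root entry, so the linking page should say the lists are truncated.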
diff --git a/website/docs/endpoint-devices/manage-devices.mdx b/website/docs/endpoint-devices/manage-devices.mdx
index fd763dbfebbc..4fd36ced385c 100644
--- a/website/docs/endpoint-devices/manage-devices.mdx
+++ b/website/docs/endpoint-devices/manage-devices.mdx
@@ -35,4 +35,8 @@ Lists the processes that were running on the device when its last check-in occur
### Users
+Lists all users on the system, along with their username, display name and home directory.
+
### Groups
+
+Lists all groups on the system.
diff --git a/website/docs/sidebar.mjs b/website/docs/sidebar.mjs
index 08224504912b..b699d160aa81 100644
--- a/website/docs/sidebar.mjs
+++ b/website/docs/sidebar.mjs
@@ -710,7 +710,7 @@ const items = [
id: "endpoint-devices/authentik-agent/agent-deployment/index",
},
items: [
- "endpoint-devices/authentik-agent/agent-deployment/mdm",
+ "endpoint-devices/authentik-agent/agent-deployment/automated",
"endpoint-devices/authentik-agent/agent-deployment/linux",
"endpoint-devices/authentik-agent/agent-deployment/macos",
"endpoint-devices/authentik-agent/agent-deployment/windows",