goauthentik · dewi-tik · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026
@@ -1,10 +1,10 @@
 ---
-title: Deploy authentik Agent via MDM
-sidebar_label: MDM
+title: Automated authentik Agent deployment
+sidebar_label: Automated
 tags: [authentik Agent, mdm, fleet, deploy]
 ---
 
-authentik Agent can be deployed at scale to multiple devices via Mobile Device Management (MDM) tools.
+authentik Agent can be deployed at scale to multiple devices via Mobile Device Management (MDM) and automation tools.
 
 ## Prerequisites
 

@@ -5,9 +5,9 @@ sidebar_label: Deployment
 
 import DocCardList from "@theme/DocCardList";
 
-You can deploy the authentik Agent on [Linux](./linux.md), [macOS](./macos.md), and [Windows](./windows.md) devices.
+You can deploy the authentik Agent on [Linux](./linux.mdx), [macOS](./macos.md), and [Windows](./windows.md) devices.
 
-Documentation for large-scale deployments using [Mobile Device Management (MDM)](./mdm.mdx) tools is also available.
+Documentation for large-scale deployments using [Mobile Device Management (MDM) and automated](./automated.mdx) tools is also available.
 
 Select a topic below to continue:
 

@@ -4,6 +4,9 @@ sidebar_label: Linux
 tags: [authentik Agent, linux, deploy, packages]
 ---
 
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
 ## What it can do
 
 - Retrieves information about the host and reports it to authentik, see [Device Compliance](../../device-compliance/index.mdx).
@@ -26,12 +29,15 @@ If you have already created have an enrollment token, skip to the [next section]
     - **Device group _(optional)_**: select a device access group for the device to be added to after completing enrollment
     - **Expiring _(optional)_**: set whether or not the enrollment token will expire
 5. Click **Create**.
-6. _(Optional)_ Click the **Copy** icon in the **Actions** column to copy the enrollment token. This value will be required if [enabling a device for device compliance](#enable-device-compliance-and-ssh-access).
+6. _(Optional)_ Click the **Copy** icon in the **Actions** column to copy the enrollment token. This value will be required if [enabling a device for device compliance](#enable-device-compliance-ssh-server-authentication-and-local-device-login).
 
 ## Install the authentik Agent on Linux
 
 Follow these steps to install the authentik Agent on your Linux device:
 
+<Tabs defaultValue="Debian-based">
+<TabItem value="Debian-based">
+
 1. Open a Terminal session and install the required GPG key:
 
 ```sh
@@ -54,26 +60,43 @@ sudo apt install authentik-cli authentik-agent authentik-sysd
 4. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak`
    You should see a response that starts with: `authentik CLI v<version_number>`
 
-## Enable device authentication
-
-To enable [device authentication features](../../device-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+</TabItem>
+<TabItem value="RedHat-based">
+
+1. Open a Terminal session and run the following command to add the authentik repo and associated GPG key:
+
+```bash
+# This overwrites any existing configuration in /etc/yum.repos.d/authentik.repo
+cat <<EOF | sudo tee /etc/yum.repos.d/authentik.repo
+[authentik]
+name=authentik
+baseurl=https://pkg.goauthentik.io
+enabled=1
+gpgcheck=1
+gpgkey=https://pkg.goauthentik.io/keys/gpg-key.asc
+EOF
+```
 
-1. Open a Terminal session and run the following command:
+2. Run the following commands to refresh metadata and install the authentik Agent packages:
 
-```sh
-ak config setup --authentik-url https://authentik.company
+```bash
+sudo yum install -y authentik-cli authentik-agent authentik-sysd
 ```
 
-2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+3. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak`
+   You should see a response that starts with: `authentik CLI v<version_number>`
+
+</TabItem>
+</Tabs>
 
-## Enable device compliance and SSH access
+## Enable device compliance, SSH server authentication, and local device login
 
 To enable [device compliance features](../../device-compliance/index.mdx) and the device [accepting SSH connections](../../device-authentication/ssh-authentication.mdx), you must join the device to an authentik domain.
 
 1. Open a Terminal session and run the following command:
 
 ```sh
-ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
+sudo ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
 ```
 
 - `deployment_name` is the name that will be used to identify the authentik deployment on the device.
@@ -82,6 +105,18 @@ ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
 2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token).
 3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed.
 
+## Enable SSH client authentication and CLI application authentication
+
+To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+
+1. Open a Terminal session and run the following command:
+
+```sh
+ak config setup --authentik-url https://authentik.company
+```
+
+2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+
 ## Logging
 
 authentik Agent logs are available via the system journal (`systemd`) or `syslog`, depending on the distribution.
@@ -30,6 +30,10 @@ If you have already created have an enrollment token, skip to the [next section]
 
 ## Install the authentik Agent on macOS
 
+:::info Automated deployment is recommended
+It's recommended to deploy the Agent via [MDM or automatiation tools](./automated.mdx) instead of manually configuring it.
+:::
+
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Endpoint Devices** > **Connectors**.
 3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik agent.
@@ -40,18 +44,6 @@ If you have already created have an enrollment token, skip to the [next section]
 6. Confirm that the authentik Agent is installed by opening a Terminal window and entering the following command: `ak`
    You should see a response that starts with: `authentik CLI v<version_number>`
 
-## Enable device authentication
-
-To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:
-
-1. Open a Terminal session and run the following command:
-
-```sh
-ak config setup --authentik-url https://authentik.company
-```
-
-2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
-
 ## Enable device compliance
 
 To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain.
@@ -68,6 +60,18 @@ sudo "/Applications/authentik Agent.app/Contents/MacOS/ak-sysd" domains join <de
 2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token).
 3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed.
 
+## Enable SSH client authentication and CLI application authentication
+
+To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+
+1. Open a Terminal session and run the following command:
+
+```sh
+ak config setup --authentik-url https://authentik.company
+```
+
+2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+
 ## Logging
 
 The authentik Agent uses macOS's native logging abilities. To retrieve the logs, open the Console application and then filter for authentik-related processes such as `authentik-agent` or `authentik-sysd`.
@@ -26,7 +26,8 @@ It currently only supports local login; RDP login is not supported.
 - WCP can cause issues with user encrypted directories.
 - Support with Active directory has not been confirmed yet.
 - Offline login is currently not supported.
-  :::
+
+:::
 
 ## Prerequisites
 
@@ -44,10 +45,14 @@ If you have already created have an enrollment token, skip to the [next section]
     - **Device group _(optional)_**: select a device access group for the device to be added to after completing enrollment
     - **Expiring _(optional)_**: set whether or not the enrollment token will expire
 5. Click **Create**.
-6. _(Optional)_ Click the **Copy** icon in the **Actions** column to copy the enrollment token. This value will be required if [enabling a device for device compliance](#enable-device-compliance).
+6. _(Optional)_ Click the **Copy** icon in the **Actions** column to copy the enrollment token. This value will be required if [enabling a device for device compliance](#enable-device-compliance-and-local-device-login).
 
 ## Install the authentik Agent on Windows
 
+:::info Automated deployment is recommended
+It's recommended to deploy the Agent via [MDM or automatiation tools](./automated.mdx) instead of manually configuring it.
+:::
+
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Endpoint Devices** > **Connectors**.
 3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik agent.
@@ -57,33 +62,33 @@ If you have already created have an enrollment token, skip to the [next section]
 7. Confirm that the authentik Agent is installed by opening a PowerShell or Terminal window and entering the following command: `ak`
    You should see a response that starts with: `authentik CLI v<version_number>`
 
-## Enable device authentication
+## Enable device compliance and local device login
 
-To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:
+To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain.
 
-1. Open a Terminal and run the following command:
+1. Open a Terminal session as Administrator and run the following command:
 
 ```sh
-ak config setup --authentik-url https://authentik.company
+ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
 ```
 
-2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+- `deployment_name` is the name that will be used to identify the authentik deployment on the device.
+- `https://authentik.company` is the fully qualified domain name of the authentik deployment.
+
+2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token).
+3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed.
 
-## Enable device compliance
+## Enable SSH client authentication and CLI application authentication
 
-To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain.
+To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
 
 1. Open a Terminal session and run the following command:
 
 ```sh
-ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
+ak config setup --authentik-url https://authentik.company
 ```
 
-- `deployment_name` is the name that will be used to identify the authentik deployment on the device.
-- `https://authentik.company` is the fully qualified domain name of the authentik deployment.
-
-2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token).
-3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed.
+2. Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
 
 ## Logging
 

@@ -98,7 +98,16 @@ ak-sysd agent
 
 `-d` for debug
 `--disable-component` to disable a component, can be used multiple times.
-TODO @BeryJu document the ids of components
+
+**Components**:
+
+- `agent_starter`: Responsible for starting the authentik user agent
+- `auth`: Authentication components for interactive and token-based authentication
+- `ctrl`: Provides a control socket for the CLI to join domains, etc
+- `device`: Handles device compliance checkins and validations
+- `directory`: Provides directory services on linux system
+- `ping`: Provides a ping service for healthchecking
+- `session`: Handles sessions created with local device authentication/SSH
 
 ### completion
 

@@ -21,18 +21,22 @@ The authentik Agent consists of several components:
 | Platform                  | Component                           | Description                                                                                                                                                                                                                                          | Dependencies                         |
 | ------------------------- | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
 | **Linux, macOS, Windows** | `authentik-cli`                     | Provides CLI commands for interacting with `authentik-agent`.                                                                                                                                                                                        | `authentik-agent`                    |
-| **Linux, macOS, Windows** | `authentik-agent`                   | User service.                                                                                                                                                                                                                                        | `authentik-sysd`                     |
-| **Linux, macOS, Windows** | `authentik-sysd`                    | System service.                                                                                                                                                                                                                                      | None                                 |
+| **Linux, macOS, Windows** | `authentik-agent`                   | Authentication in a users' context, for CLI tools. service.                                                                                                                                                                                          | `authentik-sysd`                     |
+| **Linux, macOS, Windows** | `authentik-sysd`                    | Responsible for handling device-level authentication and compliance checks. service.                                                                                                                                                                 | None                                 |
 | **Linux only**            | `libpam-authentik`                  | PAM Module for token-based and interactive authentication via authentik. Used for [SSH authentication](../device-authentication/ssh-authentication.mdx) and [local device login](../device-authentication/local-device-login/index.mdx).             | `authentik-sysd`                     |
 | **Linux only**            | `libnss-authentik`                  | NSS Module that makes Linux aware of authentik users. All authentik users will be visible to Linux - but won't be able to login unless configured via device access groups. Provides a consistent `uid` and `gid` for users on all Endpoint Devices. | `authentik-sysd`, `libpam-authentik` |
 | **Windows only**          | `Windows Credential Provider` (WCP) | Enables logging in to Windows devices using authentik credentials.                                                                                                                                                                                   | `authentik-sysd`                     |
 
 ## Technical information
 
-All authentik Agent components communicate via gRPC and Unix domain sockets.
+All authentik Agent components communicate via gRPC and Unix domain sockets/Windows named pipes.
 
-- `sys.sock` for general communication
-- `sys-ctrl.sock` for domain join
+**Linux**: `/var/run/authentik/sys.sock` and `/var/run/authentik/sys-ctrl.sock`
+**macOS**: `/var/run/authentik-sysd.sock` and `/var/run/authentik-sysd-ctrl.sock`
+**Windows**: `\\.\pipe\authentik\sysd` and `\\.\pipe\authentik\sysd-ctrl`
+
+- `sys.sock`/`*sysd.sock` for general communication
+- `*-ctrl.sock` for domain join
 
 ## Important considerations