2nd chunk of `content/manuals/security/for-admins/enforce-sign-in/methods.md`
8. Test the GPO on a small set of machines first to ensure it behaves as expected. You can use the `gpupdate /force` command on a test machine to manually refresh its group policy settings and check the registry to confirm the changes.
9. Once verified, you can proceed with broader deployment. Monitor the deployment to ensure the settings are applied correctly across the organization's computers.

## Configuration profiles method (Mac only)

{{< summary-bar feature_name="Config profiles" >}}

Configuration profiles are a feature of macOS that let you distribute
configuration information to the Macs you manage. They are the safest method to
enforce sign-in on macOS because the installed configuration profiles are
protected by Apple's System Integrity Protection (SIP) and therefore can't be
tampered with by users.

1. Save the following XML file with the extension `.mobileconfig`, for example
   `docker.mobileconfig`:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
     <dict>
       <key>PayloadContent</key>
       <array>
         <dict>
           <key>PayloadType</key>
           <string>com.docker.config</string>
           <key>PayloadVersion</key>
           <integer>1</integer>
           <key>PayloadIdentifier</key>
           <string>com.docker.config</string>
           <key>PayloadUUID</key>
           <string>eed295b0-a650-40b0-9dda-90efb12be3c7</string>
           <key>PayloadDisplayName</key>
           <string>Docker Desktop Configuration</string>
           <key>PayloadDescription</key>
           <string>Configuration profile to manage Docker Desktop settings.</string>
           <key>PayloadOrganization</key>
           <string>Your Company Name</string>
           <key>allowedOrgs</key>
           <string>first_org;second_org</string>
         </dict>
       </array>
       <key>PayloadType</key>
       <string>Configuration</string>
       <key>PayloadVersion</key>
       <integer>1</integer>
       <key>PayloadIdentifier</key>
       <string>com.yourcompany.docker.config</string>
       <key>PayloadUUID</key>
       <string>0deedb64-7dc9-46e5-b6bf-69d64a9561ce</string>
       <key>PayloadDisplayName</key>
       <string>Docker Desktop Config Profile</string>
       <key>PayloadDescription</key>
       <string>Config profile to enforce Docker Desktop settings for allowed organizations.</string>
       <key>PayloadOrganization</key>
       <string>Your Company Name</string>
     </dict>
   </plist>
   ```

2. Change the placeholders `com.yourcompany.docker.config` and `Your Company Name` to the name of your company.

3. Add your organization name. The names of the allowed organizations are stored in the `allowedOrgs`
   property. It can contain either the name of a single organization or a list of organization names,
   separated by a semicolon:

   ```xml
            <key>allowedOrgs</key>
            <string>first_org;second_org</string>
   ```

4. Use an MDM solution to distribute your modified `.mobileconfig` file to your macOS clients.

5. Verify that the profile is added to the **Device (Managed)** profiles list (**System Settings** > **General** > **Device Management**) on your macOS clients.
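Before handing the file to your MDM, you can lint it for template values that were never replaced. The following is an added example, not part of Docker's documentation or tooling: `lint_profile` and `make_profile` are hypothetical helper names, and the sample profile is constructed from the template keys shown above.

```python
import plistlib
import uuid

# Template values shown on this page that must not survive into a deployed profile.
TEMPLATE_VALUES = {"com.yourcompany.docker.config", "Your Company Name"}
TEMPLATE_ORGS = {"first_org", "second_org"}


def make_profile(identifier, company, allowed_orgs):
    """Build a constructed sample profile with the same keys as the template."""
    payload = {"PayloadType": "com.docker.config", "PayloadVersion": 1,
               "PayloadIdentifier": "com.docker.config",
               "PayloadUUID": str(uuid.uuid4()),
               "PayloadOrganization": company, "allowedOrgs": allowed_orgs}
    return plistlib.dumps({"PayloadContent": [payload], "PayloadType": "Configuration",
                           "PayloadVersion": 1, "PayloadIdentifier": identifier,
                           "PayloadUUID": str(uuid.uuid4()),
                           "PayloadOrganization": company})


def lint_profile(data):
    """Return a list of problems found in .mobileconfig bytes (empty list = OK)."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML, or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(profile, dict):
        return ["top-level plist object is not a dict"]
    problems = []
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == "com.docker.config"]
    if len(payloads) != 1:
        return [f"expected one com.docker.config payload, found {len(payloads)}"]
    for scope, d in (("profile", profile), ("payload", payloads[0])):
        for key in ("PayloadIdentifier", "PayloadOrganization"):
            if d.get(key) in TEMPLATE_VALUES:
                problems.append(f"{scope} {key} still has the template value")
    raw = payloads[0].get("allowedOrgs")
    if not isinstance(raw, str) or not raw.strip():
        return problems + ["allowedOrgs is missing or empty"]
    orgs = [o.strip() for o in raw.split(";")]
    if "" in orgs:
        problems.append("allowedOrgs has an empty entry (stray semicolon)")
    for org in sorted(TEMPLATE_ORGS.intersection(orgs)):
        problems.append(f"allowedOrgs still lists the placeholder {org}")
    return problems


if __name__ == "__main__":
    for issue in lint_profile(make_profile("com.yourcompany.docker.config",
                                           "Your Company Name", "first_org;second_org")):
        print("FAIL:", issue)
```

To check a real file, pass its bytes: `lint_profile(open("docker.mobileconfig", "rb").read())`.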

## plist method (Mac only)

> [!NOTE]
>
> The `plist` method is available with Docker Desktop version 4.32 and later.

To enforce sign-in for Docker Desktop on macOS, you can use a `plist` file that defines the required settings. The following steps guide you through the process of creating and deploying the necessary `plist` file to enforce this policy:

1. Create the file `/Library/Application Support/com.docker.docker/desktop.plist`.
2. Open `desktop.plist` in a text editor and add the following content, where `myorg` is replaced with your organization’s name in all lowercase:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   ```

Title: Enforcing Sign-In for Docker Desktop on macOS: Configuration Profiles and plist Method
Summary
This section details two methods for enforcing sign-in on Docker Desktop specifically for macOS: using configuration profiles and the plist method. Configuration profiles, distributed via MDM, offer robust protection against tampering and involve creating a .mobileconfig file with organization details. The plist method, available from Docker Desktop 4.32, requires creating and modifying a desktop.plist file in a specific directory, adding the organization's name in lowercase.