goauthentik · dewi-tik · Dec 3, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 5, 2025
@@ -0,0 +1,15 @@
+---
+title: Endpoint stage
+---
+
+This stage integrates with [Endpoint Device](../../../../endpoint-devices/index.mdx) functionality and allows authentik to verify whether the device executing a flow is registered.
+
+The Endpoint stage fetches [device facts](../../../../endpoint-devices/device-compliance/device-reporting.md#device-facts) via a configured [connector](../../../../endpoint-devices/device-compliance/connectors.md) and injects them into the flow context. These device facts can be used by other stages and policies to make device compliance decisions.
+
+## Connector
+
+Select the [connector](../../../../endpoint-devices/device-compliance/connectors.md) that the Endpoint stage will use to obtain device facts.
+
+## Mode
+
+Select whether the presence of a registered endpoint device is required for the stage to succeed.
@@ -0,0 +1,14 @@
+---
+title: Deployment
+sidebar_label: Deployment
+---
+
+import DocCardList from "@theme/DocCardList";
+
+You can deploy the authentik Agent on [Linux](./linux.md), [macOS](./macos.md), and [Windows](./windows.md) devices.
+
+Documentation for large-scale deployments using [Mobile Device Management (MDM)](./mdm.mdx) tools is also available.
+
+Select a topic below to continue:
+
+<DocCardList />
@@ -0,0 +1,86 @@
+---
+title: Deploy authentik Agent on Linux
+sidebar_label: Linux
+tags: [authentik Agent, linux, deploy, packages]
+---
+
+## What it can do
+
+- Retrieves information about the host and reports it to authentik, see [Device Compliance](../../device-compliance/index.mdx).
+- Authorize Sudo elevation, see [Sudo authorization](../../device-authentication/sudo-authorization.md).
+- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
+- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).
+
+## Prerequisites
+
+You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.
+
+## Install the authentik Agent on Linux
+
+(TODO - guide via UI)
+
+Follow these steps to install the authentik Agent on your Linux device:
+
+1. Open a Terminal session and install the required GPG key:
+
+```sh
+curl -fsSL https://pkg.goauthentik.io/keys/gpg-key.asc | sudo gpg --dearmor -o /usr/share/keyrings/authentik-keyring.gpg
+```
+
+2. Add the repository:
+
+```sh
+echo "deb [signed-by=/usr/share/keyrings/authentik-keyring.gpg] https://pkg.goauthentik.io stable main" | sudo tee /etc/apt/sources.list.d/authentik.list
+```
+
+3. Update your repositories and install the authentik Agent packages:
+
+```sh
+sudo apt update
+sudo apt install authentik-cli authentik-agent authentik-sysd
+```
+
+4. Confirm that the authentik Agent is installed:
+```sh
+ak
+You should see a response that starts with: `authentik CLI v<version_number>`
+
+## Enable device authentication
+
+To enable [device authentication features](../../device-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+
+1. Open a Terminal session and run the following command:
+
+```sh
+ak config setup --authentik-url https://authentik.company
+```
+
+2. A browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+
+## Enable device compliance and SSH access
+
+To enable [device compliance features](../../device-compliance/index.mdx) and the device [accepting SSH connections](../../device-authentication/ssh-authentication.mdx), you must join the device to an authentik domain. This can be done via the CLI or by editing a configuration file.
+
+### CLI
+
+1. Open a Terminal session and run the following command:
+
+```sh
+ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
+```
+
+- `deployment_name` is the name that will be used to identify the authentik deployment on the device.
+- `https://authentik.company` is the fully qualified domain name of the authentik deployment.
+
+2. (TODO)
+
+### Configuration file
+
+1. Create the following file: `/etc/authentik/domains/ak.json`
+2. Paste the following values into the file:
+
+(TODO) JSON codeblock
+
+## Logging
+
+authentik Agent logs are available via the system journal (`systemd`) or `syslog`, depending on the distribution.
@@ -0,0 +1,72 @@
+---
+title: Deploy authentik Agent on macOS
+sidebar_label: macOS
+tags: [authentik Agent, mac, macos, deploy]
+---
+
+## What it can do
+
+- Retrieves information about the host for use in authentik, see [Device Compliance](../../device-compliance/index.mdx).
+- Authorize Sudo elevation, see [Sudo authorization](../../device-authentication/sudo-authorization.md). (TODO - needs testing)
+- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
+- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).
+
+## Prerequisites
+
+You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.
+
+## Install the authentik Agent
+
+(TODO - guide via UI)
+
+Follow these steps to install the authentik Agent on your macOS device:
+
+1. Open the [authentik Platform Packages](https://pkg.goauthentik.io) page.
+2. Under **Desktop packages** click on **macOS** to download the macOS package.
+3. Once the download is complete, attempt to install the package. Default Apple security settings should block the install.
+    - This can be avoided by Option + Right Clicking the package and clicking **Open**.
+    - Alternatively use the following command to remove the package from quarantine: `xattr -r -d com.apple.quarantine "$HOME/Downloads/authentik agent installer.pkg"`
+4. If prompted, enter your login password and click OK. You should now be able to install the package.
+5. Continue through the installation wizard steps.
+6. Confirm that the authentik Agent is installed by opening a Terminal window and entering the following command: `ak`
+   You should see a response that starts with: `authentik CLI v<version_number>`
+
+## Enable device authentication
+
+To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:
+
+1. Open a Terminal session and run the following command:
+
+```sh
+ak config setup --authentik-url https://authentik.company
+```
+
+2. A browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+
+## Enable device compliance
+
+To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain. This can be done via the CLI or by editing a configuration file.
+
+### CLI
+
+1. Open a Terminal session and run the following command:
+
+```sh
+ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
+```
+
+- `deployment_name` is the name that will be used to identify the authentik deployment on the device.
+- `https://authentik.company` is the fully qualified domain name of the authentik deployment.
+
+2. (TODO)
+
+### Configuration file
+
+1. Create the following file: `/etc/authentik/domains/ak.json`
+2. Paste the following values into the file:
+
+(TODO) JSON codeblock
+
+## Logging
+
+The authentik Agent uses macOS's native logging abilities. To retrieve the logs, open the Console application and then filter for authentik-related processes such as `authentik-agent` or `authentik-sysd`.
@@ -0,0 +1,23 @@
+---
+title: Deploy authentik Agent via MDM
+sidebar_label: MDM
+tags: [authentik Agent, mdm, fleet, deploy]
+---
+
+authentik Agent can be deployed at scale to multiple devices via Mobile Device Management (MDM) tools. (TODO)
+
+## Prerequisites
+
+You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.
+
+## Windows
+
+(TODO)
+
+## Linux
+
+(TODO)
+
+## macOS
+
+(TODO)
@@ -0,0 +1,110 @@
+---
+title: Deploy authentik Agent on Windows
+sidebar_label: Windows
+tags: [authentik Agent, windows]
+---
+
+## What it can do
+
+- Retrieves information about the host for use in authentik, see [Device Compliance](../../device-compliance/index.mdx).
+- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
+- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).
+
+:::warn Supported Windows Versions
+The authentik Agent is currently only tested on Windows 11 and Windows Server 2022. Other versions may work but are untested.
+:::
+
+## Prerequisites
+
+You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.
+
+## Install the authentik Agent
+
+(TODO - guide via UI)
+
+Follow these steps to install the authentik Agent on your Windows device:
+
+1. Open the [authentik Platform Packages](https://pkg.goauthentik.io) page.
+2. Under **Desktop packages** click on **Windows** to download the Windows MSI file.
+3. Once the download is complete, install the MSI file.
+4. _(Optional)_ During installation, select [Windows Credential Provider](#windows-credential-provider) if you want to log in to the Windows device using authentik credentials.
+
+5. Confirm that the authentik Agent is installed by opening a PowerShell or Terminal window and entering the following command: `ak`
+   You should see a response that starts with: `authentik CLI v<version_number>`
+
+## Enable device authentication
+
+To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:
+
+1. Open a Terminal and run the following command:
+
+```sh
+ak config setup --authentik-url https://authentik.company
+```
+
+2. A browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.
+
+## Enable device compliance
+
+To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain. This can be done via the CLI or by editing a configuration file.
+
+### CLI
+
+1. Open a Terminal session and run the following command:
+
+```sh
+ak-sysd domains join <deployment_name> --authentik-url https://authentik.company
+```
+
+- `deployment_name` is the name that will be used to identify the authentik deployment on the device.
+- `https://authentik.company` is the fully qualified domain name of the authentik deployment.
+
+2. (TODO)
+
+### Configuration file
+
+1. Create the following file: (TODO) windows filepath
+2. Paste the following values into the file:
+
+(TODO) JSON codeblock
+
+## Windows Credential Provider
+
+Windows Credential Provider (WCP) is a component of the authentik Agent that allows logging in to Windows workstations using authentik credentials.
+
+It currently only supports local login; RDP login is not supported.
+
+:::warning
+
+- When WCP is enabled, the password of the Windows user account that's used to login is set to a random string.
+- WCP can cause issues with user encrypted directories.
+- Support with Active directory has not been confirmed yet.
+- Offline login is currently not supported.
+  :::
+
+#### Configure Windows Credential Provider
+
+You'll need to add a registry entry for WCP to work:
+
+1. On the Windows device, open the Notepad application.
+2. Paste the following block of text into Notepad:
+
+```powershell
+Windows Registry Editor Version 5.00
+
+[HKEY_CLASSES_ROOT\CLSID\{7BCC7941-18BA-4A8E-8E0A-1D0F8E73577A}]
+"URL"="https://authentik.company"
+"ClientID"="authentik-cli"
+```
+
+Where `URL` is the FQDN of your authentik deployment and `ClientID` is the Client ID of the [`authentik-cli` provider](../configuration.md#create-an-application-and-provider-in-authentik-for-cli).
+
+3. Save the file as `authentik.reg` and ensure that **Save as type** is set to **All Files**.
+4. Locate the `authentik.reg` file in File Explorer, right-click it and select **Merge**.
+5. Approve the admin prompt.
+
+## Logging
+
+The authentik Agent primarily outputs logs to Windows Event Viewer.
+
+WCP logs to the `wcp.log` located in `C:\Program Files\Authentik Security Inc\wcp`.