Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
---
title: Endpoint stage
---

This stage integrates with [Endpoint Device](../../../../endpoint-devices/index.mdx) functionality, allowing you to verify whether a device executing a flow is registered with authentik.

The Endpoint stage fetches [device facts](../../../../endpoint-devices/device-compliance/device-reporting.md#device-facts) via a configured [connector](../../../../endpoint-devices/device-compliance/connectors.md) for use in the flow. These device facts can be used by other stages and policies to make device compliance decisions.

### Connector
Member

I mean, this page has no section why not just make it H2s?


Select the [connector](../../../../endpoint-devices/device-compliance/connectors.md) that the Endpoint stage should use to obtain device information.

### Mode
Member

And here


Select whether an endpoint device is required for the stage to succeed or not.
Member

Suggested change
Select whether an endpoint device is required for the stage to succeed or not.
Select whether an endpoint device is required for the stage to succeed.
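Review bot: Under `### Mode`, the text says a device can be "required for the stage to succeed" or not, but it does not name the selectable values or say what the flow sees when the device is optional and no device facts come back. Since the second paragraph tells readers that other stages and policies make compliance decisions from these facts, please list the mode names and add a sentence stating that facts may be absent in the optional case, so policy authors handle a missing device explicitly rather than treating it as compliant.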

Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
---
title: Deployment
sidebar_label: Deployment
---

import DocCardList from "@theme/DocCardList";

You can deploy the authentik Agent on [Linux](./linux.md), [macOS](./macos.md), and [Windows](./windows.md) devices.

Documentation for large-scale deployments via [Mobile Device Management (MDM)](./mdm.mdx) tools is also available.
Contributor

Suggested change
Documentation for large-scale deployments via [Mobile Device Management (MDM)](./mdm.mdx) tools is also available.
Large-scale deployments via [Mobile Device Management (MDM)](./mdm.mdx) tools is also supported.


For more information, pick a topic below:
Contributor

Suggested change
For more information, pick a topic below:
For more information, select a topic below:

Contributor

or "refer to a topic.." but "pick" feels too slangy, imo.


<DocCardList />
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
---
title: Deploy authentik Agent on Linux
sidebar_label: Linux
tags: [authentik Agent, linux, deploy, packages]
---

## What can it do
Contributor

Suggested change
## What can it do
## What the authentik agent does

Contributor

or "What does the authentik agent do?"

Contributor

I'm still torn about the capitalization of the word "agent". A parallel is the term "Endpoint stage"... in which we capitalize the proper name (Endpoint) but not the word "stage". I think the same applies here, just so happens that authentik is lower-case.


- Retrieves information about the host for use in authentik, see [Device Compliance](../../device-compliance/index.mdx).
Contributor

Suggested change
- Retrieves information about the host for use in authentik, see [Device Compliance](../../device-compliance/index.mdx).
- Retrieves information about the host (known as "device facts") for use by authentik; see [Device Compliance](../../device-compliance/index.mdx) for more information.

- Authorize Sudo elevation, see [Sudo authorization](../../device-authentication/sudo-authorization.md).
- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).

## Prerequisites

You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.

## Install the authentik Agent in Linux

(TODO - guide via UI)

Follow these steps to install the authentik Agent on your Linux device:

1. Open a Terminal session and install the required GPG key:

```sh
curl -fsSL https://pkg.goauthentik.io/keys/gpg-key.asc | sudo gpg --dearmor -o /usr/share/keyrings/authentik-keyring.gpg
```

2. Add the repository:

```sh
echo "deb [signed-by=/usr/share/keyrings/authentik-keyring.gpg] https://pkg.goauthentik.io stable main" | sudo tee /etc/apt/sources.list.d/authentik.list
```

3. Update your repositories and install the authentik Agent packages:

```sh
sudo apt update
sudo apt install authentik-cli authentik-agent authentik-sysd
```

4. Confirm that the authentik Agent is installed by entering the following command: `ak`
You should see a response that starts with: `authentik CLI v<version_number>`

## Enable device authentication

To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:

1. Open a Terminal session and run the following command:

```sh
ak config setup --authentik-url <authentik_FQDN>
```

2. A browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.

## Enable device compliance and accepting SSH connections

To enable [device compliance features](../../device-compliance/index.mdx) and the device [accepting SSH connections](../../device-authentication/ssh-authentication.mdx), you must join the device to an authentik domain. This can be done via the CLI or by editing a configuration file.

### CLI

1. Open a Terminal session and run the following command:

```sh
ak-sysd domains join <name_for_authentik_domain> -a <authentik_FQDN>
```

- `name_for_authentik_domain` is the name that will be used to identify the authentik deployment on the device.
- `authentik_FQDN` is the fully qualified domain name of the authentik deployment.
Member

Suggested change
- `authentik_FQDN` is the fully qualified domain name of the authentik deployment.
- `https://authentik.company` is the fully qualified domain name of the authentik deployment.


2. (TODO)

### Configuration file

1. Create the following file: `/etc/authentik/domains/ak.json`
2. Paste the following values into the file:

(TODO) JSON codeblock

## Logging

All authentik Agent related logs output to the Linux system logging service, `syslog`.
Member

Suggested change
All authentik Agent related logs output to the Linux system logging service, `syslog`.
authentik Agent logs are available via the system journal (`systemd`) or `syslog`, depending on the distribution.

systemd is the default for logs pretty much everywhere i think?

depending on the distribution <--- can be removed, tbd idk
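Review bot: Step 1 of the install pipes `gpg-key.asc` from `curl` straight into `gpg --dearmor` and writes the result to the keyring that `signed-by=` trusts in step 2, so the reader never checks which key they have just trusted. Please publish the expected key fingerprint in this step and add a command that displays the fingerprint of `/usr/share/keyrings/authentik-keyring.gpg` for comparison before `sudo apt update`. The `(TODO)` items under `### CLI` and `### Configuration file` also leave the domain-join procedure incomplete, so the section on accepting SSH connections cannot be followed end to end yet.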

Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
---
title: Deploy authentik Agent on macOS
sidebar_label: macOS
tags: [authentik Agent, mac, macos, deploy]
---

## What it can do

- Retrieves information about the host for use in authentik, see [Device Compliance](../../device-compliance/index.mdx).
- Authorize Sudo elevation, see [Sudo authorization](../../device-authentication/sudo-authorization.md). (TODO - needs testing)
- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).

## Prerequisites

You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.

## Install the authentik Agent

(TODO - guide via UI)

Follow these steps to install the authentik Agent on your macOS device:

1. Open the [authentik Platform Packages](https://pkg.goauthentik.io) page.
2. Under **Desktop packages** click on **macOS** to download the macOS package.
3. Once the download is complete, attempt to install the package. Default Apple security settings should block the install.
- This can be avoided by Option + Right Clicking the package and clicking **Open**.
- Alternatively use the following command to remove the package from quarantine: `xattr -r -d com.apple.quarantine "$HOME/Downloads/authentik agent installer.pkg"`
4. If prompted, enter your login password and click OK. You should now be able to install the package.
5. Continue through the installation wizard steps.
6. Confirm that the authentik Agent is installed by opening a Terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v<version_number>`

## Enable device authentication

To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:

1. Open a Terminal session and run the following command:

```sh
ak config setup --authentik-url <authentik_FQDN>
Member

use full url for authentik fqdn

```

2. A browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.

## Enable device compliance

To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain. This can be done via the CLI or by editing a configuration file.

### CLI

1. Open a Terminal session and run the following command:

```sh
ak-sysd domains join <name_for_authentik_domain> -a <authentik_FQDN>
Member

same as linux doc

```

- `name_for_authentik_domain` is the name that will be used to identify the authentik deployment on the device.
Member

same as linux doc

- `authentik_FQDN` is the fully qualified domain name of the authentik deployment.
Member

same as linux doc


2. (TODO)

### Configuration file

1. Create the following file: `/etc/authentik/domains/ak.json`
2. Paste the following values into the file:

(TODO) JSON codeblock

## Logging

The authentik Agent uses macOS's native logging abilities. To retrieve the logs, open the Console application and then filter for the relevant authentik Agent component (for example, `==sysd`).
Member

Suggested change
The authentik Agent uses macOS's native logging abilities. To retrieve the logs, open the Console application and then filter for the relevant authentik Agent component (for example, `==sysd`).
The authentik Agent uses macOS's native logging abilities. To retrieve the logs, open the Console application and then filter for authentik-related processes such as `authentik-agent` or `authentik-sysd`.

i think???
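Review bot: Step 3 of the install tells readers that default Apple security settings "should block the install" and then offers `xattr -r -d com.apple.quarantine` as the way past it, with no step that checks the package first. If the package is meant to be signed and notarized, the block should not occur and these two bullets can be dropped; if it is not yet, add a verification step ahead of the bypass (for example `pkgutil --check-signature` on the downloaded `.pkg`, or a published checksum) so the documented path is not simply removing the quarantine attribute from whatever was downloaded. The `(TODO - needs testing)` on the Sudo bullet should be resolved before that capability is listed.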

Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
---
title: Deploy authentik Agent via MDM
sidebar_label: MDM
tags: [authentik Agent, mdm, fleet, deploy]
---

authentik Agent can be deployed at scale to multiple devices via Mobile Device Management (MDM) tools. (TODO)

## Prerequisites

You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.

## Windows

(TODO)

## Linux

(TODO)

## macOS

(TODO)
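Review bot: All three platform sections (`## Windows`, `## Linux`, `## macOS`) are still `(TODO)`, while the Deployment index page states that documentation for large-scale MDM deployments "is also available". Either hold this page out of the sidebar until at least one section has content, or mark it as a draft so readers do not land on an empty guide.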
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
---
title: Deploy authentik Agent on Windows
sidebar_label: Windows
tags: [authentik Agent, windows]
---

## What can it do
Member

Suggested change
## What can it do
## What it can do


- Retrieves information about the host for use in authentik, see [Device Compliance](../../device-compliance/index.mdx).
- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).

:::info Windows Versions
Member

Suggested change
:::info Windows Versions
:::warn Supported Windows Versions

The authentik Agent is currently only tested on Windows 11 and Windows Server 2022.
Member

Suggested change
The authentik Agent is currently only tested on Windows 11 and Windows Server 2022.
The authentik Agent is currently only tested on Windows 11 and Windows Server 2022. Other versions may work but are untested.

:::

## Prerequisites

You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.

## Install the authentik Agent

(TODO - guide via UI)

Follow these steps to install the authentik Agent on your Windows device:

1. Open the [authentik Platform Packages](https://pkg.goauthentik.io) page.
2. Under **Desktop packages** click on **Windows** to download the Windows MSI file.
3. Once the download is complete, install the MSI file.
4. _(Optional)_ During installation, select [Windows Credential Provider](#windows-credential-provider) if you want to log in to the Windows device using authentik credentials.

5. Confirm that the authentik Agent is installed by opening a PowerShell or Terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v<version_number>`

## Enable device authentication

To enable [device authentication features](../../device-authentication/index.mdx), you must connect the device to an authentik deployment. To do so, follow these steps:

1. Open a Terminal and run the following command:

```sh
ak config setup --authentik-url <authentik_FQDN>
Member

same as other docs

```

2. A browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.

## Enable device compliance

To enable [device compliance features](../../device-compliance/index.mdx), you must join the device to an authentik domain. This can be done via the CLI or by editing a configuration file.

### CLI

1. Open a Terminal session and run the following command:

```sh
ak-sysd domains join <name_for_authentik_domain> -a <authentik_FQDN>
```

- `name_for_authentik_domain` is the name that will be used to identify the authentik deployment on the device.
Member

same as other doc

- `authentik_FQDN` is the fully qualified domain name of the authentik deployment.
Member

same as other doc


2. (TODO)

### Configuration file

1. Create the following file: (TODO) windows filepath
2. Paste the following values into the file:

(TODO) JSON codeblock

## Windows Credential Provider

Windows Credential Provider (WCP) is a component of the authentik Agent that allows logging in to Windows workstations using authentik credentials.

It currently only supports local login; RDP login is not supported.

:::warning

- When WCP is enabled, the password of the Windows user account that's used to login is set to a random string.
- WCP can cause issues with user encrypted directories.
- Support with Active directory has not been confirmed yet.
- Offline login is currently not supported.
:::

#### Configure Windows Credential Provider

You'll need to add a registry entry for WCP to work:

1. On the Windows device, open the Notepad application
Member

Suggested change
1. On the Windows device, open the Notepad application
1. On the Windows device, open the Notepad application.

2. Paste the following block of text into Notepad:

```powershell
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7BCC7941-18BA-4A8E-8E0A-1D0F8E73577A}]
"URL"="https://authentik.company"
"ClientID"="authentik-cli"
```

Where `URL` is the FQDN of your authentik deployment and `ClientID` is the Client ID of the [`authentik-cli` provider](../configuration.md#create-an-application-and-provider-in-authentik-for-cli).

3. Save the file as `authentik.reg` and ensure that **Save as type** is set to **All Files**.
4. Locale the `authentik.reg` file in File Explorer, right-click it and select **Merge**.
Member

Suggested change
4. Locale the `authentik.reg` file in File Explorer, right-click it and select **Merge**.
4. Locate the `authentik.reg` file in File Explorer, right-click it and select **Merge**.

5. Approve the admin prompt.

## Logging

The authentik Agent primarily outputs logs to Windows Event Viewer.

WCP logs to the `wcp.log` file in `C:\Program Files\Authentik Security Inc\wcp`.
Member

Suggested change
WCP logs to the `wcp.log` file in `C:\Program Files\Authentik Security Inc\wcp`.
WCP logs to the `wcp.log` located in `C:\Program Files\Authentik Security Inc\wcp`.
