update Enterprise docs for 0.16.0 (#2993)

* update Enterprise docs for 0.16.0

* Update docs/enterprise/upgrading.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* more docs, plus cross-links

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
Alex Fornuto 2022-02-11 11:06:54 -06:00 committed by GitHub
parent 825b3cdf0d
commit ab0b674b80
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 93 additions and 2 deletions

@ -23,6 +23,12 @@ A list of audiences for verifying signing key
**Default value:** `[]`
## authenticate-service-url
URL for the authenticate service
**Default value:** `none`
## bind-addr
the address to listen on
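Review bot: The new `authenticate-service-url` entry gives a default of `none` but does not say whether the setting is required or what happens when it is left unset. Suggest adding a sentence on that, plus an example value showing the expected form, since the one-line description "URL for the authenticate service" does not show it.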
@ -55,6 +61,12 @@ the databroker service url
**Default value:** `http://localhost:5443`
## debug-config-dump
dump databroker configuration
**Default value:** `false`
## disable-validation
disable config validation
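Review bot: The `debug-config-dump` description, "dump databroker configuration", does not say where the dump is written or whether sensitive values in the configuration are redacted. For a debug flag that may get switched on while troubleshooting, suggest stating the output destination and what the dump can contain, so operators know whether it is safe to leave enabled.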

@ -389,6 +389,47 @@ certificate_key: "$HOME/.acme.sh/*.example.com/*.example.com.key"
**Note:** Pomerium will check your system's trust/key store for valid certificates first. If your certificate solution imports into the system store, you don't need to also specify them with these configuration keys.
## Devices
Introduced in v0.16.0, the **Manage Devices** page lets administrators manage user devices for policy-based authorization.
### Manage Devices
From this page, administrators can manage new and existing device enrollments.
Device enrollment let's you create [policies](/docs/topics/ppl.html#device-matcher) that use [device identity](/docs/topics/device-identity.md).
- Users can [self-enroll](/guides/enroll-device.md) devices, which must then be approved in the **Devices List** for policies requiring approved devices.
- Administrators can use the **New Enrollment** button to create a link for the user to enroll a device as pre-approved.
### Devices List
Displays the currently enrolled devices for each user, along with their current approval status.
Administrators can inspect, approve, or delete registered devices from this table.
![List of user devices](../img/console-devices.png)
### New Enrollment
The **New Enrollment** button allows administrators to create a custom link for a specific user to use to register a new device, which will automatically be approved.
This scheme is known as [Trust on First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use).
![Example device enrollment](../img/new-enrollment.png)
#### Search Users
New Enrollment URLs are only valid for the specified user.
#### Redirect URL
**Required**: The URL the user will be taken to after device enrollment is successful.
#### Enrollment Type
Specify if the user can enroll any device identity, or restrict it to a [secure enclave](/docs/topics/device-identity.md#secure-enclaves).
[route-concept]: /enterprise/concepts.md#routes
[route-reference]: /enterprise/reference/manage.md#routes
[namespace-concept]: /enterprise/concepts.md#namespaces
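Review bot: Under "New Enrollment", the text says a device registered through the generated link "will automatically be approved", but nothing states how long the link stays valid or whether it can be used more than once. Since approval is implicit here (the TOFU scheme the section cites), suggest documenting the link's lifetime and reuse behaviour. Smaller points in the same hunk: "Device enrollment let's you create" should read "lets"; the policies link uses `/docs/topics/ppl.html#device-matcher` while the neighbouring links use `.md` paths, so one of the two forms is probably unintended; and "Search Users" states only a constraint on the URL, so a sentence on what the field does would help.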