update Enterprise docs for 0.16.0 (#2993)

* update Enterprise docs for 0.16.0 * Update docs/enterprise/upgrading.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * more docs, plus cross-links Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
2025-05-30 01:17:21 +02:00 · 2022-02-11 11:06:54 -06:00 · 2022-02-11 11:06:54 -06:00 · ab0b674b80
commit ab0b674b80
parent 825b3cdf0d
8 changed files with 93 additions and 2 deletions
--- a/docs/enterprise/reference/config.md
+++ b/docs/enterprise/reference/config.md
@ -23,6 +23,12 @@ A list of audiences for verifying signing key

 **Default value:** `[]`

+## authenticate-service-url
+
+URL for the authenticate service
+
+**Default value:** `none`
+
 ## bind-addr

 the address to listen on
@ -55,6 +61,12 @@ the databroker service url

 **Default value:** `http://localhost:5443`

+## debug-config-dump
+
+dump databroker configuration
+
+**Default value:** `false`
+
 ## disable-validation

 disable config validation
--- a/docs/enterprise/reference/manage.md
+++ b/docs/enterprise/reference/manage.md
@ -389,6 +389,47 @@ certificate_key:  "$HOME/.acme.sh/*.example.com/*.example.com.key"

 **Note:** Pomerium will check your system's trust/key store for valid certificates first. If your certificate solution imports into the system store, you don't need to also specify them with these configuration keys.

+## Devices
+
+Introduced in v0.16.0, the **Manage Devices** page lets administrators manage user devices for policy-based authorization.
+
+
+### Manage Devices
+
+From this page, administrators can manage new and existing device enrollments.
+Device enrollment let's you create [policies](/docs/topics/ppl.html#device-matcher) that use [device identity](/docs/topics/device-identity.md).
+- Users can [self-enroll](/guides/enroll-device.md) devices, which must then be approved in the **Devices List** for policies requiring approved devices.
+- Administrators can use the **New Enrollment** button to create a link for the user to enroll a device as pre-approved.
+
+
+### Devices List
+
+Displays the currently enrolled devices for each user, along with their current approval status.
+Administrators can inspect, approve, or delete registered devices from this table.
+
+![List of user devices](../img/console-devices.png)
+
+
+### New Enrollment
+
+The **New Enrollment** button allows administrators to create a custom link for a specific user to use to register a new device, which will automatically be approved.
+This scheme is known as [Trust on First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use).
+
+![Example device enrollment](../img/new-enrollment.png)
+
+
+#### Search Users
+
+New Enrollment URLs are only valid for the specified user.
+
+#### Redirect URL
+
+**Required**: The URL the user will be taken to after device enrollment is successful.
+
+#### Enrollment Type
+
+Specify if the user can enroll any device identity, or restrict it to a [secure enclave](/docs/topics/device-identity.md#secure-enclaves).
+
 [route-concept]: /enterprise/concepts.md#routes
 [route-reference]: /enterprise/reference/manage.md#routes
 [namespace-concept]: /enterprise/concepts.md#namespaces