sbx: document sign-in enforcement for sandboxes#25263
Merged
Merged
Conversation
Add an admin-facing guide for organization sign-in enforcement (G-6), deployed via endpoint management (macOS configuration profile, Windows registry, Linux config file). Cross-link from the governance overview and generalize the security page's organization-control section. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Use the source-path form (_index.md) so Hugo resolves the internal link; the published-URL form left the /manuals prefix unstripped and failed the htmltest link check. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docker-agent
reviewed
Jun 4, 2026
dvdksn
commented
Jun 4, 2026
dvdksn
commented
Jun 4, 2026
- Remove bold "Term." lead-ins from the consequences list (STYLE.md reserves bold for UI elements) - Reorder the page before the API reference (weight 22, grouped with organization policy) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
smnovick
reviewed
Jun 4, 2026
smnovick
reviewed
Jun 4, 2026
smnovick
suggested changes
Jun 4, 2026
- Frame the feature as part of the AI Governance offering (not a separate paid subscription) - Drop "Hub" from organization/API references to avoid confusion - Remove the manual-logout fallback sentence - Remove the login-time-only / fail-closed / consequences section - Trim the MDM example list to Jamf and Intune (drop unused vocab terms) - Remove the Windows registry-path intro and the Linux weaker-enforcement note Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docker-agent
reviewed
Jun 5, 2026
| {{< tab name="Windows" >}} | ||
|
|
||
| Deploy it through Group Policy, Intune, or any endpoint management tool that can | ||
| write registry values. |
There was a problem hiding this comment.
[MEDIUM] Windows tab omits the registry key path from deployment prose
The macOS and Linux tabs both state the configuration path upfront in prose before showing the config. The Windows tab says "Deploy it through Group Policy, Intune, or any endpoint management tool that can write registry values" but never names the registry key path (HKLM:\SOFTWARE\Policies\Docker\SBX) in the introductory text or the table — it only appears later in the "test locally" PowerShell snippet.
An IT admin configuring enforcement via Group Policy or Intune would need the registry path to set up the GPO template or Intune registry policy. Since the PowerShell block is framed as a local test rather than the primary deployment instruction, the path is easy to miss.
Consider adding a sentence like: "Write the values to HKLM:\SOFTWARE\Policies\Docker\SBX." before or within the table.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds an admin-facing guide for Docker Sandboxes organization sign-in enforcement: admins deploy an enforcement configuration via endpoint management (macOS configuration profile, Windows registry, Linux root-owned JSON file) specifying allowed Docker Hub org slugs, and
sbx loginverifies membership and revokes credentials on failure.New page
content/manuals/ai/sandboxes/governance/sign-in-enforcement.mdcovers how it works (login-time-only, fail-closed, auto-login behavior), the configuration schema, per-platform deployment, and error messages. Also cross-links from the governance overview and generalizes the security page's organization-control section so it makes a single point about admin-level controls rather than enumerating each feature.Learnings
sbxsign-in enforcement config is entirely endpoint/file-based (com.docker.sbxmanaged prefs,HKLM\SOFTWARE\Policies\Docker\SBX,/etc/docker-sbx/config.json) with no Admin Console UI — distinct from sandbox org policy (network/filesystem), which is Admin Console + API driven. Worth keeping these two admin mechanisms separate in the docs.Generated by Claude Code