Merge pull request #21468 from docker/published-update
publish updates from main
aevesdocker authored Nov 21, 2024
2 parents ded8fb5 + 42d97aa commit 5541641
Showing 12 changed files with 171 additions and 33 deletions.
2 changes: 1 addition & 1 deletion content/guides/admin-set-up/comms-and-info-gathering.md
Expand Up @@ -26,7 +26,7 @@ Some companies may have more than one [Docker organization](/manuals/admin/organ

Through [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md), Docker provides numerous configuration parameters that can be preset. The Docker organization owner, development lead, and infosec representative should review these settings to establish the company’s baseline configuration, including security features and [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) for Docker Desktop users. Additionally, they should decide whether to take advantage of free trials for other Docker products, such as [Docker Scout](/manuals/scout/_index.md), which is included in the subscription.

To view the parameters that can be preset, see [Configure Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md#step-two-configure-the-settings-you-want-to-lock-in).
To view the parameters that can be preset, see [Configure Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md#step-two-configure-the-settings-you-want-to-lock-in).

## Optional step four: Meet with the Docker Implementation team

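Review bot: the retargeted link at the end of the hunk keeps the fragment `#step-two-configure-the-settings-you-want-to-lock-in` while changing the page to `configure-json-file.md`; this PR does not show that page's headings, so confirm the "Step two" heading was carried over unchanged, otherwise the link silently lands at the top of the page.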
Expand Up @@ -93,6 +93,7 @@ The paths to your `.env` file, specified in the `env_file` attribute, are relati
- path: ./override.env
required: false
```
- As of Docker Compose version 2.30.0, you can use an alternative file format for the `env_file` with the `format` attribute. For more information, see [`format`](/reference/compose-file/services.md#format).
- Values in your `.env` file can be overridden from the command line by using [`docker compose run -e`](#set-environment-variables-with-docker-compose-run---env).

## Set environment variables with `docker compose run --env`
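Review bot: the new `format` bullet does not say which values the attribute accepts or that it sits alongside `path` and `required` in the list form shown just above; consider extending that example with `format: <value>` under `- path: ./override.env` and naming the supported value(s) here rather than only linking to the reference page.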
13 changes: 7 additions & 6 deletions content/manuals/desktop/release-notes.md
Expand Up @@ -32,13 +32,14 @@ Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projec
### New

- Existing Docker Desktop installations using the WSL2 engine on Windows are now automatically migrated to a unified single-distribution architecture for enhanced consistency and performance.
- Enhance Container Isolation (ECI) has been improved to support images with wildcard tags.
- Administrators can now:
- Allow any container to mount the Docker socket with ECI.
- Enforce sign-in with macOS [configuration profiles](/manuals/security/for-admins/enforce-sign-in/methods.md#configuration-profiles-method-mac-only) (Early Access).
- Enforce sign-in for more than one organization at a time (Early Access).
- Deploy Docker Desktop for Mac in bulk with the [PKG installer](/manuals/desktop/setup/install/enterprise-deployment/pkg-install-and-configure.md) (Early Access).
- Use Desktop Settings Management to manage and enforce defaults via admin.docker.com (Early Access).
- Enhance Container Isolation (ECI) has been improved to:
- Allow admins to [turn off Docker socket mount restrictions](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md#allowing-all-containers-to-mount-the-docker-socket).
- Support wildcard tags when using the [`allowedDerivedImages` setting](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md#docker-socket-mount-permissions-for-derived-images).

### Upgrades

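Review bot: the new sub-bullet "Allow any container to mount the Docker socket with ECI" describes the relaxation of a security control without saying so; access to the Docker socket from inside a container is equivalent to control of the host engine, so word it the way the later bullet does ("turn off Docker socket mount restrictions") and note that it weakens ECI isolation for such containers. That later bullet also duplicates this one, so keep only one of them. Finally, "Enhance Container Isolation" should read "Enhanced Container Isolation", the product name used elsewhere in this PR.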
Expand All @@ -60,7 +61,7 @@ Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projec
- Fixed an issue where if Docker Desktop is configured to use a proxy, it fails to start due to an internal timeout while fetching authentication tokens.
- Added a recovery banner to retry an update if the download failed.
- Fixed an issue where if the `umask` is set to `577` it would cause `rpmbuild` failure. Fixes [docker/for-mac#6511](https://github.com/docker/for-mac/issues/6511).
- Fixed a bug that caused ports open on the host to 18 for containers started with `--network=host`.
- Fixed a bug that restricted containers using `--network=host` to 18 open host ports.
- Fixed bind mount ownership for non-root containers. Fixes [docker/for-mac#6243](https://github.com/docker/for-mac/issues/6243).
- Docker Desktop will not unpause automatically after a manual pause. The system will stay paused until you manually resume the Docker engine. This fixes a bug where other software would accidentally trigger a resume by running a CLI command in the background. Fixes [for-mac/#6908](https://github.com/docker/for-mac/issues/6908)

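Review bot: the rewritten bullet about the 18-port limit for `--network=host` is clearer than the old text, but unlike its neighbours it cites no tracking issue; if one exists, link it in the `Fixes [docker/for-mac#NNNN]` form used by the surrounding bullets (NNNN being the placeholder for the real number).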
Expand Down Expand Up @@ -614,7 +615,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st

### New

- You can now enforce Rosetta usage via [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md).
- You can now enforce Rosetta usage via [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md).
- [Docker socket mount restrictions](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md) with ECI is now generally available.
- Docker Engine and CLI updated to [Moby 26.0](https://github.com/moby/moby/releases/tag/v26.0.0). This includes Buildkit 0.13, sub volumes mounts, networking updates, and improvements to the containerd multi-platform image store UX.
- New and improved Docker Desktop error screens: swift troubleshooting, easy diagnostics uploads, and actionable remediation.
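Review bot: this hunk, and the two identical retargets in the hunks at `@@ -912,7 +913,7 @@` and `@@ -1022,7 +1023,7 @@`, swap `configure.md` for the `_index.md` overview. That matches the split of the configure page into `configure-json-file.md` and `configure-admin-console.md`, but where the note concerns a specific JSON setting (Rosetta enforcement, Scout analysis, beta features) linking the overview forces a second click; consider `configure-json-file.md` for those.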
Expand Down Expand Up @@ -912,7 +913,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st

### New

- Administrators can now control access to beta and experimental features in the **Features in development** tab with [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md).
- Administrators can now control access to beta and experimental features in the **Features in development** tab with [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md).
- Introduced four new version update states in the footer.
- `docker init` (Beta) now supports PHP with Apache + Composer.
- The [**Builds** view](use-desktop/builds.md) is now GA. You can now inspect builds, troubleshoot errors, and optimize build speed.
Expand Down Expand Up @@ -1022,7 +1023,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
- Rosetta is now Generally Available for all users on macOS 13 or later. It provides faster emulation of Intel-based images on Apple Silicon. To use Rosetta, see [Settings](/manuals/desktop/settings-and-maintenance/settings.md). Rosetta is enabled by default on macOS 14.1 and later.
- Docker Desktop now detects if a WSL version is out of date. If an out dated version of WSL is detected, you can allow Docker Desktop to automatically update the installation or you can manually update WSL outside of Docker Desktop.
- New installations of Docker Desktop for Windows now require a Windows version of 19044 or later.
- Administrators now have the ability to control Docker Scout image analysis in [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md).
- Administrators now have the ability to control Docker Scout image analysis in [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md).

### Upgrades

2 changes: 1 addition & 1 deletion content/manuals/scout/release-notes/cli.md
Expand Up @@ -410,7 +410,7 @@ Discarded in favor of [1.9.1](#191).
instance by Docker Desktop there's no need anymore to re-index it on WSL2
side.
- Indexing is now blocked in the CLI if it has been disabled using
[Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md) feature.
[Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md) feature.

- Fix a panic that would occur when analyzing a single-image `oci-dir` input
- Improve local attestation support with the containerd image store
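Review bot: the changed line reads "using [Settings Management](...) feature"; it needs "the" before the link ("using the Settings Management feature"), and since the link now points at the overview page, consider naming the specific setting that blocks indexing so a CLI user who hits the block can find the policy responsible.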
1 change: 1 addition & 0 deletions content/manuals/security/for-admins/access-tokens.md
Expand Up @@ -16,6 +16,7 @@ The organization access tokens feature is currently in [Beta](../../release-life
>
> - Docker Build Cloud
> - Docker Scout
> - Docker REST APIs
>
> If you use these services, you must use personal access tokens instead.
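Review bot: the added bullet "Docker REST APIs" is too vague for a token-scoping statement: readers need to know which API surfaces reject organization access tokens and therefore still require a personal access token, which carries the user's broader scope. Name the API(s) or link their reference so administrators can judge where they must keep issuing personal tokens.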
Expand Up @@ -106,7 +106,7 @@ Enforcing sign-in ensures that your Docker Desktop developers always authenticat

##### Setup

[Create and configure the `admin-settings.json` file](../settings-management/configure.md) and specify:
[Create and configure the `admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) and specify:

```json
{
Expand Down Expand Up @@ -135,6 +135,10 @@ For this to take effect:
>
> Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop.
> [!TIP]
>
> You can now also configure these settings in the [Docker Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md).
### What do users see when this setting is enforced by an admin?

When Enhanced Container Isolation is enabled, users see:
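Review bot: the new `> [!TIP]` callout is appended directly after the `> Selecting **Restart** ...` line of the preceding `> [!IMPORTANT]` block with no blank line between them, so markdown merges the two into a single blockquote and the TIP alert will not render as its own callout; insert a blank line before `> [!TIP]` and another after its last `>` line, before the `### What do users see ...` heading.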
Expand Up @@ -39,7 +39,7 @@ Starting with Docker Desktop 4.27, admins can optionally configure ECI to allow
bind mounting the Docker Engine socket into containers, but in a controlled way.

This can be done via the Docker Socket mount permissions section in the
[admin-settings.json](../settings-management/configure.md) file. For example:
[admin-settings.json](../settings-management/_index.md) file. For example:

```json
{
Expand All @@ -64,6 +64,10 @@ This can be done via the Docker Socket mount permissions section in the
}
```

> [!TIP]
>
> You can now also configure these settings in the [Docker Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md).
As shown above, there are two configurations for bind-mounting the Docker
socket into containers: the `imageList` and the `commandList`. These are
described below.
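Review bot: the added `> [!TIP]` callout is followed immediately by the paragraph "As shown above, there are two configurations ..." with no blank line, so that paragraph becomes a lazy continuation of the blockquote and renders inside the tip; add a blank line after the last `>` line.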
Expand Up @@ -25,9 +25,11 @@ For an extra layer of security, you can also use Settings Management to enable a

## How does it work?

You can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or administrator privileges.
You can configure several Docker Desktop settings using either:
- An `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or administrator privileges.
- Creating a settings policy in the Docker Admin Console

Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by developers and ensure that these cannot be modified. For more information, see [Configure Settings Management](configure.md#step-two-configure-the-settings-you-want-to-lock-in).
Settings that are defined by an administrator override any previous values set by developers and ensure that these cannot be modified.

## What features can I configure with Settings Management?

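Review bot: the replacement sentence "Settings that are defined by an administrator override any previous values set by developers and ensure that these cannot be modified" drops the `locked: true` qualifier from the sentence it replaces and is now over-broad: the Admin Console page added later in this PR offers "Enabled" and "Disabled" states that users can still edit, so only locked settings are immutable. Reword to say that administrator-defined settings take effect as the new values and that locked settings (`locked: true` in the JSON file, "Always enabled"/"Always disabled" in the console) cannot be changed by developers. Also, the two bullets under "using either:" are not parallel ("An `admin-settings.json` file" versus "Creating a settings policy"); use "A settings policy created in the Docker Admin Console".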
Expand All @@ -50,13 +52,15 @@ Using the `admin-settings.json` file, you can:
- Specify which paths your developers can add file shares to
- Configure Air-gapped containers

For more details on the syntax and options, see [Configure Settings Management](configure.md).
For more details on the syntax and options, see [Configure Settings Management](configure-json-file.md).

## How do I set up and enforce Settings Management?

You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since the Settings Management feature requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in.

Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location.
Next, you must either:
- Manually [create and configure the `admin-settings.json` file](configure-json-file.md), or use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location.
- Fill out the **Settings policy** creation form in the [Docker Admin Console](configure-admin-console.md).

Once this is done, Docker Desktop developers receive the changed settings when they either:
- Quit, re-launch, and sign in to Docker Desktop
Expand All @@ -72,6 +76,7 @@ In addition, if Enhanced Container Isolation is enforced, developers can't use p

![Proxy settings grayed out](/assets/images/grayed-setting.png)

## More resources
## What's next?

- [Video: Settings Management](https://www.youtube.com/watch?v=I9oJOJ1P9PQ)
- [Configure Settings Management with a `.json` file](configure-json-file.md)
- [Configure Settings Management with the Docker Admin Console](configure-admin-console.md)
@@ -0,0 +1,81 @@
---
description: How to configure Settings Management for Docker Desktop using the Docker Admin Console
keywords: admin, controls, rootless, enhanced container isolation
title: Configure Settings Management with the Admin Console
linkTitle: Use the Admin Console
weight: 20
params:
sidebar:
badge:
color: violet
text: EA
---

{{% restricted title="Early Access" %}}
Settings Management in the Docker Admin Console is an [early access](/release-lifecycle#early-access-ea) feature and is available to Docker Business customers only.
{{% /restricted %}}

This page contains information for administrators on how to configure Settings Management with the Docker Admin Console. You can specify and lock configuration parameters to create a standardized Docker Desktop environment across your Docker company or organization.

## Prerequisites

- [Download and install Docker Desktop 4.36.0 or later](/manuals/desktop/release-notes.md).
- [Verify your domain](/manuals/security/for-admins/single-sign-on/configure.md#step-one-add-and-verify-your-domain).
- [Enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). The Settings Management feature requires a Docker Business
subscription, therefore your Docker Desktop users must authenticate to your
organization for configurations to take effect.

## Create a settings policy

1. Within the [Docker Admin Console](https://admin.docker.com/) navigate to the company or organization you want to define a settings policy for.
2. Under the **Security and access** section, select **Desktop Settings Management**.
3. In the top-right corner, select **Create a settings policy**.
4. Give your settings policy a name and an optional description.

> [!TIP]
>
> If you have already configured Settings Management with an `admin-settings.json` file for an organization, you can upload it using the **Upload existing settings** button which then automatically populates the form for you.
>
> Settings policies deployed via the Docker Admin Console take precedence over manually deployed `admin-settings.json` files.
5. Assign the setting policy to all your users within the company or organization, or specific users.

> [!NOTE]
>
> If a settings policy is assigned to all users, it sets the policy as the global default policy. You can only have one global settings policy at a time.
> If a user already has a user-specific settings policy assigned, the user-specific policy takes precedence over a global policy.
> [!TIP]
>
> Before setting a global settings policy, it is recommended that you first test it as a user-specific policy to make sure you're happy with the changes before proceeding.
6. Configure the settings for the policy. Go through each setting and select your chosen setting state. You can choose:
- **User-defined**. Your developers are able to control and change this setting.
- **Always enabled**. This means the setting is turned on and your users won't be able to edit this setting from Docker Desktop or the CLI.
- **Enabled**. The setting is turned on and users can edit this setting from Docker Desktop or the CLI.
- **Always disabled**. This means the setting is turned off and your users won't be able to edit this setting from Docker Desktop or the CLI.
- **Disabled**. The setting is turned off and users can edit this setting from Docker Desktop or the CLI.
7. Select **Create**

For the settings policy to take effect:
- On a new install, users need to launch Docker Desktop and authenticate to their organization.
- On an existing install, users need to quit Docker Desktop through the Docker menu, and then re-launch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect.

> [!IMPORTANT]
>
> Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop.
To avoid disrupting your users' workflows, Docker doesn't automatically require that users re-launch once a change has been made.

> [!NOTE]
>
> Settings are synced to Docker Desktop and the CLI when a user is signed in and starts Docker Desktop, and then every 60 minutes.
If your settings policy needs to be rolled back, either delete the policy or edit the policy to set individual settings to **User-defined**.

## Settings policy actions

From the **Actions** menu on the **Desktop Settings Management** page in the Docker Admin Console, you can:
- Edit or delete an existing settings policy.
- Export a settings policy as an `admin-settings.json` file.
- Promote a policy that is applied to a select group of users, to be the new global default policy for all users.
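Review bot: several callouts in this new file run straight into the next list item or paragraph with no blank line in between (the TIP before step 5, the NOTE before the second TIP, that TIP before step 6, the IMPORTANT before "To avoid disrupting your users' workflows", and the final NOTE before "If your settings policy needs to be rolled back"), so markdown treats the following line as a continuation of the blockquote and the adjacent `[!NOTE]`/`[!TIP]` alerts merge into one; insert a blank line after each callout. Minor: "Assign the setting policy" should be "settings policy", and step 7 "Select **Create**" lacks a period. The precedence rules (console policy over JSON file, user-specific over global) and the 60-minute sync interval are exactly what an administrator needs when rolling a policy back, so consider stating in the rollback sentence that a rollback reaches already-running clients only at the next sync or re-launch.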
