diff --git a/src/pages/get-started/index.mdx b/src/pages/get-started/index.mdx
index c1057ec8..ac5c2883 100644
--- a/src/pages/get-started/index.mdx
+++ b/src/pages/get-started/index.mdx
@@ -13,7 +13,10 @@ and build a secure peer-to-peer overlay network in less than ten minutes.
First, let's create your NetBird account.
-
+
+
+
1. Navigate to [netbird.io](https://netbird.io/) and click Get Started in the top-right corner. Or simply click [here](https://app.netbird.io/).
2. You’ll be redirected to the sign-in page, where NetBird uses your identity provider (IdP) for secure authentication.
@@ -25,14 +28,20 @@ Upon your first login, you'll be greeted by a short onboarding survey. This help
## Peer-to-Peer Network
One way of using NetBird is to create a peer-to-peer network, where you run the NetBird client on your devices to connect them directly.
-
+
+
+
The onboarding process will now guide you to connect your first device, also known as a peer.
For this guide, we'll select Peer-to-Peer Network. If you’re selecting the Remote Network Access option, you can see that process [here](#remote-network-access).
### Install Your First Peer
-
+
+
+
1. On the "Let's get your first device online" screen, click the Install NetBird button.
2. An [installation modal](https://app.netbird.io/install) will appear. Select your operating system (e.g., macOS, Windows, Linux). For this example, we're installing it on a macOS machine.
@@ -41,7 +50,10 @@ For this guide, we'll select Peer-to-Peer Network. If you’re selecting the Rem
### Connect Your First Peer
With the client installed, you now need to connect it to your network.
-
+
+
+
1. After installation, find the NetBird icon in your system tray or menu bar.
2. Click the icon and select **Connect**.
@@ -51,7 +63,10 @@ With the client installed, you now need to connect it to your network.
### Add a Second Peer (Headless Linux Server)
Next, let's add a second, headless peer, like a Linux server or a Raspberry Pi. For devices without a graphical interface, we use a [Setup Key](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys).
-
+
+
+
1. In the web UI, the onboarding flow will now prompt you to "bring in your second device." Click the link that says Install with a setup key.
2. A pop-up will explain that a one-off setup key will be created, which you can also learn more about here. Click Continue..
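Review bot: Step 2 in the trailing context says "which you can also learn more about here" but "here" is not a link, and the sentence ends with a doubled period ("Click Continue.."). Either link "here" to the setup-key page already referenced in the paragraph above or drop the clause, and remove the extra period.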
@@ -76,12 +91,18 @@ netbird up --setup-key
After running the second command, the terminal will confirm Connected. Your headless device is now part of your NetBird network.
-
+
+
+
### Verify the Connection
The onboarding UI will now display both of your connected peers. The onboarding wizard provides a simple way to test that they can communicate directly.
-
+
+
+
1. Copy the provided ping command from the onboarding UI. This command uses the NetBird IP address of your second peer (the Ubuntu server).
2. Open a terminal on your first peer and paste the command. Replace the example below with the NetBird IP for your machine.
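Review bot: Step 2 of the verification list says "Replace the example below with the NetBird IP for your machine", which is ambiguous next to step 1, where the command targets the NetBird IP of the second peer. Suggest "Replace the example IP below with the NetBird IP of your second peer". Step 1 also calls the second peer "the Ubuntu server" although the section that adds it speaks of a Linux server or Raspberry Pi; one term throughout would be clearer.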
@@ -95,13 +116,19 @@ ping 100.74.76.17
### Understanding Access Control
The final onboarding step introduces NetBird's powerful Access Control policies.
-
+
+
+
1. By default, a policy is active that allows connections between all your devices. This is why the ping command in the previous step worked.
2. The wizard demonstrates this by allowing you to toggle the policy. If you disable the "Default Policy," the ping between your devices will immediately fail with a "Request timeout" error.
3. Re-enabling the policy instantly restores the connection. This gives you a basic understanding of how you can control traffic within your network. You can learn much more about policies [here](/manage/access-control/manage-network-access).
4. Click Continue to finish.
-
+
+
+
In the policy example above, we allowed _IT Admins_ port specific access to peers under the _AWS Servers_ group. Policies are a key building block to access in NetBird. You can learn more about the power of policies [here](https://docs.netbird.io/manage/access-control/manage-network-access).
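Review bot: The closing paragraph refers to "the policy example above" with _IT Admins_ and _AWS Servers_, but the four steps before it only cover toggling the Default Policy, so the reference has no antecedent in the text. Describe that example in a sentence or drop the reference. Since step 1 states that the default policy allows connections between all devices, a line recommending group-scoped policies in its place after onboarding would fit here.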
@@ -115,7 +142,10 @@ This machine acts as a routing peer, routing traffic to internal resources that
The onboarding process will now guide you to build our first network resource.
For this guide, we'll select Remote Network Access.
-
+
+
+
### Define Your Network Resource
Next, you'll define the private network you want your users to be able to access.
@@ -123,12 +153,18 @@ Next, you'll define the private network you want your users to be able to access
2. Enter the CIDR range of your private network. For example, `10.0.0.0/32`.
3. Click Create Resource. A "Network" will be created in your dashboard to contain this resource and its access rules.
-
+
+
+
### Add and Configure a Routing Peer
A [routing peer](https://docs.netbird.io/manage/network-routes/routing-traffic-to-private-networks) is a NetBird peer that lives inside your private network and acts as a gateway, forwarding traffic between your remote users and the internal resources.
-
+
+
+
1. The dashboard will now prompt you to "Add a routing peer." First, click Generate Setup Key. This creates a one-time key used to enroll the gateway machine into your NetBird account.
2. Next, click Install Routing Peer. Select the operating system of your gateway machine (the video uses Linux).
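Review bot: In step 2 of "Define Your Network Resource" the example `10.0.0.0/32` is a single host address rather than a network range, and the later test step pings `10.0.0.100`, which falls outside it. Suggest an example such as `10.0.0.0/24` so the CIDR and the ping target agree.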
@@ -158,7 +194,10 @@ Now, set up the device you will use to connect to your private network.
### Test the Connection
With both the routing peer and your client device online, you can now test your connection to the private network. To properly test connectivity you should move the client device to a different network, for example, connecting the device using your phone's hotspot.
-
+
+
+
1. Open a terminal on your client device and run the test command (e.g., `ping 10.0.0.100`). Due note, the IP you ping needs to be a device on the same network that the routing peer is installed on.
2. You should see successful replies, confirming that your client device can reach internal resources through the routing peer.
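Review bot: Step 1 contains the typo "Due note"; it should read "Note that" or "Do note". The sentence would also be clearer as "the IP you ping must belong to a device on the network where the routing peer is installed".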
@@ -167,14 +206,20 @@ With both the routing peer and your client device online, you can now test your
### Understanding Your Access Policy
The final step of the onboarding wizard explains the access rule that was automatically created for you.
-
+
+
+
1. A policy, named "Users to My Subnet," is enabled by default. This policy allows all authenticated users to access the resources within the subnet you define.
2. To demonstrate this, you can toggle this policy off. When disabled, the ping from your client device will begin to fail with a "Request timeout" error, showing that the connection is now blocked.
3. Re-enabling the policy will immediately restore access.
4. Click Continue to complete the setup.
-
+
+
+
Click Go to Dashboard to access the main NetBird admin panel. From here, you can:
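Review bot: Step 1 says the auto-created "Users to My Subnet" policy lets all authenticated users reach the subnet, but the section ends at "Click Continue" without telling the reader to narrow it. Suggest a sentence after step 4 recommending that the policy be restricted to the groups that need access once onboarding is complete.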
diff --git a/src/pages/manage/access-control/endpoint-detection-and-response/index.mdx b/src/pages/manage/access-control/endpoint-detection-and-response/index.mdx
index e4fcd93d..a3dfdea9 100644
--- a/src/pages/manage/access-control/endpoint-detection-and-response/index.mdx
+++ b/src/pages/manage/access-control/endpoint-detection-and-response/index.mdx
@@ -1,6 +1,9 @@
# Integrate NetBird with MDM & EDR Platforms
-
+
+
+
## What is EDR and MDM?
Endpoint Detection and Response (EDR) is a cybersecurity technology designed to help organizations detect, investigate,
diff --git a/src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx b/src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx
index 08f72f59..3b46a800 100644
--- a/src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx
+++ b/src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx
@@ -38,7 +38,10 @@ To check your permissions:
* Expand the `Manage` tab and click on `Roles and administrators` in the left menu.
* Look for your username and verify if you're assigned any of the above roles.
-
+
+
+
If you don't have the required permissions, contact your Azure AD administrator to grant you the appropriate role before proceeding with the NetBird integration.
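Review bot: The last context line says "contact your Azure AD administrator", while this same file later speaks of generating a client secret in Entra ID. Pick one product name and use it throughout the page so readers do not look for two different consoles.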
@@ -51,21 +54,33 @@ A new wizard screen will appear, offering step-by-step instructions for creating
* Name
* Account Type
-
+
+
+
For convenience, click on [Azure Active Directory](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview) (step 1). That will open the Azure dashboard. Navigate to `App registrations` in the left menu and then click `+New registration` as indicated below:
-
+
+
+
Fill in the required information:
-
+
+
+
After entering all required information, click the `Register` button at the bottom of the form to finalize the application registration process.
Upon successful registration, you'll be redirected to a confirmation screen similar to the following:
-
+
+
+
Copy and securely store the generated `Application (client) ID` and `Directory (tenant) ID` as you will need them shortly.
@@ -73,23 +88,38 @@ Copy and securely store the generated `Application (client) ID` and `Directory (
On the NetBird dashboard click the `Continue →` button. A new wizard screen will appear, this time, offering step-by-step instructions for setting up API permissions.
-
+
+
+
Back to Azure, in the `App registrations` screen, click on `Manage` in the left menu to expand it and then click on `API permissions`:
-
+
+
+
Look for the `+ Add a permission` button, located near the top of the permissions list and click on it.
-
+
+
+
A new pop-up window will appear, asking you to select an API. Click on `Microsoft Graph`.
-
+
+
+
On the next screen, click on the `Application permissions` button, which will let you select the appropriate permissions for NetBird to function correctly with your Microsoft Intune environment.
-
+
+
+
To assign user permissions:
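Review bot: The final context line reads "To assign user permissions:" directly after the reader was told to click `Application permissions`. The permission added in the next steps is an application permission, so "user permissions" is misleading; suggest "To assign the required permission:".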
@@ -97,13 +127,19 @@ To assign user permissions:
* In the search results, click on the `DeviceManagementManagedDevices` tab to expand it and view the available permissions.
* Click on the checkbox to select and enable the `DeviceManagementManagedDevices.Read.All` permission.
-
+
+
+
The `DeviceManagementManagedDevices.Read.All` permission allows NetBird to read the properties of all devices managed by Microsoft Intune in your organization.
Once done, click the `Add permissions` button. You will see a few warnings:
-
+
+
+
Locate the `Grant admin consent for [Your Organization Name]` button (you’ll find it next to `+Add a permission` button). Click on it to grant the required permissions.
@@ -111,21 +147,33 @@ A confirmation dialog will appear, asking you to verify this action. Review the
Once finished, the status of the permissions should change to `Granted for [Your Organization Name]`. Verify that all selected permissions now show a green checkmark, indicating they've been successfully granted:
-
+
+
+
## Create a Client Secret for Secure NetBird-Intune Authentication
Back to the NetBird dashboard, click the `Continue →` button. A new wizard screen will appear, showing instructions for generating a client secret in Entra ID.
-
+
+
+
On Azure, click on the `Certificates & secrets` button in the left menu to open the management page. Click on `+New client secret` as shown below. Choose an expiration time that suits your security needs and click the `Add` button.
-
+
+
+
A new client secret will be generated and displayed on the screen. Copy and securely store the `Value` field immediately, as you will needed in the next step.
-
+
+
+
## Enter Application ID and Directory ID in NetBird
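Review bot: The client-secret paragraph has a grammar slip, "as you will needed in the next step"; it should be "as you will need it in the next step". The preceding sentence says to choose an expiration "that suits your security needs"; a concrete recommendation, plus a reminder to rotate the secret in NetBird before it expires, would be more useful.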
@@ -133,14 +181,20 @@ Paste the secret `Value` from the previous step into NetBird and click the `Cont
Paste the values and click the `Continue →` button.
-
+
+
+
## Choose Groups to require Intune Agent
At this stage, specify one or more NetBird groups to which the check should apply. The check will require the peer to have a running Intune agent installed.
-
+
+
+
The MDM check will apply only to machines in the selected groups and will require a running Intune agent.
diff --git a/src/pages/manage/access-control/posture-checks/index.mdx b/src/pages/manage/access-control/posture-checks/index.mdx
index 9612ea8e..47411dfd 100644
--- a/src/pages/manage/access-control/posture-checks/index.mdx
+++ b/src/pages/manage/access-control/posture-checks/index.mdx
@@ -16,35 +16,53 @@ Or follow the guide with other examples below:
Log in to your NetBird dashboard and navigate to `Access Control` > `Posture Checks` in the left menu. Click `Create Posture Check` or edit an existing one.
-
+
+
+
A pop-up window will open with two tabs: `Checks` and `Name & Description`.
-
+
+
+
From here, you can manage access with posture checks based on several aspects:
### NetBird Client Version
Restrict access to peers with specific NetBird client versions, thus ensuring that all devices connecting to the network use up-to-date, secure client software.
-
+
+
+
### Country and Region
Limit network access based on geographical location, helping comply with data regulations or restrict access from high-risk areas. Note that you have two tabs available for this: `Allow` (green) and `Block` (red), making it easy to set up your preferred access rules..
-
+
+
+
When allowing access from specific locations in the network settings, all other locations are automatically blocked. Conversely, blocking certain locations means only those are blocked, while access remains open for all other locations.
#### Peer Network Range
This posture check lets you precisely control network access by specifying which IP ranges can connect to your network. You can create policies allowing only connections from approved locations, such as office networks or trusted remote work setups. Additionally, you can enhance security by blocking high-risk IP ranges working in tandem with geo-based posture checks. This granular control helps create a more secure network environment by limiting access to known, trusted sources while preventing connections from potentially risky or unauthorized IP addresses.
-
+
+
+
### Operating System
Restrict access based on the connecting device's OS, ensuring only approved and potentially more secure operating systems can connect.
-
+
+
+
The Operating System Check requires NetBird version [0.26.0](https://github.com/netbirdio/netbird/releases) or newer.
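Review bot: "Peer Network Range" is marked `####` while its sibling checks (NetBird Client Version, Country and Region, Operating System) use `###`, which nests it under Country and Region in the rendered outline. Change it to `###`. The Country and Region paragraph also ends with a doubled period ("access rules..").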
@@ -67,16 +85,25 @@ Below are some examples of OS versions for each operating system:
Furthermore, this process-based posture check allows you to create specific policies for different user groups or network segments based on their unique security needs. Working in conjunction with other posture checks in NetBird, this setting offers a comprehensive and user-friendly approach to network security.
-
+
+
+
## Name & Description
After enabling the desired posture check, go to the `Name & Description` tab. Here, enter a descriptive name for your newly created posture check and save it.
-
+
+
+
You'll notice a gray dot to the left of the posture check name, indicating it's inactive. To activate the posture check, you need to link it to an access control policy.
-
+
+
+
## Applying Posture Checks to Access Control Policies
@@ -88,15 +115,24 @@ To apply a posture check:
Note that you can add multiple posture checks to a single policy as needed for comprehensive security.
-
+
+
+
After adding the posture check, it will appear in the `POSTURE CHECKS` column. For easy management, you can click on it to edit the access control policy, allowing you to add or remove posture checks as needed.
-
+
+
+
If you revisit the `Posture Checks` dashboard, you'll notice a green dot next to your recently configured posture check. This color shift indicates that the posture check is now active and integrated into your network security framework, actively contributing to your system's protection.
-
+
+
+
Following these steps, you can effectively implement and manage NetBird's Posture Checks, significantly enhancing your network's security posture.
diff --git a/src/pages/manage/for-partners/acronis-integration.mdx b/src/pages/manage/for-partners/acronis-integration.mdx
index 6d34ab0e..94101157 100644
--- a/src/pages/manage/for-partners/acronis-integration.mdx
+++ b/src/pages/manage/for-partners/acronis-integration.mdx
@@ -36,15 +36,24 @@ For example, let's create an access policy. While the steps are the same for mac
- Set the source group to `IT Administrators` and the destination group to `Windows Workstations`
- Configure the protocol and port settings based on required access patterns (e.g., TCP 22 for SSH access to servers, TCP 80 for web servers, etc.)
-
+
+
+
Provide a descriptive name for the policy, such as "IT to Windows machines" that indicates its purpose, and click `Save` to create and activate the policy.
-
+
+
+
This access policy will automatically apply to all devices managed by Acronis Cyber Protect Cloud that belong to users in the `IT Administrators` group, providing them secure access to designated resources while preventing lateral movement to unauthorized systems. The policy enforcement occurs at the network level, complementing Acronis Cyber Protect Cloud's device-level monitoring and management capabilities.
-
+
+
+
Moreover, users will only gain this network access when their devices are actively monitored and maintained through Acronis Cyber Protect Cloud, creating a comprehensive security approach where device health monitoring and network access controls work together. This combination ensures that only properly managed and compliant devices can establish secure network connections to protected resources.
@@ -60,19 +69,31 @@ This section demonstrates how to create a software package in Acronis Cyber Prot
Log in to Acronis Cyber Protect Cloud, navigate to `SOFTWARE MANAGEMENT > My packages` and click the `Add package` button:
-
+
+
+
In the `General information` tab, provide a descriptive name for the package (e.g., "NetBird EXE Installer") and specify the vendor name. Optionally, add a package description and select the appropriate license type from the dropdown menu. Click `Next` to continue.
-
+
+
+
In the `Upload package` tab, enter the installer version (required field) and select the target architecture type. Click the `+ Upload` button in the top right corner to upload the NetBird installer package.
-
+
+
+
Select the NetBird installer file from your local system. Once the upload completes, click `Next` to proceed.
-
+
+
+
In the `Install / Uninstall commands` tab, configure the silent installation parameters by entering the following commands:
@@ -83,19 +104,31 @@ The `/S` parameter ensures silent installation without user prompts for NetBird'
> **Note**: If you're using NetBird's MSI installer instead of the EXE installer, use `/qn` in the **Installation options** field instead of `"{{full_path}}" /S`. The **Uninstallation options** field remains the same (`{{uninstall_cmd}} /S`) for both installer types. The `/qn` parameter provides quiet installation with no user interface for MSI packages.
-
+
+
+
In the `Summary` tab, review all package configuration details for accuracy. Check the required boxes to confirm your settings and accept the End User License Agreement (EULA) terms. Click `Next` to proceed.
-
+
+
+
The `Digital signature check` tab provides security verification options for the uploaded package. Enable digital signature checking to ensure package integrity and authenticity—this represents a security best practice for enterprise deployments. Click `Add package` to complete the package creation process.
-
+
+
+
Acronis will perform the digital signature verification automatically. Once completed, you'll see a `Verified` status next to the NetBird package in your software library.
-
+
+
+
With the NetBird package successfully added to your Acronis software library, you can now proceed to deploy it across your managed Windows machines.
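Review bot: The note at the top of this hunk says the Uninstallation options field stays `{{uninstall_cmd}} /S` for the MSI installer as well, while the same note gives `/qn` as the quiet switch for MSI installs. Please confirm that `/S` is honoured when uninstalling the MSI package; if it is not, the note should give the MSI uninstall option separately.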
@@ -107,43 +140,70 @@ Acronis Cyber Protect Cloud provides multiple deployment methods for installing
To install NetBird from the available packages, navigate to `SOFTWARE MANAGEMENT > My packages` and click the three-dot menu next to the NetBird package. Select `Install` from the dropdown options.
-
+
+
+
In the `Deploy software` window, click `+ Add workloads` and select your target machines from the available endpoints.
-
+
+
+
For this example, we selected a single endpoint called `Windows-11`. Click the `Install now` button to begin the immediate deployment process.
-
+
+
+
Monitor the installation progress by navigating to `MONITORING > Activities`, where you can track the deployment status across all selected machines.
-
+
+
+
Verify successful installation by navigating to `SOFTWARE MANAGEMENT > Software inventory`, where NetBird should appear in the installed software list for each target machine.
-
+
+
+
**Method 2: Bulk Selection from Device Management**
Alternatively, navigate to `DEVICES > All devices` and select the checkboxes for all target endpoints you want to include in the deployment. Click on any selected device to open the right sidebar, then select `Deploy software`. This approach opens the same `Deploy software` interface with your pre-selected workloads ready for deployment.
-
+
+
+
**Method 3: Scheduled Deployment Plans**
For more advanced deployment control, use Acronis' deployment plans feature. Navigate to `MANAGEMENT > Software deployment plans` and click `+ Create plan` in the upper right corner.
-
+
+
+
In the `Create software deployment plan` window, click the pencil icon to customize the plan name, select either `Install` or `Uninstall` under Action, and click `Select software` to add the NetBird package. Configure your preferred deployment schedule by setting the specific date and time for automated execution.
-
+
+
+
After configuring the plan parameters, click `Create` to save the plan for future use, or click `+ Add workloads` to immediately select target endpoints and execute the deployment.
-
+
+
+
The advantage of deployment plans is that they enable scheduled, repeatable installations across multiple client environments, allowing MSPs to standardize NetBird deployments during designated maintenance windows while maintaining consistent configuration management across all managed endpoints.
@@ -255,7 +315,10 @@ Next, on the right sidebar:
- If needed, Acronis lets you pass `Arguments` to the installer, such as setup keys and the management URL.
- Once done, set the script's status to `Approved` and click `Save`.
-
+
+
+
Using a similar procedure, you can add the following script to use the MSI installer instead of the EXE installer:
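Review bot: The first bullet suggests passing setup keys through the script's `Arguments` field but says nothing about handling them as credentials. Suggest adding that a setup key enrolls machines into the account, so it should be a limited-use or expiring key, and noting who in the Acronis console can view stored script arguments.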
@@ -401,7 +464,10 @@ Write-Host "NetBird MSI installation completed successfully!" -ForegroundColor G
The script downloads the official `.msi` installer and uses the silent flag to install NetBird on Windows machines, just as the `.exe` installer.
-
+
+
+
Likewise, you can add an **Uninstall NetBird** script:
@@ -528,7 +594,10 @@ Write-Host "NetBird uninstallation process completed!" -ForegroundColor Green
The script executes `netbird_uninstall.exe` using the silent flag to remove NetBird from Windows endpoints.
-
+
+
+
If you need to edit or delete any script, you can do it by navigating to `MANAGEMENT > Script repository > My scripts`
@@ -540,11 +609,17 @@ As with packages, you can use different methods to deploy NetBird scripts to Win
Navigate to `MANAGEMENT > Script repository > My scripts`, click the three-dot menu on the script you want to install, and select `Script quick run`:
-
+
+
+
Next, you can select the workloads where you want to run the script and click the `Run now` button.
-
+
+
+
As before, you can follow the installation progress by navigating to `MONITORING > Activities`.
@@ -557,11 +632,17 @@ Navigate to `MANAGEMENT > Scripting plans` and click on `Create plan`. Next:
- Add the desired workloads
- Once ready, click the `Create` button.
-
+
+
+
From `MANAGEMENT > Scripting plans`, you can click on the three-dot menu of any plan to view its details, edit it, or manually run it.
-
+
+
+
## Installing NetBird in macOS using a Bash Script
@@ -588,7 +669,10 @@ Configure the following properties in the right sidebar:
* **Arguments:** If needed, you can pass parameters to the script through the `Arguments` field, such as setup keys for automated enrollment.
* Once configured, set the script's status to `Approved` and click `Save`.
-
+
+
+
If you need to manage your scripts, you can do it by navigating to `MANAGEMENT > Script repository > My scripts`
@@ -604,7 +688,10 @@ Once the script is saved, you can run it on-demand from `My scripts` or add it t
* Click `Run now` to deploy the script to the chosen devices.
* To track the installation status, go to `MONITORING > Activities`.
-
+
+
+
**Method 2: Scheduled Scripting Plans**
@@ -619,7 +706,10 @@ First, navigate to `MANAGEMENT > Scripting plans` and click `Create plan`. In t
Once all settings are configured, click `Create` to save and activate the plan.
-
+
+
+
Tip: You can manually trigger any plan outside its schedule. Go to `MANAGEMENT > Scripting plans`, find the plan you want to execute, click its three-dot menu, and run it.
@@ -633,4 +723,7 @@ To confirm that your Acronis-deployed Windows (or macOS) endpoints successfully
This verification step ensures that your automated deployment process has completed successfully and that devices are ready to enforce the access control policies configured for your organization's security requirements.
-
\ No newline at end of file
+
+
+
\ No newline at end of file
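Review bot: The file still ends without a trailing newline; `\ No newline at end of file` appears on both the removed and the added side of this last hunk. Add a final newline while touching these lines so later diffs of this file stay clean.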
diff --git a/src/pages/manage/integrations/mdm-deployment/intune-netbird-integration.mdx b/src/pages/manage/integrations/mdm-deployment/intune-netbird-integration.mdx
index a3bd352c..e289fa8b 100644
--- a/src/pages/manage/integrations/mdm-deployment/intune-netbird-integration.mdx
+++ b/src/pages/manage/integrations/mdm-deployment/intune-netbird-integration.mdx
@@ -37,11 +37,17 @@ Let's create a policy that enables the `Development` team to access the `Servers
- Set the source group to `Development` (or the appropriate team group synchronized from Entra ID) and the destination group to `Servers`
- Configure the protocol and port settings based on required access patterns (e.g., TCP 22 for SSH access to servers)
-
+
+
+
Provide a descriptive name for the policy, such as "Dev Team Server Access" that indicates its purpose, and click `Save` to create and activate the policy.
-
+
+
+
This access policy will automatically apply to all devices enrolled in Intune that belong to users in the `Development` group (as synchronized from **Entra ID**), providing them secure access to designated resources while preventing lateral movement to unauthorized systems.
@@ -68,21 +74,33 @@ Using the Win32 method requires you to convert either NetBird's `.exe` or `.msi`
- Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com), navigate to `Apps`, and click the `Windows` button.
-
+
+
+
- Click the `+ Create` button to add a new Windows application
-
+
+
+
- In the `App type` dropdown, select `Windows app (Win32)` and click `Select`
-
+
+
+
- On the `Add App` screen, click `Select app package file` and browse to the location of the NetBird `.intunewin` file you created earlier
- Select the `.intunewin` file and click `OK`
-
+
+
+
- On the `App information` tab, configure NetBird with the following values:
@@ -97,7 +115,10 @@ Using the Win32 method requires you to convert either NetBird's `.exe` or `.msi`
You can leave the rest of the fields empty.
-
+
+
+
- Click `Next` to advance to the `Program` tab. Use the following commands in the install and uninstall fields:
@@ -108,14 +129,20 @@ You can leave the rest of the fields empty.
For this example, leave the rest of the configuration unchanged. Note that you can change the install behavior and users' ability to uninstall NetBird if required.
-
+
+
+
- Click `Next` to advance to the `Requirements` tab. Here you can specify the architecture and minimum OS version required for installing NetBird. For instance:
- **Operating system architecture:** 64-bit
- **Minimum operating system:** Windows 10 22H2
-
+
+
+
- Click `Next` to advance to the `Detection rules` tab. Intune lets you choose between **using a custom detection script** or **manually configuring detection rules**. Select the latter and configure it as follows:
@@ -127,7 +154,10 @@ For this example, leave the rest of the configuration unchanged. Note that you c
Click `OK` when ready.
-
+
+
+
For examples on registry-based detection rules, refer to [Intune documentation](https://learn.microsoft.com/en-us/intune/intune-service/apps/apps-win32-add#step-4-detection-rules)
@@ -137,19 +167,31 @@ For examples on registry-based detection rules, refer to [Intune documentation](
- On the `Assignments` tab, under `Required`, click `+ Add group`
-
+
+
+
- Select the appropriate group that contains your users (like the `Development` group synchronized from Entra ID) and click `Select`
-
+
+
+
- To continue, click `Next`. Review your configuration in the `Review + create` tab, then click `Create` to add NetBird to your Intune app catalog.
-
+
+
+
- To verify that NetBird was added to Intune, navigate to `Apps > All Apps` to see your Windows applications:
-
+
+
+
## Deploying NetBird as a Line-of-business (LOB) App
@@ -160,20 +202,32 @@ As a simpler alternative to the Win32 method described previously, you can deplo
- Download the NetBird Windows MSI installer from the [NetBird installation documentation](https://docs.netbird.io/get-started/install/windows)
- Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com), navigate to `Apps`, and click the `Windows` button.
-
+
+
+
- Click the `+ Create` button to add a new Windows application
-
+
+
+
- In the `App type` dropdown, select `Line-of-business app` and click `Select`
-
+
+
+
- On the `Add App` screen, click `Select app package file` and browse to the location of the NetBird MSI file you downloaded earlier
- Select the NetBird MSI installer and click `OK`
-
+
+
+
Click `Next` to configure NetBird with the following details:
@@ -189,27 +243,45 @@ Click `Next` to configure NetBird with the following details:
You can leave the rest of the fields empty.
-
+
+
+
When ready, click `Next` to proceed to the `Assignments` tab. Under `Required`, click `+ Add group`
-
+
+
+
- Select the appropriate group that contains your users (like the `Development` group synchronized from Entra ID) and click `Select`
-
+
+
+
- To continue, click `Next`. Review your configuration in the `Review + create` tab, then click `Create` to add NetBird to your Intune app catalog.
-
+
+
+
After adding NetBird, you'll see an overview screen for the NetBird app, showing deployment status and management options.
-
+
+
+
To verify that NetBird was added to Intune, navigate to `Home > Apps | Windows` to see all your Windows applications:
-
+
+
+
### Deploying NetBird to Other Platforms
diff --git a/src/pages/manage/integrations/mdm-deployment/jamf-pro-netbird-integration.mdx b/src/pages/manage/integrations/mdm-deployment/jamf-pro-netbird-integration.mdx
index b34fed6d..b8f4d52f 100644
--- a/src/pages/manage/integrations/mdm-deployment/jamf-pro-netbird-integration.mdx
+++ b/src/pages/manage/integrations/mdm-deployment/jamf-pro-netbird-integration.mdx
@@ -38,11 +38,17 @@ For this tutorial, we'll create a policy that allows the `Support` team to acces
* Set the source group to `Support` and the destination group to `Servers`.
* Configure the appropriate protocol and port settings (e.g., TCP 22 for SSH access).
-
+
+
+
Give the policy a descriptive name (e.g., "Support team remote access") and click `Save` to create the policy.
-
+
+
+
With this policy in place, any device assigned to the `Support` group will gain access to the `Servers` group as defined in the Access Control Policy.
@@ -68,7 +74,10 @@ In the `Options` tab:
Click `Save` to finish. If you see the message "Availability pending", click `Refresh` to update the package status.
-
+
+
+
### Creating a Policy for NetBird
@@ -84,29 +93,47 @@ In the **Trigger** options, check the following boxes:
These trigger selections ensure NetBird is installed promptly and remains current on all managed devices. Leave the remaining options as default.
-
+
+
+
In the `Packages` section, click `Configure` and add the corresponding NetBird package:
-
+
+
+
Accept the default values for **Distribution Point** and **Action**
-
+
+
+
In the `Scope` tab, specify the target computers (all computers, specific computers or groups, etc.). For simplicity in this example, use `All Computers`.
-
+
+
+
Optionally, in the `User Interaction` tab:
* Enter messages to display before and after the policy runs.
* This can help inform users about the installation process.
-
+
+
+
Click `Save` to finish.
-
+
+
+
This configuration ensures NetBird is installed as soon as any machine enrolls, maintaining security across your device fleet.
@@ -133,7 +160,10 @@ After setting up NetBird deployment policy in Jamf Pro, it's crucial to verify t
* In the device details, go to the `Management` tab and locate the `Policies` section.
* Look for the NetBird policy in the list of applied policies.
-
+
+
+
If you see the NetBird policy listed, that would indicate that NetBird has been successfully installed on the device.
diff --git a/src/pages/manage/integrations/mdm-deployment/kandji-netbird-integration.mdx b/src/pages/manage/integrations/mdm-deployment/kandji-netbird-integration.mdx
index 4225f6db..40683d9d 100644
--- a/src/pages/manage/integrations/mdm-deployment/kandji-netbird-integration.mdx
+++ b/src/pages/manage/integrations/mdm-deployment/kandji-netbird-integration.mdx
@@ -28,11 +28,17 @@ For instance, let's suppose you want to create a policy that allows the `Support
* Set the source group to `Support` and the destination group to `Servers`.
* Choose the appropriate protocol and port settings (e.g., TCP 22).
-
+
+
+
Give the policy a descriptive name (e.g., Support team remote access) and click `Save` to create the policy.
-
+
+
+
Now that you've configured NetBird, let's shift the focus to Kandji MDM integration and set up the automated deployment of NetBird on support team devices.
@@ -40,13 +46,19 @@ Now that you've configured NetBird, let's shift the focus to Kandji MDM integrat
Navigate to `Library` and click `Add new`. Then, find and select `Custom Apps` and click `Add & Configure` to deploy a new [Custom App](https://www.support.kandji.io/support/solutions/articles/72000559807-deploying-custom-apps).
-
+
+
+
Give the Custom App a descriptive name (e.g., NetBird_vX.XX_Support_Team, where X.XX is the current version of NetBird being deployed). Scroll down to **Install Details**, where you'll see different options.
Select `Installer Package` to install NetBird using the official macOS package. Using a package ensures you're installing the exact same version on all devices. This example uses the Apple Silicon package that you can download [here](https://pkgs.netbird.io/macos/arm64). Drag the file to the `Installer Package` field box to upload it to Kandji MDM.
-
+
+
+
Next, click on `Add Preinstall Script` and paste the following code:
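Review bot: In the `Installer Package` paragraph, the download link `https://pkgs.netbird.io/macos/arm64` carries no version, while the same paragraph says a package "ensures you're installing the exact same version on all devices" and the Custom App name embeds `vX.XX`. Suggest telling the admin to record the version of the file they downloaded and to check the package signature (for example with `pkgutil --check-signature`) before uploading it to Kandji, so the version in the app name matches the artifact that is deployed.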
@@ -141,41 +153,68 @@ For instance, you can [create tags](https://www.support.kandji.io/support/soluti
To create a tag in Kandji MDM, go to `DEVICES`, click on the hamburger menu at the top right, and select `Manage tags`:
-
+
+
+
A new pop-up window will appear; click `+ Add tag`, enter a name for the tag (e.g., `Support`), and click `Save`.
-
+
+
+
Navigate to the `BLUEPRINTS` section in Kandji and click the `New Blueprint` dropdown. Select `New Assignment Map` from the options. In the new window, you'll be presented with preconfigured templates or the option to start a new Blueprint from scratch. For this custom NetBird deployment, choose to start a new Blueprint from scratch.
-
+
+
+
Give the Blueprint a descriptive name (e.g., NetBird_Apple_Silicon) and click `Create Blueprint`. This action will open Kandji's visual Blueprint builder, where you'll configure the deployment logic for NetBird.
Click `Edit assignments` to start editing the Blueprint.
-
+
+
+
You'll see a list of apps from the library on the left, including the recently created NetBird custom app. To implement the deployment logic, hover over the `+` sign and click it to add a new conditional block. This block will determine which devices receive the NetBird installation based on specific criteria.
-
+
+
+
Next, click the pencil icon to edit the rules.
-
+
+
+
In the **Assignment Rules** window, configure the conditions for NetBird installation. Use the `Support` tag to trigger the deployment, ensuring NetBird is installed only on devices assigned to the support team. Press `Confirm` to continue.
-
+
+
+
Back to the visual Blueprint builder, locate the NetBird custom app and drag it into the newly created conditional block. This action associates the NetBird installation with the specified deployment criteria for the support team.
-
+
+
+
Click `Save` to update the Blueprint with the new logic. This action also assigns the Blueprint to the NetBird custom app, finalizing the deployment pipeline configuration.
-
+
+
+
## Testing and Verifying the Automated Provisioning Pipeline
@@ -183,10 +222,16 @@ Kandji checks devices every 15 minutes by default, so any device tagged with `Su
To verify the deployment pipeline, navigate to `DEVICES` in Kandji, select an enrolled device, and click `Edit device details` > `Edit tags`. Assign the `Support` tag to trigger the NetBird installation.
-
+
+
+
You can also confirm the process in NetBird. Log in to a NetBird account with administrative privileges, navigate to the `Peers` section, and look for the new device.
-
+
+
+
In this tutorial, you've learned how to integrate NetBird's VPN solution with Kandji MDM for Apple devices. By configuring NetBird Access Policies, creating Kandji MDM Blueprints, and setting up an automated deployment pipeline, you've established a robust system for managing network access across your organization.
\ No newline at end of file
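Review bot: The file still ends without a trailing newline (the `\ No newline at end of file` marker follows the closing paragraph). Since this hunk already edits the last lines of the file, add the newline here so that later edits do not show a spurious change on the final paragraph.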
diff --git a/src/pages/manage/networks/accessing-entire-domains-within-networks.mdx b/src/pages/manage/networks/accessing-entire-domains-within-networks.mdx
index 59a7b3e6..1bed8d09 100644
--- a/src/pages/manage/networks/accessing-entire-domains-within-networks.mdx
+++ b/src/pages/manage/networks/accessing-entire-domains-within-networks.mdx
@@ -47,7 +47,10 @@ To enable DNS wildcard routing in your NetBird account, follow these steps:
* Navigate to `Settings` > `Networks` within your NetBird account.
* `Enable DNS wildcard routing` by toggling the appropriate setting. This will allow your network to resolve all subdomains under a specified domain.
-
+
+
+
The `Enable DNS wildcard routing` is supported by routing peers and routing clients running version `0.35.0` or later.
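Review bot: In the line after the screenshot, "The `Enable DNS wildcard routing` is supported by ..." uses the toggle label as a noun; suggest "The `Enable DNS wildcard routing` setting is supported by routing peers and routing clients running version `0.35.0` or later." It would also help to state what a peer below `0.35.0` does with a wildcard resource, since a reader who relies on this for access control needs to know whether older clients fail to resolve the domain or ignore the resource.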
@@ -67,13 +70,19 @@ To create a network for the developer environment:
* Give a descriptive name to the network, e.g., `Development Network`. Optionally, add a description.
* Click `Add Network` to continue.
-
+
+
+
### Adding Routing Peers
Click `Add Routing Peer` to make accessible the resources within this network to the developers.
-
+
+
+
You will see two tabs: `Routing Peers` and `Peer Group`.
@@ -81,7 +90,10 @@ You will see two tabs: `Routing Peers` and `Peer Group`.
* Select `Peer Group` to enable high availability by adding multiple peers to the network.
* Click `Continue` once ready.
-
+
+
+
In the `Advanced Settings` tab:
@@ -89,38 +101,56 @@ In the `Advanced Settings` tab:
* Set the `Metric` to prioritize routers, using lower values for higher priority peers.
* When ready, click `Add Routing Peer`.
-
+
+
+
### Adding a Wildcard Domain Resource
Click `Add Resource` to create the wildcard domain resource.
-
+
+
+
* Give the resource a descriptive name, e.g., `Development Wildcard Domain`
* Enter the wildcard domain for this environment, e.g., `*.dev.example.com`.
* Under `Assigned Groups`, select or create a group, e.g., `Development Domain`. This group will be used to create an access policy to allow developers access to all subdomains ending with `.dev.example.com`.
* Click `Add Resource` when ready.
-
+
+
+
### Creating an Access Policy
Click `Create Policy` to grant developers access to `*.dev.example.com`.
-
+
+
+
* Under `Protocol`, leave `ALL`.
* Under `Source` choose the group corresponding to developers, e.g., `Developers`.
* The `Destination` is automatically set to the group you used when creating the resource, e.g., `Development Domain`.
-
+
+
+
* Click `Continue` to set `Posture Checks`. This step is optional, meaning you can click `Continue` for this example.
* Provide a descriptive name for the policy, e.g., `Development Wildcard Domain Policy`.
* Click `Add Policy` to finish.
-
+
+
+
Now that the development environment is set up, you can streamline the process of creating new resources using NetBird.
@@ -132,18 +162,27 @@ Suppose you want to create the regular domain `dev.example.com`.
* Navigate to `Networks` > `Development Network` and click `Add Resource`.
-
+
+
+
* Provide an appropriate name for the resource, such as `Development Regular Domain`.
* In the `Address` field, enter the regular domain `dev.example.com`.
* Under `Assigned Groups` select the same group used for the wildcard domain, e.g., `Development Domain`.
* Click `Add Resource` to continue.
-
+
+
+
That's it! Since you used the group `Development Domain`, NetBird will automatically configure for you routing peers and access policies, granting your developers the necessary access permissions.
-
+
+
+
You can confirm the configuration by listing the available networks using the command `netbird networks ls` from any developer workstation. The output should resemble the following:
@@ -169,31 +208,52 @@ For our use case, data scientists operate from different network segments or div
From the `Networks` screen, click `Add Network` to set up an appropriate network for your data scientists:
-
+
+
+
As with developers, you can configure a single routing peer or a group of routing peers for high availability:
-
+
+
+
You can also set up a wildcard domain resource for this environment:
-
+
+
+
And establish an access policy tailored to your data scientists:
-
+
+
+
You will need a regular domain, too; simply create the corresponding resource. The overview of your new network might resemble the following:
-
+
+
+
Need a new subdomain for testing the latest model? From NetBird's Networks screen, just click `Add Resource`, name it, enter the desired subdomain, and assign it to the appropriate group for this environment:
-
+
+
+
In summary, you can easily add, remove, and edit network resources from the Networks dashboard.
-
+
+
+
With this setup, all members of the `Data Scientists` group have access to `ai.example.com` and its subdomains:
diff --git a/src/pages/manage/networks/accessing-restricted-domain-resources.mdx b/src/pages/manage/networks/accessing-restricted-domain-resources.mdx
index 054acd9a..b1b2e1ba 100644
--- a/src/pages/manage/networks/accessing-restricted-domain-resources.mdx
+++ b/src/pages/manage/networks/accessing-restricted-domain-resources.mdx
@@ -24,13 +24,19 @@ To create a new network for the accounting website subdomain:
* Give a memorable name to the network, such as `AWS EU Network`. Optionally, add a description.
* Click `Add Network` to proceed.
-
+
+
+
### Adding Routing Peers
Continue the process by clicking `Add Routing Peer`. This step is necessary to enable the network's resources to be accessible to other peers.
-
+
+
+
In the next window, you will see two tabs: `Routing Peers` and `Peer Group`.
@@ -38,7 +44,10 @@ In the next window, you will see two tabs: `Routing Peers` and `Peer Group`.
* Alternatively, you can select `Peer Group` to add multiple peers simultaneously for high availability.
* Click `Continue` once ready.
-
+
+
+
In the `Advanced Settings` tab:
@@ -46,26 +55,38 @@ In the `Advanced Settings` tab:
* Set the `Metric` to prioritize routers. Lower values indicate higher priority.
* Click `Add Routing Peer`.
-
+
+
+
### Adding Network Resources
Next, click `Add Resource` to add the accounting website resource.
-
+
+
+
* Give the network resource an appropriate name, e.g., `Accounting restricted subdomain`
* Enter the restricted website domain for the accounting website, in this example, `accounting.example.com`.
* Under `Assigned Groups`, select or create a group, like `Accounting Subdomain`. This group will be used to create an access policy to allow the finance team access to the restricted subdomain.
* Click `Add Resource` when done.
-
+
+
+
### Creating Access Policies
The last step consists of creating an access control policy. Click `Create Policy` to create a new policy for the finance team.
-
+
+
+
Since the finance team only needs access to the web-based app at `accounting.example.com`, this policy will restrict access to ports: `TCP/80` for `HTTP` traffic and `TCP/443` for encrypted `HTTPS` traffic.
@@ -74,13 +95,19 @@ Since the finance team only needs access to the web-based app at `accounting.exa
* The `Destination` is automatically set to the group of the newly created resource, e.g., `Accounting Subdomain`.
* Under `Ports`, enter `80` and `443`, the default ports for `HTTP` and `HTTPS` traffic.
-
+
+
+
* Click `Continue` to move to the `Posture Checks` tab, where you can optionally create or select posture checks for this policy.
* Click `Continue` again, and provide a descriptive name for the policy, e.g., `Accounting subdomain Policy`.
* Click `Add Policy` to finish.
-
+
+
+
### Setting Up Additional Resources and Access Policies
@@ -93,7 +120,10 @@ To set up a new network resource:
* Enter the domain, in our case, `example.com`.
* Under `Assigned Groups`, select or create the appropriate group such as `Webserver`. This group will be used to create a policy allowing the support team to access the TLD `example.com`.
-
+
+
+
Next, create an access policy for the support team. Usually, support teams only need SSH access to the website backend, meaning that they only need access to the `TCP/22` port:
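Review bot: In the `Assigned Groups` bullet, `example.com` is called a TLD ("access the TLD `example.com`"), but the TLD here is `com`; `example.com` is the apex (root) domain. Suggest "the root domain `example.com`" in this bullet, and the same wording for the policy name `Restricted Website TLD Policy` later in the file, so readers do not assume the resource matches a whole top-level domain.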
@@ -103,16 +133,25 @@ Next, create an access policy for the support team. Usually, support teams only
* Under `Ports`, enter `22`, the default port for SSH.
* Click `Continue`.
-
+
+
+
* Optionally, select or create posture checks for this policy. Click `Continue`.
* Give a name to the policy on the final tab, such as `Restricted Website TLD Policy`.
-
+
+
+
This completes the network setup. You have configured two network resources, their respective access policies, and routing peers.
-
+
+
+
Now, you can review, select, or deselect available networks using NetBird's CLI.
diff --git a/src/pages/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments.mdx b/src/pages/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments.mdx
index 1d0f4382..f7887c24 100644
--- a/src/pages/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments.mdx
+++ b/src/pages/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments.mdx
@@ -55,7 +55,10 @@ To create an appropriate setup key for this use case:
Here's an example:
-
+
+
+
This configuration allows for dynamic management of your Kubernetes pods within the NetBird network. As your cluster scales up, new pods will seamlessly join the network. When pods are terminated or remain offline, they'll be automatically removed, maintaining a clean and efficient network topology.
@@ -67,7 +70,10 @@ Follow these steps to configure the network route:
In the NetBird dashboard, navigate to the `Network Routes` section and click on `Add Route` to create a new network route.
-
+
+
+
* In the `Network Range` field, enter the private IP range of your Kubernetes Pods. This is typically something like `10.0.0.0/16` for many Kubernetes clusters, but it may vary depending on your specific setup. If you're unsure, you can check this range in your Kubernetes configuration or consult your cluster administrator.
* Navigate to the `Peer Group` tab and select your Kubernetes cluster's group as the routing peer. This group should contain all your cluster's nodes and will automatically include all the Pods running on these nodes.
@@ -75,15 +81,24 @@ In the NetBird dashboard, navigate to the `Network Routes` section and click on
* Review your settings to ensure everything is correct. The route you're creating will allow traffic from your local machine (in the distribution group) to reach the Kubernetes Pods (in the peer group) via the specified network range.
* Once you're satisfied with the configuration, click the `Continue` button.
-
+
+
+
Provide a descriptive name for your route, such as `NetBird K8s Demo`.
-
+
+
+
This setup creates a secure pathway for your local machine to communicate with the Pods in your Kubernetes cluster through the NetBird network. As new Pods are created or removed due to autoscaling, they'll automatically be included in or excluded from this route, maintaining seamless access without manual intervention.
-
+
+
+
## 3. Setting Up Access Policies for Secure Communication
@@ -100,16 +115,25 @@ To create a new access policy:
Your access policy must look similar to this:
-
+
+
+
Click `Continue` and name your policy:
-
+
+
+
Once you save your policy, it is a good practice to disable or modify the default `All` group policy to prevent unrestricted access.
-
+
+
+
This tailored access policy ensures that only authorized devices (your local machine) can communicate with the Kubernetes cluster, significantly improving your network's security posture. As your environment scales, this policy will automatically apply to new pods, maintaining consistent access control.
@@ -216,7 +240,10 @@ kubectl apply -f quote-app.yaml
After a few seconds, the app will appear in NetBird's `Peers` dashboard. If you hover over the `Assigned Groups`, you'll notice the app automatically joined the group `Kubernetes Cluster` as expected.
-
+
+
+
## 5. Configuring Horizontal Pod Autoscaler (HPA)
@@ -315,19 +342,31 @@ quote-hpa Deployment/quote cpu: 1%/20% 1 3 1 32m
If you go to NetBird `Peers` dashboard, you will see new peers automatically joining the network as pods scale up.
-
+
+
+
As you can see, all peers join the same group, meaning all share the same access policy you defined.
-
+
+
+
Conversely, when scaling down, peers are removed from the group and then terminated.
-
+
+
+
When ready, stop the load generator by pressing `Ctrl+C` in its terminal window; eventually, you will see only one app peer in the dashboard.
-
+
+
+
This demonstration showcases NetBird's powerful capabilities in seamlessly managing network connections within a dynamic, autoscaling Kubernetes environment. NetBird automatically adapts to your cluster's changing topology without any manual intervention, ensuring secure and efficient connectivity as pods scale up or down. This automation saves significant time and effort in network management and enhances your environment's security posture. By integrating NetBird, you're implementing a robust, scalable networking solution that keeps pace with your application's demands while maintaining strict access controls.
diff --git a/src/pages/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access.mdx b/src/pages/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access.mdx
index 228ddd76..d64ffa46 100644
--- a/src/pages/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access.mdx
+++ b/src/pages/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access.mdx
@@ -41,15 +41,24 @@ Before onboarding remote workers, ensure your organization has appropriate [acce
Navigate to `Access Control > Policies` in the NetBird admin console, then click `Add Policy` or edit an existing one to define these restrictions. Here's a sample policy that grant any member of the `Freelancers` group access to the resources in the group `On-Premise-DB`.
-
+
+
+
If necessary, you can also set [posture checks](/manage/access-control/posture-checks) for this policy.
-
+
+
+
Moreover, it is a best practice to disable the `Default` policy to enforce only restrictive, custom-defined access controls.
-
+
+
+
With appropriate access policies in place, you're ready to enable NetBird's Peer Approval feature.
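Review bot: In the first context line of this hunk, "a sample policy that grant any member" has a subject-verb mismatch; since the surrounding lines are being touched anyway, change it to "a sample policy that grants any member of the `Freelancers` group access to the resources in the group `On-Premise-DB`."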
@@ -57,7 +66,10 @@ With appropriate access policies in place, you're ready to enable NetBird's Peer
To enable peer approval, go to `Settings > Authentication` and activate the `Peer approval` toggle, then click `Save Changes`.
-
+
+
+
With `Peer Approval` activated, new members will see an `Approval required` message when joining. Administrators must grant access, ensuring only vetted users enter the NetBird network, thus enhancing overall security.
@@ -65,47 +77,77 @@ With `Peer Approval` activated, new members will see an `Approval required` mess
To invite a new user to join your NetBird network, go to `Team > Users` and click the `Invite User` button.
-
+
+
+
A pop-up window appears for new user registration. Enter the user's name, email address, and select the `Freelancers` group from the dropdown menu. NetBird's auto-assignment feature instantly links the new user to the `Freelancers` group upon network entry, automatically applying the associated access policy you just created.
-
+
+
+
After clicking `Send Invitation`, you'll return to the `Users` dashboard. Here, the new user appears with a `Pending` status, awaiting their acceptance of the invitation and any required approvals.
-
+
+
+
## 4. Installing NetBird On The Remote Worker Device
Access the secondary email account used to mimic the freelancer. In the inbox, locate the invitation email from NetBird. This email contains a secure link to join your organization's NetBird network, initiating the freelancer's onboarding process.
-
+
+
+
After clicking the invitation link, you'll be directed to NetBird's secure account creation page. Follow the on-screen instructions to create a new password.
-
+
+
+
Upon logging in, you'll arrive at NetBird's Peers dashboard. Locate and click the `Add Peer` button to initiate the [Getting Started](/get-started) Wizard, which guides you through the process of adding a new device to the network.
-
+
+
+
The wizard will detect your operating system and provide detailed step-by-step instructions on how to [install NetBird](/get-started/install).
-
+
+
+
During your initial connection to NetBird, a system dialog will appear requesting authorization. This prompt asks for permission to access your profile and email information, which is necessary for NetBird to establish your account and network access.
-
+
+
+
After completing the installation, your device will appear in the Peers dashboard. Hover over the `+1` in the `Assigned Groups` column to confirm the device has automaticaclly assigned to the `Freelancers` group as expected.
-
+
+
+
## 5. Approving Peers
Back to your primary account, you'll notice the newly added user's status is now displayed as `Active` in the `Users` dashboard. This status update confirms that the device has successfully added to the NetBird network and is ready for secure communication.
-
+
+
+
However, your approval is required before the user's device can fully connect to the NetBird network. To grant network access:
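Review bot: Two context lines in this hunk carry errors worth fixing in the same pass. In section 4, "the device has automaticaclly assigned to the `Freelancers` group" should read "has been automatically assigned", and in section 5, "the device has successfully added to the NetBird network" should read "has been successfully added". The section 5 sentence also says the device "is ready for secure communication" while the next paragraph says approval is still required, so consider dropping that clause to avoid implying access before approval.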
@@ -114,15 +156,24 @@ However, your approval is required before the user's device can fully connect to
* Click the `Approve` button next to the device
* Confirm the action when prompted
-
+
+
+
After approval, the device is granted full access to network resources allocated to the `Freelancers` group. The freelancer can now view all accessible network resources in their `Peers` dashboard:
-
+
+
+
Likewise, as an administrator, you can click on the user's device to see which resources and peers the freelancer has access to.
-
+
+
+
## 6. Automating Peer Approval with EDR Integration (optional)
@@ -137,7 +188,10 @@ Key aspects of NetBird's EDR integration:
To activate this feature, navigate to `Integrations > EDR` and activate the CrowdStrike integration toggle.
-
+
+
+
For more information regarding NetBird's EDR integration, refer to the [documentation](/manage/access-control/endpoint-detection-and-response)
diff --git a/src/pages/manage/peers/access-infrastructure/secure-remote-webserver-access.mdx b/src/pages/manage/peers/access-infrastructure/secure-remote-webserver-access.mdx
index c9963c29..1a366ddb 100644
--- a/src/pages/manage/peers/access-infrastructure/secure-remote-webserver-access.mdx
+++ b/src/pages/manage/peers/access-infrastructure/secure-remote-webserver-access.mdx
@@ -37,7 +37,10 @@ With prerequisites in place, you'll be prepared to establish an encrypted point-
Login to NetBird and navigate to `Peers`. Ensure you see your local peer connected.
-
+
+
+
To add your remote web server to NetBird's peer network, first you need to generate a setup key:
@@ -46,7 +49,10 @@ To add your remote web server to NetBird's peer network, first you need to gener
* Configure the key by assigning it a descriptive name (e.g., "Remote Web Server"), setting an expiration date, and defining auto-assigned groups (if required). Read the documentation for [detailed setup key configuration](/manage/peers/register-machines-using-setup-keys).
* Copy the generated key to a secure location as you'll need it shortly
-
+
+
+
Next, install the NetBird agent on the VM.
@@ -98,7 +104,10 @@ Peers count: 0/0 Connected
Now, go back to NetBird's `Peers` dashboard and ensure your remote web server is connected.
-
+
+
+
## 2. Configuring NetBird Access Control Policies
With both peers now connected to NetBird, the next step is to configure access control rules. This step is essential to define and restrict who can access the remote server, enhancing security by limiting connections to authorized users or devices only.
@@ -118,7 +127,10 @@ For this specific use case, we've implemented a simple access policy:
This policy restricts SSH access to the `Testing Environment`, permitting only authorized members from the group `Freelancers` to connect.
-
+
+
+
After establishing the policy, assign peers to their respective groups. To add the remote web server to the `Testing Environment` group:
@@ -126,18 +138,27 @@ After establishing the policy, assign peers to their respective groups. To add t
* Click on the name of the peer you want to edit, in this case, `webserver`
* Find the `Assigned Groups` field and select `Testing Environment` from the dropdown list.
-
+
+
+
While you're there, take note of the IP addresses listed on the left. Use the quick copy buttons to get `NetBird IP-Address` and `Domain Name`. Alternatively, you can hover over the peer in the peers' list and copy the IP addresses as shown below:
-
+
+
+
With your remote server configured and the corresponding access policy enabled, the final step is to assign users to the appropriate group:
* Locate your user in the peers' list and click on it
* Find the `Assigned Groups` field and select `Freelancers` from the dropdown list.
-
+
+
+
## 3. Establishing a Secure SSH Connection to Access the Internal Web Service
@@ -145,19 +166,31 @@ NetBird streamlines secure connections without traditional firewall complexities
To verify your setup, simply ping the web server from a third-party device outside of the NetBird network using the web server's NetBird-assigned IP:
-
+
+
+
There is no response from the host. Now, ping the web server from your configured local machine:
-
+
+
+
As expected, all packets were transmitted. Now, you can securely SSH into your remote web server from your local peer, either using the NetBird-assigned domain name or IP address:
-
+
+
+
This straightforward test confirms your successful implementation of a secure, firewall-free connection to your remote web server via NetBird, demonstrating its power in simplifying robust network security.
-
+
+
+
## Get Started
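Review bot: In the sentence after the second ping screenshot, "all packets were transmitted" is not what shows the policy works, because ping transmits its packets in the blocked case as well; the evidence is that replies came back. Suggest "all packets were received" (or "0% packet loss"). Since the blocked and allowed results appear only as screenshots, consider also giving both outcomes in text so the comparison survives if an image fails to load.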
diff --git a/src/pages/manage/peers/access-infrastructure/setup-keys-add-servers-to-network.mdx b/src/pages/manage/peers/access-infrastructure/setup-keys-add-servers-to-network.mdx
index 245c0e2d..0e0c593c 100644
--- a/src/pages/manage/peers/access-infrastructure/setup-keys-add-servers-to-network.mdx
+++ b/src/pages/manage/peers/access-infrastructure/setup-keys-add-servers-to-network.mdx
@@ -51,7 +51,10 @@ To seamlessly integrate virtual machines or Docker containers into your NetBird
Here's an example:
-
+
+
+
This setup key will serve as your secure passport for adding both your VM and Docker container to the NetBird network,
ensuring a consistent integration process.
@@ -130,7 +133,10 @@ sudo systemctl enable netbird
Finally, log into your NetBird dashboard and navigate to the `Peers` section to confirm your VM is listed and connected.
-
+
+
+
By using the setup key, you've securely added your VM to the NetBird network with minimal manual configuration, demonstrating the efficiency and security benefits of this approach.
@@ -174,7 +180,10 @@ Now that your VM is connected to the NetBird secure network, you can verify the
To locate the NetBird-assigned IP or domain, go to the `Peers` page in your NetBird dashboard and hover your cursor over the VM's name.
-
+
+
+
Verify connectivity to the VM from any NetBird-connected device using:
@@ -191,7 +200,10 @@ $ curl 100.85.148.249:8080
Alternatively, you can go to `http://VM_NETBIRD_DOMAIN:8080` using your browser:
-
+
+
+
Keep in mind that this tutorial used the default `All` group for simplicity. However, implementing [NetBird's Access Policy](https://docs.netbird.io/manage/access-control/manage-network-access) to restrict peer-to-peer connections to specific user groups is a best practice for gaining granular control over resource access, thus improving your network's overall security posture in various scenarios.
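Review bot: The closing paragraph links to `https://docs.netbird.io/manage/access-control/manage-network-access` with an absolute URL, while other pages in this patch use site-relative links such as `/manage/access-control/posture-checks` and `/manage/peers/register-machines-using-setup-keys`. Suggest switching to the relative form `/manage/access-control/manage-network-access` so the link follows the docs site in previews and mirrors.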
diff --git a/src/pages/manage/peers/auto-update.mdx b/src/pages/manage/peers/auto-update.mdx
index 6a3a9e65..aec4fe63 100644
--- a/src/pages/manage/peers/auto-update.mdx
+++ b/src/pages/manage/peers/auto-update.mdx
@@ -20,7 +20,10 @@ The Automatic Updates feature allows the NetBird client to automatically update
## Enable Automatic Updates
-
+
+
+
To enable client auto updates, navigate to [Settings » Clients](https://app.netbird.io/settings) and enable 'Automatic Updates'.
diff --git a/src/pages/manage/peers/site-to-site/db-workload-migration.mdx b/src/pages/manage/peers/site-to-site/db-workload-migration.mdx
index 492206c1..f2b49793 100644
--- a/src/pages/manage/peers/site-to-site/db-workload-migration.mdx
+++ b/src/pages/manage/peers/site-to-site/db-workload-migration.mdx
@@ -166,7 +166,10 @@ With the on-premise environment ready, you can install NetBird on the destinatio
Login to NetBird and navigate to `Peers`. Ensure the source instance, the one hosting the database, is connected.
-
+
+
+
Next, generate a setup key for enhanced security when connecting your remote workload to the NetBird network:
@@ -175,7 +178,10 @@ Next, generate a setup key for enhanced security when connecting your remote wor
* Enter a descriptive name for the setup key (e.g., "Remote Workload 01"). Also, set an expiration date and define auto-assigned groups (if required). You can find [more information regarding setup key options in the documentation](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys).
* Copy the generated key since you'll need it shortly
-
+
+
+
To install the NetBird agent on the remote instance, run the following command:
@@ -241,7 +247,10 @@ Peers count: 0/0 Connected
If everything goes as expected, you will see your remote workload in NetBird's `Peers` dashboard.
-
+
+
+
## 3. Setting Up NetBird's Access Control for Secure Data Transfer
@@ -262,7 +271,10 @@ For this use case, we disabled the `Default` policy and created the following on
This policy restricts access to the local environment where the database is running by only allowing the members of the group `Remote Workloads` to connect.
-
+
+
+
The next step is to assign peers to their respective groups. To add the remote instance to the `Remote Workloads` group:
@@ -270,14 +282,20 @@ The next step is to assign peers to their respective groups. To add the remote i
* Click on `remote-workload` (or any name you gave to the remote instance)
* Find the `Assigned Groups` field and select `Remote Workloads` from the dropdown list.
-
+
+
+
Follow a similar procedure to assign your local machine to the `On-Premise-DB` group:
* Locate and click on the local peer
* Find the `Assigned Groups` field and select `On-Premise-DB` from the dropdown list.
-
+
+
+
Your network configuration is complete, enabling secure communication between the remote instance and your local machine via an encrypted WireGuard tunnel. However, additional adjustments are necessary to finalize the workload migration process.
@@ -328,7 +346,10 @@ These changes allow PostgreSQL to listen on all interfaces and accept connection
To complete the migration, deploy your workload to the remote instance by recreating the local setup: establish a Python virtual environment, install the `psycopg2-binary` library, and create `employee_workload.py`. However, in the Python code, you must update the `host` parameter, replacing `localhost` with the NetBird-assigned IP address of the remote instance. You can find this IP address in your peers' list on your NetBird dashboard.
-
+
+
+
Optionally, you can change the label `(On-Premise)` with `(Remote)` as mentioned earlier. The Python code should look similar to this:
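Review bot: The context sentence "replacing `localhost` with the NetBird-assigned IP address of the remote instance" is ambiguous and may send readers to the wrong peer. Elsewhere in this file "remote instance" is the destination host that joins the `Remote Workloads` group and runs the workload, while the database stays on the source machine in `On-Premise-DB`. Since this patch already touches the paragraph, consider rewording it to name the peer that hosts the database, so the workload is not pointed at its own address.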
diff --git a/src/pages/manage/team/auto-offboard-users.mdx b/src/pages/manage/team/auto-offboard-users.mdx
index e5354184..68362d1d 100644
--- a/src/pages/manage/team/auto-offboard-users.mdx
+++ b/src/pages/manage/team/auto-offboard-users.mdx
@@ -12,39 +12,63 @@ is deleted from your Identity Provider.
In this tutorial, we will focus on `user_01`, `user_02`, and `user_03`. From NetBird's `Users` dashboard, you can see
that `user_01` is part of the `IT Administrators` group, while `user_02` and `user_03` belong to the `Staging` group.
-
+
+
+
To get started, access your Identity Provider (IdP) dashboard. For this example, we'll use [Microsoft Entra ID (Azure AD)](https://docs.netbird.io/manage/team/idp-sync/microsoft-entra-id-sync).
Next, locate the user you want to offboard in your IdP's user management section. Let’s say you want to revoke access to
`user_01`, in that case, you will need to select it and click the `Delete` button as shown below.
-
+
+
+
After deletion, click the `Refresh` button to confirm that the user is no longer active.
-
+
+
+
Wait for the NetBird integration to complete its next synchronization cycle, which usually takes 300 seconds. Alternatively, go to the `Integrations` screen in the NetBird admin console and click the corresponding integration button to manually trigger the synchronization.
-
+
+
+
Now, go to NetBird's `Users` dashboard to verify that the user is no longer listed.
-
+
+
+
## Revoking Group Access
Imagine a scenario where you have an access policy that grants all members of the `Staging` group access to resources in the `Servers` group.
-
+
+
+
Let's say the current project is finished, and you no longer want members of the `Staging` group to have access to the
`Servers` group. One way to do this is to remove the `Staging` group from your IdP.
-
+
+
+
Once the changes synchronize in NetBird, users and their group memberships will be updated; therefore,
[network access associated with that group](https://docs.netbird.io/manage/access-control/manage-network-access) will automatically be revoked.
-
\ No newline at end of file
+
+
+
\ No newline at end of file
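Review bot: The file still ends without a trailing newline; the `\ No newline at end of file` marker follows both the removed and the added final lines. Add a newline at the end of `auto-offboard-users.mdx` while the last block is being rewritten. Separately, the context sentence "revoke access to `user_01`, in that case, you will need to select it" is a comma splice and reads better split into two sentences.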
diff --git a/src/pages/manage/team/idp-sync/google-workspace-sync.mdx b/src/pages/manage/team/idp-sync/google-workspace-sync.mdx
index 22be10b4..dcc4deae 100644
--- a/src/pages/manage/team/idp-sync/google-workspace-sync.mdx
+++ b/src/pages/manage/team/idp-sync/google-workspace-sync.mdx
@@ -18,7 +18,10 @@ data via the Admin SDK API. This service account uses OAuth 2.0 for secure, auth
Go to the `Integrations` section in the left menu to access the `Identity Provider integration`. Click the `Google Workspace` button. This will open a pop-up window featuring an intuitive wizard to guide you through the synchronization process between NetBird and Google Workspace.
-
+
+
+
## Prerequisites
@@ -44,7 +47,10 @@ To [check your user permissions](https://support.google.com/a/answer/7519580?hl=
Confirm that you have one of the required roles before proceeding with the integration:
-
+
+
+
If you lack the required permissions, please contact your workspace administrator to request them.
@@ -62,7 +68,10 @@ To [check your organization-level permissions](https://cloud.google.com/resource
> NOTE: Verifying your GCP permissions is mandatory before proceeding with the integration since you might need to disable the `iam.disableServiceAccountKeyCreation` constraint temporarily during the process.
-
+
+
+
If you lack the required role, contact your organization's IT department or the person who set up your Google Cloud account.
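Review bot: The NOTE in this hunk's context says the `iam.disableServiceAccountKeyCreation` constraint may be disabled "temporarily", but nothing in the lines visible in this patch tells the reader to restore it. If the page does not already say so further down, add a step to re-enable the constraint once the service account key has been created and uploaded, so the organization policy is not left relaxed.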
@@ -70,7 +79,10 @@ If you lack the required role, contact your organization's IT department or the
Once you have the necessary permissions, you can create the NetBird project in GCP.
-
+
+
+
Let's go through the required steps:
@@ -81,7 +93,10 @@ Let's go through the required steps:
* Ensure the proper organization is selected in the `Organization` field.
* Click `CREATE`.
-
+
+
+
To let `NetBird` authenticate and access Google Workspace, you must enable the `Admin SDK API`. Here’s how to do it:
@@ -89,19 +104,28 @@ To let `NetBird` authenticate and access Google Workspace, you must enable the `
* Navigate to [https://console.cloud.google.com/apis/library/admin.googleapis.com](https://console.cloud.google.com/apis/library/admin.googleapis.com)
* Click the `Enable` button.
-
+
+
+
## Creating the NetBird Service Account
Once you create the project, you can set up the `NetBird` service account. On NetBird, click `Continue →`. That will show you a summary of the required steps.
-
+
+
+
Here are the step-by-step instructions:
Navigate to [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials), click `CREATE CREDENTIALS` at the top menu and select `Service account` from the dropdown list.
-
+
+
+
Complete the form with the supplied values:
* `NerBird` for the service account name
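Review bot: The context line "`NerBird` for the service account name" at the end of this hunk has a typo; later sections of the same file refer to the `NetBird` service account. Since readers copy this value into the GCP form, fix it to `NetBird` in this pass.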
@@ -109,43 +133,70 @@ Complete the form with the supplied values:
Click `DONE` when ready.
-
+
+
+
## Getting Your Service Account Email
On NetBird, click `Continue →`. You’ll need to provide the email of the service account.
-
+
+
+
You can copy the email from the `Credentials` page.
-
+
+
+
## Creating a New Service Account Key
Back on NetBird, click `Continue →`. You’ll see a summary of how to create a service account key.
-
+
+
+
First, click on the service account email to show its details.
-
+
+
+
Next, click the `Keys` tab. Open the `ADD KEY` drop-down menu and select `Create new key` from the list.
-
+
+
+
A new pop-up window will open, select `JSON` as indicated below:
-
+
+
+
The key will automatically download to your local device. The new key will also appear as `active` in the `KEYS` tab.
-
+
+
+
During service account key creation, you may encounter the following error:
-
+
+
+
If that’s the case, activate Google Cloud Shell on the top menu (shell icon) and enter the following command:
@@ -157,21 +208,33 @@ Remember to replace `ORGANIZATION_ID` with your organization ID.
Now, you can upload the service account key to NetBird. After a successful upload, you'll see the key listed in the NetBird interface.
-
+
+
+
## Creating a New Admin Role in Google Workspace
After creating the service account in GCP and uploading its secret key, return to NetBird and click 'Continue →'. The next steps will guide you through creating a role in Google Workspace for this service account
-
+
+
+
Navigate to Google Workspace [Admin Console](https://admin.google.com/ac/home). Select `Account` on the left menu and then click `Admin Roles`
-
+
+
+
Click `Create new role`
-
+
+
+
Fill in the form with the values provided in NetBird:
* Name: `User and Group Management ReadOnly`
@@ -179,13 +242,19 @@ Fill in the form with the values provided in NetBird:
When done, click `CONTINUE`
-
+
+
+
## Granting Role Privileges
Return to NetBird and click `Continue →`. The next screen shows the privileges needed for the Admin API.
-
+
+
+
Back to Google Workspace, enter `admin api` in the search bar and enable the following privileges for the Admin API:
* Users: `Read`
@@ -193,58 +262,97 @@ Back to Google Workspace, enter `admin api` in the search bar and enable the fol
Then, click `CONTINUE`
-
+
+
+
Review the Admin API privileges to verify they are correct and click `CREATE ROLE` when ready.
-
+
+
+
## Assigning Admin API Privileges to Google Cloud Service Account
In NetBird, click `Continue →`. For convenience, you can copy the service account Email from this screen and use it to grant it the necessary permissions in Google Workspace.
-
+
+
+
Then, in Google Workspace, click on `Assign service accounts` as shown below:
-
+
+
+
Paste the service account Email address and click the `ADD` button.
-
+
+
+
Verify the Email and click `ASSIGN ROLE` to grant the role `User and Group Management ReadOnly` to the `NetBird` service account.
-
+
+
+
## Entering Customer ID
Go back to NetBird and click `Continue →`. The next screen will prompt you to enter your Google Workspace Customer ID.
-
+
+
+
To get your customer ID, navigate to [Account Settings](https://admin.google.com/ac/accountsettings/profile?hl=en_US) and copy the corresponding ID.
-
+
+
+
## Synchronizing Google Workspace Groups and Users
Return to NetBird. The next two screens allow you to select which Google Workspace groups and users you want to synchronize. By default, NetBird synchronizes all groups and users. If you're okay with syncing everything, click `Continue` on both screens.
-
+
+
+
You can also click on `+ Add group (or user group) filter` to change this settings as you see fit. To finish the integration process, click the `Connect` button.
-
+
+
+
The next screen, should be similar the following one, verifying that the integration was successful:
-
+
+
+
To verify the integration is working correctly, you can also navigate to `Team` > `Users`. Here, you should see your synchronized Google Workspace users listed.
-
+
+
+
The users should be the same listed in Google Workspace Admin console:
-
+
+
+
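Review bot: Two context sentences in the "Synchronizing Google Workspace Groups and Users" part of this hunk have grammar slips that are worth fixing while the file is open. "to change this settings as you see fit" should be "these settings", and "The next screen, should be similar the following one" should read "The next screen should be similar to the following one". The last context sentence, "The users should be the same listed in Google Workspace Admin console", also reads better as "the same as those listed in the Google Workspace Admin console".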
diff --git a/src/pages/manage/team/idp-sync/jumpcloud-sync.mdx b/src/pages/manage/team/idp-sync/jumpcloud-sync.mdx
index 4dfaf50d..ca2b4195 100644
--- a/src/pages/manage/team/idp-sync/jumpcloud-sync.mdx
+++ b/src/pages/manage/team/idp-sync/jumpcloud-sync.mdx
@@ -27,11 +27,17 @@ Once SSO is configured, and you can successfully log in to NetBird using your Ju
To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard.
-
+
+
+
Click the `Connect Jumpcloud` button to begin the configuration process.
-
+
+
+
Click `Get Started` to launch the configuration wizard. You will be guided through several configuration options:
@@ -39,7 +45,10 @@ Click `Get Started` to launch the configuration wizard. You will be guided throu
By default, all groups assigned to the NetBird application in JumpCloud will be synchronized. If you want to synchronize only assigned groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
-
+
+
+
Click `Continue` to proceed to the next step.
@@ -47,7 +56,10 @@ Click `Continue` to proceed to the next step.
By default, all users from the groups assigned to the NetBird application will be synchronized. If you want to further filter and synchronize only users from specific assigned groups, you can specify those group names in the filter. The group name matching is case-sensitive.
-
+
+
+
Click `Continue` to generate your SCIM credentials.
@@ -55,11 +67,17 @@ Click `Continue` to generate your SCIM credentials.
NetBird will generate the SCIM credentials required to configure JumpCloud. Make note of both the **Base URL** and **Token Key** as you will need them in the next section to complete the JumpCloud configuration.
-
+
+
+
Click `Finish Setup` to complete the NetBird SCIM configuration.
-
+
+
+
You can now proceed to configure the SCIM application in JumpCloud using the credentials generated above.
@@ -76,13 +94,19 @@ In the **Configuration Settings** section, enter the following SCIM Service Prov
* **Token Key**: Paste the Bearer token you copied from NetBird
* **Test User Email**: Provide a new, unused email address for testing (e.g., `test@yourdomain.com`)
-
+
+
+
* Click `Test Connection` to verify the SCIM connection
If the connection is successful, you'll see a success message. Click `Activate` to enable SCIM provisioning.
-
+
+
+
## Assigning Groups for SCIM Synchronization
@@ -95,7 +119,10 @@ In your [JumpCloud admin console](https://console.jumpcloud.com/):
* Select the groups whose members you want to synchronize to NetBird
* Click `Save` to apply the changes
-
+
+
+
Once saved, JumpCloud will automatically synchronize the selected groups and their user memberships to NetBird.
@@ -104,7 +131,10 @@ Once saved, JumpCloud will automatically synchronize the selected groups and the
After assigning groups in JumpCloud, the synchronization will begin automatically. You can verify that users and groups
have been successfully synchronized by navigating to `Team > Users` in your NetBird dashboard.
-
+
+
+
SCIM provisioning will manage only resources that are created through Jumpcloud. Any resources created directly in NetBird will not be managed by SCIM.
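Review bot: The closing context sentence spells the provider "Jumpcloud", while the rest of this file's prose uses "JumpCloud" (for example "configure the SCIM application in JumpCloud"). Make the product name consistent in prose; keep `Connect Jumpcloud` only if that is the literal button label in the dashboard.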
diff --git a/src/pages/manage/team/idp-sync/keycloak-sync.mdx b/src/pages/manage/team/idp-sync/keycloak-sync.mdx
index 04556d95..cdf6733c 100644
--- a/src/pages/manage/team/idp-sync/keycloak-sync.mdx
+++ b/src/pages/manage/team/idp-sync/keycloak-sync.mdx
@@ -17,7 +17,10 @@ Before you begin the integration process, ensure you have the necessary permissi
Once the SCIM plugin is installed, you should see the SCIM section available in your Keycloak admin console.
-
+
+
+
## Setting Up SSO with Keycloak
@@ -29,11 +32,17 @@ Once SSO is configured, and you can successfully log in to NetBird using your Ke
To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard.
-
+
+
+
Click the `Connect Generic SCIM` button to begin the configuration process.
-
+
+
+
Click `Get Started` to launch the configuration wizard. You will be guided through several configuration options:
@@ -41,7 +50,10 @@ Click `Get Started` to launch the configuration wizard. You will be guided throu
By default, all groups mapped in the Keycloak SCIM client will be synchronized. If you want to synchronize only groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
-
+
+
+
Click `Continue` to proceed to the next step.
@@ -49,7 +61,10 @@ Click `Continue` to proceed to the next step.
By default, all users from the mapped groups will be synchronized. If you want to further filter and synchronize only users from specific groups, you can specify those group names in the filter. The group name matching is case-sensitive.
-
+
+
+
Click `Continue` to generate your SCIM credentials.
@@ -57,11 +72,17 @@ Click `Continue` to generate your SCIM credentials.
NetBird will generate the SCIM credentials required to configure Keycloak. Make note of both the **Base URL** and **Token Key** as you will need them in the next section to complete the Keycloak configuration.
-
+
+
+
Click `Finish Setup` to complete the NetBird SCIM configuration.
-
+
+
+
You can now proceed to configure the SCIM client in Keycloak using the credentials generated above.
@@ -71,11 +92,17 @@ To configure SCIM in Keycloak, you need to access the SCIM Administration Consol
Navigate to the SCIM Administration Console. On the first login screen, enter your realm name (e.g., `netbird`) and click `Start Login`.
-
+
+
+
Once logged in, navigate to the `SCIM Client` menu and click on `Remote SCIM Provider`. Then click the `+` button to add a new service provider configuration.
-
+
+
+
In the SCIM Remote Provider Configuration form, fill out the following sections:
@@ -89,7 +116,10 @@ In the SCIM Remote Provider Configuration form, fill out the following sections:
* **Base URL**: Paste the Base URL you copied from NetBird (e.g., `https://api.netbird.io/api/scim/v2`)
* **Hostname-Verifier Enabled**: Enable this checkbox
-
+
+
+
**Authentication:**
* **Authentication Type**: Select `Long Life Bearer Token Authentication`
@@ -97,20 +127,32 @@ In the SCIM Remote Provider Configuration form, fill out the following sections:
Click `Add` to save the configuration.
-
+
+
+
After adding the configuration, click `Save Configuration` and then click `Use default Configuration` to apply the settings.
The default schema for the SCIM provider will be created automatically.
-
+
+
+
Next, assign the SCIM provider to your realm. Click the `Realm Assignment` tab to view all available realms.
-
+
+
+
Find your realm (e.g., `netbird`) and click `Assign to Realm` to enable SCIM synchronization for that realm.
-
+
+
+
## Configure Resource Filtering
@@ -120,7 +162,10 @@ To control which specific groups and users should be synchronized, you need to c
Under the `SCIM Client` menu section, click on `Remote SCIM Provider`, then click `Edit` in the NetBird provider row.
Select the `Resource Filtering Rules` tab.
-
+
+
+
**User Filtering**
@@ -140,7 +185,10 @@ To synchronize only groups that match specific criteria, configure the group fil
* **Comparator**: Select `Contains`
* **Comparison Value**: Enter the text that should be contained in the group name
-
+
+
+
By default, Keycloak SCIM will not automatically push existing users and groups after the initial configuration.
@@ -153,7 +201,10 @@ Groups where you can manually trigger the initial sync.
After configuring mappings in Keycloak, the synchronization will begin based on your schedule settings. You can verify that users and groups
have been successfully synchronized by navigating to `Team > Users` in your NetBird dashboard.
-
+
+
+
SCIM provisioning will manage only resources that are created through Keycloak. Any resources created directly in
diff --git a/src/pages/manage/team/idp-sync/microsoft-entra-id-scim-sync.mdx b/src/pages/manage/team/idp-sync/microsoft-entra-id-scim-sync.mdx
index 423b8435..151e86f1 100644
--- a/src/pages/manage/team/idp-sync/microsoft-entra-id-scim-sync.mdx
+++ b/src/pages/manage/team/idp-sync/microsoft-entra-id-scim-sync.mdx
@@ -21,7 +21,10 @@ Before you begin the integration process, ensure you have the necessary admin pe
To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard.
-
+
+
+
Before starting the Entra ID SCIM integration you will need to be logged in via Microsoft Login.
@@ -31,7 +34,10 @@ To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity
Click the `Connect Microsoft Entra ID` button to begin the configuration process.
This action will trigger a pop-up window that will present you with a user-friendly wizard, guiding you through the synchronization process between NetBird and Entra ID.
-
+
+
+
## Configure SCIM Provisioning in Microsoft Entra ID
@@ -39,16 +45,25 @@ This action will trigger a pop-up window that will present you with a user-frien
Click on the `Get Started` button to initiate the integration process.
A new wizard screen will appear, offering step-by-step instructions for creating and configuring your Microsoft Entra ID application. To simplify the process, the wizard also provides quick-copy buttons for essential information:
-
+
+
+
In the [Azure portal](https://portal.azure.com), navigate to `Azure Active Directory` → `Enterprise applications`.
-
+
+
+
Click `New application` to create a new enterprise application.
-
+
+
+
Click `Create your own application`.
@@ -57,20 +72,32 @@ Fill out the application form with the following details:
* **What's the name of your app?**: `NetBird SCIM`
* **What are you looking to do with your application?**: Select `Integrate any other application you don't find in the gallery (Non-gallery)`
-
+
+
+
Click `Create`.
-
+
+
+
### Enable Provisioning
On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for enabling provisioning.
-
+
+
+
Once the application is created, you'll be redirected to a getting started page. Click `Get started` in the `Provision User Accounts` section.
-
+
+
+
Under the `Create configuration` section, click `connect your application`.
@@ -80,39 +107,60 @@ Fill out the `New provisioning configuration` form with the following details:
* **Tenant URL**: `https://api.netbird.io/api/scim/v2` (paste the Base URL you copied from NetBird)
* **Secret token**: Paste the Token Key you copied from the Entra ID SCIM Setup process in the NetBird integration
-
+
+
+
Click `Test Connection` to verify the SCIM connection. If the connection is successful, click `Create` to save the configuration.
-
+
+
+
### Configure Attribute Mapping
On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for configuring attribute mapping.
-
+
+
+
After creating the provisioning configuration, you need to configure the attribute mapping to ensure the `externalId` is mapped to the user's `objectId`.
Navigate to the `Attribute mapping` section and click `Provision Microsoft Entra ID Users`.
-
+
+
+
In the attribute mappings list, locate the `externalId` row and click `Edit`.
Change the **Source attribute** from `mailNickname` to `objectId`.
-
+
+
+
Click `Ok` to save the change, then click `Save` to apply the new attribute mapping configuration.
-
+
+
+
## Assign Users and Groups
On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for assigning users and groups.
-
+
+
+
To enable SCIM synchronization of users and groups to NetBird, you need to assign them to the NetBird enterprise application.
@@ -124,18 +172,27 @@ In the Azure portal, navigate to your NetBird enterprise application:
* Select the users and groups you want to synchronize to NetBird
* Click `Assign` to save the assignments
-
+
+
+
## Start Provisioning
On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for starting the provisioning.
-
+
+
+
After assigning users and groups, navigate back to the provisioning configuration and click the `Start provisioning` button to enable automatic synchronization. The first sync will begin shortly after provisioning is started.
-
+
+
+
Once started, Microsoft Entra ID will automatically synchronize the assigned users and groups to NetBird.
@@ -159,20 +216,29 @@ have been successfully synchronized by navigating to `Team > Users` in your NetB
You can access some configuration settings inside the NetBird Dashboard. E.g. if you want to regenerate the authentication token or want to filter users and groups based on a specific prefix.
Simply go to the Integrations page and click the settings icon of your integration.
-
+
+
+
### Regenerate Auth Token
If your authentication token has expired or you need to update it, click **Regenerate Auth Token** in the configuration window to generate a new token.
-
+
+
+
### Groups to be synchronized
By default, all groups assigned to the NetBird application in Entra will be synchronized. If you want to synchronize only assigned groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
-
+
+
+
Click `Continue` to proceed to the next step.
@@ -180,4 +246,7 @@ Click `Continue` to proceed to the next step.
By default, all users from the groups assigned to the NetBird application in Entra will be synchronized. If you want to further filter and synchronize only users from specific assigned groups, you can specify those group names in the filter. The group name matching is case-sensitive.
-
+
+
+
diff --git a/src/pages/manage/team/idp-sync/microsoft-entra-id-sync.mdx b/src/pages/manage/team/idp-sync/microsoft-entra-id-sync.mdx
index 4dffe1fa..6aa7ef16 100644
--- a/src/pages/manage/team/idp-sync/microsoft-entra-id-sync.mdx
+++ b/src/pages/manage/team/idp-sync/microsoft-entra-id-sync.mdx
@@ -15,7 +15,10 @@ To get started, navigate to [Integrations](https://app.netbird.io/integrations)
`Identity Provider` integration. Click the `Entra ID (Azure AD)` button. This action will trigger a pop-up window that will
present you with a user-friendly wizard, guiding you through the synchronization process between NetBird and Azure AD.
-
+
+
+
## Prerequisites
@@ -33,7 +36,10 @@ To check your permissions:
* Expand the `Manage` tab and click on `Roles and administrators` in the left menu.
* Look for your username and verify if you're assigned any of the above roles.
-
+
+
+
If you don't have the required permissions, contact your Azure AD administrator to grant you the appropriate role before proceeding with the NetBird integration.
@@ -48,21 +54,33 @@ A new wizard screen will appear, offering step-by-step instructions for creating
* Redirect Type
* Redirect URI
-
+
+
+
For convenience, click on [Azure Active Directory](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview) (step 1). That will open the Azure dashboard. Navigate to `App registrations` in the left menu and then click `+New registration` as indicated below:
-
+
+
+
Fill in the required information:
-
+
+
+
After entering all required information, click the `Register` button at the bottom of the form to finalize the application registration process.
Upon successful registration, you'll be redirected to a confirmation screen similar to the following:
-
+
+
+
Copy and securely store the generated `Application (client) ID` and `Directory (tenant) ID` as you will need them shortly.
@@ -70,23 +88,38 @@ Copy and securely store the generated `Application (client) ID` and `Directory (
On the NetBird dashboard click the `Continue →` button. A new wizard screen will appear, this time, offering step-by-step instructions for setting up API permissions.
-
+
+
+
Back to Azure, in the `App registrations` screen, click on `Manage` in the left menu to expand it and then click on `API permissions`:
-
+
+
+
Look for the `+ Add a permission` button, located near the top of the permissions list and click on it.
-
+
+
+
A new pop-up window will appear, asking you to select an API. Click on `Microsoft Graph`.
-
+
+
+
On the next screen, click on the `Application permissions` button, which will let you select the appropriate permissions for NetBird to function correctly with your Microsoft Entra ID environment.
-
+
+
+
To assign user permissions:
@@ -94,17 +127,26 @@ To assign user permissions:
* In the search results, click on the `User` tab to expand it and view the available permissions.
* Click on the checkbox to select and enable the `User.Read.All` permission.
-
+
+
+
The `User.Read.All` permission allows NetBird to read the full set of profile properties, group memberships, and reports of the signed-in user and other users in your organization.
Next, repeat the procedure. This time, search for `Group.Read.All` and click on the checkbox to enable it as shown below:
-
+
+
+
Once done, click the `Add permissions` button. You will see a few warnings:
-
+
+
+
Locate the `Grant admin consent for [Your Organization Name]` button (you’ll find it next to `+Add a permission` button). Click on it to grant the required permissions.
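Review bot: In the context sentence describing `User.Read.All`, the wording "of the signed-in user and other users in your organization" does not match the step just before it on this page, which selects `Application permissions`. Application permissions are exercised by the app itself, without a signed-in user. Suggest rewording to say the permission lets NetBird read user profiles in the organization, so readers reviewing the consent prompt understand the actual scope being granted.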
@@ -112,21 +154,33 @@ A confirmation dialog will appear, asking you to verify this action. Review the
Once finished, the status of the permissions should change to `Granted for [Your Organization Name]`. Verify that all selected permissions now show a green checkmark, indicating they've been successfully granted:
-
+
+
+
## Create a Client Secret for Secure NetBird-Entra ID Authentication
Back to the NetBird dashboard, click the `Continue →` button. A new wizard screen will appear, showing instructions for generating a client secret in Entra ID.
-
+
+
+
On Azure, click on the `Certificates & secrets` button in the left menu to open the management page. Click on `+New client secret` as shown below. Choose an expiration time that suits your security needs and click the `Add` button.
-
+
+
+
A new client secret will be generated and displayed on the screen. Copy and securely store the `Value` field immediately, as you will needed in the next step.
-
+
+
+
## Enter Application ID and Directory ID in NetBird
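Review bot: The context sentence about the client secret ends with "as you will needed in the next step", which should be "as you will need it in the next step". Both "Back to the NetBird dashboard" here and "Back to Azure" earlier in the file would also read better as "Back in ...".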
@@ -134,7 +188,10 @@ Paste the secret `Value` from the previous step into NetBird and click the `Cont
Paste the values and click the `Continue →` button.
-
+
+
+
## Choose Groups to Synchronize from Entra ID
At this stage, NetBird is set to synchronize all groups from your Microsoft Entra ID by default. You have two options:
@@ -142,7 +199,10 @@ At this stage, NetBird is set to synchronize all groups from your Microsoft Entr
* If you want to synchronize all groups, simply click the `Continue →` button.
* To synchronize only specific groups, click the `+ Add group filter` button, which will open a new panel where you can set criteria to include or exclude groups.
-
+
+
+
## Choose Users to Synchronize from Entra ID
After configuring group synchronization, you'll now set up user synchronization. Similar than before, NetBird is configured to synchronize all users from your Microsoft Entra ID by default.
@@ -154,7 +214,10 @@ After configuring group synchronization, you'll now set up user synchronization.
You can modify these synchronization settings later if necessary.
-
+
+
+
After configuring user and group synchronization, the setup wizard will finalize the process and you'll automatically return to the main Identity Provider screen.
@@ -173,14 +236,20 @@ These indicators confirm that:
You can manually trigger a sync or adjust settings by clicking on the Microsoft Entra ID section in the Identity Provider screen
-
+
+
+
## Verify the Integration
To verify the synchronization, navigate to `Teams > Users` in the left menu.
You should see all the users and groups from your Microsoft Entra ID environment listed in the NetBird dashboard.
-
+
+
+
You can now proceed to configure [access control policies](/manage/access-control/manage-network-access#creating-policies) using the synchronized groups to allow or deny access to the
synchronized users.
\ No newline at end of file
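Review bot: The verification step in this hunk says to navigate to `Teams > Users`, while the other IdP sync pages touched by this patch use `Team > Users`. Align the menu label with the dashboard so the path is the same across pages. The file also still ends without a trailing newline (`\ No newline at end of file` after the last context line), and "Similar than before" in the preceding section should be "As before".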
diff --git a/src/pages/manage/team/idp-sync/okta-sync.mdx b/src/pages/manage/team/idp-sync/okta-sync.mdx
index 414e50eb..23cdb16f 100644
--- a/src/pages/manage/team/idp-sync/okta-sync.mdx
+++ b/src/pages/manage/team/idp-sync/okta-sync.mdx
@@ -21,7 +21,10 @@ to synchronize users and groups smoothly.
To set up SSO, go to `Integrations` in the NetBird admin console's left menu to access the Identity Provider integration page. Click the `Connect Okta` button to get started with the Okta-NetBird integration. This will open a pop-up window with detailed instructions on synchronizing NetBird and Okta.
-
+
+
+
## Prerequisites
@@ -41,14 +44,20 @@ To check your user permissions in Okta:
Confirm that you have one of the required roles before proceeding with the integration.
-
+
+
+
## Installing the NetBird Integration
Once you have the necessary permissions, you can set up the NetBird application. First, on NetBird, click `Continue →` to show a summary of the necessary steps.
-
+
+
+
Let's go through them one by one:
@@ -57,27 +66,42 @@ Let's go through them one by one:
* Click the `Browse App Catalog` button.
-
+
+
+
In the app catalog, enter "NetBird" in the search bar. Then, click the `Add Integration` button.
-
+
+
+
Accept the default application name and click the `Done` button. On the next screen, click the `Assign` dropdown and select `Assign to People`.
-
+
+
+
You will see a list of users. Find your user account, click `Assign`, and save the changes. Verify your user is assigned to the NetBird app and click `Done`.
-
+
+
+
After that, you will see your user listed in the NetBird application.
-
+
+
+
## Configuring SSO in Okta
@@ -86,7 +110,10 @@ The next step is to configure Okta-NetBird SSO integration.
In NetBird, click the `Continue →` button. A new wizard screen will appear, offering the instructions for retrieving Okta’s OpenID Connect credentials. You can click `Close` and navigate to Okta.
-
+
+
+
* Click on the `Sign On` tab on Okta. Look for `OpenID Connect` under `Sign on methods` in the `Settings` section.
* Copy the `Client ID` value.
@@ -95,18 +122,27 @@ In NetBird, click the `Continue →` button. A new wizard screen will appear, of
Store these credentials securely, as you will need them soon.
-
+
+
+
* Click `Edit` in the `Settings` section.
* In `Credential Details`, change the `Application username format` from `Okta username` to `Email`.
* Click the `Save` button
-
+
+
+
* On the top right, click on your username
* Copy your [Okta account domain](https://developer.okta.com/docs/guides/find-your-domain/main/) as shown below:
-
+
+
+
The final step is to [send an email to the NetBird team](support@netbird.io) with the authentication information you just retrieved:
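Review bot: the link in "[send an email to the NetBird team](support@netbird.io)" uses a bare address as its target, so it renders as a relative URL instead of opening a mail client; it should be `mailto:support@netbird.io`. The same sentence asks readers to email "the authentication information you just retrieved" a few lines after the guide tells them to "Store these credentials securely". State explicitly which values belong in the email and, if any of them is a secret, direct readers to a protected channel rather than plain email. The list item "Click the `Save` button" is also missing its period.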
@@ -123,23 +159,38 @@ This completes the first stage, enabling Single Sign-On (SSO) from NetBird's log
In NetBird, go to `Integrations > Identity Provider` and click on the `Connect to Okta` button.
-
+
+
+
You will see a reminder of the permissions your user will require in Okta. Click the `Get Started →` button to continue.
-
+
+
+
If you haven't already, you'll need to set up SSO in Okta. If you've completed the previous section, skip this step and click the `Continue →` button.
-
+
+
+
The next screen will show you how to enable NetBird API credentials in Okta. Copy the value of the `Authorization (Bearer)` token.
-
+
+
+
Navigate to the NetBird app in your Okta admin dashboard. Click the `Provisioning` tab, then select `Configure API Integration`.
-
+
+
+
Follow these steps:
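Review bot: the step "Copy the value of the `Authorization (Bearer)` token." gives no handling guidance for a value that anyone holding it can present as an API credential. The OpenID Connect section already tells readers to "Store these credentials securely"; the same reminder belongs here, along with a note to paste the token only into the Okta `Configure API Integration` form and not into tickets or chat.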
@@ -147,21 +198,33 @@ Follow these steps:
* Enter your NetBird API Token.
* Click `Test API Credentials` to verify the SCIM connection.
-
+
+
+
If everything works as expected, you'll see the message: "NetBird was verified successfully!" as shown below. Click `Save` to continue.
-
+
+
+
## Configuring SCIM Provisioning to NetBird
On NetBird, click `Continue →`. You'll see instructions for configuring SCIM provisioning to NetBird.
-
+
+
+
Back to Okta, click `Edit` as shown below.
-
+
+
+
Enable Okta to create, update, and deactivate NetBird users by checking the corresponding boxes:
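Review bot: "Enter your NetBird API Token." does not say that this is the `Authorization (Bearer)` value copied from the NetBird wizard in the preceding step, so a reader cannot tell where the token comes from. Use one name for it throughout. "Back to Okta, click `Edit` as shown below." should also read "Back in Okta, click `Edit` as shown below."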
@@ -171,45 +234,69 @@ Enable Okta to create, update, and deactivate NetBird users by checking the corr
When done, click `Save`.
-
+
+
+
## Assigning NetBird Application to Okta Groups
In NetBird, click `Continue →`, you'll see the steps for assigning the NetBird integration to Okta groups.
-
+
+
+
* Navigate to the `Assignments` tab.
* Similar than before when you assigned your user to NetBird app, click the `Assign` button
* This time, select `Assign to Groups`.
* Select Okta groups that you want to assign to the NetBird app.
-
+
+
+
Once you assign the desired groups, click `Done`. You'll see the selected groups listed in Okta.
-
+
+
+
## Push Okta Groups to NetBird
One more time, go to NetBird and click `Continue →`. You'll see the final instructions to push Okta groups to NetBird.
-
+
+
+
* In Okta, navigate to `Push Groups` tab
* Click the `Push Groups` button
* Select `Find groups by name`
* Search for specific groups to push to NetBird.
-
+
+
+
Once you finish, go back to NetBird and click `Finish Setup`. You can verify the synchronization by navigating to `Team > Users`
-
+
+
+
The users listed in NetBird should match those you created in Okta.
-
+
+
+
SCIM provisioning will manage only resources that are created through Okta. Any resources created directly in NetBird will not be managed by SCIM.
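Review bot: the closing sentence "Any resources created directly in NetBird will not be managed by SCIM." is the one statement here with access-control consequences, and it sits after the verification step where it is easy to miss. Since the guide enables Okta to "create, update, and deactivate NetBird users", it should say plainly that accounts created directly in NetBird will not be deactivated when the person is removed in Okta, and the caveat should move up next to the provisioning settings or become a callout before `Finish Setup`. Wording nits in the same hunk: "Similar than before when you assigned your user to NetBird app" should be "As you did earlier when assigning your user to the NetBird app", "In NetBird, click `Continue →`, you'll see" is a comma splice, and several list items and the `Team > Users` sentence lack a final period.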