Merged
@@ -1,11 +1,12 @@
---
title: Air-gapped containers
description: Control container network access with air-gapped containers using custom proxy rules and network restrictions
keywords: air gapped containers, network security, proxy configuration, container isolation, docker desktop
description: Restrict outbound container traffic using proxy rules, PAC files, and network isolation with Docker Desktop air-gapped containers
keywords: air gapped containers, network security, proxy configuration, container isolation, docker desktop, PAC file, network isolation
aliases:
- /desktop/hardened-desktop/settings-management/air-gapped-containers/
- /desktop/hardened-desktop/air-gapped-containers/
- /security/for-admins/hardened-desktop/air-gapped-containers/
weight: 30
---

{{< summary-bar feature_name="Air-gapped containers" >}}
Expand All @@ -14,17 +15,13 @@ Air-gapped containers let you restrict container network access by controlling w

Docker Desktop can configure container network traffic to accept connections, reject connections, or tunnel through HTTP or SOCKS proxies. You control which TCP ports the policy applies to and whether to use a single proxy or per-destination policies via Proxy Auto-Configuration (PAC) files.

This page provides an overview of air-gapped containers and configuration steps.

## Who should use air-gapped containers?

Air-gapped containers help organizations maintain security in restricted environments:
Use air-gapped containers if:

- Secure development environments: Prevent containers from accessing unauthorized external services
- Compliance requirements: Meet regulatory standards that require network isolation
- Data loss prevention: Block containers from uploading sensitive data to external services
- Supply chain security: Control which external resources containers can access during builds
- Corporate network policies: Enforce existing network security policies for containerized applications
- Your organization requires containers to communicate only with approved internal services
- You need to meet compliance standards that mandate network isolation (such as SOC 2, ISO 27001, or PCI DSS)
- You want to prevent containers from leaking data or reaching unapproved external endpoints during builds or at runtime

## How air-gapped containers work

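Review bot: the third bullet under "Use air-gapped containers if:" names SOC 2, ISO 27001 and PCI DSS as standards that "mandate network isolation", which overstates all three. PCI DSS requires network segmentation for scoping the cardholder data environment, ISO 27001 lists network segregation as one selectable Annex A control, and SOC 2 leaves control design to the organization; none of them mandates isolation of container workloads as such. Either drop the named frameworks, as the replaced "Compliance requirements" bullet did, or soften to "compliance programs where network segmentation is a required or expected control (for example PCI DSS)".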
Expand All @@ -47,8 +44,7 @@ Before configuring air-gapped containers, you must have:

- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) enabled to ensure users authenticate with your organization
- A Docker Business subscription
- Configured [Settings Management](/manuals/enterprise/security/hardened-desktop/settings-management/_index.md) to manage organization policies
- Downloaded Docker Desktop 4.29 or later
- Configured [Settings Management](/manuals/enterprise/security/hardened-desktop/settings-management/_index.md) with the `admin-settings.json` file to manage organization policies

## Configure air-gapped containers

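Review bot: the rewritten Settings Management bullet now reads as if the `admin-settings.json` file is the required way to manage the policy, but the precedence list on the Settings Management page (edited later in this PR) puts the local `admin-settings.json` file at the lowest priority, below Admin Console policies and configuration profiles. Suggest "Configured Settings Management (through the Admin Console or an `admin-settings.json` file) to manage organization policies" so the Admin Console path is not read as unsupported for air-gapped containers.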
Expand Down Expand Up @@ -144,8 +140,8 @@ function FindProxyForURL(url, host) {

### General considerations

- `FindProxyForURL` function URL parameter format is http://host_or_ip:port or https://host_or_ip:port
- If you have an internal container trying to access https://docs.docker.com/enterprise/security/hardened-desktop/air-gapped-containers the docker proxy service will submit docs.docker.com for the host value and https://docs.docker.com:443 for the url value to FindProxyForURL, if you are using `shExpMatch` function in your PAC file as follows:
- `FindProxyForURL` function URL parameter format is `http://host_or_ip:port` or `https://host_or_ip:port`
- If you have an internal container trying to access `https://docs.docker.com/enterprise/security/hardened-desktop/air-gapped-containers` the Docker proxy service will submit docs.docker.com for the host value and https://docs.docker.com:443 for the url value to `FindProxyForURL`, if you are using `shExpMatch` function in your PAC file as follows:

```console
if(shExpMatch(url, "https://docs.docker.com:443/enterprise/security/*")) return "DIRECT";
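Review bot: the fence that follows the bullet is tagged `console` but its content is a PAC-file JavaScript statement (`if(shExpMatch(url, ...)) return "DIRECT";`), so the highlighter and the docs linter treat it as a shell session; tag it `javascript`. In the same bullet the example URL was moved into backticks but the values `docs.docker.com` and `https://docs.docker.com:443` were not, and the sentence runs the host/url explanation into the `shExpMatch` example with a comma. Split it: "... and `https://docs.docker.com:443` for the url value to `FindProxyForURL`. If your PAC file uses `shExpMatch` as follows:".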
Expand Down Expand Up @@ -230,3 +226,7 @@ $ docker run --rm alpine wget -O- https://docker.io
- PAC file management: Host PAC files on reliable internal infrastructure. Failed PAC downloads result in blocked container network access.
- Performance considerations: Complex PAC files with many rules may impact container network performance. Keep rules simple and efficient.

## Next steps

- [Explore Enhanced Container Isolation](/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/_index.md) to further restrict what containers can do at runtime
- [Understand how Docker Desktop handles host and container networking](/manuals/desktop/features/networking/_index.md)
Expand Up @@ -17,7 +17,6 @@ This page shows you how to turn on Enhanced Container Isolation (ECI) and verify
Before you begin, you must have:

- A Docker Business subscription
- Docker Desktop 4.13 or later
- [Enforced sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) (for administrators managing organization-wide settings only)

## Enable Enhanced Container Isolation
Expand Up @@ -142,17 +142,6 @@ $ docker image rm <image>
$ docker pull <image>
```

## Version compatibility

ECI features have been introduced across different Docker Desktop versions:

- Docker Desktop 4.36 and later: Wildcard allowlist support (`"*"`) and improved derived images handling
- Docker Desktop 4.34 and later: Derived images support (`allowDerivedImages`)
- Docker Desktop 4.30 and later: Docker Build protection with default driver (except WSL 2)
- Docker Desktop 4.13 and later: Core ECI functionality

For the latest feature availability, use the most recent Docker Desktop version.

## Production compatibility

### Container behavior differences
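Review bot: deleting the whole "Version compatibility" section removes the only place that records per-option minimum versions, in particular that `allowDerivedImages` needs Docker Desktop 4.34 and the `"*"` wildcard allowlist needs 4.36. A summary bar can state the release the feature as a whole arrived in, but not those option-level gates; an admin who pushes `allowDerivedImages` to a fleet still on 4.33 gets a silently ignored setting and nothing left in the docs to explain it. Keep at least the two option-level notes next to where `allowDerivedImages` and the wildcard are documented, or keep the section.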
@@ -1,15 +1,15 @@
---
title: Image Access Management
description: Control which Docker Hub images developers can access with Image Access Management for enhanced supply chain security
keywords: image access management, docker official images, verified publisher, supply chain security, docker business, allow list
keywords: image access management, docker official images, verified publisher, supply chain security, docker business, allow list, image restrictions, pull restrictions
tags: [admin]
aliases:
- /docker-hub/image-access-management/
- /desktop/hardened-desktop/image-access-management/
- /admin/organization/image-access/
- /security/for-admins/image-access-management/
- /security/for-admins/hardened-desktop/image-access-management/
weight: 40
weight: 50
---

{{< summary-bar feature_name="Hardened Docker Desktop" >}}
Expand All @@ -23,7 +23,7 @@ With Image Access Management, you can restrict access to:
- Organization images: Your organization's private repositories
- Community images: Public images from individual developers

You can also use a repository allow list to approve specific repositories that bypass all other access controls.
You can also use a repository allowlist to approve specific repositories that bypass all other access controls.

## Who should use Image Access Management?

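Review bot: "approve specific repositories that bypass all other access controls" overstates what the repository allowlist does. Later on this same page the feature is described as making repositories "accessible to all organization members regardless of the image type restrictions configured in the previous steps", and the Scope section treats Registry Access Management and sign-in enforcement as separate controls that the allowlist does not touch. Suggest "... that bypass the image-type restrictions" so readers do not conclude the allowlist also overrides RAM or other policies.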
Expand All @@ -36,7 +36,7 @@ Common security scenarios include:
- Control access to commercial third-party images
- Maintain consistent security standards across development teams

Use the repository allow list when you need to:
Use the repository allowlist when you need to:

- Grant access to specific vetted community images
- Allow essential third-party tools that don't fall under official categories
Expand All @@ -46,16 +46,16 @@ Use the repository allow list when you need to:

Before configuring Image Access Management, you must:

- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) to ensure users authenticate with your organization
- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md). Image Access Management only takes effect when users are signed in to Docker Desktop with organization credentials.
- Use [personal access tokens (PATs)](/manuals/security/access-tokens.md) for authentication (Organization access tokens aren't supported)
- Have a Docker Business subscription

> [!IMPORTANT]
>
> Image Access Management only takes effect when users are signed in to Docker Desktop with organization credentials.

## Configure image access

> [!NOTE]
>
> Image Access Management is turned off by default for organization members. Organization owners always have access to all images regardless of policy settings.

To configure Image Access Management:

1. Sign in to [Docker Home](https://app.docker.com) and select your organization from the top-left account drop-down.
Expand All @@ -66,22 +66,18 @@ To configure Image Access Management:
- **Community images**: Images contributed by various users that may pose security risks. This category includes Docker-Sponsored Open Source images and is turned off by default.
- **Docker Verified Publisher Images**: Images from Docker partners in the Verified Publisher program, qualified for secure supply chains.
- **Docker Official Images**: Curated Docker repositories that provide OS repositories, best practices for Dockerfiles, drop-in solutions, and timely security updates.
- **Repository allow list**: A list of specific repositories that should be
- **Repository allowlist**: A list of specific repositories that should be
allowed. Configure in the next step.
1. Optionally, when **Repository allow list** is enabled in the previous step,
1. If **Repository allowlist** is enabled in the previous step,
you can add or remove specific repositories in the allow list:
- To add repositories, in the **Repository allow list** section, select
**Add repositories to allow list** and follow the on-screen instructions.
- To remove a repository, in the **Repository allow list** section, select
- To add repositories, in the **Repository allowlist** section, select
**Add repositories to allowlist** and follow the on-screen instructions.
- To remove a repository, in the **Repository allowlist** section, select
the trashcan icon next to it.

Repositories in the allow list are accessible to all organization members regardless of the image type restrictions configured in the previous steps.

Once restrictions are applied, organization members can view the permissions page in read-only format.

> [!NOTE]
>
> Image Access Management is turned off by default. Organization owners have access to all images regardless of policy settings.
After restrictions are applied, organization members can view the permissions page in read-only format.

## Verify access restrictions

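Review bot: the "allow list" to "allowlist" rename is incomplete in this hunk: "you can add or remove specific repositories in the allow list:" and "Repositories in the allow list are accessible to all organization members ..." still use the two-word form while the bold UI strings around them were changed. Also, because **Repository allowlist** and **Add repositories to allowlist** are quoted as literal UI labels, confirm the Admin Console actually renders "allowlist" before changing them; renaming in prose is fine either way, but a bold label that does not match the screen sends users looking for a control that is not there.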
Expand All @@ -103,23 +99,22 @@ Error response from daemon: image access denied: community images not allowed

Image access restrictions apply to all Docker Hub operations including pulls, builds using `FROM` instructions, and Docker Compose services.

## Security implementation

Start with the most restrictive policy and gradually expand based on legitimate business needs:

1. Start with: Docker Official Images and Organization images
2. Add if needed: Docker Verified Publisher Images for commercial tools
3. Carefully evaluate: Community images only for specific, vetted use cases
4. Use the repository allow list sparingly: Only add repositories that have been thoroughly vetted and approved through your organization's security review process

Other security recommendations include:
## Best practices

- Start with the most restrictive policy and gradually expand based on legitimate business needs:
1. Start with Docker Official Images and Organization images
Contributor

Should this be

?

(I see this pattern in the docs I edit and the fussy AI bot yells at me when I don't use it lol)

Contributor

oh this is a list of just 1s....anyway

2. If needed, add Docker Verified Publisher Images for commercial tools
3. Carefully evaluate community images only for specific, vetted use cases
4. Use the repository allowlist sparingly. Only add repositories that have been thoroughly vetted and approved through your organization's security review process
- Monitor usage patterns: Review which images developers are attempting to pull, identify legitimate requests for additional image types, regularly audit approved image categories for continued relevance, and use Docker Desktop analytics to monitor usage patterns.
- Regularly review the repository allow list: Periodically audit the repositories in your allow list to ensure they remain necessary and trustworthy, and remove any that are no longer needed or maintained.
- Layer security controls: Image Access Management works best with Registry Access Management to control which registries developers can access, Enhanced Container Isolation to secure containers at runtime, and Settings Management to control Docker Desktop configuration.
- Regularly review the repository allow list: Periodically audit the repositories in your allowlist to ensure they remain necessary and trustworthy, and remove any that are no longer needed or maintained.

## Scope and bypass considerations

- Image Access Management only controls access to Docker Hub images. Images from other registries aren't affected by these policies. Use [Registry Access Management](/manuals/enterprise/security/hardened-desktop/registry-access-management.md) to control access to other registries.
- Users can potentially bypass Image Access Management by signing out of Docker Desktop (unless sign-in is enforced), using images from other registries that aren't restricted, or using registry mirrors or proxies. Enforce sign-in and combine with Registry Access Management for comprehensive control.
- Image restrictions apply to Dockerfile `FROM` instructions, Docker Compose services using restricted images will fail, multi-stage builds may be affected if intermediate images are restricted, and CI/CD pipelines using diverse image types may be impacted.

## Next steps

- Layer security controls: Image Access Management works best with [Registry Access Management](registry-access-management.md) to control which registries developers can access, [Enhanced Container Isolation](enhanced-container-isolation/_index.md) to secure containers at runtime, and [Settings Management](settings-management/_index.md) to control Docker Desktop configuration.
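Review bot: the new "Next steps" entry uses relative links (`registry-access-management.md`, `enhanced-container-isolation/_index.md`, `settings-management/_index.md`) while the Scope section two paragraphs up links the same RAM page as `/manuals/enterprise/security/hardened-desktop/registry-access-management.md`, and every other page in this PR uses the absolute `/manuals/...` form; pick one style for the page. Two smaller points in the same hunk: the numbered list nested under "Start with the most restrictive policy" is written 1., 2., 3., 4. where the procedures elsewhere in this PR use the repeated `1.` convention the contributor asked about, and the "Monitor usage patterns" bullet ends with "use Docker Desktop analytics to monitor usage patterns", which restates its own lead phrase and can be trimmed.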
Expand Up @@ -4,7 +4,7 @@ linkTitle: Namespace access
description: Control whether organization members can push content to their personal namespaces on Docker Hub
keywords: namespace access, docker hub, personal namespace, organization security, docker business
tags: [admin]
weight: 50
weight: 60
---

{{< summary-bar feature_name="Namespace access" >}}
Expand All @@ -16,7 +16,7 @@ outside of approved, governed locations.

When namespace access control is enabled, organization members can still view and pull images
from their personal namespaces and continue accessing all existing repositories
and content. However, they will no longer be able to create new repositories or
and content. However, they're unable to create new repositories or
push new images to their personal namespace.

> [!IMPORTANT]
Expand All @@ -36,7 +36,7 @@ To configure namespace access control:
4. Select **Save changes**.

Once namespace access control is enabled, organization members can still view their
personal namespace and existing repositories but they will not be able to create
personal namespace and existing repositories but they are not able to create
any new repositories or push any new images to existing repositories.

### Verify access restrictions
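Review bot: "they are not able to create any new repositories" is the one spot in this file where removing "will" produced a stiff construction; the earlier hunk on the same page settled on the contraction "they're unable to". Use "they can't create any new repositories or push any new images" here to keep the two passages parallel.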
Expand Up @@ -9,7 +9,7 @@ aliases:
- /docker-hub/registry-access-management/
- /security/for-admins/registry-access-management/
- /security/for-admins/hardened-desktop/registry-access-management/
weight: 30
weight: 40
---

{{< summary-bar feature_name="Registry access management" >}}
Expand All @@ -22,8 +22,8 @@ RAM works with all registry types including cloud services, on-premises registri

Registry Access Management works with any container registry, including:

- Docker Hub (allowed by default)
- Cloud registries: Amazon ECR, Google Container Registry, Azure Container Registry
- Docker Hub (allowed by default)
- Cloud registries: Amazon ECR, Google Artifact Registry, Azure Container Registry
- Git-based registries: GitHub Container Registry, GitLab Container Registry
- On-premises solutions: Nexus, Artifactory, Harbor
- Registry mirrors: Including Docker Hub mirrors
Expand All @@ -32,14 +32,10 @@ Registry Access Management works with any container registry, including:

Before configuring Registry Access Management, you must:

- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) to ensure users authenticate with your organization
- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md). Registry Access Management only takes effect when users are signed in to Docker Desktop with organization credentials.
- Use [personal access tokens (PATs)](/manuals/security/access-tokens.md) for authentication (Organization access tokens aren't supported)
- Have a Docker Business subscription

> [!IMPORTANT]
>
> Registry Access Management only takes effect when users are signed in to Docker Desktop with organization credentials.

## Configure registry permissions

To configure registry permissions:
Expand All @@ -52,18 +48,16 @@ in the registry list.
a **Registry address** and **Registry nickname**.
1. Select **Create**. You can add up to 100 registries.
1. Verify your registry appears in the registry list and select **Save changes**.
>[!NOTE]
>
> Policy changes can take up to 24 hours to propagate. To apply changes immediately, ask developers to sign out and back in to Docker Desktop.

Changes can take up to 24 hours to take effect. To apply them sooner,
have developers sign out and back in to Docker Desktop.

> [!IMPORTANT]
>
> Starting with Docker Desktop 4.36, if a developer belongs to multiple organizations with different RAM policies, only the policy for the first organization in the configuration file is enforced.
If a developer belongs to multiple organizations with different RAM policies, only the policy for the first organization in the configuration file is enforced.

> [!TIP]
>
> RAM restrictions also apply to Dockerfile `ADD` instructions that fetch content via URL. Include trusted registry domains in your allowlist when using `ADD` with URLs.
><br><br>
>
> RAM is designed for container registries, not general-purpose URLs like package mirrors or storage services. Adding too many domains may cause errors or hit system limits.


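Review bot: dropping "Starting with Docker Desktop 4.36" from the multiple-organizations statement turns a version-scoped behaviour note into an unconditional one. The previous wording implies releases before 4.36 resolved conflicting RAM policies differently; if that is still true for any supported release the sentence is now wrong for it, and if every supported release behaves this way the commit message should say so. Converting the statement from an IMPORTANT admonition to a plain paragraph also demotes the one fact an admin with several organizations most needs to notice; consider keeping the callout. Replacing the `><br><br>` line in the TIP with a bare `>` separator is the right fix for that admonition.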
Expand Down Expand Up @@ -103,7 +97,7 @@ Registry Access Management has these limits and platform-specific behaviors:
These scenarios are not restricted by Registry Access Management:

- Docker buildx with Kubernetes driver
- Docker buildx with custom docker-container driver
- Docker buildx with custom Docker-container driver
- Some Docker Debug and Kubernetes image pulls (even if Docker Hub is blocked)
- Images previously cached by registry mirrors may still be blocked if the source registry is restricted

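Review bot: `docker-container` in "Docker buildx with custom Docker-container driver" is the literal buildx driver name (`docker buildx create --driver docker-container`), not a prose phrase, so capitalising it is incorrect. Format it as code instead: "Docker buildx with a custom `docker-container` driver", and treat `kubernetes` in the preceding bullet the same way if it is meant to name the driver.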
Expand Up @@ -56,7 +56,7 @@ When multiple policies exist, Docker Desktop applies them in this order:
1. User-specific policies: Highest priority
1. Organization default policy: Applied when no user-specific policy exists
1. Local `admin-settings.json` file: Lowest priority, overridden by Admin Console policies
1. [Configuration profiles](/manuals/enterprise/security/enforce-sign-in/methods.md#configuration-profiles-method-mac-only): Super-set of Docker Admin Console policies. Available with Docker Desktop version 4.48 and later.
1. [Configuration profiles](/manuals/enterprise/security/enforce-sign-in/methods.md#configuration-profiles-method-mac-only): Super-set of Docker Admin Console policies.

## Set up Settings Management

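Review bot: the precedence list is now internally inconsistent: it is introduced with "applies them in this order", its third item is labelled "Lowest priority", and a fourth item (configuration profiles, "Super-set of Docker Admin Console policies") then follows it. Either place configuration profiles where they actually sit in the chain, stating explicitly whether they override or are overridden by Admin Console policies, or move them out of the ordered list into a separate sentence. Removing "Available with Docker Desktop version 4.48 and later" also leaves readers on earlier releases with no hint that the configuration-profiles method does not apply to them.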