website/docs: endpoint devices: more updates (#19971)

* Add notes about headless servers

* Edits

* Spacing

* WIP

* WIP

* WIP

* Fix link

* Reporting issues

* Apply suggestions from code review

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Update website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
Dewi Roberts
2026-02-04 16:19:18 +00:00
committed by GitHub
parent 3fd278e16d
commit 30d41ded81
12 changed files with 111 additions and 33 deletions
@@ -10,6 +10,10 @@ authentik Agent can be deployed at scale to multiple devices via Mobile Device M
You must [configure your authentik deployment](../configuration.md) to support the authentik Agent.
:::info Serial number required
The Agent requires a serial number be presented by the system. Some hypervisors don't set serial numbers. When deploying on a virtual machine, ensure that it has a serial number set.
:::
## Create an enrollment token
If you have already created have an enrollment token, skip to the next section.
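Review bot: the new admonition tells the reader a serial number is required but not how to check for one or what happens when it is missing; since the note is aimed at VMs, add a verification step (on Linux, `sudo dmidecode -s system-serial-number` or `cat /sys/class/dmi/id/product_serial`) and state the failure mode (does enrollment refuse, or does the device enroll with a blank identifier?), because cloned VMs with empty or duplicated serials would be indistinguishable on the Devices page. Grammar nit: "requires a serial number be presented" reads better as "requires that a serial number be presented", and the unchanged context line "If you have already created have an enrollment token" has a doubled word.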
@@ -58,7 +58,17 @@ sudo apt install authentik-cli authentik-agent authentik-sysd
```
4. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v<version_number>`
You should see a response that starts with: `authentik CLI v<version_number>`
:::note Headless server
On a headless server, the system agent (sysd) does not start the user agent (ak-agent). You will need to manually start the user agent with this command:
```bash
systemctl start --user ak-agent
```
:::
</TabItem>
<TabItem value="RedHat-based">
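Review bot: `systemctl start --user ak-agent` only starts the unit for the current login session, so on a headless box the user agent will stop when the SSH session that started it ends; say whether the intended fix is `systemctl enable --now --user ak-agent` together with `loginctl enable-linger <user>` (so the user manager outlives logout), or whether a one-off `start` is all that is expected. It would also help to say which user runs this (the enrolling admin, or every user who wants `ak ssh` / CLI app authentication), since the component table describes `authentik-agent` as running in a user's context. The same admonition is pasted verbatim into the RedHat tab below; a shared MDX partial would keep the two from drifting.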
@@ -84,7 +94,17 @@ sudo yum install -y authentik-cli authentik-agent authentik-sysd
```
3. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v<version_number>`
You should see a response that starts with: `authentik CLI v<version_number>`
:::note Headless server
On a headless server, the system agent (sysd) does not start the user agent (ak-agent). You will need to manually start the user agent with this command:
```bash
systemctl start --user ak-agent
```
:::
</TabItem>
</Tabs>
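Review bot: this is a verbatim copy of the Debian-tab admonition above (same wording, same command); if a partial is not used, the RedHat instructions should at least mention the `enable`/linger question raised there, since the two tabs will otherwise need identical follow-up edits.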
@@ -105,6 +125,35 @@ sudo ak-sysd domains join <deployment_name> --authentik-url https://authentik.co
2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token).
3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed.
### Local device login on Debian-based systems
On non-Debian Linux distributions, you currently need to manually configure NSS and PAM:
1. Edit `etc/nsswitch.conf` to include `authentik` for `passwd`, `group`, and `shadow`:
```bash title="etc/nsswitch.conf"
...
passwd: files systemd authentik
group: files systemd authentik
shadow: files systemd authentik
gshadow: files systemd
...
```
2. Edit the following two files in the `etc/pam.d/` directory. The order matters, both of these lines should be located above `pam_unix` in the respective files.
```bash title="etc/pam.d/common-auth"
...
auth [success=2 default=ignore] pam_authentik.so
...
```
```bash title="etc/pam.d/common-session"
...
session required pam_authentik.so
...
```
## Enable SSH client authentication and CLI application authentication
To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
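Review bot: the new heading "### Local device login on Debian-based systems" contradicts its own first sentence, which says the manual NSS/PAM steps are for non-Debian distributions; rename it (for example "Local device login on non-Debian distributions") and update the `#local-device-login-on-debian-based-systems` anchor that the known-issues page links to in this same PR. The paths are missing their leading slash in both the prose and the code titles: `etc/nsswitch.conf` and `etc/pam.d/` should be `/etc/nsswitch.conf` and `/etc/pam.d/`. `common-auth` and `common-session` are also the Debian/Ubuntu pam-auth-update file names; RHEL-family systems, which this section is actually for, use `/etc/pam.d/system-auth` and `password-auth`, so either show those files or tell the reader to edit the equivalent stack. Finally, `[success=2 default=ignore]` skips the next two modules on success and the count depends on what follows in the reader's file; say what it is meant to jump over (on a stock Debian `common-auth`, the `pam_unix` line and the `pam_deny` fallback, landing on the final `pam_permit`) and that a wrong count either skips a required check or falls through to `pam_deny`.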
@@ -128,3 +177,7 @@ ak version
## Logging
authentik Agent logs are available via the system journal (`systemd`) or `syslog`, depending on the distribution.
## Reporting issues
Please report issues and bugs via the [authentik Platform GitHub repository](https://github.com/goauthentik/platform).
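Review bot: this "Reporting issues" section is added with identical wording to four files in this PR (Linux, macOS, Windows and the agent index); consider a single MDX partial, or keep only the copy in the index and link to it, so the repository URL has one place to be updated.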
@@ -46,7 +46,8 @@ The Agent requires a serial number be presented by macOS. Some hypervisors don't
- This can be avoided by Option + Right Clicking the package and clicking **Open**.
- Alternatively use the following command to remove the package from quarantine: `xattr -r -d com.apple.quarantine "$HOME/Downloads/authentik agent installer.pkg"`
6. Confirm that the authentik Agent is installed by opening a Terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v<version_number>`
You should see a response that starts with: `authentik CLI v<version_number>`
## Enable device compliance
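Review bot: the unchanged context line advises `xattr -r -d com.apple.quarantine ...` to get past Gatekeeper, which removes the only check a user gets on a downloaded installer; suggest preceding it with `pkgutil --check-signature "$HOME/Downloads/authentik agent installer.pkg"` and telling the reader which developer identity to expect before stripping quarantine, or stating whether the package is expected to be signed and notarized so this workaround applies only to unsigned builds. The spacing fix itself is fine.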
@@ -87,3 +88,7 @@ ak version
## Logging
The authentik Agent uses macOS's native logging abilities. To retrieve the logs, open the Console application and then filter for authentik-related processes such as `authentik-agent` or `authentik-sysd`.
## Reporting issues
Please report issues and bugs via the [authentik Platform GitHub repository](https://github.com/goauthentik/platform).
@@ -64,7 +64,8 @@ The Agent requires a serial number be presented by Windows. Some hypervisors don
5. Once the download is complete, install the MSI file.
6. _(Optional)_ During installation, select [Windows Credential Provider](#windows-credential-provider) if you want to log in to the Windows device using authentik credentials.
7. Confirm that the authentik Agent is installed by opening a PowerShell or Terminal window and entering the following command: `ak`
You should see a response that starts with: `authentik CLI v<version_number>`
You should see a response that starts with: `authentik CLI v<version_number>`
## Enable device compliance and local device login
@@ -105,3 +106,7 @@ ak version
## Logging
All components of the authentik Agent output logs to the "authentik" log in the Windows Event Viewer.
## Reporting issues
Please report issues and bugs via the [authentik Platform GitHub repository](https://github.com/goauthentik/platform).
@@ -18,14 +18,14 @@ The authentik Agent is a service that can be installed on Linux, macOS, and Wind
The authentik Agent consists of several components:
| Platform | Component | Description | Dependencies |
| ------------------------- | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
| **Linux, macOS, Windows** | `authentik-cli` | Provides CLI commands for interacting with `authentik-agent`. | `authentik-agent` |
| **Linux, macOS, Windows** | `authentik-agent` | Authentication in a users' context, for CLI tools. service. | `authentik-sysd` |
| **Linux, macOS, Windows** | `authentik-sysd` | Responsible for handling device-level authentication and compliance checks. service. | None |
| **Linux only** | `libpam-authentik` | PAM Module for token-based and interactive authentication via authentik. Used for [SSH authentication](../device-authentication/ssh-authentication.mdx) and [local device login](../device-authentication/local-device-login/index.mdx). | `authentik-sysd` |
| **Linux only** | `libnss-authentik` | NSS Module that makes Linux aware of authentik users. All authentik users will be visible to Linux - but won't be able to login unless configured via device access groups. Provides a consistent `uid` and `gid` for users on all Endpoint Devices. | `authentik-sysd`, `libpam-authentik` |
| **Windows only** | `Windows Credential Provider` (WCP) | Enables logging in to Windows devices using authentik credentials. | `authentik-sysd` |
| Platform | Component | Description | Dependencies |
| ------------------------- | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| **Linux, macOS, Windows** | `authentik-cli` | Provides CLI commands for interacting with `authentik-agent`. | `authentik-agent` |
| **Linux, macOS, Windows** | `authentik-agent` | Authentication within a users' context, for CLI tools. | `authentik-sysd` |
| **Linux, macOS, Windows** | `authentik-sysd` | Responsible for handling device-level authentication and compliance checks. | None |
| **Linux only** | `libpam-authentik` | PAM Module for token-based and interactive authentication via authentik. Used for [SSH authentication](../device-authentication/ssh-authentication.mdx) and [local device login](../device-authentication/local-device-login/index.mdx). | `authentik-sysd` |
| **Linux only** | `libnss-authentik` | NSS Module that makes Linux aware of authentik users. All authentik users will be visible to Linux - but won't be able to login unless configured via device access groups. Provides a consistent `uid` and `gid` for users on all Endpoint Devices. | `authentik-sysd` |
| **Windows only** | `Windows Credential Provider` (WCP) | Enables logging in to Windows devices using authentik credentials. | `authentik-sysd` |
## Technical information
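Review bot: the dependency column for `libnss-authentik` changes from `authentik-sysd`, `libpam-authentik` to `authentik-sysd` alone, which is a content change hidden inside what otherwise looks like cleanup of the stray "service." text; confirm the NSS package genuinely no longer depends on the PAM module, otherwise restore the old value. Remaining nits in the same rows: "users' context" should be "user's context", "won't be able to login" should be "log in", and `Windows Credential Provider` is a product name rather than a package identifier, so the backticks are misleading.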
@@ -42,6 +42,10 @@ All authentik Agent components communicate via gRPC and Unix domain sockets/Wind
Sentry reporting is currently enabled by default and cannot be disabled. This will be configurable in a future release.
## Reporting issues
Please report issues and bugs via the [authentik Platform GitHub repository](https://github.com/goauthentik/platform).
## More information
For more information refer to each of the topics below:
@@ -4,7 +4,7 @@ sidebar_label: Device access groups
tags: [authentik Agent, device authentication, device login, device groups]
---
Device access groups control access to endpoint devices. You can organize devices into groups and bind users, user groups, and policies to determine access.
Device access groups control access to endpoint devices. You can organize devices into groups and bind users, user groups, and policies to determine which users can access the device.
## Creating a device access group
@@ -19,10 +19,14 @@ You need to have deployed the authentik Agent on the Linux device, see [Deploy t
## How to log in to a Linux device
:::note
When configured correctly, when logging in you should see a prompt for **authentik Password** rather than just **Password**.
:::
1. On the Linux login screen, you enter your authentik credentials.
2. Once authenticated, you will be logged in to the Linux device.
## Known issues
- On non-Debian Linux distributions, you will need to manually configure PAM.
- MFA is supported except for Webauthn.
- Only Webauthn MFA is supported.
- On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../authentik-agent/agent-deployment/linux.mdx#local-device-login-on-debian-based-systems).
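Review bot: the known-issues bullet is inverted, not reworded: "MFA is supported except for Webauthn" becomes "Only Webauthn MFA is supported". One of these is wrong; confirm against the PAM module's actual behaviour and state it unambiguously (which authenticator types the **authentik Password** prompt can complete). The new link anchor `#local-device-login-on-debian-based-systems` points at a heading in linux.mdx whose body describes non-Debian systems, so it should be renamed together with that heading.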
@@ -9,7 +9,7 @@ authentik_enterprise: true
Windows Credential Provider (WCP) is a component of the authentik Agent that allows logging in to Windows devices using authentik credentials.
It currently only supports local login; RDP login is not supported.
Currently, only local login is supported; RDP login is not yet available and is under development.
:::warning
@@ -12,7 +12,7 @@ When connected to an endpoint device in this way, sudo authorization can be hand
## Prerequisites
- The [authentik Agent must be deployed](../authentik-agent/agent-deployment/index.mdx) on both the source and SSH target devices.
- The [authentik Agent must be deployed](../authentik-agent/agent-deployment/index.mdx) on both the source and SSH target devices to use the `ak ssh` command. Alternatively, if you're using the standard SSH client (`ssh user@host`) instead of `ak ssh`, the authentik Agent is not required to be deployed on the source and you'll need to authenticate interactively.
- The target device needs to be configured, see the [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section below.
## How to SSH to an endpoint device
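Review bot: the new prerequisite is one run-on bullet covering two distinct cases; split it into "`ak ssh`: agent required on both source and target" and "standard `ssh user@host`: agent required only on the target, interactive authentication". "You'll need to authenticate interactively" should also say what the user sees in that case (presumably the PAM prompt from `libpam-authentik`, as the local-login page describes) so readers understand the interactive path is the authentik PAM module rather than a local account password.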
@@ -2,11 +2,10 @@
title: Connectors
sidebar_label: Connectors
tags: [device compliance, compliance, connectors, authentik Agent, fleet]
toc_max_heading_level: 4
---
Connectors allow device information to be reported to authentik.
They can be used standalone or alongside the [authentik Agent](../authentik-agent/index.mdx).
Connectors allow device information to be reported to authentik. They can be used standalone or alongside the [authentik Agent](../authentik-agent/index.mdx).
Currently, the only supported connector is the [authentik Agent](#authentik-agent).
@@ -7,13 +7,11 @@ toc_max_heading_level: 4
Device compliance policies are used to limit access to authentik and applications based on [Device Compliance](./index.mdx) information.
Device compliance policies are currently in development and inaccessible.
However, similar functionality can be achieved with existing stages and policies.
Device compliance policies are currently in development and inaccessible. However, similar functionality can be achieved with existing stages and policies.
## Prerequisites
You must have [configured compliance](./configuration.md) in authentik and on the endpoint device.
You must have [configured compliance](./configuration.md) in authentik and on the endpoint device ([Linux](../../authentik-agent/agent-deployment/linux/#enable-device-compliance-ssh-server-authentication-and-local-device-login), [Windows](../../authentik-agent/agent-deployment/windows/#enable-device-compliance-and-local-device-login), [macOS](../../authentik-agent/agent-deployment/macos/#enable-device-compliance)).
## Accessing device facts within a flow
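Review bot: the three new links use directory-style paths with trailing slashes (`.../agent-deployment/linux/#enable-...`) while every other cross-reference in this PR targets the `.mdx` file (`../../authentik-agent/agent-deployment/linux.mdx`); use the file form so Docusaurus can validate the anchors at build time. The Linux anchor `#enable-device-compliance-ssh-server-authentication-and-local-device-login` does not match any heading visible in the linux.mdx hunks of this PR (the heading shown there is "Enable SSH client authentication and CLI application authentication"), so please verify it resolves.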
@@ -34,17 +34,23 @@ Devices can be registered by installing the [authentik Agent](./authentik-agent/
Alternatively, [Connectors](./device-compliance/connectors.md) allow authentik to be integrated with third party services such as Fleet. This allows for device information to be reported to authentik for [Device compliance](./device-compliance/index.mdx) purposes.
## Why use endpoint devices?
Endpoint devices offers administrators an alternative to traditional device authentication systems like LDAP for Linux or Active Directory for Windows, while supporting modern MFA methods like FIDO2. This feature set allows authentik to act as a unified authentication platform for devices, servers, and applications.
Meanwhile, Device Compliance allows administrators to make informed decisions about access to applications by verifying device security requirements, like operating system and application versions, before granting access to applications.
## Features overview
| Feature | Linux | Windows | macOS | Status |
| --------------------------------------------------------- | -------------- | -------------- | -------------- | ------------------------------------------------------------- |
| **Local device login** | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview on Windows and Linux. |
| **SSH authentication** | Open source | Open source | Open source | Available for early preview. Only supports Linux SSH targets. |
| **Device compliance** | Open source | Open source | Open source | Available for early preview. |
| **Advanced device compliance** | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. |
| **authentik Agent** | Open source | Open source | Open source | Available for early preview. |
| **Fleet Connectors** | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview. |
| **Other Connectors** (Entra, Intune, Cloudflare WARP etc) | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. |
| Feature | Linux | Windows | macOS | Status |
| ------------------------------------------------------------------------------ | -------------- | -------------- | -------------- | ------------------------------------------------------------- |
| [**Local device login**](./device-authentication/local-device-login/index.mdx) | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview on Windows and Linux. |
| [**SSH authentication**](./device-authentication/ssh-authentication.mdx) | Open source | Open source | Open source | Available for early preview. Only supports Linux SSH targets. |
| [**Device compliance**](./device-compliance/index.mdx) | Open source | Open source | Open source | Available for early preview. |
| **Advanced device compliance** | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. |
| [**authentik Agent**](./authentik-agent/index.mdx) | Open source | Open source | Open source | Available for early preview. |
| [**Fleet Connector** ](./device-compliance/connectors/) | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview. |
| **Other Connectors** (Entra, Intune, Cloudflare WARP etc) | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. |
## How to provide feedback and report bugs
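Review bot: `[**Fleet Connector** ](./device-compliance/connectors/)` has a stray space before the closing bracket, and its target uses a trailing-slash directory path while the connectors page is linked as `./device-compliance/connectors.md` in the unchanged context above; change it to `[**Fleet Connector**](./device-compliance/connectors.md)`. The row label also changes from "Fleet Connectors" to "Fleet Connector", which is fine if intentional, but the Connectors page in this same PR still says the only supported connector is the authentik Agent, so the ":ak-enterprise / Available for early preview" status for Fleet should be reconciled with that page. Context nit: "Endpoint devices offers" should be "offer".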