website/docs: improve endpoint devices docs (#19007)

* Remove sudo auth sections

* Add firefox extension link

* Add chrome extension

* Update release notes

* Remove link

* Fix link

* Fix release note wording
Dewi Roberts
2025-12-22 20:32:20 +00:00
committed by GitHub
parent e23c28373c
commit 97ef6a5eb2
9 changed files with 10 additions and 60 deletions
@@ -7,7 +7,6 @@ tags: [authentik Agent, linux, deploy, packages]
## What it can do
- Retrieves information about the host and reports it to authentik, see [Device Compliance](../../device-compliance/index.mdx).
- Authorize Sudo elevation, see [Sudo authorization](../../device-authentication/sudo-authorization.md).
- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).
@@ -12,7 +12,6 @@ The authentik Agent is a service that can be installed on Linux, macOS, and Wind
- [Device Compliance](../device-compliance/index.mdx) by reporting information about Endpoint Devices to authentik
- [Local device login](../device-authentication/local-device-login/index.mdx) with authentik credentials
- [Connecting via SSH to Endpoint Devices](../device-authentication/ssh-authentication.mdx) with authentik credentials
- [Sudo authorization](../device-authentication/sudo-authorization.md) with authentik credentials
- [Authenticating to CLI applications](../device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials
## authentik Agent components
@@ -9,7 +9,6 @@ The [authentik Agent](../authentik-agent/index.mdx) supports multiple types of a
- [Local device login](./local-device-login/index.mdx) - Log in to Windows endpoint devices.
- [SSH authentication](./ssh-authentication.mdx) - Connect from one endpoint device to another via SSH.
- [Sudo authorization](./sudo-authorization.md) - Authorize sudo elevation on an endpoint device.
- [Authenticate CLI applications](./cli-app-authentication/index.mdx) - Authenticate CLI based applications like `aws` and `kubectl`.
[Device access groups](./device-access-groups.mdx) allow you to control which users have access to a device.
@@ -8,6 +8,8 @@ You can use the [authentik Agent](../authentik-agent/index.mdx) to authenticate
Currently, only [Linux](../authentik-agent/agent-deployment/linux.md) devices can serve as SSH endpoints. See [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section for more details.
When connected to an endpoint device in this way, sudo authorization can be handled by the authentik agent.
## Prerequisites
- The [authentik Agent must be deployed](../authentik-agent/agent-deployment/index.mdx) on both the source and SSH target devices.
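Review bot: The added sentence "When connected to an endpoint device in this way, sudo authorization can be handled by the authentik agent." still advertises sudo authorization, while this same commit deletes sudo-authorization.md and removes the feature from every feature list and from the release notes. Either drop the sentence or state here what has to be installed and configured for it, since no link target remains. It also writes "authentik agent" where the surrounding lines use "authentik Agent".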
@@ -1,43 +0,0 @@
---
title: Sudo authorization
sidebar_label: Sudo authorization
tags: [sudo, authentik Agent]
---
You can use the [authentik Agent](../authentik-agent/index.mdx) to authorize sudo elevation when connected to a [Linux endpoint device via SSH](./ssh-authentication.mdx).
When you run a sudo command in this situation, the sudo authorization will be handled by the authentik Agent.
## Prerequisites
- [authentik Agent needs to be deployed](../authentik-agent/agent-deployment/index.mdx) on the device.
- Sudo authorization needs to be configured on the device, see the [Configure sudo authorization on an endpoint device](#configure-sudo-authorization-on-an-endpoint-device) section below.
## Configure sudo authorization on an endpoint device
If you want a Linux Endpoint Device to support authorizing using authentik credentials, you will need to install the `libpam-authentik` package in addition to the authentik Agent. This is a PAM Module, which provides token-based and interactive authentication via authentik.
Authorization is only possible if the Linux device is aware of the authentik user which is attempting to authorize. This can be achieved in one of two ways:
1. **Provision user accounts** - Create users on the Linux device with usernames that match authentik users that need to authorize sudo to the device. This can be done manually or via automation tools like Ansible.
2. **`libnss-authentik`** - This is a package that can be installed on the Linux device. It is an NSS module that makes the Linux device aware of authentik users. Similar to adding a Linux device to an Active Directory or LDAP domain.
### Install the `libpam-authentik` package _(required)_
:::info Prerequisites
You must have already deployed and configured the authentik Agent on the device.
:::
Run the following command to install the `libpam-authentik` package:
```sh
sudo apt install libpam-authentik
```
### Install the `libnss-authentik` package _(optional)_
Run the following command to install the `libnss-authentik` package:
```sh
sudo apt install libnss-authentik
```
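Review bot: Deleting this page removes the only visible install steps for `libpam-authentik` and `libnss-authentik`, along with the requirement that the Linux device knows the authentik user (provisioned accounts or the NSS module). If the SSH authentication page still relies on any of this, confirm that its "Configure SSH authentication on an endpoint device" section carries the content; if the feature is being withdrawn, say so in the release notes instead of only dropping the mention. Existing links to this page and to its `#configure-sudo-authorization-on-an-endpoint-device` anchor will break unless a redirect is added.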
@@ -1,13 +1,13 @@
---
title: authentik browser extension
sidebar_label: Browser extension
tags: [device compliance, compliance, browser extension, extension]
tags: [device compliance, compliance, browser extension, extension, Endpoint SSO]
---
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
The authentik browser extension is required for device compliance functionality, and is currently available for Chrome-based and Firefox-based browsers.
The authentik Endpoint SSO browser extension is required for device compliance functionality, and is currently available for Chrome-based and Firefox-based browsers.
The browser extension connects to the [authentik Agent](../authentik-agent/index.mdx). It supplies [device facts](./device-reporting.md#device-facts) that [stages](../../add-secure-apps/flows-stages/stages/index.md) and [policies](../../customize/policies/index.md) can use during execution of authentik [flows](../../add-secure-apps/flows-stages/flow/index.md). This enables device compliance functionality such as limiting access to applications based on operating system, see [device compliance policy](./device-compliance-policy.md) for more details.
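Review bot: The frontmatter `title: authentik browser extension` and `sidebar_label: Browser extension` keep the old name while the first body sentence now calls it the "authentik Endpoint SSO browser extension". Pick one name so the page title, the sidebar and the store listings agree.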
@@ -21,20 +21,16 @@ The browser extension connects to the [authentik Agent](../authentik-agent/index
]}>
<TabItem value="chrome">
(TODO - Jens finalizing adding extension to store)
1. Open Google Chrome.
2. Go to the the authentik browser extension page in the [Chrome Web Store](https://chromewebstore.google.com).
2. Go to the the [authentik Endpoint SSO browser extension page](https://chromewebstore.google.com/detail/authentik-endpoint-sso/dklfpnaeklldfpmhkbfjbmbnmkfafdma) in the Chrome Web Store.
3. Click **Add to Chrome**.
4. Review the permissions and click **Add extension**.
</TabItem>
<TabItem value="firefox">
(TODO - Jens finalizing adding extension to store)
1. Open Firefox.
2. Go to the the authentik browser extension page in the [Firefox Add-ons site](https://addons.mozilla.org).
2. Go to the the [authentik Endpoint SSO browser extension page](https://addons.mozilla.org/en-US/firefox/addon/authentik-platform-sso/) on the Firefox Add-ons site.
3. Click **Add to Firefox**.
4. Review the permissions and click **Add** (or **Install**).
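Review bot: Both rewritten step 2 lines carry over the duplicated word in "Go to the the"; fix it while these lines are being touched. The Firefox link text says "authentik Endpoint SSO" but the URL slug is `authentik-platform-sso`, whereas the Chrome slug is `authentik-endpoint-sso`. Please confirm the Firefox URL is the intended listing, since this is the link users will install the extension from.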
@@ -30,7 +30,6 @@ Devices can be registered by installing the [authentik Agent](./authentik-agent/
- [Device compliance](./device-compliance/index.mdx) by reporting information about endpoint devices to authentik.
- [Local device login](./device-authentication/local-device-login/index.mdx) with authentik credentials.
- [Connecting via SSH to endpoint devices](./device-authentication/ssh-authentication.mdx) with authentik credentials.
- [Sudo authorization](./device-authentication/sudo-authorization.md) with authentik credentials.
- [Authenticating to CLI applications](./device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials.
Alternatively, [Connectors](./device-compliance/connectors.md) allow authentik to be integrated with third party services such as Fleet. This allows for device information to be reported to authentik for [Device compliance](./device-compliance/index.mdx) purposes.
@@ -41,7 +40,6 @@ Alternatively, [Connectors](./device-compliance/connectors.md) allow authentik t
| --------------------------------------------------------- | -------------- | -------------- | ----------------- | ------------------------------------------------------------------------------------------- |
| **Local device login** | Open source | :ak-enterprise | :ak-enterprise \* | Available for early preview on Windows. |
| **SSH authentication** | Open source | N/A | :ak-enterprise | Available for early preview. Only supports Linux SSH targets. macOS targets in development. |
| **Sudo authorization** | Open source | N/A | N/A | Available for early preview. |
| **Device compliance** | Open source | Open source | Open source | Available for early preview. |
| **Advanced device compliance** | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. |
| **authentik Agent ** | Open source | Open source | Open source | Available for early preview. |
@@ -6,7 +6,7 @@ beta: true
## Highlights
- **Endpoint Devices**: :ak-enterprise Endpoint Devices is a new featureset for Windows, macOS, and Linux devices that enables SSH authentication, local device login, sudo authorization and more, all with authentik credentials. See the [Endpoint Devices docs](../../endpoint-devices/index.mdx) for more details.
- **Endpoint Devices**: :ak-enterprise Endpoint Devices is a new feature set for Windows, macOS, and Linux devices that enables SSH authentication, local device login, and more, all with authentik credentials. See the [Endpoint Devices docs](../../endpoint-devices/index.mdx) for more details.
- **CSV Data Exports**: :ak-enterprise Now you can export user and event data in CSV format for backup or analysis purposes.
- **RBAC Permissions**: Permissions are now granted exclusively via roles, and permission inheritance and basic object permissions have been enhanced.
- **Passkey Autofill (WebAuthn Conditional UI)**: Passkeys now appear in the browser's autofill dropdown alongside saved passwords, enabling seamless passwordless login when focusing on input fields.
@@ -75,10 +75,11 @@ Devices can be integrated by installing the [authentik Agent](../../endpoint-dev
- [Local device login](../../endpoint-devices/device-authentication/local-device-login/index.mdx) with authentik credentials
- [Connecting via SSH to Endpoint Devices](../../endpoint-devices/device-authentication/ssh-authentication.mdx) with authentik credentials
- [Sudo authorization](../../endpoint-devices/device-authentication/sudo-authorization.md) on Linux via the authentik Agent
- [Authenticating to CLI applications](../../endpoint-devices/device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials
[Connectors](../../endpoint-devices/device-compliance/connectors.md) allow authentik to fetch device information which enables [Device Compliance](../../endpoint-devices/device-compliance/index.mdx) functionality in authentik flows and policies. Currently, only the authentik Agent connector is supported. Connectors to fetcher information from third-party tools like Fleet, Cloudflare WARP, and Microsoft Intune are in development.
[Connectors](../../endpoint-devices/device-compliance/connectors.md) allow authentik to fetch device information which enables [Device Compliance](../../endpoint-devices/device-compliance/index.mdx) functionality in authentik flows and policies. For example, you can limit authentication to devices running a specific OS or OS version.
Currently, only the authentik Agent connector is supported. Connectors to fetch information from third-party tools like Fleet, Cloudflare WARP, and Microsoft Intune are in development.
### CSV Data Exports :ak-enterprise
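Review bot: The new wording "Currently, only the authentik Agent connector is supported", with Fleet listed as in development, conflicts with the endpoint-devices index page, whose unchanged line in this commit reads "Connectors allow authentik to be integrated with third party services such as Fleet". Align the index page with this statement in the same PR so readers do not expect a Fleet connector that is not yet available.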
@@ -765,7 +765,6 @@ const items = [
],
},
"endpoint-devices/device-authentication/ssh-authentication",
"endpoint-devices/device-authentication/sudo-authorization",
{
//#endregion