Enforce sign-in for Desktop

By default, members of your organization can use Docker Desktop without signing in. When users don’t sign in as a member of your organization, they don’t receive the benefits of your organization’s subscription and they can circumvent Docker’s security features for your organization.

To ensure members of your organization always sign in, you can deploy a registry.json configuration file to the machines of your users.

How is sign-in enforced?

When Docker Desktop starts and it detects a registry.json file, the following occurs:

• The following Sign in required! prompt appears requiring the user to sign in as a member of your organization to use Docker Desktop.
  
• When a user signs in to an account that isn’t a member of your organization, they will be automatically signed out and can’t use Docker Desktop. The user can select Sign in and try again.
• When a user signs in to an account that is a member of your organization, they can use Docker Desktop.
• When a user signs out, the Sign in required! prompt appears and they can no longer use Docker Desktop.

Enforce sign-in vs enforce SSO

Enforcing sign-in ensures that users are required to sign in to use Docker Desktop. If your organization is also using single sign-on (SSO), you can optionally enforce SSO. This means that your users must use SSO to sign in, instead of a username and password. When you enforce sign-in and enforce SSO, your users must sign in and must use SSO to do so. See Enforce SSO for details on how to enable this for your SSO connection.

Create a registry.json file to enforce sign-in

1. Ensure that the user is a member of your organization in Docker. For more details, see Manage members.

2. Create the registry.json file.

   Based on the user's operating system, create a file named registry.json at the following location and make sure the file can't be edited by the user.

   Platform	Location
   Windows	/ProgramData/DockerDesktop/registry.json
   Mac	/Library/Application Support/com.docker.docker/registry.json
   Linux	/usr/share/docker-desktop/registry/registry.json

3. Specify your organization in the registry.json file.

   Open the registry.json file in a text editor and add the following contents, where myorg is replaced with your organization’s name. The file contents are case-sensitive and you must use lowercase letters for your organization's name.

   {
   "allowedOrgs": ["myorg"]
   }

4. Verify that sign-in is enforced.

   To activate the registry.json file, restart Docker Desktop on the user’s machine. When Docker Desktop starts, verify that the Sign in required! prompt appears.

   In some cases, a system reboot may be necessary for the enforcement to take effect.

   Tip

   If your users have issues starting Docker Desktop after you enforce sign-in, they may need to update to the latest version.

Alternative methods to create a registry.json file

You can also use the following alternative methods to create a registry.json file.

Download a registry.json file from Docker Hub

In Docker Hub, you can download the registry.json file for your organization or copy the specific commands to create the file for your organization. To download the file or copy the commands, use the following steps.

1. Sign in to Docker Hub as an organization owner.

2. Go to Organizations > Your Organization > Settings.

3. Select Enforce Sign-in and continue with the on-screen instructions for Windows, Mac, or Linux.

Create a registry.json file when installing Docker Desktop

To create a registry.json file when installing Docker Desktop, use the following instructions based on your user's operating system.

PS> Start-Process '.\Docker Desktop Installer.exe' -Wait 'install --allowed-org=myorg'

C:\Users\Admin> "Docker Desktop Installer.exe" install --allowed-org=myorg

$ sudo hdiutil attach Docker.dmg
$ sudo /Volumes/Docker/Docker.app/Contents/MacOS/install --allowed-org=myorg
$ sudo hdiutil detach /Volumes/Docker

Create a registry.json file using the command line

To create a registry.json using the command line, use the following instructions based on your user's operating system.

PS>  Set-Content /ProgramData/DockerDesktop/registry.json '{"allowedOrgs":["myorg"]}'

PS C:\ProgramData\DockerDesktop> Get-Acl .\registry.json


    Directory: C:\ProgramData\DockerDesktop


Path          Owner                  Access
----          -----                  ------
registry.json BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...

$ sudo mkdir -p "/Library/Application Support/com.docker.docker"
$ echo '{"allowedOrgs":["myorg"]}' | sudo tee "/Library/Application Support/com.docker.docker/registry.json"

$ sudo cat "/Library/Application Support/com.docker.docker/registry.json"
{"allowedOrgs":["myorg"]}

$ sudo ls -l "/Library/Application Support/com.docker.docker/registry.json"
-rw-r--r--  1 root  admin  26 Jul 27 22:01 /Library/Application Support/com.docker.docker/registry.json

$ sudo mkdir -p /usr/share/docker-desktop/registry
$ echo '{"allowedOrgs":["myorg"]}' | sudo tee /usr/share/docker-desktop/registry/registry.json

$ sudo cat /usr/share/docker-desktop/registry/registry.json
{"allowedOrgs":["myorg"]}

$ sudo ls -l /usr/share/docker-desktop/registry/registry.json
-rw-r--r--  1 root  root  26 Jul 27 22:01 /usr/share/docker-desktop/registry/registry.json

Deploy registry.json to multiple devices

The previous instructions explain how to create and deploy a registry.json file to a single device. To automatically deploy the registry.json to multiple devices, you must use a third-party solution, such as a mobile device management solution. You can use the previous instructions along with your third-party solution to remotely deploy the registry.json file, or remotely install Docker Desktop with the registry.json file. For more details, see the documentation of your third-party solution.