Share feedback
Answers are generated based on the documentation.

Configure sign-in enforcement

Table of contents
Subscription: Team Business
For: Administrators

You can enforce sign-in for Docker Desktop using several methods. Choose the method that best fits your organization's infrastructure and security requirements.

Choose your method

MethodPlatform
Registry keyWindows only
Configuration profilesMac only
plist fileMac only
registry.jsonAll platforms
Tip

For Mac, configuration profiles offer the highest security because they're protected by Apple's System Integrity Protection (SIP).

Windows: Registry key method

To configure the registry key method manually:

  1. Create the registry key:

    $ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Docker\Docker Desktop

  2. Create a multi-string value name allowedOrgs.

  3. Use your organization names as string data. You can add multiple organizations:

    • Use lowercase letters only
    • Add each organization on a separate line
    • Do not use spaces or commas as separators

  4. Restart Docker Desktop.

  5. Verify the Sign in required! prompt appears in Docker Desktop.

Deploy the registry key across your organization using Group Policy:

  1. Create a registry script with the required key structure.
  2. In Group Policy Management, create or edit a GPO.
  3. Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  4. Right-click Registry > New > Registry Item.
  5. Configure the registry item:
    • Action: Update
    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Docker\Docker Desktop
    • Value name: allowedOrgs
    • Value data: Your organization names
  6. Link the GPO to the target Organizational Unit.
  7. Test on a small group using gpupdate/force.
  8. Deploy organization-wide after verification.

Configuration profiles provide the most secure enforcement method for Mac, as they're protected by Apple's System Integrity Protection.

The payload is a dictionary of key-values. Docker Desktop supports the following keys:

  • allowedOrgs: Sets a list of organizations in one single string, where each organization is separated by a semi-colon.
  • overrideProxyHTTP: Sets the URL of the HTTP proxy that must be used for outgoing HTTP requests.
  • overrideProxyHTTPS: Sets the URL of the HTTP proxy that must be used for outgoing HTTPS requests.
  • overrideProxyExclude: Bypasses proxy settings for the specified hosts and domains. Uses a comma-separated list.
  • overrideProxyPAC: Sets the file path where the PAC file is located. It has precedence over the remote PAC file on the selected proxy.
  • overrideProxyEmbeddedPAC: Sets the content of an in-memory PAC file. It has precedence over overrideProxyPAC.

Overriding at least one of the proxy settings via Configuration profiles will automatically lock the settings as they're managed by Mac.

  1. Create a file named docker.mobileconfig and include the following content:
    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>PayloadContent</key>
   <array>
      <dict>
         <key>PayloadType</key>
         <string>com.docker.config</string>
         <key>PayloadVersion</key>
         <integer>1</integer>
         <key>PayloadIdentifier</key>
         <string>com.docker.config</string>
         <key>PayloadUUID</key>
         <string>eed295b0-a650-40b0-9dda-90efb12be3c7</string>
         <key>PayloadDisplayName</key>
         <string>Docker Desktop Configuration</string>
         <key>PayloadDescription</key>
         <string>Configuration profile to manage Docker Desktop settings.</string>
         <key>PayloadOrganization</key>
         <string>Your Company Name</string>
         <key>allowedOrgs</key>
         <string>first_org;second_org</string>
         <key>overrideProxyHTTP</key>
         <string>http://company.proxy:port</string>
         <key>overrideProxyHTTPS</key>
         <string>https://company.proxy:port</string>
      </dict>
   </array>
   <key>PayloadType</key>
   <string>Configuration</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
   <key>PayloadIdentifier</key>
   <string>com.yourcompany.docker.config</string>
   <key>PayloadUUID</key>
   <string>0deedb64-7dc9-46e5-b6bf-69d64a9561ce</string>
   <key>PayloadDisplayName</key>
   <string>Docker Desktop Config Profile</string>
   <key>PayloadDescription</key>
   <string>Config profile to enforce Docker Desktop settings for allowed organizations.</string>
   <key>PayloadOrganization</key>
   <string>Your Company Name</string>
</dict>
</plist>
  2. Replace placeholders:
    • Change com.yourcompany.docker.config to your company identifier
    • Replace Your Company Name with your organization name
    • Replace PayloadUUID with a randomly generated UUID
    • Update the allowedOrgs value with your organization names (separated by semicolons)
    • Replace company.proxy:port with http/https proxy server host(or IP address) and port
  3. Deploy the profile using your MDM solution.
  4. Verify the profile appears in System Settings > General > Device Management under Device (Managed). Ensure the profile is listed with the correct name and settings.

Some MDM solutions let you specify the payload as a plain dictionary of key-value settings without the full .mobileconfig wrapper:

<dict>
   <key>allowedOrgs</key>
   <string>first_org;second_org</string>
   <key>overrideProxyHTTP</key>
   <string>http://company.proxy:port</string>
   <key>overrideProxyHTTPS</key>
   <string>https://company.proxy:port</string>
</dict>

Mac: plist file method

  1. Create the file /Library/Application Support/com.docker.docker/desktop.plist.
  2. Add this content, replacing myorg1 and myorg2 with your organization names:
    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
      <key>allowedOrgs</key>
      <array>
          <string>myorg1</string>
          <string>myorg2</string>
      </array>
  </dict>
</plist>
  3. Set file permissions to prevent editing by non-administrator users.
  4. Restart Docker Desktop.
  5. Verify the Sign in required! prompt appears in Docker Desktop.

Create and deploy a script for organization-wide distribution:

#!/bin/bash

# Create directory if it doesn't exist
sudo mkdir -p "/Library/Application Support/com.docker.docker"

# Write the plist file
sudo defaults write "/Library/Application Support/com.docker.docker/desktop.plist" allowedOrgs -array "myorg1" "myorg2"

# Set appropriate permissions
sudo chmod 644 "/Library/Application Support/com.docker.docker/desktop.plist"
sudo chown root:admin "/Library/Application Support/com.docker.docker/desktop.plist"

Deploy this script using SSH, remote support tools, or your preferred deployment method.

All platforms: registry.json method

The registry.json method works across all platforms and offers flexible deployment options.

File locations

Create the registry.json file (UTF-8 without BOM) at the appropriate location:

PlatformLocation
Windows/ProgramData/DockerDesktop/registry.json
Mac/Library/Application Support/com.docker.docker/registry.json
Linux/usr/share/docker-desktop/registry/registry.json

Basic setup

  1. Ensure users are members of your Docker organization.
  2. Create the registry.json file at the appropriate location for your platform.
  3. Add this content, replacing organization names with your own:
    {
   "allowedOrgs": ["myorg1", "myorg2"]
}
  4. Set file permissions to prevent user editing.
  5. Restart Docker Desktop.
  6. Verify the Sign in required! prompt appears in Docker Desktop.
Tip

If users have issues starting Docker Desktop after enforcing sign-in, they may need to update to the latest version.

Windows (PowerShell as Administrator)

Set-Content /ProgramData/DockerDesktop/registry.json '{"allowedOrgs":["myorg1","myorg2"]}'

Mac

sudo mkdir -p "/Library/Application Support/com.docker.docker"
echo '{"allowedOrgs":["myorg1","myorg2"]}' | sudo tee "/Library/Application Support/com.docker.docker/registry.json"

Linux

sudo mkdir -p /usr/share/docker-desktop/registry
echo '{"allowedOrgs":["myorg1","myorg2"]}' | sudo tee /usr/share/docker-desktop/registry/registry.json

Create the registry.json file during Docker Desktop installation:

Windows

# PowerShell
Start-Process '.\Docker Desktop Installer.exe' -Wait 'install --allowed-org=myorg'

# Command Prompt
"Docker Desktop Installer.exe" install --allowed-org=myorg

Mac

sudo hdiutil attach Docker.dmg
sudo /Volumes/Docker/Docker.app/Contents/MacOS/install --allowed-org=myorg
sudo hdiutil detach /Volumes/Docker

Method precedence

When multiple configuration methods exist on the same system, Docker Desktop uses this precedence order:

  1. Registry key (Windows only)
  2. Configuration profiles (Mac only)
  3. plist file (Mac only)
  4. registry.json file

Troubleshoot sign-in enforcement

If sign-in enforcement doesn't work:

  • Verify file locations and permissions
  • Check that organization names use lowercase letters
  • Restart Docker Desktop or reboot the system
  • Confirm users are members of the specified organizations
  • Update Docker Desktop to the latest version