diff --git a/content/compose/environment-variables/envvars.md b/content/compose/environment-variables/envvars.md index b79fbcedace..a718dece216 100644 --- a/content/compose/environment-variables/envvars.md +++ b/content/compose/environment-variables/envvars.md @@ -161,7 +161,7 @@ When enabled, Compose displays a navigation menu where you can choose to open th * Supported values: * `true` or `1`, to enable, * `false` or `0`, to disable. -* Defaults to: `0`. +* Defaults to: `1` if you obtained Docker Compose through Docker Desktop, otherwise default is `0`. > **Note** > diff --git a/content/desktop/extensions-sdk/quickstart.md b/content/desktop/extensions-sdk/quickstart.md index fd579608e5d..0013e477fad 100644 --- a/content/desktop/extensions-sdk/quickstart.md +++ b/content/desktop/extensions-sdk/quickstart.md @@ -18,6 +18,8 @@ Follow this guide to get started with creating a basic Docker extension. The Qui > > NodeJS and Go are only required when you follow the quickstart guide to create an extension. It uses the `docker extension init` command to automatically generate boilerplate files. This command uses a template based on a ReactJS and Go application. +In Docker Desktop settings, ensure you can install the extension you're developing. You may need to navigate to the **Extensions** tab in Docker Desktop settings and deselect **Allow only extensions distributed through the Docker Marketplace**. + ## Step one: Set up your directory To set up your directory, use the `init` subcommand and provide a name for your extension. diff --git a/content/desktop/hardened-desktop/air-gapped-containers.md b/content/desktop/hardened-desktop/air-gapped-containers.md index e2c07816cb8..e66e76dfe8e 100644 --- a/content/desktop/hardened-desktop/air-gapped-containers.md +++ b/content/desktop/hardened-desktop/air-gapped-containers.md 
@@ -6,13 +6,9 @@ aliases: - /desktop/hardened-desktop/settings-management/air-gapped-containers/ --- -> **Beta feature** -> -> This feature is in [Beta](../../release-lifecycle.md/#beta). -> It's available with Docker Desktop version 4.29 and later. -{ .experimental } +{{< introduced desktop 4.29.0 "../release-notes.md#4290" >}} -Air-gapped containers allows administrators to restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from. +Air-Gapped Containers allows administrators to restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from. Docker Desktop can apply a custom set of proxy rules to network traffic from containers. The proxy can be configured to: diff --git a/content/desktop/hardened-desktop/settings-management/_index.md b/content/desktop/hardened-desktop/settings-management/_index.md index 7328e544fe1..048e1f9f6a1 100644 --- a/content/desktop/hardened-desktop/settings-management/_index.md +++ b/content/desktop/hardened-desktop/settings-management/_index.md @@ -45,7 +45,7 @@ Using the `admin-settings.json` file, admins can: - Turn off Docker Desktop's onboarding survey - Control the file sharing implementation for your developers on macOS - Specify which paths your developers can add file shares to -- Configure air-gapped containers (Beta) +- Configure Air-Gapped Containers For more details on the syntax and options admins can set, see [Configure Settings Management](configure.md). diff --git a/content/desktop/hardened-desktop/settings-management/configure.md b/content/desktop/hardened-desktop/settings-management/configure.md index df79872dfa8..8eb55951cf3 100644 --- a/content/desktop/hardened-desktop/settings-management/configure.md +++ b/content/desktop/hardened-desktop/settings-management/configure.md 
@@ -183,7 +183,7 @@ The following `admin-settings.json` code and table provides an example of the re | `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | |        `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. | -| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-gapped containers](../air-gapped-containers.md).| +| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md).| | `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. 
For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md).| |        `dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | |               `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | diff --git a/content/desktop/install/windows-install.md b/content/desktop/install/windows-install.md index c1659a32165..e59898affa4 100644 --- a/content/desktop/install/windows-install.md +++ b/content/desktop/install/windows-install.md @@ -27,14 +27,15 @@ aliases: This page contains the download URL, information about system requirements, and instructions on how to install Docker Desktop for Windows. -{{< button text="Docker Desktop for Windows" url="https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe" >}} +{{< button text="Docker Desktop for Windows - x86_64" url="https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-amd64" >}} +{{< button text="Docker Desktop for Windows - Arm (Beta)" url="https://desktop.docker.com/win/main/arm64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-arm64" >}} _For checksums, see [Release notes](../release-notes.md)_ ## System requirements {{< tabs >}} -{{< tab name="WSL 2 backend" >}} +{{< tab name="WSL 2 backend, x86_64" >}} - WSL version 1.1.3.0 or later. - Windows 11 64-bit: Home or Pro version 21H2 or higher, or Enterprise or Education version 21H2 or higher. 
@@ -45,7 +46,6 @@ _For checksums, see [Release notes](../release-notes.md)_ [Microsoft documentation](https://docs.microsoft.com/en-us/windows/wsl/install-win10). - The following hardware prerequisites are required to successfully run WSL 2 on Windows 10 or Windows 11: - - 64-bit processor with [Second Level Address Translation (SLAT)](https://en.wikipedia.org/wiki/Second_Level_Address_Translation) - 4GB system RAM - Enable hardware virtualization in BIOS. For more information, see @@ -64,15 +64,12 @@ For more information on setting up WSL 2 with Docker Desktop, see [WSL](../wsl/_ > Docker only supports Docker Desktop on Windows for those versions of Windows that are still within [Microsoft’s servicing timeline](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet). Docker Desktop is not supported on server versions of Windows, such as Windows Server 2019 or Windows Server 2022. For more information on how to run containers on Windows Server, see [Microsoft's official documentation](https://learn.microsoft.com/virtualization/windowscontainers/quick-start/set-up-environment). {{< /tab >}} -{{< tab name="Hyper-V backend and Windows containers" >}} +{{< tab name="Hyper-V backend, x86_64" >}} -- Windows 11 64-bit: Pro version 21H2 or higher, or Enterprise or Education version 21H2 or higher. +- Windows 11 64-bit: Home or Pro version 21H2 or higher, or Enterprise or Education version 21H2 or higher. - Windows 10 64-bit: - We recommend Home or Pro 22H2 (build 19045) or higher, or Enterprise or Education 22H2 (build 19045) or higher. - Minimum required is Home or Pro 21H2 (build 19044) or higher, or Enterprise or Education 21H2 (build 19044) or higher. - - For Windows 10 and Windows 11 Home, see the system requirements in the WSL 2 backend tab. - - Turn on Hyper-V and Containers Windows features. - The following hardware prerequisites are required to successfully run Client Hyper-V on Windows 10: 
@@ -93,6 +90,32 @@ For more information on setting up WSL 2 with Docker Desktop, see [WSL](../wsl/_ > > Docker only supports Docker Desktop on Windows for those versions of Windows that are still within [Microsoft’s servicing timeline](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet). Docker Desktop is not supported on server versions of Windows, such as Windows Server 2019 or Windows Server 2022. For more information on how to run containers on Windows Server, see [Microsoft's official documentation](https://learn.microsoft.com/virtualization/windowscontainers/quick-start/set-up-environment). +{{< /tab >}} +{{< tab name="WSL 2 backend, Arm (Beta)" >}} + +- WSL version 1.1.3.0 or later. +- Windows 11 64-bit: Home or Pro version 21H2 or higher, or Enterprise or Education version 21H2 or higher. +- Windows 10 64-bit: + - We recommend Home or Pro 22H2 (build 19045) or higher, or Enterprise or Education 22H2 (build 19045) or higher. + - Minimum required is Home or Pro 21H2 (build 19044) or higher, or Enterprise or Education 21H2 (build 19044) or higher. +- Turn on the WSL 2 feature on Windows. For detailed instructions, refer to the + [Microsoft documentation](https://docs.microsoft.com/en-us/windows/wsl/install-win10). +- The following hardware prerequisites are required to successfully run + WSL 2 on Windows 10 or Windows 11: + - 64-bit processor with [Second Level Address Translation (SLAT)](https://en.wikipedia.org/wiki/Second_Level_Address_Translation) + - 4GB system RAM + - Enable hardware virtualization in BIOS. For more information, see + [Virtualization](../troubleshoot/topics.md#virtualization). + +> **Important** +> +> The installer and the [privileged service](../windows/permission-requirements.md#privileged-helper) are still built for `x86_64`. These are not performance critical components and currently run with [`x86` emulation](https://learn.microsoft.com/en-us/windows/arm/apps-on-arm-x86-emulation#wow64-apis). 
+> +> Also, the following features are not supported: +> - Hyper-V backend +> - Windows containers +{ .important } + {{< /tab >}} {{< /tabs >}} diff --git a/content/desktop/release-notes.md b/content/desktop/release-notes.md index b8dc42a8c90..256b3ee73f9 100644 --- a/content/desktop/release-notes.md +++ b/content/desktop/release-notes.md 
@@ -21,11 +21,82 @@ Docker Desktop versions older than 6 months from the latest release are not avai Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1) to see what's coming next. +## 4.31.0 + +{{< release-date date="2024-06-06" >}} + +{{< desktop-install all=true beta_win_arm=true version="4.31.0" build_path="/153195/" >}} + +### New + +- [Air-Gapped Containers](desktop/hardened-desktop/air-gapped-containers.md) is now generally available. +- Docker Compose File Viewer shows your Compose YAML with syntax highlighting and contextual links to relevant docs (Beta, progressive rollout). +- New Sidebar user experience. + +### Upgrades + +- [Docker Engine and CLI v26.1.4](https://github.com/moby/moby/releases/tag/v26.1.4). +- [Docker Scout CLI v1.9.1](https://github.com/docker/scout-cli/releases/tag/v1.9.1) +- [Docker Compose v2.27.1](https://github.com/docker/compose/releases/tag/v2.27.1) +- [Docker Buildx v0.14.1](https://github.com/docker/buildx/releases/tag/v0.14.1) +- [Containerd v1.6.33](https://github.com/containerd/containerd/releases/tag/v1.6.33) +- [Credential Helpers v0.8.2](https://github.com/docker/docker-credential-helpers/releases/tag/v0.8.2) +- [NVIDIA Container Toolkit v1.15.0](https://github.com/NVIDIA/nvidia-container-toolkit/releases/tag/v1.15.0) +- [Go 1.22.4](https://github.com/golang/go/releases/tag/go1.22.4) +- Linux kernel `v6.6.31` + +### Bug fixes and enhancements + +#### For all platforms + +- Newer releases are now displayed in the **Software updates** settings tab when an update has already been downloaded. +- Added `proxyEnableKerberosNTLM` config to `settings.json` to enable fallback to basic proxy authentication if Kerberos/NTLM environment is not properly set up. +- Fixed a bug where Docker Debug was not working properly with Enhanced Container Isolation enabled. +- Fixed a bug where UDP responses were not truncated properly. 
+- Fixed a bug where the **Update** screen was hidden when using [Settings Management](hardened-desktop/settings-management/_index.md). +- Fixed a bug where proxy settings defined in `admin-settings.json` were not applied correctly on startup. +- Fixed a bug where the **Manage Synchronized file shares with Compose** toggle did not correctly reflect the value with the feature. +- Fixed a bug where a bind mounted file modified on host is not updated after the container restarts, when gRPC FUSE file sharing is used on macOS and on Windows with Hyper-V. Fixes [docker/for-mac#7274](https://github.com/docker/for-mac/issues/7274), [docker/for-win#14060](https://github.com/docker/for-win/issues/14060). + +#### For Windows + +- Changed the `--allowed-org` installer flag to write a policy registry key instead of to the `registry.json`. + +#### For Mac + +- Moved the setting **Automatically check configuration** from **Advanced** settings to **General** settings. +- Improved VirtioFS caching by implementing longer attributes timeout and invalidation. + +#### For Linux + +- Added Linux headers to the VM, to ease the compilation of custom kernel modules. + +### Security + +#### For all platforms + +- Fixed a security bug in Enhanced Container Isolation (ECI) mode where a user could create Docker volumes sourced from restricted directories inside the Docker Desktop VM and mount them into containers, thereby giving the container access to such restricted VM directories. +- By default, only extensions listed in the marketplace can be installed in Docker Desktop. This can be changed in Docker Desktop's settings. Extension developers will need to change this option in order to test their extensions. + +### For Windows + +- Fixed [CVE-2024-5652](https://www.cve.org/cverecord?id=CVE-2024-5652) in which a user in the `docker-users` group can cause a Windows Denial-of-Service through the `exec-path` Docker daemon config option in Windows containers mode. 
This vulnerability was discovered by Hashim Jawad ([@ihack4falafel](https://github.com/ihack4falafel)) working with Trend Micro Zero Day Initiative. + +### Deprecation + +#### For all platforms + +- The CLI binary that used to be shipped as `com.docker.cli` is now shipped simply as `docker`. This release leaves the CLI binary as `com.docker.cli`, but it will be removed next release. + +#### For Windows + +- Removed support for legacy version packs from the WSL2 engine. + ## 4.30.0 {{< release-date date="2024-05-06" >}} -{{< desktop-install all=true version="4.30.0" build_path="/149282/" >}} +{{< desktop-install all=true beta_win_arm=true version="4.30.0" build_path="/149282/" >}} ### New diff --git a/content/desktop/settings/mac.md b/content/desktop/settings/mac.md index 3883961d4a5..9687121a402 100644 --- a/content/desktop/settings/mac.md +++ b/content/desktop/settings/mac.md @@ -75,6 +75,15 @@ If you choose the integrated terminal, you can run commands in a running contain - **Enable background SBOM indexing**. When this option is enabled, Docker Scout automatically analyzes images that you build or pull. +- **Automatically check configuration**. Regularly checks your configuration to ensure no unexpected changes have been made by another application. + + Docker Desktop checks if your setup, configured during installation, has been altered by external apps like Orbstack. Docker Desktop checks: + - The symlinks of Docker binaries to `/usr/local/bin`. + - The symlink of the default Docker socket. + Additionally, Docker Desktop ensures that the context is switched to `desktop-linux` on startup. + + You are notified if changes are found and are able to restore the configuration directly from the notification. + ## Resources The **Resources** tab allows you to configure CPU, memory, disk, proxies, 
@@ -322,13 +331,6 @@ On the **Advanced** tab, you can reconfigure your initial installation settings: For more information on each configuration and use case, see [Permission requirements](../mac/permission-requirements.md). -- **Automatically check configuration**. Regularly checks your configuration to ensure no unexpected changes have been made by another application. - Docker Desktop checks if your setup, configured during installation, has been altered by external apps like Orbstack. Docker Desktop checks: - - The symlinks of Docker binaries to `/usr/local/bin`. - - The symlink of the default Docker socket. - Additionally, Docker Desktop ensures that the context is switched to `desktop-linux` on startup. - - You are notified if changes are found and are able to restore the configuration directly from the notification. diff --git a/content/security/faqs/single-sign-on/idp-faqs.md b/content/security/faqs/single-sign-on/idp-faqs.md index 63874a678fb..79fa749cc48 100644 --- a/content/security/faqs/single-sign-on/idp-faqs.md +++ b/content/security/faqs/single-sign-on/idp-faqs.md 
@@ -42,12 +42,7 @@ Yes, bot accounts need a seat, similar to a regular end user, having a non-alias ### Does SAML SSO use Just-in-Time provisioning? -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning configuration is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. Otherwise, JIT is enabled by default. -{ .experimental } - -The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM. See [Just-in-Time provisioning](/security/for-admins/provisioning/just-in-time/). +The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT in the Admin Console if you enable auto-provisioning using SCIM. See [Just-in-Time provisioning](/security/for-admins/provisioning/just-in-time/). ### Is IdP-initiated sign-in available? diff --git a/content/security/faqs/single-sign-on/users-faqs.md b/content/security/faqs/single-sign-on/users-faqs.md index dd6da1f32d0..d994d39d9ea 100644 --- a/content/security/faqs/single-sign-on/users-faqs.md +++ b/content/security/faqs/single-sign-on/users-faqs.md 
@@ -59,11 +59,6 @@ When SSO is enabled and enforced, your users just have to sign in using the veri ### Is Docker SSO fully synced with the IdP? -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning configuration is available in [beta](/release-lifecycle/#beta) when you use the Admin Console. Otherwise, JIT is enabled by default. -{ .experimental } - Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization. [SCIM](../../../security/for-admins/provisioning/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM. 
@@ -72,12 +67,7 @@ Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to compl ### How does disabling Just-in-Time provisioning impact user sign-in? -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning configuration is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. Otherwise, JIT is enabled by default. -{ .experimental } - -If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization. +The option to disable JIT is available when you use the Admin Console and enable SCIM. If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). diff --git a/content/security/for-admins/provisioning/just-in-time.md b/content/security/for-admins/provisioning/just-in-time.md index c6a4576e6f1..cb64d3341d3 100644 --- a/content/security/for-admins/provisioning/just-in-time.md +++ b/content/security/for-admins/provisioning/just-in-time.md 
@@ -28,11 +28,6 @@ After every successful SSO sign-in authentication, the JIT provisioner performs ## SSO authentication with JIT provisioning disabled -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you have the option to disable JIT provisioning. -{ .experimental } - When you opt to disable JIT provisioning in your SSO connection, the following actions occur: 1. Checks if there's an existing Docker account with the email address of the user that just authenticated. @@ -53,11 +48,6 @@ If you disable JIT provisioning when you create or edit your SSO connection, you ## Disable JIT provisioning -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. -{ .experimental } - You may want to disable JIT provisioning for reasons such as the following: - You have multiple organizations, have SCIM enabled, and want SCIM to be the source of truth for provisioning diff --git a/content/security/for-admins/provisioning/scim.md b/content/security/for-admins/provisioning/scim.md index e5f9583f505..c8397bf75c3 100644 --- a/content/security/for-admins/provisioning/scim.md +++ b/content/security/for-admins/provisioning/scim.md 
@@ -45,10 +45,10 @@ For additional details about supported attributes and SCIM, see [Docker Hub API > SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../single-sign-on/configure/configure-idp.md#sso-attributes). {.important} -> **Beta feature** +> **Tip** > -> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). -{ .experimental } +> Optional Just-in-Time (JIT) provisioning is available when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). +{ .tip } ## Enable SCIM in Docker diff --git a/content/security/for-admins/single-sign-on/configure/configure-idp.md b/content/security/for-admins/single-sign-on/configure/configure-idp.md index b1eef880812..eae19748c0a 100644 --- a/content/security/for-admins/single-sign-on/configure/configure-idp.md +++ b/content/security/for-admins/single-sign-on/configure/configure-idp.md 
@@ -41,10 +41,10 @@ If you use SAML for your SSO connection, Docker obtains these attributes from th >SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](../../provisioning/scim.md), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For example, to make sure that the full name of a user displays in your organization, you would set a `name` attribute in your SAML attributes and ensure the value includes their first name and last name. The exact method for setting these values (for example, constructing it with `user.firstName + " " + user.lastName`) varies depending on your IdP. {.important} -> **Beta feature** +> **Tip** > -> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). -{ .experimental } +> Optional Just-in-Time (JIT) provisioning is available when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). +{ .tip } You can also configure attributes to override default values, such as default team or organization. See [role mapping](../../provisioning/scim.md#set-up-role-mapping). diff --git a/content/security/for-admins/single-sign-on/connect/_index.md b/content/security/for-admins/single-sign-on/connect/_index.md index e4d15d3cece..958d591a279 100644 
--- a/content/security/for-admins/single-sign-on/connect/_index.md +++ b/content/security/for-admins/single-sign-on/connect/_index.md @@ -26,11 +26,6 @@ Make sure you have completed the following before you begin: ## Step four: Complete your SSO connection -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you have the option to disable JIT provisioning. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). -{ .experimental } - {{< tabs >}} {{< tab name="Admin Console" >}} diff --git a/layouts/shortcodes/admin-sso-connect.md b/layouts/shortcodes/admin-sso-connect.md index 1bc655052ed..84519fe23df 100644 --- a/layouts/shortcodes/admin-sso-connect.md +++ b/layouts/shortcodes/admin-sso-connect.md 
@@ -21,12 +21,14 @@ After you’ve completed the SSO configuration process in Docker, you can test t >**Important** > -> SSO has Just-in-Time (JIT) provisioning enabled by default, unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization on Docker Hub. +> SSO has Just-in-Time (JIT) provisioning enabled by default, unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization. > > You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: > > - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) > - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) +> +> Alternatively, see [Manage how users are provisioned](/security/for-admins/single-sign-on/manage/#manage-how-users-are-provisioned). { .important} The SSO connection is now created. You can continue to set up SCIM without enforcing SSO log-in. For more information about setting up SCIM, see [Set up SCIM](/security/for-admins/provisioning/scim/). diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md index fa0064126c9..7ce978bc316 100644 --- a/layouts/shortcodes/admin-sso-management-users.md +++ b/layouts/shortcodes/admin-sso-management-users.md 
@@ -24,7 +24,7 @@ > **Important** > -> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization. +> SSO has Just-In-Time (JIT) Provisioning enabled by default unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization. > > You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: > @@ -55,9 +55,4 @@ To remove a user: ### Manage how users are provisioned -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and SCIM is enabled. With this feature, you have the option to disable JIT provisioning. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). -{ .experimental } - {{ $provisioning_steps }} diff --git a/layouts/shortcodes/desktop-install.html b/layouts/shortcodes/desktop-install.html index a2233246746..d7ead0930a9 100644 --- a/layouts/shortcodes/desktop-install.html +++ b/layouts/shortcodes/desktop-install.html @@ -1,5 +1,6 @@ {{- $all := .Get "all" -}} {{- $win := .Get "win" -}} +{{- $beta_win_arm := .Get "beta_win_arm" -}} {{- $mac := .Get "mac" -}} {{- $linux := .Get "linux" -}} {{- $version := .Get "version" -}} @@ -13,6 +14,12 @@ (checksum) | {{ end }} + {{- if or $beta_win_arm }} + Windows ARM Beta + (checksum) | + {{ end }} {{- if or $all $mac }} Mac with Apple chip
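
Review bot: in content/desktop/extensions-sdk/quickstart.md, the added paragraph tells developers to deselect **Allow only extensions distributed through the Docker Marketplace** but never says to select it again, even though the 4.31.0 release notes in this same patch list the marketplace-only default under Security. State the step directly instead of "You may need to", and add a sentence telling the reader to re-select the option once they have finished testing the extension.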
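
Review bot: in content/desktop/hardened-desktop/settings-management/configure.md, the changed table row still reads `containersProxy` (Beta) and "Allows you to create air-gapped containers", while settings-management/_index.md in this patch drops "(Beta)" and the 4.31.0 release notes announce Air-Gapped Containers as generally available. Remove the "(Beta)" marker from the row and match the capitalization of the new link text, so the `admin-settings.json` reference does not contradict the feature page.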
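
Review bot: in content/desktop/install/windows-install.md, the Hyper-V tab hunk (@@ -64,15 +64,12 @@) deletes "Turn on Hyper-V and Containers Windows features." and the pointer that sent Windows 10 and Windows 11 Home users to the WSL 2 tab, and at the same time adds Home to the Windows 11 line. With "Windows containers" also dropped from the tab name, the tabs visible in this patch no longer say which Windows features must be enabled for Hyper-V or for Windows containers. Keep the feature-enablement bullet or link to where it moved, and confirm that Home belongs on this tab before removing the pointer.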
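
Review bot: in content/desktop/release-notes.md, the Windows subsection under `### Security` is added as `### For Windows` while its sibling is `#### For all platforms`, so the CVE-2024-5652 entry renders as a peer of Security instead of inside it; change it to `#### For Windows`. In the same hunk, the link `desktop/hardened-desktop/air-gapped-containers.md` starts with `desktop/` whereas the Settings Management link further down the same file uses `hardened-desktop/settings-management/_index.md`, so one of the two relative paths does not resolve. The Deprecation bullet also says the CLI binary "is now shipped simply as `docker`" and then "This release leaves the CLI binary as `com.docker.cli`"; name explicitly which binary is removed in the next release.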
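
Review bot: in content/security/for-admins/provisioning/scim.md and content/security/for-admins/single-sign-on/configure/configure-idp.md, the new Tip opens with "Optional Just-in-Time (JIT) provisioning is available when you use the Admin Console and enable SCIM", which reads as if JIT itself depended on SCIM, directly after an Important note stating that SSO uses JIT by default. Reuse the wording this patch adds in users-faqs.md, "The option to disable JIT is available when you use the Admin Console and enable SCIM", so administrators are not left unsure which provisioning path is active. The idp-faqs.md answer also narrows the old "if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM" to SCIM only; confirm that SCIM is now a precondition for disabling JIT, since just-in-time.md still lists reasons for disabling it without qualification.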
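
Review bot: in layouts/shortcodes/desktop-install.html, `{{- if or $beta_win_arm }}` calls `or` with a single argument, unlike the neighbouring `{{- if or $all $mac }}`; write `{{- if $beta_win_arm }}`. The rendered label "Windows ARM Beta" also differs from the "Arm (Beta)" spelling used for the button and tab in windows-install.md in this patch, so pick one form. Since release-notes.md passes `all=true beta_win_arm=true`, document the new parameter next to the existing ones so that later release entries do not silently drop the Arm download and its checksum link.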