Arbium Platform
Arbium Platform
Section titled “Arbium Platform”End-to-end deployment guide for the Arbium platform.
The rollout is a sequence of steps owned by two teams: Cloud Ops stands up the backend on AWS, Google Cloud, or Azure and exposes it at a customer-reachable HTTPS URL, and IT registers an app in the customer’s Entra tenant and ships the agent to managed devices. The two threads kick off in parallel - the Entra app registration produces inputs Cloud Ops needs for the Helm step - and converge when Cloud Ops returns the captures-endpoint URL and publishable key.
How to read this
Section titled “How to read this”Both threads start at their team’s Step 1.
- Cloud Ops follows the shared five-step installation guide, choosing AWS, Google Cloud, or Azure only for the provider-specific foundation step. Provisioning can run while IT does Step 1 in parallel; the shared Helm step needs the Entra tenant and client IDs from IT.
- IT > Step 1 for the Entra app registration. Steps 2 through 4 need the captures-endpoint URL from Cloud Ops Step 5.
Each page leads with an Owner line and ends with what to do next.
What you’ll find
Section titled “What you’ll find”Cloud Ops stands up the Arbium backend, then hands the captures URL and publishable key back to IT:
- Shared flow: prerequisites, provider selection, Helm configuration, verification, upgrades, and handoff.
- Provider foundations: EKS/Aurora on AWS, GKE/Cloud SQL on Google Cloud, or AKS/PostgreSQL Flexible Server on Azure.
IT registers the app(s) in Entra, then deploys agent + policies to devices:
- Entra app registration (
Arbium Agentalways;Arbium Adminonly if the fleet console is being enabled) - Policy management
- Enroll apps
- Smoke test
Auth model in one paragraph
Section titled “Auth model in one paragraph”Agents authenticate with a Microsoft Entra ID JWT, verified by the backend’s
standard OIDC integration (no Arbium-specific identity provider). The macOS
agent mints an app-only token via OAuth 2.0 client credentials; the Windows
agent uses MSAL + the WAM broker against the device’s Primary Refresh Token.
Per-user attribution comes from local OS state - Open Directory’s
AltSecurityIdentities on Mac, WAM on Windows - and ships in each capture’s
email field. This is the same pattern Microsoft Defender for Endpoint and
CrowdStrike Falcon use.