Skip to content

Arbium Platform

End-to-end deployment guide for the Arbium platform.

The rollout is a sequence of steps owned by two teams: Cloud Ops stands up the backend on AWS, Google Cloud, or Azure and exposes it at a customer-reachable HTTPS URL, and IT registers an app in the customer’s Entra tenant and ships the agent to managed devices. The two threads kick off in parallel - the Entra app registration produces inputs Cloud Ops needs for the Helm step - and converge when Cloud Ops returns the captures-endpoint URL and publishable key.

Both threads start at their team’s Step 1.

  • Cloud Ops follows the shared five-step installation guide, choosing AWS, Google Cloud, or Azure only for the provider-specific foundation step. Provisioning can run while IT does Step 1 in parallel; the shared Helm step needs the Entra tenant and client IDs from IT.
  • IT > Step 1 for the Entra app registration. Steps 2 through 4 need the captures-endpoint URL from Cloud Ops Step 5.

Each page leads with an Owner line and ends with what to do next.

Cloud Ops stands up the Arbium backend, then hands the captures URL and publishable key back to IT:

  • Shared flow: prerequisites, provider selection, Helm configuration, verification, upgrades, and handoff.
  • Provider foundations: EKS/Aurora on AWS, GKE/Cloud SQL on Google Cloud, or AKS/PostgreSQL Flexible Server on Azure.

IT registers the app(s) in Entra, then deploys agent + policies to devices:

  1. Entra app registration (Arbium Agent always; Arbium Admin only if the fleet console is being enabled)
  2. Policy management
  3. Enroll apps
  4. Smoke test

Agents authenticate with a Microsoft Entra ID JWT, verified by the backend’s standard OIDC integration (no Arbium-specific identity provider). The macOS agent mints an app-only token via OAuth 2.0 client credentials; the Windows agent uses MSAL + the WAM broker against the device’s Primary Refresh Token. Per-user attribution comes from local OS state - Open Directory’s AltSecurityIdentities on Mac, WAM on Windows - and ships in each capture’s email field. This is the same pattern Microsoft Defender for Endpoint and CrowdStrike Falcon use.