Skip to content

5. Handoff to IT

Owner: Cloud Ops → IT

The backend is healthy in the customer-selected cloud and reachable from a managed-device network. The handoff is the same for AWS, Google Cloud, and Azure.

IT should already have provided:

  • Customer Entra tenant ID.
  • Arbium Agent client ID.
  • Entra login host (login.microsoftonline.com, or the approved sovereign cloud host).

If the fleet console is enabled, IT also provided the Arbium Admin application values, admin-group object IDs, and SCIM provisioning groups. These values pin the deployment to the customer’s tenant; do not proceed if they are missing or do not match the rendered chaindb-config ConfigMap.

  • Captures endpoint: https://arbium.<customer-domain>/functions/v1/captures-batch-direct
  • Publishable key: the config.edgeFnsAnonKey value from the shared Helm values file.
  • Admin UI URL, when enabled: https://arbium.<customer-domain>/admin
  • SCIM Tenant URL and token, when enabled: https://arbium.<customer-domain>/scim/v2 and the SCIM bearer token through the approved secret channel.
  • Deployment context: cloud provider, region, environment name, and support contact.

Verify the endpoint one final time before sending it:

Terminal window
curl -fsS https://arbium.<customer-domain>/functions/v1/health
curl -fsS https://arbium.<customer-domain>/functions/v1/auth-config

Do not send any of these to managed devices or include them in the IT policy:

  • Database URL or database credentials.
  • Scheduler, enrollment, JWT, SCIM, or Admin client secrets, except the SCIM token sent directly to the Entra provisioning administrator.
  • GHCR token or cloud workload-identity credentials.
  • Cloud secret-store values, Terraform state, or Kubernetes Service URLs.
  • Provider-specific cluster endpoints, load-balancer controller credentials, or certificate private keys.

The scheduler token authenticates only in-cluster CronJob calls. The GHCR token pulls release artifacts. Neither is an agent credential.

IT continues with Step 2 - Policy management for Windows or macOS. The device policy combines the Entra values from IT Step 1 with the endpoint and publishable key from this handoff.

After the platform-specific smoke test passes, record the deployment as live with its cloud provider, region, Terraform tag, Helm chart version, hostname, and support owner.