5. Handoff to IT
Owner: Cloud Ops → IT
The backend is healthy in the customer-selected cloud and reachable from a managed-device network. The handoff is the same for AWS, Google Cloud, and Azure.
Confirm the Entra inputs you deployed
Section titled “Confirm the Entra inputs you deployed”IT should already have provided:
- Customer Entra tenant ID.
- Arbium Agent client ID.
- Entra login host (
login.microsoftonline.com, or the approved sovereign cloud host).
If the fleet console is enabled, IT also provided the Arbium Admin application
values, admin-group object IDs, and SCIM provisioning groups. These values pin
the deployment to the customer’s tenant; do not proceed if they are missing or
do not match the rendered chaindb-config ConfigMap.
Values to give IT
Section titled “Values to give IT”- Captures endpoint:
https://arbium.<customer-domain>/functions/v1/captures-batch-direct - Publishable key: the
config.edgeFnsAnonKeyvalue from the shared Helm values file. - Admin UI URL, when enabled:
https://arbium.<customer-domain>/admin - SCIM Tenant URL and token, when enabled:
https://arbium.<customer-domain>/scim/v2and the SCIM bearer token through the approved secret channel. - Deployment context: cloud provider, region, environment name, and support contact.
Verify the endpoint one final time before sending it:
curl -fsS https://arbium.<customer-domain>/functions/v1/healthcurl -fsS https://arbium.<customer-domain>/functions/v1/auth-configValues that never leave Cloud Ops
Section titled “Values that never leave Cloud Ops”Do not send any of these to managed devices or include them in the IT policy:
- Database URL or database credentials.
- Scheduler, enrollment, JWT, SCIM, or Admin client secrets, except the SCIM token sent directly to the Entra provisioning administrator.
- GHCR token or cloud workload-identity credentials.
- Cloud secret-store values, Terraform state, or Kubernetes Service URLs.
- Provider-specific cluster endpoints, load-balancer controller credentials, or certificate private keys.
The scheduler token authenticates only in-cluster CronJob calls. The GHCR token pulls release artifacts. Neither is an agent credential.
What IT does next
Section titled “What IT does next”IT continues with Step 2 - Policy management for Windows or macOS. The device policy combines the Entra values from IT Step 1 with the endpoint and publishable key from this handoff.
After the platform-specific smoke test passes, record the deployment as live with its cloud provider, region, Terraform tag, Helm chart version, hostname, and support owner.