IT overview
Owner: IT
IT owns two pieces of the rollout. First, an Entra app registration in the customer’s tenant - this happens before Cloud Ops can finish their backend deploy, because the resulting tenant_id and client_id are inputs to the ChainDB OIDC verifier. Then, once Cloud Ops returns the captures-endpoint URL and publishable key, IT deploys the Arbium agents to managed devices.
The agents authenticate to ChainDB with a Microsoft Entra ID JWT - the same pattern Microsoft Defender for Endpoint and CrowdStrike Falcon use. No shared enrollment secret on the wire.
Pick your platform
Section titled “Pick your platform”- Entra app registration - create three Entra objects and two groups in the customer tenant: the Arbium Agent app reg (agents authenticate with it; bump to v2 tokens, client secret on macOS), the Arbium Admin app reg (admin-console OIDC; only if Cloud Ops enables
admin-ui), and the Arbium SCIM non-gallery app (Entra auto-provisions users/groups into Arbium through it — App registrations can’t do SCIM). Create an Arbium Admins group (console access) and an Arbium Users group (who Arbium accepts captures from), and assign both to the Arbium SCIM app. Hand the tenant ID, agent client ID, and both group Object IDs to Cloud Ops; hold the secret for Step 2. - Policy management - register the Apple MDM push certificate, create the pilot device group, upload the managed-preferences profile (carrying the Entra credentials and the captures URL from Cloud Ops) and the Accessibility PPPC profile, scope all of it to the pilot group.
- Enroll apps - upload the agent packages (signed macOS
.pkg, Windows.msias LOB app) and scope them to the same pilot group. - Smoke test - install on one user’s device end-to-end, confirm token acquisition and capture upload, then widen the scope. If the fleet-console Admin UI was enabled in this install, also confirm an Admins-group member can sign in and a non-member is blocked.
Step 1 is best done as soon as Cloud Ops kicks off - the values you produce feed their Helm step. Steps 2 and 3 are best done in the same working session. The order within the device rollout matters: the configuration must reach the device before the agent package, or the agent installs and starts with missing configuration. It recovers once the config lands, but a clean rollout pushes configuration first.
Start with the platform-specific landing page: Windows or macOS.