From 8fab9cdd5f360b896e3769e0ac14c7373d77c206 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Tue, 7 Apr 2026 14:37:27 +0100 Subject: [PATCH 1/3] ENGDOCS-3117b --- .../settings-management/settings-reference.md | 1537 +++++------------ 1 file changed, 464 insertions(+), 1073 deletions(-) diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md index c3b373801d80..06b4a9d10e3d 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md 
@@ -7,267 +7,26 @@ aliases: - /security/for-admins/hardened-desktop/settings-management/settings-reference/ --- -This reference documents all Docker Desktop settings and configuration options. Use this to understand setting behavior across different configuration methods and platforms. It is organized to match the Docker Desktop GUI structure. - -Each setting includes: - -- Default and accepted values -- Platform compatibility -- Configuration methods (Docker Desktop GUI, Admin Console, `admin-settings.json` file, or CLI) -- Enterprise security recommendations where applicable - -## General settings - -### Start Docker Desktop when you sign in to your computer - -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Automatic startup of Docker Desktop when the user logs in to their computer. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Ensure Docker Desktop is always available after system boot. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Open Docker Dashboard when Docker Desktop starts - -| Default value | Accepted values | Format | -|---------------|----------------------------|--------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Whether the Docker Dashboard opens automatically when Docker Desktop launches. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Provide immediate access to containers, images, and volumes after startup. 
-- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Choose theme for Docker Desktop - -| Default value | Accepted values | Format | -|---------------|----------------------------|--------| -| `system` | `light`, `dark`, `system` | Enum | - -- **Description:** Visual appearance of the Docker Desktop interface. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Customize interface appearance to match user preferences or system theme. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Configure shell completions - -| Default value | Accepted values | Format | -|---------------|-------------------------|--------| -| `integrated` | `integrated`, `system` | String | - -- **Description:** How Docker CLI auto-completion integrates with the user's shell. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Control whether Docker modifies shell configuration files for auto-completion. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Choose container terminal - -| Default value | Accepted values | Format | -|---------------|-------------------------|--------| -| `integrated` | `integrated`, `system` | String | - -- **Description:** Default terminal used when launching Docker CLI from Docker Desktop. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Set preferred terminal application for Docker CLI interactions. 
-- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Enable Docker terminal - -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Access to Docker Desktop's integrated terminal feature. If -the value is set to `false`, users can't use the Docker terminal to interact -with the host machine and execute commands directly from Docker Desktop. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Allow or restrict developer access to the built-in terminal for host system interaction. -- **Configure this setting with:** - - **General** setting in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `desktopTerminalEnabled` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - -> [!NOTE] -> -> In hardened environments, disable and lock this setting to limit host access. - -### Enable Docker Debug by default - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Whether debug logging is turned on by default for Docker CLI commands. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Provide verbose output for troubleshooting and support scenarios. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Include VM in Time Machine backup - -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Whether the Docker Desktop virtual machine is included in macOS Time Machine backups. 
-- **OS:** {{< badge color=blue text="Mac only" >}} -- **Use case:** Balance backup completeness with backup size and performance. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Use containerd for pulling and storing images - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Image storage backend used by Docker Desktop. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Improve image handling performance and enable containerd-native features. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Choose Virtual Machine Manager - -#### Docker VMM - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | - -#### Apple Virtualization framework - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | - -- **Description:** Use Apple Virtualization Framework to run Docker containers. -- **OS:** {{< badge color=blue text="Mac only" >}} -- **Use case:** Improve VM performance on Apple Silicon. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -#### Rosetta - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | - -- **Description:** Use Rosetta to emulate `amd64` on Apple Silicon. If value -is set to `true`, Docker Desktop turns on Rosetta to accelerate -x86_64/amd64 binary emulation on Apple Silicon. -- **OS:** {{< badge color=blue text="Mac only" >}} 13+ -- **Use case:** Run Intel-based containers on Apple Silicon hosts. 
-- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management:`useVirtualizationFrameworkRosetta` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Use Rosetta for x86_64/amd64 emulation on Apple Silicon** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -> [!NOTE] -> -> In hardened environments, disable and lock this setting so only ARM-native -images are permitted. - -> [!NOTE] -> -> Rosetta requires enabling Apple Virtualization framework. - -#### QEMU - -> [!WARNING] -> -> QEMU has been deprecated in Docker Desktop versions 4.44 and later. For more information, see the [blog announcement](https://www.docker.com/blog/docker-desktop-for-mac-qemu-virtualization-option-to-be-deprecated-in-90-days/) - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | - -### Choose file sharing implementation - -#### VirtioFS - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | - -- **Description:** Use VirtioFS for fast, native file sharing between host and -containers. If value is set to `true`, VirtioFS is set as the file sharing -mechanism. If both VirtioFS and gRPC are set to `true`, VirtioFS takes -precedence. -- **OS:** {{< badge color=blue text="Mac only" >}} 12.5+ -- **Use case:** Achieve better file system performance and compatibility on modern macOS. 
-- **Configure this setting with:** - - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `useVirtualizationFrameworkVirtioFS` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Use VirtioFS for file sharing** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -> [!NOTE] -> -> In hardened environments, enable and lock this setting for macOS 12.5 and -later. - -#### gRPC FUSE - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | - -- **Description:** Enable gRPC FUSE for macOS file sharing. If value is set to -`true`, gRPC Fuse is set as the file sharing mechanism. -- **OS:** {{< badge color=blue text="Mac only" >}} -- **Use case:** Alternative file sharing with improved performance over legacy osxfs. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `useGrpcfuse` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Use gRPC FUSE for file sharing** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - +This reference documents Docker Desktop settings that administrators can configure using [Settings Management](/manuals/enterprise/security/hardened-desktop/settings-management/_index.md). Use this page to understand which settings are available, their accepted values, platform compatibility, and which configuration methods apply. + > [!NOTE] > -> In hardened environments, disable and lock this setting. 
+> This page covers admin-configurable settings only. Settings that are only available to end users via the Docker Desktop GUI are not included here. For the full list of Docker Desktop user-facing settings, see [Change settings](/manuals/desktop/settings-and-maintenance/settings.md). -#### osxfs - -| Default value | Accepted values | Format | -| ------------- | --------------- | ------- | -| `false` | `true`, `false` | Boolean | - -- **Description:** Use the original osxfs file sharing driver for macOS. When -set to true, Docker Desktop uses osxfs instead of VirtioFS or gRPC FUSE to mount -host directories into containers. -- **OS:** {{< badge color=blue text="Mac only" >}} -- **Use case:** Compatibility with legacy tooling that requires the original file sharing implementation. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +## General ### Send usage statistics -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `true` | `true`, `false` | Boolean | - -- **Description:** Controls whether Docker Desktop collects and sends local -usage statistics and crash reports to Docker. This setting affects telemetry -gathered from the Docker Desktop application itself. It does not affect -server-side telemetry collected via Docker Hub or other backend services, such +Controls whether Docker Desktop collects and sends local usage statistics and crash reports to Docker. Does not affect server-side telemetry collected via Docker Hub or other backend services such as sign in timestamps, pulls, or builds. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Help Docker improve the product based on usage patterns. 
-- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `analyticsEnabled` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Send usage statistics** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) -> [!NOTE] -> -> In hardened environments, disable and lock this setting. This allows you -to control all your data flows and collect support logs via secure channels -if needed. +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `analyticsEnabled` | +| Admin Console | **Send usage statistics** | > [!NOTE] 
> @@ -276,885 +35,571 @@ ensure that developer activity is fully visible. If users opt out and the setting is not locked, their activity may be excluded from analytics views. -### Use Enhanced Container Isolation +### Automatically check for updates -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +Controls whether Docker Desktop checks for and notifies users about available updates. When set to `true`, update checks and notifications are disabled. -- **Description:** Advanced container security through Linux user namespaces and additional isolation. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Prevent containers from modifying Docker Desktop VM configuration or accessing sensitive host areas. -- **Configure this setting with:** - - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enhancedContainerIsolation` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Enable enhanced container isolation** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `disableUpdate` | +| Admin Console | **Disable update** | > [!NOTE] > -> In hardened environments, disable and lock this setting. This allows you -to control all your data flows and collect support logs via secure channels -if needed. - -### Show CLI hints +> In hardened environments, enable this setting and lock it. This guarantees that +only internally vetted versions are installed. 
-| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### Automatically update components -- **Description:** Display of helpful CLI suggestions in the terminal when using Docker commands. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Help users discover Docker CLI features through contextual tips. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +Allows Docker Desktop to automatically update components that do not require a restart, such as Docker Compose, Docker Scout, and the Docker CLI. -### Enable Scout image analysis +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `silentModulesUpdate` | +| Admin Console | **Automatically update components** | -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### Enable Gordon -- **Description:** Docker Scout SBOM generation and vulnerability scanning for container images. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Turn on vulnerability scanning and software bill of materials analysis. 
-- **Configure this setting with:** - - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `sbomIndexing` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **SBOM indexing** settings in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values (individuals) | `true`, `false` | +| Accepted values (Business tier) | `"Disabled"`, `"Enabled"`, `"Always Enabled"` | +| JSON key | `enableDockerAI` | +| Admin Console | **Enable Gordon** | -> [!NOTE] -> -> In hardened environments, enable and lock this setting to ensure compliance scanning is always available. +> **Important:** Docker Business customers must set this to `"Enabled"` or `"Always Enabled"` in the Admin Console. Setting to `"User Defined"` alone will not activate Gordon. -### Enable background Scout SBOM indexing +### Block `docker load` -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +Prevents users from loading local Docker images using the `docker load` command, enforcing image provenance by requiring all images to come from registries. -- **Description:** Automatic SBOM indexing for images without requiring user interaction. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Keep image metadata current by indexing during idle time or after image operations. 
-- **Configure this setting with:** - - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `blockDockerLoad` | +| Admin Console | **Block Docker Load** | > [!NOTE] > -> In hardened environments, enable and lock this setting for continuous security analysis. - -### Automatically check configuration - -| Default value | Accepted values | Format | -|-----------------------|-----------------|---------| -| `CurrentSettingsVersions` | Integer | Integer | - -- **Description:** Regular verification that Docker Desktop configuration hasn't been modified by external applications. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Track configuration versions for compatibility and change detection. -- **Configure this setting with:** - - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `configurationFileVersion` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - -## Resources settings - -### CPU limit - -| Default value | Accepted values | Format | -|-----------------------------------------------|-----------------|---------| -| Number of logical CPU cores available on host | Integer | Integer | - -- **Description:** Number of CPU cores allocated to the Docker Desktop virtual machine. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Balance Docker performance with host system resource availability. 
-- **Configure this setting with:** - - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Memory limit - -| Default value | Accepted values | Format | -|---------------------------|-----------------|---------| -| Based on system resources | Integer | Integer | - -- **Description:** Amount of RAM (in MiB) allocated to the Docker Desktop virtual machine. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Control memory allocation to optimize performance for both Docker and host applications. -- **Configure this setting with:** - - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Swap - -| Default value | Accepted values | Format | -|---------------|-----------------|---------| -| `1024` | Integer | Integer | - -- **Description:** Amount of swap space (in MiB) available to the Docker virtual machine. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Extend available memory for container workloads when physical RAM is limited. -- **Configure this setting with:** - - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Disk usage limit - -| Default value | Accepted values | Format | -|-------------------------------|-----------------|---------| -| Default disk size of machine. | Integer | Integer | - -- **Description:** Maximum disk space (in MiB) allocated for Docker Desktop data. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Prevent Docker from consuming excessive disk space on the host system. 
-- **Configure this setting with:** - - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Disk image location - -| Default value | Accepted values | Format | -|--------------------------------------------------|-----------------|--------| -| macOS: `~/Library/Containers/com.docker.docker/Data/vms/0`
Windows: `%USERPROFILE%\AppData\Local\Docker\wsl\data` | File path | String | - -- **Description:** File system path where Docker Desktop stores virtual machine data. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Move Docker data to custom storage locations for performance or space management. -- **Configure this setting with:** - - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Enable Resource Saver +> In hardened environments, enable and lock this setting. This forces all images +to come from your secure, scanned registry. -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### Hide onboarding survey -- **Description:** Automatic pausing of Docker Desktop when idle to conserve system resources. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Reduce CPU and memory usage when Docker Desktop isn't actively being used. -- **Configure this setting with:** - - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +Prevents the onboarding survey from being shown to new users. -### File sharing directories +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `displayedOnboarding` | +| Admin Console | **Hide onboarding survey** | -| Default value | Accepted values | Format | -|----------------------------------------|---------------------------------|--------------------------| -| Varies by OS | List of file paths as strings | Array list of strings | +### Enable Docker terminal `All platforms` -- **Description:** Host directories that can be mounted into containers as volumes. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Define which host directories containers can access for development workflows. 
-- **Configure this setting with:** - - **File sharing** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `filesharingAllowedDirectories` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Allowed file sharing directories** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Allows or restricts access to the built-in terminal for host system interaction. When set to `false`, users cannot use the Docker terminal to interact with the host machine or execute commands directly from Docker Desktop. -> [!NOTE] -> -> In hardened environments, lock to an explicit allowlist and disable end-user -edits. +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| Docker Desktop GUI | **General** tab | +| JSON key | `desktopTerminalEnabled` | +| Admin Console | Not available | -### Proxy exclude +### Expose Docker API on TCP 2375 {{< badge color=blue text="Windos only" >}} -| Default value | Accepted values | Format | -|---------------|--------------------|--------| -| `""` | List of addresses | String | +Exposes the Docker API over an unauthenticated TCP socket on port 2375. Only recommended for isolated and protected environments. Supports legacy integrations that require TCP API access. -- **Description:** Network addresses that containers should bypass when using proxy settings. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Define proxy exceptions for internal services or specific domains. 
-- **Configure this setting with:** - - **Proxies** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `proxy` setting with `manual` and `exclude` modes in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Proxy** section in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `exposeDockerAPIOnTCP2375` | +| Admin Console | **Expose Docker API** | > [!NOTE] > -> In hardened environments, disable and lock this setting to maintain strict proxy control. - -### Docker subnet - -| Default value | Accepted values | Format | -|-------------------|-----------------|--------| -| `192.168.65.0/24` | IP address | String | - -- **Description:** Overrides the network range used for vpnkit DHCP/DNS for -`*.docker.internal`. -- **OS:** {{< badge color=blue text="Mac only" >}} -- **Use case:** Customize the subnet used for Docker container networking. -- **Configure this setting with:** - - Settings Management: `vpnkitCIDR` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **VPN Kit CIDR** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -### Use kernel networking for UDP - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Use the host’s kernel network stack for UDP traffic instead of Docker’s virtual network driver. This enables faster and more direct UDP communication, but may bypass some container isolation features. 
-- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Improve performance for UDP-intensive applications like real-time media, DNS, or gaming. -- **Configure this setting with:** - - **Network** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Enable host networking - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Experimental support for containers to use the host network stack directly. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Allow containers to bypass Docker's network isolation for specific scenarios. -- **Configure this setting with:** - - **Network** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - -### Networking mode - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `dual-stack` | `ipv4only`, `ipv6only` | String | - -- **Description:** Default IP protocol used when Docker creates new networks. -- **OS:** {{< badge color=blue text="Windows and Mac" >}} -- **Use case:** Align with network infrastructure that supports only IPv4 or IPv6. -- **Configure this setting with:** - - **Network** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `defaultNetworkingMode` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Default network IP mode** in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows). 
- -#### Inhibit DNS resolution for IPv4/IPv6 - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `auto` | `ipv4`, `ipv6`, `none` | String | - -- **Description:** Filters unsupported DNS record types. Requires Docker Desktop -version 4.43 and up. -- **OS:** {{< badge color=blue text="Windows and Mac" >}} -- **Use case:** Control how Docker filters DNS records returned to containers, improving reliability in environments where only IPv4 or IPv6 is supported. -- **Configure this setting with:** - - **Network** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `dnsInhibition` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **DNS filtering behavior** in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows). - -### Enable WSL engine +> In hardened environments, disable and lock this setting. This ensures the +Docker API is only reachable via the secure internal socket. -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### Enable Docker terminal -- **Description:** If the value is set to `true`, Docker Desktop uses the WSL2 -based engine. This overrides anything that may have been set at installation -using the `--backend=` flag. -- **OS:** {{< badge color=blue text="Windows only" >}} + WSL -- **Use case:** Run Linux containers on Windows using the WSL 2 backend for better performance. 
-- **Configure this setting with:** - - **WSL Integration** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `wslEngineEnabled` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Windows Subsystem for Linux (WSL) Engine** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Allows or restricts access to the built-in terminal for host system interaction. When set to `false`, users cannot use the Docker terminal to interact with the host machine or execute commands directly from Docker Desktop. -> [!NOTE] -> -> In hardened environments, enable and lock this setting for improved security and performance. +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `desktopTerminalEnabled` | +| Admin Console | Not availabe | -## Docker Engine settings +## Extensions -The Docker Engine settings let you configure low-level daemon settings through a raw JSON object. These settings are passed directly to the dockerd process that powers container management in Docker Desktop. 
+### Enable Docker extensions -| Key | Example | Description | Accepted values / Format | Default | -| --------------------- | --------------------------- | -------------------------------------------------- | ------------------------------ | ------- | -| `debug` | `true` | Enable verbose logging in the Docker daemon | Boolean | `false` | -| `experimental` | `true` | Enable experimental Docker CLI and daemon features | Boolean | `false` | -| `insecure-registries` | `["myregistry.local:5000"]` | Allow pulling from HTTP registries without TLS | Array of strings (`host:port`) | `[]` | -| `registry-mirrors` | `["https://mirror.gcr.io"]` | Define alternative registry endpoints | Array of URLs | `[]` | +Controls whether users can install and run Docker Extensions. -- **Description:** Customize the behavior of the Docker daemon using a structured JSON config passed directly to dockerd. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Configure registry access, enable debug logging, or turn on experimental features. -- **Configure this setting with:** - - **Docker Engine** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `extensionsEnabled` | +| Admin Console | **Allow Extensions** | > [!NOTE] > -> In hardened environments, provide a vetted configuration and lock it to prevent -unauthorized daemon modifications. +> In hardened environments, disable and lock this setting. This prevents +third-party or unverified plugins from being installed. -> [!IMPORTANT] -> -> Values for this setting are passed as-is to the Docker daemon. Invalid or unsupported fields may prevent Docker Desktop from starting. +### Allow only extensions distributed through the Docker Marketplace -## Builders settings +Prevents installation of third-party or locally developed extensions. 
-Builders settings lets you manage Buildx builder instances for advanced image-building scenarios, including multi-platform builds and custom backends. +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `onlyMarketplaceExtensions` | +| Admin Console | **Only marketplace extensions** | -| Key | Example | Description | Accepted values / Format | Default | -| ----------- | -------------------------------- | -------------------------------------------------------------------------- | ------------------------- | --------- | -| `name` | `"my-builder"` | Name of the builder instance | String | — | -| `driver` | `"docker-container"` | Backend used by the builder (`docker`, `docker-container`, `remote`, etc.) | String | `docker` | -| `platforms` | `["linux/amd64", "linux/arm64"]` | Target platforms supported by the builder | Array of platform strings | Host arch | +### Enable a private marketplace -- **Description:** Buildx builder instances for advanced image building scenarios. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Set up cross-platform builds, remote builders, or custom build environments. -- **Configure this setting with:** - - **Builders** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +Ensures Docker Desktop connects to content defined and controlled by the administrator instead of the public Docker Marketplace. -> [!NOTE] -> -> Builder definitions are structured as an array of objects, each describing a builder instance. Conflicting or unsupported configurations may cause build errors. 
+| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `extensionsPrivateMarketplace` | +| Admin Console | **Extensions private marketplace** | -## AI settings +## AI ### Enable Docker Model Runner -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +Enables Docker Model Runner functionality for running AI models in containers. -- **Description:** Docker Model Runner functionality for running AI models in containers. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Run and manage AI/ML models using Docker infrastructure. -- **Configure this setting with:** - - **AI** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enableInference` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Enable Docker Model Runner** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `enableInference` | +| Admin Console | **Enable Docker Model Runner** | #### Enable host-side TCP support -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | - -- **Description:** TCP connectivity for Docker Model Runner services. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Allow external applications to connect to Model Runner via TCP. 
-- **Configure this setting with:** - - **AI** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enableInferenceTCP` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Host-side TCP support** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Enables TCP connectivity for Docker Model Runner services, allowing external applications to connect to Model Runner via TCP. -> [!NOTE] -> -> This setting requires Docker Model Runner setting to be enabled first. +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `enableInferenceTCP` | +| Admin Console | **Host-side TCP support** | +| Requires | Docker Model Runner enabled | ##### Port -| Default value | Accepted values | Format | -|---------------|-----------------|---------| -| 12434 | Integer | Integer | - -- **Description:** Specific port used for Model Runner TCP connections. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Customize the port for Model Runner TCP connectivity. -- **Configure this setting with:** - - **AI** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enableInferenceTCPPort` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Host-side TCP port** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -> [!NOTE] -> -> This setting requires Docker Model Runner and host-side TCP support settings to be enabled first. 
- -##### CORS Allowed Origins - -| Default value | Accepted values | Format | -|---------------|---------------------------------------------------------------------------------|--------| -| Empty string | Empty string to deny all,`*` to accept all, or a list of comma-separated values | String | - -- **Description:** Cross-origin resource sharing settings for Model Runner web integration. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Allow web applications to connect to Model Runner services. -- **Configure this setting with:** - - **AI** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enableInferenceCORS` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **CORS Allowed Origins** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -> [!NOTE] -> -> This setting requires Docker Model Runner and host-side TCP support settings to be enabled first. - -#### Enable GPU-backed inference - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | - -- **Description:** GPU-backed inference. -- **OS:** {{< badge color=blue text="Windows only" >}} -- **Use case:** Enable GPU-backed inference. Additional components will be downloaded to ~/.docker/bin/inference. 
-- **Configure this setting with:** - - **AI** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enableInferenceGPUVariant` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Enable GPU-backed inference** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -## Kubernetes settings - -### Enable Kubernetes - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Local Kubernetes cluster integration with Docker Desktop. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Provide local Kubernetes development environment for testing and development. -- **Configure this setting with:** - - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `kubernetes` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Allow Kubernetes** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -> [!NOTE] -> -> In hardened environments, disable and lock this setting unless Kubernetes development is specifically required. - -> [!IMPORTANT] -> -> When Kubernetes is enabled through Settings Management policies, only the -`kubeadm` cluster provisioning method is supported. The `kind` provisioning -method is not yet supported by Settings Management. - -### Choose cluster provisioning method - -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `kubeadm` | `kubeadm`, `kind` | String | +Specifies the port used for Model Runner TCP connections. 
-- **Description:** Kubernetes cluster topology and node configuration. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Choose between single-node (`kubeadm`) or multi-node (`kind`)` cluster configurations for different development needs. -- **Configure this setting with:** - - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +| Property | Value | +|---|---| +| Default | `12434` | +| Accepted values | Integer | +| Format | Integer | +| JSON key | `enableInferenceTCPPort` | +| Admin Console | **Host-side TCP port** | +| Requires | Docker Model Runner and host-side TCP support enabled | -### Kubernetes node count (kind provisioning) +##### CORS Allowed Origins -| Default value | Accepted values | Format | -|---------------|-----------------|---------| -| `1` | Integer | Integer | +Controls cross-origin resource sharing for Model Runner web integration. -- **Description:** Number of nodes in multi-node Kubernetes clusters. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Scale cluster size for testing distributed applications or cluster features. -- **Configure this setting with:** - - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +| Property | Value | +|---|---| +| Default | Empty string | +| Accepted values | Empty string (deny all), `*` (accept all), or comma-separated list of origins | +| Format | String | +| JSON key | `enableInferenceCORS` | +| Admin Console | **CORS Allowed Origins** | +| Requires | Docker Model Runner and host-side TCP support enabled | -### Kubernetes node version (kind provisioning) +### Enable GPU-backed inference {{< badge color=blue text="Windows only" >}} -| Default value | Accepted values | Format | -|---------------|-------------------------------|--------| -| `1.31.1` | Semantic version (e.g., 1.29.1) | String | +Enables GPU-backed inference. 
Additional components will be downloaded to `~/.docker/bin/inference`. -- **Description:** Kubernetes version used for cluster nodes. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Pin specific Kubernetes versions for consistency or compatibility requirements. -- **Configure this setting with:** - - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `enableInferenceGPUVariant` | +| Admin Console | **Enable GPU-backed inference** | -### Show system containers +## File sharing and emulation -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +### File sharing directories -- **Description:** Visibility of Kubernetes system containers in Docker Desktop Dashboard. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Allow developers to view and debug kube-system containers. -- **Configure this setting with:** - - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +Defines which host directories containers can access for development workflows. -> [!NOTE] -> -> In hardened environments, disable and lock this setting to reduce interface complexity. +| Property | Value | +|---|---| +| Default | Varies by OS | +| Accepted values | List of file paths | +| Format | Array of strings | +| JSON key | `filesharingAllowedDirectories` | +| Admin Console | Yes — **Allowed file sharing directories** | -## Software updates settings +### VirtioFS {{< badge color=blue text="Mac only" >}} -### Automatically check for updates +Uses VirtioFS for fast, native file sharing between host and containers. If both VirtioFS and gRPC FUSE are set to `true`, VirtioFS takes precedence. 
-| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `useVirtualizationFrameworkVirtioFS` | +| Admin Console | **Use VirtioFS for file sharing** tab | -- **Description:** Whether Docker Desktop checks for and notifies about available updates. If the -value is set to `true`, checking for updates and notifications about Docker -Desktop updates are disabled. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Control update notifications and automatic version checking. -- **Configure this setting with:** - - Settings Management: `disableUpdate` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Disable update** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +### gRPC FUSE {{< badge color=blue text="Mac only" >}} -> [!NOTE] -> -> In hardened environments, enable this setting and lock. This guarantees that -only internally vetted versions are installed. +Enables gRPC FUSE for macOS file sharing. -### Always download updates +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `useGrpcfuse` | +| Admin Console | **Use gRPC FUSE for file sharing** | -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | +### Rosetta {{< badge color=blue text="Mac only" >}} -- **Description:** Automatic downloading of Docker Desktop updates when they become available. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Manage bandwidth usage and control when updates are downloaded. 
-- **Configure this setting with:** - - **Software updates** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: **Disable updates** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Uses Rosetta for x86_64/amd64 emulation on Apple Silicon. -### Automatically update components +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `useVirtualizationFrameworkRosetta` | +| Admin Console | **Use Rosetta for x86_64/amd64 emulation on Apple Silicon** | -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +## Scout -- **Description:** Allow Docker Desktop to automatically update components that don't require a restart. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Automatically updates key Docker Desktop components such as Docker Compose, Docker Scout, the Docker CLI. -- **Configure this setting with:** - - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md#software-updates) - - Settings Management: `silentModulesUpdate` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Automatically update components** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +### Enable Scout image analysis -## Extensions settings +Turns on vulnerability scanning and software bill of materials (SBOM) analysis for container images. 
-### Enable Docker extensions +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `sbomIndexing` | +| Admin Console | **SBOM indexing** | -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### Enable background Scout SBOM indexing -- **Description:** Access to Docker Extensions marketplace and installed extensions. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Control whether users can install and run Docker Extensions. -- **Configure this setting with:** - - **Extensions** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `extensionsEnabled` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Allow Extensions** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Keeps image metadata current by indexing during idle time or after image operations. -> [!NOTE] -> -> In hardened environments, disable and lock this setting. This prevents -third-party or unvetted plugins from being installed. +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `useBackgroundIndexing` | +| Admin Console | **Background indexing** | -### Allow only extensions distributed through the Docker Marketplace +## Proxy -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +### Embedded PAC script -- **Description:** Restriction of Docker Extensions to only those available through the official marketplace. 
-- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Prevent installation of third-party or locally developed extensions. -- **Configure this setting with:** - - **Extensions** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `onlyMarketplaceExtensions` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Only marketplace extensions** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Specifies an embedded Proxy Auto-Config (PAC) script. For example: `"embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }"`. -### Enable a private marketplace +| Property | Value | +|---|---| +| Default | `""` | +| Accepted values | Embedded PAC script content | +| Format | String | +| JSON key | `embeddedPac` | +| Admin Console | Yes **Embedded PAC script** | -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +### PAC file URL -- **Description:** Activates the private marketplace. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Ensures Docker Desktop connects to content defined and controlled by the administrator instead of the public Docker marketplace. -- **Configure this setting with:** - - Settings Management: `extensionsPrivateMarketplace` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Extensions private marketplace** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Specifies a PAC file URL for Docker Desktop to use when routing network traffic. For example: `"pac": "http://proxy/proxy.pac"`. 
-### Show Docker Extensions system containers +| Property | Value | +|---|---| +| Default | `""` | +| Accepted values | PAC file URL | +| Format | String | +| JSON key | `pac` | +| Admin Console | **PAC file** | -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +### Override Windows "dockerd" port {{< badge color=blue text="Mac only" >}} -- **Description:** Visibility of system containers used by Docker Extensions in the container list. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Help developers troubleshoot extension issues by viewing underlying containers. -- **Configure this setting with:** - - **Extensions** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. -## Beta features settings +| Property | Value | +|---|---| +| Default | `-1` | +| Accepted values | `-1` `0` | +| Format | String | +| JSON key | `windowsDockerdPort` | +| Admin Console | **Override Windows “dockerd” port** | -> [!IMPORTANT] -> -> For Docker Desktop versions 4.41 and earlier, these settings were under the **Experimental features** tab on the **Features in development** page. +### Enable Kerberos and NTLM authentication -### Enable Gordon +Enables enterprise proxy authentication support for Kerberos and NTLM protocols. -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | Individual users: `true`, `false`
Business tier: `"Disabled"`, `"Enabled"`, `"Always Enabled"` | Boolean for individuals
Toggle in Admin Console | +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `proxy.enableKerberosNtlm` | +| Admin Console | **Kerberos NTLM** | +### Proxy bypass -- **Description:** Enable the Gordon AI agent -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Turn on AI-powered assistance and recommendations within Docker Desktop. -- **Configure this setting with:** - - **Beta** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enableDockerAI` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Enable Gordon** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Defines network addresses that containers should bypass when using proxy settings. -> [!IMPORTANT] -> -> Docker Business customers must set this to `"Enabled"` or `"Always Enabled"` -in the Admin Console. Setting to `"User Defined"` alone will not activate -Gordon features. This secure-by-default approach prevents unintended -deployment of AI features in security-conscious organizations. - -### Enable Docker MCP Toolkit - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | - -- **Description:** Enable [Docker MCP Toolkit](/manuals/ai/mcp-catalog-and-toolkit/_index.md) in Docker Desktop. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Turn on MCP toolkit features for AI model development workflows. 
-- **Configure this setting with:** - - **Beta** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enableDockerMCPToolkit` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - -### Enable Docker Offload - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | - -- **Description:** Enable Docker Offload integration features and functionality. When enabled, users see the Docker Offload toggle in the Docker Desktop header. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Control Docker Offload availability and whether users can change the setting. -- **Configure this setting with:** - - **Docker Offload** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `enableCloud` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Enable Docker Offload** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +| Property | Value | +|---|---| +| Default | `""` | +| Accepted values | List of addresses | +| Format | String | +| Docker Desktop GUI | **Proxies** tab | +| JSON key | `proxy` (with `manual` and `exclude` modes) | +| Admin Console | Yes — **Proxy** section | -> [!NOTE] -> -> This setting is only available when Docker Offload capability is enabled for -> the organization. 
+## Containers proxy -### Enable Wasm +### Air-gapped container proxy -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +Configures an HTTP/HTTPS proxy for containers in air-gapped environments, providing controlled network access in offline or restricted network environments. -- **Description:** Enable [Wasm](/manuals/desktop/features/wasm.md) to run Wasm workloads. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Run WebAssembly applications and modules within Docker containers. -- **Configure this setting with:** - - **Beta** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +| Property | Value | +|---|---| +| Default | See example below | +| Accepted values | JSON object | +| Format | JSON object | +| JSON key | `containersProxy` | +| Admin Console | **Containers proxy** section | -## Notifications settings +```json +"containersProxy": { + "locked": true, + "mode": "manual", + "http": "", + "https": "", + "exclude": [], + "pac": "", + "transparentPorts": "" +} +``` -### Status updates on tasks and processes +## LinuxVM -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### Enable WSL engine {{< badge color=blue text="Windows only" >}} -- **Description:** General informational messages displayed within Docker Desktop. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Control visibility of operational status messages and process updates. -- **Configure this setting with:** - - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +When set to `true`, Docker Desktop uses the WSL 2 based engine. Overrides any backend flag set at installation using `--backend=`. 
-### Recommendations from Docker +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `wslEngineEnabled` | +| Admin Console | **Windows Subsystem for Linux (WSL) Engine** | -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### Docker daemon options -- **Description:** Promotional content and feature recommendations displayed in Docker Desktop. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Manage exposure to Docker marketing content and feature promotions. -- **Configure this setting with:** - - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +Overrides the Docker daemon configuration used in containers, without modifying local configuration files. -### Docker announcements +| Property | Value | +|---|---| +| Default | `{}` | +| Accepted values | JSON object | +| Format | Stringified JSON | +| JSON key | `linuxVM.dockerDaemonOptions` | +| Admin Console | **Docker Deamon options** in the LinuxVM dropdown | -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### VPNKit CIDR {{< badge color=blue text="Mac only" >}} -- **Description:** General announcements and news displayed within Docker Desktop. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Control visibility of Docker-wide announcements and important updates. -- **Configure this setting with:** - - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +Sets the network subnet used for Docker Desktop's internal VPNKit DHCP/DNS services. Prevents IP address conflicts in environments with overlapping network subnets. 
-### Docker surveys +| Property | Value | +|---|---| +| Default | `192.168.65.0/24` | +| Accepted values | CIDR notation | +| Format | String | +| JSON key | `vpnkitCIDR` | +| Admin Console | **VPNKit CIDR** | -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +## Windows containers -- **Description:** Survey invitations and feedback requests displayed to users. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Manage user participation in Docker product feedback and research. -- **Configure this setting with:** - - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +### Docker daemon options -### Docker Scout notification pop-ups +Overrides the Docker daemon configuration used inWindows containers, without modifying local configuration files. -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +| Property | Value | +|---|---| +| Default | `{}` | +| Accepted values | JSON object | +| Format | Stringified JSON | +| JSON key | `windowsContainers.dockerDaemonOptions` | +| Admin Console | **Docker Daemon options** in the **Windows containers dropdown** | -- **Description:** In-application notifications from Docker Scout vulnerability scanning. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Control visibility of vulnerability scan results and security recommendations. -- **Configure this setting with:** - - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +## Kubernetes -### Docker Scout OS notifications +### Enable Kubernetes -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +Enables the local Kubernetes cluster integration with Docker Desktop. 
-- **Description:** Operating system-level notifications from Docker Scout. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Receive Scout security alerts through the system notification center. -- **Configure this setting with:** - - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `kubernetes` | +| Admin Console | **Enable Kubernetes** | -## Advanced settings +### Show system containers -### Configure installation of Docker CLI +Controls visibility of Kubernetes system containers in the Docker Desktop Dashboard. -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `system` | File path | String | +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| Admin Console | **Show system containers** | -- **Description:** File system location where Docker CLI binaries are installed. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Customize CLI installation location for compliance or tooling integration requirements. -- **Configure this setting with:** - - **Advanced** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +### Kubernetes image repository -### Allow the default Docker socket to be used +Specifies a registry used for Kubernetes control plane images instead of Docker Hub. Overrides the `[registry[:port]/][namespace]` portion of image names. Images must be mirrored from Docker Hub with matching tags. 
-| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +| Property | Value | +|---|---| +| Default | `""` | +| Accepted values | Registry URL | +| Format | String | +| JSON key | `KubernetesImagesRepository` | +| Admin Console | **Kubernetes Images Repository** | -- **Description:** By default, enhanced container isolation blocks bind-mounting -the Docker Engine socket into containers -(e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This lets -you relax this in a controlled way. See ECI Configuration for more info. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Support Docker-in-Docker scenarios, CI agents, or tools like Testcontainers while maintaining Enhanced Container Isolation. -- **Configure this setting with:** - - **Advanced** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) - - Settings Management: `dockerSocketMount` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) +> [!NOTE] +> +> Images must be mirrored from Docker Hub with matching tags. Required images depend on the cluster provisioning method. -### Allow privileged port mapping +> [!IMPORTANT] +> +> When using custom image repositories with Enhanced Container Isolation, add these images to the ECI allowlist: `[imagesRepository]/desktop-cloud-provider-kind:*` and `[imagesRepository]/desktop-containerd-registry-mirror:*`. -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `true` | `true`, `false` | Boolean | +### Cluster provisioning method -- **Description:** Permission to bind container ports to privileged ports (1-1024) on the host. -- **OS:** {{< badge color=blue text="Mac only" >}} -- **Use case:** Allow containers to use standard service ports like HTTP (80) or HTTPS (443). 
-- **Configure this setting with:** - - **Advanced** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) +Controls Kubernetes cluster topology and node configuration. -## Settings only available with Settings Management +| Property | Value | +|---|---| +| Default | `kubeadm` | +| Accepted values | `kubeadm`, `kind` | +| Format | String | +| Admin Console | **Kubernetes mode** | -The following settings aren’t shown in the Docker Desktop GUI. You can only configure them using Settings Management with the Admin Console or the `admin-settings.json` file. +### Node version -### Block `docker load` +Pins the Kubernetes version used for cluster nodes. -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | +| Property | Value | +|---|---| +| Default | `1.31.1` | +| Accepted values | Semantic version (e.g. `1.29.1`) | +| Format | String | +| Admin Console | **Node version** tab | -- **Description:** Prevent users from loading local Docker images using the `docker load` command. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Enforce image provenance by requiring all images to come from registries. -- **Configure this setting with:** - - Settings Management: `blockDockerLoad` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Block Docker Load** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +### Nodes count -> [!NOTE] -> -> In hardened environments, enable and lock this setting. This forces all images -to come from your secure, scanned registry. +Sets the number of nodes in multi-node Kubernetes clusters. 
-### Hide onboarding survey +| Property | Value | +|---|---| +| Default | `1` | +| Accepted values | Integer | +| Format | Integer | +| Admin Console | **Nodes count** | -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | +## Features in development -- **Description:** Prevent the onboarding survey from being shown to new users. -- **OS:** {{< badge color=blue text="All" >}} -- **Configure this setting with:** - - Settings Management: `displayedOnboarding` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Hide onboarding survey** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +### Access beta features -### Expose Docker API on TCP 2375 +Controls whether users can access all Docker Desktop features that are in public beta. -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `allowBetaFeatures` | +| Admin Console | **Access beta features** | -- **Description:** Exposes the Docker API over an unauthenticated TCP socket on port 2375. Only recommended for isolated and protected environments. -- **OS:** {{< badge color=blue text="Windows only" >}} -- **Use case:** Support legacy integrations that require TCP API access. 
-- **Configure this setting with:** - - Settings Management: `exposeDockerAPIOnTCP2375` in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Expose Docker API** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +### Enable Docker MCP Toolkit (Beta) -> [!NOTE] -> -> In hardened environments, disable and lock this setting. This ensures the -Docker API is only reachable via the secure internal socket. +Enables [Docker MCP Toolkit](/manuals/ai/mcp-catalog-and-toolkit/_index.md) in Docker Desktop for AI model development workflows. -### Air-gapped container proxy +| Property | Value | +|---|---| +| Default | `true` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `enableDockerMCPToolkit` | +| Admin Console | Not available | -| Default value | Accepted values | Format | -| ------------- | --------------- | ----------- | -| See example | Object | JSON object | +## Enhance container isolation -- **Description:** HTTP/HTTPS proxy configuration for containers in air-gapped environments. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Provide controlled network access for containers in offline or restricted network environments. -- **Configure this setting with:** - - Settings Management: `containersProxy` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Containers proxy** section in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +### Enable Enhanced Container Isolation -#### Example +Prevents containers from modifying Docker Desktop VM configuration or accessing sensitive host areas. 
-```json -"containersProxy": { - "locked": true, - "mode": "manual", - "http": "", - "https": "", - "exclude": [], - "pac": "", - "transparentPorts": "" -} -``` +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `enhancedContainerIsolation` | +| Admin Console | **Enable enhanced container isolation** | ### Docker socket access control (ECI exceptions) -| Default value | Accepted values | Format | -| ------------- | --------------- | ----------- | -| - | Object | JSON object | - -- **Description:** Specific images and commands allowed to use the Docker socket when Enhanced Container Isolation is active. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Support tools like Testcontainers, LocalStack, or CI systems that need Docker socket access while maintaining security. -- Configure this setting with: - - Settings Management: `enhancedContainerIsolation` > `dockerSocketMount` in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Command list** in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +Defines specific images and commands allowed to use the Docker socket when Enhanced Container Isolation is active. Supports tools like Testcontainers, LocalStack, or CI systems that need Docker socket access while maintaining security. -#### Example +| Property | Value | +|---|---| +| Accepted values | JSON object | +| Format | JSON object | +| JSON key | ``dockerSocketMount` | +| Admin Console | **Image list**, **Command list** | ```json "enhancedContainerIsolation": { 
@@ -1175,117 +620,63 @@ Docker API is only reachable via the secure internal socket. } ``` -### Allow beta features +## Network -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `false` | `true`, `false` | Boolean | +### Networking mode -- **Description:** Access to Docker Desktop features in public beta. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Provide early access to features in development for testing and feedback. -- **Configure this setting with:** - - Settings Management: `allowBetaFeatures` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Access beta features** +Sets the default IP protocol used when Docker creates new networks. -> [!NOTE] -> -> In hardened environments, disable and lock this setting. - -### Docker daemon options (Linux or Windows) - -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `{}` | JSON object | Stringified JSON | - -- **Description:** Override the Docker daemon configuration used in Linux or Windows containers. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Configure advanced daemon options without modifying local configuration files. -- **Configure this setting with:** - - Settings Management: `linuxVM.dockerDaemonOptions` or `windowsContainers.dockerDaemonOptions` in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - -> [!NOTE] -> -> In hardened environments, provide a vetted JSON config and lock it so no -overrides are possible. 
+| Property | Value | +|---|---| +| Default | `dual-stack` | +| Accepted values | `ipv4only`, `ipv6only` | +| Format | String | +| JSON key | `defaultNetworkingMode` | +| Admin Console | **Default network IP mode** | -### VPNKit CIDR - -| Default value | Accepted values | Format | -|-------------------|-----------------|--------| -| `192.168.65.0/24` | CIDR notation | String | - -- **Description:** Network subnet used for Docker Desktop's internal VPNKit DHCP/DNS services. -- **OS:** {{< badge color=blue text="Mac only" >}} -- **Use case:** Prevent IP address conflicts in environments with overlapping network subnets. -- **Configure this setting with:** - - Settings Management: `vpnkitCIDR` setting in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **VPN Kit CIDR** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) - -> [!NOTE] -> -> In hardened environments, lock to an approved, non-conflicting CIDR. - -### Enable Kerberos and NTLM authentication - -| Default value | Accepted values | Format | -|---------------|-----------------|--------| -| `false` | `true`, `false` | Boolean | +For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows). -- **Description:** Enterprise proxy authentication support for Kerberos and NTLM protocols. -- **OS:** {{< badge color=blue text="All" >}} -- **Use case:** Support enterprise proxy servers that require Kerberos or NTLM authentication. 
-- **Configure this setting with:** - - Settings Management: `proxy.enableKerberosNtlm` in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Kerberos NTLM** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +### Inhibit DNS resolution for IPv4/IPv6 -### PAC file URL +Filters unsupported DNS record types to improve reliability in environments where only IPv4 or IPv6 is supported. Requires Docker Desktop 4.43 and later. -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `""` | PAC file URL | String | +| Property | Value | +|---|---| +| Default | `auto` | +| Accepted values | `ipv4`, `ipv6`, `none` | +| Format | String | +| JSON key | `dnsInhibition` | +| Admin Console | **DNS filtering behavior** | -- **Description:** Specifies a PAC file URL. For example, `"pac": "http://proxy/proxy.pac"`. -- **OS:** {{< badge color=blue text="All" >}} -- **Configure this setting with:** - - Settings Management: `pac` in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **PAC file** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows). -### Embedded PAC script +### Port binding behavior -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `""` | Embedded PAC script | String | +Specify how port bindings are handled for new containers. -- **Description:** Specifies an embedded PAC (Proxy Auto-Config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }"`. 
-- **OS:** {{< badge color=blue text="All" >}} -- **Configure this setting with:** - - Settings Management: `embeddedPac` in the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Embedded PAC script** setting in the [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +| Property | Value | +|---|---| +| Default | `default-port-binding` | +| Accepted values | `default-local-port-binding`, `local-only-port-binding`, `default-port-binding` | +| Format | String | +| JSON key | `portBindingBehavior` | +| Admin Console | **Port binding behavior** | +## Other -### Custom Kubernetes image repository +### Enable Docker Offload -| Default value | Accepted values | Format | -|---------------|-----------------|----------| -| `""` | Registry URL | String | +Controls Docker Offload availability. When enabled, users see the Docker Offload toggle in the Docker Desktop header. -- **Description**: Registry used for Kubernetes control plane images instead of Docker Hub. This allows Docker Desktop to pull Kubernetes system -images from a private registry or mirror instead of Docker Hub. This setting -overrides the `[registry[:port]/][namespace]` portion of image names. -- **OS**: {{< badge color=blue text="All" >}} -- **Use case**: Support air-gapped environments or when Docker Hub access is restricted. 
-- **Configure this setting with**: - - Settings Management: `KubernetesImagesRepository` settings in the - [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md) - - Settings Management: **Kubernetes Images Repository** setting in the - [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md) +| Property | Value | +|---|---| +| Default | `false` | +| Accepted values | `true`, `false` | +| Format | Boolean | +| JSON key | `enableCloud` | +| Admin Console | **Enable Docker Offload** | > [!NOTE] > -> Images must be mirrored from Docker Hub with matching tags. Required images depend on the cluster provisioning method. - -> [!IMPORTANT] -> -> When using custom image repositories with Enhanced Container Isolation, add these images to the ECI allowlist: `[imagesRepository]/desktop-cloud-provider-kind:*` and -`[imagesRepository]/desktop-containerd-registry-mirror:*`. +> This setting is only available when Docker Offload capability is enabled for +> the organization. From 3ce222fe6bb3939a9b67389adc1b3b3708d63910 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Tue, 7 Apr 2026 14:48:26 +0100 Subject: [PATCH 2/3] ai review --- .../settings-management/settings-reference.md | 20 ++++--------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md index 06b4a9d10e3d..a7a82f0b88be 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md 
@@ -105,7 +105,7 @@ Prevents the onboarding survey from being shown to new users. | JSON key | `displayedOnboarding` | | Admin Console | **Hide onboarding survey** | -### Enable Docker terminal `All platforms` +### Enable Docker terminal Allows or restricts access to the built-in terminal for host system interaction. When set to `false`, users cannot use the Docker terminal to interact with the host machine or execute commands directly from Docker Desktop. @@ -118,7 +118,7 @@ Allows or restricts access to the built-in terminal for host system interaction. | JSON key | `desktopTerminalEnabled` | | Admin Console | Not available | -### Expose Docker API on TCP 2375 {{< badge color=blue text="Windos only" >}} +### Expose Docker API on TCP 2375 {{< badge color=blue text="Windows only" >}} Exposes the Docker API over an unauthenticated TCP socket on port 2375. Only recommended for isolated and protected environments. Supports legacy integrations that require TCP API access. @@ -135,18 +135,6 @@ Exposes the Docker API over an unauthenticated TCP socket on port 2375. Only rec > In hardened environments, disable and lock this setting. This ensures the Docker API is only reachable via the secure internal socket. -### Enable Docker terminal - -Allows or restricts access to the built-in terminal for host system interaction. When set to `false`, users cannot use the Docker terminal to interact with the host machine or execute commands directly from Docker Desktop. - -| Property | Value | -|---|---| -| Default | `false` | -| Accepted values | `true`, `false` | -| Format | Boolean | -| JSON key | `desktopTerminalEnabled` | -| Admin Console | Not availabe | - ## Extensions ### Enable Docker extensions 
@@ -357,7 +345,7 @@ Specifies a PAC file URL for Docker Desktop to use when routing network traffic. | JSON key | `pac` | | Admin Console | **PAC file** | -### Override Windows "dockerd" port {{< badge color=blue text="Mac only" >}} +### Override Windows "dockerd" port {{< badge color=blue text="Windows only" >}} Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. @@ -462,7 +450,7 @@ Sets the network subnet used for Docker Desktop's internal VPNKit DHCP/DNS servi ### Docker daemon options -Overrides the Docker daemon configuration used inWindows containers, without modifying local configuration files. +Overrides the Docker daemon configuration used in Windows containers, without modifying local configuration files. | Property | Value | |---|---| From e19681a881038de5ac3e303eb8525b08b8c0e5a5 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Wed, 8 Apr 2026 10:47:40 +0100 Subject: [PATCH 3/3] review edits --- .../settings-management/settings-reference.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md index a7a82f0b88be..471d33be9af8 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/settings-reference.md 
@@ -3,6 +3,7 @@ title: Settings reference linkTitle: Settings reference description: Complete reference for all Docker Desktop settings and configuration options keywords: docker desktop settings, configuration reference, admin controls, settings management +toc_max: 2 aliases: - /security/for-admins/hardened-desktop/settings-management/settings-reference/ --- @@ -11,7 +12,7 @@ This reference documents Docker Desktop settings that administrators can configu > [!NOTE] > -> This page covers admin-configurable settings only. Settings that are only available to end users via the Docker Desktop GUI are not included here. For the full list of Docker Desktop user-facing settings, see [Change settings](/manuals/desktop/settings-and-maintenance/settings.md). +> This page only covers configurable settings for administrators who are deploying Docker Desktop to their organization. For the full list of Docker Desktop user-facing settings, see [Change settings](/manuals/desktop/settings-and-maintenance/settings.md). ## General @@ -74,7 +75,9 @@ Allows Docker Desktop to automatically update components that do not require a r | JSON key | `enableDockerAI` | | Admin Console | **Enable Gordon** | -> **Important:** Docker Business customers must set this to `"Enabled"` or `"Always Enabled"` in the Admin Console. Setting to `"User Defined"` alone will not activate Gordon. +> [!IMPORTANT] +> +> Docker Business customers must set this to `"Enabled"` or `"Always Enabled"` in the Admin Console. Setting to `"User Defined"` alone will not activate Gordon. ### Block `docker load` @@ -408,6 +411,8 @@ Configures an HTTP/HTTPS proxy for containers in air-gapped environments, provid } ``` +For more information, see [Air-gapped containers](/manuals/enterprise/security/hardened-desktop/air-gapped-containers.md). + ## LinuxVM ### Enable WSL engine {{< badge color=blue text="Windows only" >}}
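Review bot: In PATCH 1/3, in the hunk that ends at the "Docker socket access control (ECI exceptions)" section, the new JSON key cell for `dockerSocketMount` opens with two backticks and closes with one, so the code span will not render. The cell also drops the parent key that the removed text gave as `enhancedContainerIsolation` > `dockerSocketMount`, which is the nesting the JSON example right below it uses. Suggest writing it as `enhancedContainerIsolation.dockerSocketMount`, in the dotted style already used for `linuxVM.dockerDaemonOptions`, so an admin editing `admin-settings.json` does not place the key at the top level. Smaller items in the same hunk that PATCH 2/3 and 3/3 do not pick up: the LinuxVM row reads "Docker Deamon options", the section heading is "Enhance container isolation" while the setting under it is "Enhanced Container Isolation", and the tables for Show system containers, Cluster provisioning method, Node version and Nodes count have no JSON key row, unlike every other table in the hunk.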
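Review bot: In PATCH 1/3, the `@@ -1175,117 +620,63 @@` hunk deletes the "In hardened environments ..." notes for Allow beta features, Docker daemon options and VPNKit CIDR, and the replacement sections added earlier in the patch (Access beta features, both Docker daemon options entries, VPNKit CIDR) carry only the property table, so the lock-and-vet guidance for those three settings disappears from a page under hardened-desktop. The Expose Docker API on TCP 2375 section still has its note, so the omission looks unintentional; suggest carrying the three notes over as `> [!NOTE]` blocks under the new tables. In the added Network section of the same hunk, the defaults are not among the accepted values: Networking mode lists default `dual-stack` with accepted values `ipv4only`, `ipv6only`, and Inhibit DNS resolution lists default `auto` with accepted values `ipv4`, `ipv6`, `none`. Either add the default to the accepted values or say that it applies when the key is unset, otherwise an admin cannot tell how to set the default explicitly.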