"admin-settings.json" enforces sign-in, while it should not

[hilari0n]

Description

According to documentation:

You first need to enforce sign-in to ensure that all Docker Desktop developers authenticate with your organization. Since the Settings Management feature requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in.

Next, you must either:

• Manually create and configure the admin-settings.json file, or use the --admin-settings installer flag on macOS or Windows to automatically create the admin-settings.json and save it in the correct location.
• Fill out the Settings policy creation form in the Docker Admin Console.

This implies, that the admin-settings.json file is not supposed to enforce sign-in by its own and that you have to do the enforcing separately.
This is not so, with the current (4.38.0) Docker Desktop version on Windows (11).
When I created the file, without applying the enforcement steps, the Docker Desktop app forced the sign-in anyway.

Reproduce

1. Install Docker Desktop 4.38.0 on Windows.
2. Create a valid Json file named admin-settings.json under path C:\ProgramData\DockerDesktop\admin-settings.json.
3. Start Docker Desktop.
4. Docker Desktop forces you to sign in (shows "Sign in required!" dialog window, only offering to "Close Application" or to "Sign in").

Expected behavior

1. Install Docker Desktop 4.38.0 on Windows.
2. Create a valid Json file named admin-settings.json under path C:\ProgramData\DockerDesktop\admin-settings.json.
3. Start Docker Desktop.
4. Docker Desktop allows you to work without signing in.

docker version

Client:
 Version:           27.5.1
 API version:       1.47
 Go version:        go1.22.11
 Git commit:        9f9e405
 Built:             Wed Jan 22 13:41:44 2025
 OS/Arch:           windows/amd64
 Context:           desktop-linux

Server: Docker Desktop 4.38.0 (181591)
 Engine:
  Version:          27.5.1
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.11
  Git commit:       4c9b3b0
  Built:            Wed Jan 22 13:41:17 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.25
  GitCommit:        bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e946
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.5.1
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  ai: Ask Gordon - Docker Agent (Docker Inc.)
    Version:  v0.7.3
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-ai.exe
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.20.1-desktop.2
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-buildx.exe
  compose: Docker Compose (Docker Inc.)
    Version:  v2.32.4-desktop.1
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-compose.exe
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.38
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-debug.exe
  desktop: Docker Desktop commands (Beta) (Docker Inc.)
    Version:  v0.1.4
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-desktop.exe
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-dev.exe
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.27
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-extension.exe
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-feedback.exe
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.4.0
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-init.exe
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-sbom.exe
  scout: Docker Scout (Docker Inc.)
    Version:  v1.16.1
    Path:     C:\Users\XXX\.docker\cli-plugins\docker-scout.exe

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 42
 Server Version: 27.5.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc version: v1.1.12-0-g51d5e946
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
 Kernel Version: 5.15.167.4-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 24
 Total Memory: 15.43GiB
 Name: docker-desktop
 ID: df562a23-434b-40ed-97d9-70b6589e58c2
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=npipe://\\.\pipe\docker_cli
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile

Diagnostics ID

AEECB6F4-4558-4399-9A63-E38CE48B4BCE/20250203155933

Additional Info

docker version and docker info information is provided when no admin-settings.json file is present.
Diagnostic file was produced (using command line), when admin-settings.json file was present and before signing in.

What is interesting, is that the file content is applied anyway, even when I'm not signed in. I noticed this, as my own settings were for Docker to use a dedicated manually set up proxy (as access without it is blocked and - for some reason - Docker does not play well with my system proxy settings) and my initial admin-settings.json was taken from examples (with locked changed to false), so it indicated proxy mode system. This caused various errors in the logs and also blocked the diagnostic file upload, even when the setting was not locked, so should have used my settings (manual), but it did not. (It overwrote my settings, so even when I remove the admin-settings.json file and restart, my proxy settings are gone and replaced with what I had in the admin-settings.json file.) I had to provide the manual proxy setup in admin-settings.json (as below), to get the diagnostic file uploaded.

The content of the admin-settings.json file used:

{
	"configurationFileVersion": 2,
	"analyticsEnabled": {
		"locked": false,
		"value": false
	},
	"allowExperimentalFeatures": {
		"locked": false,
		"value": false
	},
	"allowBetaFeatures": {
		"locked": false,
		"value": false
	},
	"enableDockerAI": {
		"locked": false,
		"value": false
	},
	"proxy": {
		"locked": false,
		"mode": "manual",
		"http": "http://localhost:8888",
		"https": "http://localhost:8888",
		"exclude": [
			"localhost",
			"127.0.0.0/8",
			"0.0.0.0/8",
			"10.0.0.0/8",
			"192.168.0.0/16",
			"192.0.0.0/24",
			"198.18.0.0/15",
			"172.16.0.0/12",
			"169.254.0.0/16"
		]
	}
}

[jpbriend]

Hi @hilari0n ,
The difference is subtle.

The first line in the documentation You first need to [enforce sign-in](https://docs.docker.com/security/for-admins/enforce-sign-in/) to ensure that all Docker Desktop developers authenticate with your organization means that you can enforce sign-in for your organization only. Meaning using an account bound to another organization will be refused by Docker Desktop.

admin-settings.json requires a Business subscription. Thus it will enforce sign-in when deployed but any valid Business subscription will "unlock" Docker Desktop.

[hilari0n]

The first line in the documentation You first need to [enforce sign-in](https://docs.docker.com/security/for-admins/enforce-sign-in/) to ensure that all Docker Desktop developers authenticate with your organization means that you can enforce sign-in for your organization only.

If it was meant to say "you can enforce", then it would not say "You first need to enforce". So it either is not working, as intended, or is not documented as intended.

As for:

admin-settings.json requires a Business subscription. Thus it will enforce sign-in when deployed but any valid Business subscription will "unlock" Docker Desktop.

There's at least two things wrong with it:

1. If admin-settings.json requires a Business subscription, it could (and should) simply be ignored, without one and "be unlocked", when one is used.
2. It actually does (at least partially) work without valid Business subscription, as it has shown me, by messing up my proxy settings even before I got to log in, so it's not true, that it requires the subscription to work.

---

PS.: The choice of what is behind a Business subscription is at least weird, e.g., you can't use SOCKS proxy, without Business subscription. So when you set it up in Docker without being logged in, you will get errors on almost any action (and not those clear ones, that you can't use SOCKS without Business, but those bogus ones on invalid characters or something). This is including a user trying to log in. So if you are a business user, who must use a SOCKS proxy to access Internet, you will not be able to log in to Docker, for it to be able to acknowledge, that you are a paying Business user, to allow you to use SOCKS proxy.