docker · sarahsanders-docker · Jun 10, 2025 · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025
diff --git a/.markdownlint.json b/.markdownlint.json
@@ -13,7 +13,7 @@
   "no-space-in-code": true,
   "no-space-in-links": true,
   "no-empty-links": true,
-  "ol-prefix": {"style": "ordered"},
+  "ol-prefix": {"style": "one_or_ordered"},
   "no-reversed-links": true,
   "reference-links-images": {
     "shortcut_syntax": false

@@ -70,9 +70,10 @@ The chart contains the following data.
 | Active user | The number of users that have actively used Docker Desktop and either signed in with a Docker account that has a license in your organization or signed in to a Docker account with an email address from a domain associated with your organization. <br><br>Users who don’t sign in to an account associated with your organization are not represented in the data. To ensure users sign in with an account associated with your organization, you can [enforce sign-in](/security/for-admins/enforce-sign-in/). |
 | Total organization members | The number of users that have used Docker Desktop, regardless of their Insights activity. |
 | Users opted out of analytics | The number of users that are a member of your organization that have opted out of sending analytics. <br><br>When users opt out of sending analytics, you won't see any of their data in Insights. To ensure that the data includes all users, you can use [Settings Management](/desktop/hardened-desktop/settings-management/) to set `analyticsEnabled` for all your users. |
+| Unassociated machines | Users who have actively used Docker Desktop but aren't signed in with a licensed Docker account or an email address from a domain associated with the organization. |
+| Registered users | Users linked to unassociated machines where email addresses have been captured but are outside the organization's domain |
 | Active users (graph) | The view over time for total active users. |
 
-
 ### Builds
 
 Monitor development efficiency and the time your team invests in builds with

@@ -30,13 +30,13 @@
 - /desktop/get-started/
 ---
 
-Docker recommends signing in with the **Sign in** option in the top-right corner of the Docker Dashboard. 
+Docker recommends signing in with the **Sign in** option in the top-right corner of the Docker Dashboard.
 
-In large enterprises where admin access is restricted, administrators can [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). 
+In large enterprises where admin access is restricted, administrators can [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md).
 
 > [!TIP]
 >
-> Explore [Docker's core subscriptions](https://www.docker.com/pricing/) to see what else Docker can offer you. 
+> Explore [Docker's core subscriptions](https://www.docker.com/pricing/) to see what else Docker can offer you.
 
 ## Benefits of signing in
 
@@ -48,7 +48,7 @@
 
 > [!NOTE]
 >
-> Docker Desktop automatically signs you out after 90 days, or after 30 days of inactivity. 
+> Docker Desktop automatically signs you out after 90 days, or after 30 days of inactivity.
 
 ## Signing in with Docker Desktop for Linux
 
@@ -60,8 +60,8 @@
 
    ``` console
    $ gpg --generate-key
-   ``` 
-2. Enter your name and email once prompted. 
+   ```
+2. Enter your name and email once prompted.
 
    Once confirmed, GPG creates a key pair. Look for the `pub` line that contains your GPG ID, for example:
 
@@ -75,9 +75,9 @@
 
    ```console
    $ pass init <your_generated_gpg-id_public_key>
-   ``` 
+   ```
 
-   You should see output similar to: 
+   You should see output similar to:
 
    ```text
    mkdir: created directory '/home/molly/.password-store/'
@@ -91,14 +91,34 @@
 $ docker pull molly/privateimage
 Using default tag: latest
 latest: Pulling from molly/privateimage
-3b9cc81c3203: Pull complete 
+3b9cc81c3203: Pull complete
 Digest: sha256:3c6b73ce467f04d4897d7a7439782721fd28ec9bf62ea2ad9e81a5fb7fb3ff96
 Status: Downloaded newer image for molly/privateimage:latest
 docker.io/molly/privateimage:latest
 ```
 
+## Why do I need to sign in?
+
+By default, Docker Desktop does not require sign in.
+
+If Docker Desktop is prompting you to sign in, it may be due to policies set
+by your organization's administrator.
+
+### Organization sign-in enforcement
+
+Your organization requires all users to sign in and be members of the
+organization to use Docker Desktop. This provides enhanced security and ensures
+only authorized users can access Docker Desktop. For more information, see [Enforce sign-in for Docker Desktop](/manuals/security/for-admins/enforce-sign-in/_index.md).
+
+### Unassociated machine identification
+
+Your organization wants to identify who is using Docker Desktop on machines
+that appear to belong to your company. You can sign in with any email address.
+This helps administrators understand Docker usage across the organization. For
+more information, see [Manage unassociated machines](/manuals/security/for-admins/unassociated-machines.md).
+
 ## What's next?
 
-- [Explore Docker Desktop](/manuals/desktop/use-desktop/_index.md) and its features. 
+- [Explore Docker Desktop](/manuals/desktop/use-desktop/_index.md) and its features.
 - Change your [Docker Desktop settings](/manuals/desktop/settings-and-maintenance/settings.md).
 - [Browse common FAQs](/manuals/desktop/troubleshoot-and-support/faqs/general.md).
@@ -31,10 +31,18 @@ grid_admins:
   description: Configure sign-in for members of your teams and organizations.
   link: /security/for-admins/enforce-sign-in/
   icon: passkey
+- title: Domain management
+  description: Learn how to manage domains and users in the Admin Console.
+  link: /security/for-admins/domain-management/
+  icon: domain_verification
 - title: Domain audit
   description: Identify uncaptured users in your organization.
   link: /security/for-admins/domain-audit/
   icon: person_search
+- title: Manage unassociated machines
+  description: Learn how to manage unassociated machines using the Docker Admin Console.
+  link: /security/for-admins/unassociated-machines/
+  icon: desktop_windows
 - title: Docker Scout
   description: Explore how Docker Scout can help you create a more secure software supply chain.
   icon: query_stats

@@ -0,0 +1,205 @@
+---
+title: Manage unassociated machines
+description: Learn how to manage unassociated machines using the Docker Admin Console
+keywords: unassociated machines, insights, manage users, enforce sign-in
+weight: 56
+---
+
+{{< summary-bar feature_name="Unassociated machines" >}}
+
+Docker administrators can identify, view, and manage Docker Desktop machines
+that are likely associated with their organization but aren't currently linked
+to user accounts. This self-service capability helps you understand Docker
+Desktop usage across your organization and streamline user onboarding without
+IT involvement.
+
+## Prerequisites
+
+- Docker Business subscription
+- Organization owner access to your Docker organization
+
+## About unassociated machines
+
+Unassociated machines are Docker Desktop instances that Docker has identified
+as likely belonging to your organization based on usage patterns, but the users
+are not signed in to Docker Desktop with an account that is part of your
+organization.
+
+## How Docker identifies unassociated machines
+
+Docker uses telemetry data to identify which machines likely belong to your
+organization:
+
+- Domain matching: Users signed in with email domains associated with your
+organization
+- Registry patterns: Analysis of container registry access patterns that
+indicate organizational usage
+
+## View unassociated machines
+
+To see detailed information about unassociated machines:
+
+1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
+your organization.
+1. In **User management**, select **Unassociated**.
+
+The machine list displays:
+
+- Machine ID (Docker-generated identifier)
+- The registry address used to predict whether a user is part of your
+organization
+- User email (only displays if the user is signed into Docker Desktop while
+using it)
+- Docker Desktop version
+- Operating system (OS)
+- Last activity date
+- Sign-in enforced status
+
+You can:
+
+- Export the list as CSV
+- Take actions on individual or multiple machines
+
+## Enable sign-in enforcement for unassociated machines
+
+> [!NOTE]
+>
+> Sign-in enforcement for unassociated machines is different from
+the [organization-level sign-in enforcement](/security/for-admins/enforce-sign-in/)
+available through `registry.json` and configuration profiles. This sign-in
+enforcement only requires users to sign in so admins can identify who is
+using the machine, meaning users can sign in with any email address. For more
+stringent security controls that limit sign-ins to users who are already part
+of your organization, see [Enforce sign-in](/security/for-admins/enforce-sign-in/).
+
+Sign-in enforcement helps you identify who is using unassociated machines in
+your organization. When you enable enforcement, users on these machines will
+be required to sign in to Docker Desktop. Once they sign in, their email
+addresses will appear in the Unassociated list, allowing you to then add them
+to your organization.
+
+> [!IMPORTANT]
+>
+> Sign-in enforcement only takes effect after Docker Desktop is restarted.
+Users can continue using Docker Desktop until their next restart.
+
+### Enable for all unassociated machines
+
+1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
+your organization.
+1. In **User management**, select **Unassociated**.
+1. Turn on the **Enforce sign-in** toggle.
+1. In the pop-up modal, select **Require sign-in** to confirm.
+
+The **Sign-in required** status will update for all unassociated machines to
+**Yes**.
+
+> [!NOTE]
+>
+> When you enable sign-in enforcement for all unassociated machines, any new
+machines detected in the future will automatically have sign-in enforcement
+enabled. Sign-in enforcement requires Docker Desktop version 4.41 or later.
+Users with older versions will not be prompted to sign in and can continue
+using Docker Desktop normally until they update. Their status shows
+as **Pending** until they update to version 4.41 or later.
+
+### Enable for individual unassociated machines
+
+1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
+your organization.
+1. In **User management**, select **Unassociated**.
+1. Locate the machine you want to enable sign-in enforcement for.
+1. Select the **Actions** menu and choose **Turn on sign-in enforcement**.
+1. In the pop-up modal, select **Require sign-in** to confirm.
+
+The **Sign-in required** status will update for the individual machine to
+**Yes**.
+
+> [!NOTE]
+>
+> Sign-in enforcement requires Docker Desktop version 4.41 or later. Users
+with older versions will not be prompted to sign in and can continue using
+Docker Desktop normally until they update. Their status shows as **Pending**
+until they update to version 4.41 or later.
+
+### What happens when users sign in
+
+After you enable sign-in enforcement:
+
+1. Users must restart Docker Desktop. Enforcement only takes effect after
+restart.
+1. When users open Docker Desktop, they see a sign-in prompt. They must sign
+in to continue using Docker Desktop.
+1. User email addresses appear in the **Unassociated** list.
+1. You can add users to your organization.
+
+Users can continue using Docker Desktop immediately after signing in, even
+before being added to your organization.
+
+## Add unassociated machines to your organization
+
+When users in your organization use Docker without signing in, their machines
+appear in the **Unassociated** list. You can add these users to your
+organization in two ways:
+
+- Automatic addition:
+    - Auto-provisioning: If you have verified domains with auto-provisioning
+    enabled, users who sign in with a matching email domain will automatically
+    be added to your organization. For more information on verifying domains and
+    auto-provisioning, see [Domain management](/manuals/security/for-admins/domain-management.md).
+    - SSO user provisioning: If you have SSO configured with
+    [Just-in-Time provisioning](/manuals/security/for-admins/provisioning/just-in-time.md),
+    users who sign in through your SSO connection will automatically be added
+    to your organization.
+- Manual addition: If you don't have auto-provisioning or SSO set up, or if a
+user's email domain doesn't match your configured domains, their email will
+appear in the **Unassociated** list where you can choose to add them directly.
+
+> [!NOTE]
+>
+> If you add users and do not have enough seats in your organization, a
+pop-up will appear prompting you to **Get more seats**.
+
+### Add individual users
+
+1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
+your organization.
+1. In **User management**, select **Unassociated**.
+1. Locate the machine you want to add to your organization.
+1. Select the **Actions** menu and choose **Add to organization**.
+1. In the pop-up modal, select **Add user**.
+
+### Bulk add users
+
+1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
+your organization.
+1. In **User management**, select **Unassociated**.
+1. Use the **checkboxes** to select the machines you want to add to your
+organizations.
+1. Select the **Add to organization** button.
+1. In the pop-up modal, select **Add users** to confirm.
+
+## Disable sign-in enforcement
+
+### Disable for all unassociated machines
+
+1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
+your organization.
+1. In **User management**, select **Unassociated**.
+1. Turn off the **Enforce sign-in** toggle.
+1. In the pop-up modal, select **Turn off sign-in requirement** to confirm.
+
+The **Sign-in required** status will update for all unassociated machines to
+**No**.
+
+### Disable for specific unassociated machines
+
+1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
+your organization.
+1. In **User management**, select **Unassociated**.
+1. Locate the machine you want to disable sign-in enforcement for.
+1. Select the **Actions** menu and choose **Turn off sign-in enforcement**.
+1. In the pop-up modal, select **Turn off sign-in requirement** to confirm.
+
+The **Sign-in required** status will update for the individual machine to
+**No**.
diff --git a/data/summary.yaml b/data/summary.yaml
@@ -230,6 +230,10 @@ SSO:
   for: Administrators
 Synchronized file sharing:
   subscription: [Pro, Team, Business]
+Unassociated machines:
+  subscription: [Business]
+  for: Administrators
+  requires: Docker Desktop [4.41](/manuals/desktop/release-notes.md#4410) and later
 USB/IP support:
   requires: Docker Desktop [4.35.0](/manuals/desktop/release-notes.md#4350) and later
   for: Docker Desktop for Mac, Linux, and Windows with the Hyper-V backend