Documentation · Organization admin

Admin Console Guide

The admin console is BeProof's web UI for security and fleet teams. It aggregates posture from managed Mac endpoints enrolled in your organization — heartbeat, audit freshness, sanitized review items, and signed policy bundles.

Overview

Fleetin BeProof means your organization's enrolled managed Macs — not a separate product. Each endpoint runs the BeProof app in managed mode, sends signed metadata-only summaries to the control plane, and pulls org policy overlays. The admin console is the read-and-respond layer for security teams.

  • Endpoint app — local audit, policy evaluation, evidence on device.
  • Control plane API — enrollment, heartbeat, ingest, review queue, policy distribution.
  • Admin console (this UI) — fleet dashboard, inventory, analyst queue, policy publish.

Getting started

Production admin console: sign in at /fleet/login with your organization email and password (Firebase Identity Platform). Local demo builds may still offer a one-click Acme Corp walkthrough with sample data.

Sign-in · organization admin console
  1. Sign in → confirm your tenant badge (e.g. Acme Corp) appears in the header. If you belong to multiple orgs, use the tenant switcher to pick the active context.
  2. Org admins: open Members to invite analysts and fleet admins (copy the one-time password link securely).
  3. Open Enrollment Create token → run the CLI command on each managed Mac.
  4. Run a managed audit on the endpoint — heartbeat and signed summaries appear on the dashboard.
  5. Analysts triage the review queue; org admins publish policy bundle updates.

Ops runbook for GCP bootstrap (Identity Platform, Vercel env, membership): see infra/gcp/REAL_PILOT.md in the repository.

Fleet dashboard

Organization-wide posture: active devices, 24h reporting, stale audit rate (POL-M02), per-device health, and shortcuts to open review items.

  • Fleet health score combines reporting coverage and stale-audit rate.
  • Device health table shows heartbeat overdue vs stale audit vs healthy states.
  • Open review banner links directly to analyst workflow when findings exist.
Fleet dashboard

Managed endpoints (Devices)

Inventory of enrolled Macs with app version, enrollment time, last heartbeat, and active policy bundle revision.

  • Each row maps to a device credential issued at fleet enroll time.
  • Health badges mirror dashboard logic (healthy, heartbeat overdue, stale audit, needs attention).
  • Policy revision shows which signed bundle the endpoint will pull on next sync.
Managed endpoints (Devices)

Review queue

Sanitized analyst workflow for policy violations surfaced from managed endpoint audits — title, summary, severity, rule id, device hostname. No raw evidence paths.

  • Severity counts (high / medium / low) help prioritize analyst work.
  • Bulk approve is available to org_admin and security_analyst roles.
  • Assignments sync back to endpoints as review decisions on the next collector run.
Review queue

Policy bundle publish

Org admins publish a signed org overlay + allowlist JSON bundle. Enrolled endpoints download the new revision on the next policy sync.

  • Revision is optional — control plane assigns a timestamped id when omitted.
  • Bundles are Ed25519-signed; endpoints verify signature before applying overlay.
  • Personal-mode Macs do not enroll; policy distribution targets managed endpoints only.
Policy bundle publish

Device enrollment tokens

Org admins issue one-time enrollment tokens from the admin console. Each token is single-use, expires after 72 hours by default, and binds the endpoint to your tenant org policy.

  • Sign in at /fleet/login with your organization Firebase account.
  • Open Enrollment → Create token → copy the CLI command shown on screen.
  • Deliver the token via MDM script or secure handoff — do not reuse dev-enroll-token-acme.
  • After enroll, the endpoint appears under Devices and begins heartbeat on the next collector run.
Device enrollment tokens

Org members & audit

Org admins invite additional console users by email and role. Fleet admins can view the roster read-only. All invite, role change, and remove actions are recorded in the admin audit log.

  • Open Members → Create invite → copy the one-time password link (shown once, like enrollment tokens).
  • Invite links use your BeProof domain (www.beproof.co); the invited user sets a password then signs in at /fleet/login.
  • Roles include org_admin, fleet_admin, security_analyst, and auditor_readonly. Last org_admin guard prevents lockout.
  • Users with memberships in multiple tenants switch org context from the header dropdown; API calls scope to the active tenant.
  • Org admins see an Audit log section with recent org_membership.* events (who invited, changed role, or removed a member).
Org members & audit

Roles & access

Admin roles are stored in the control plane per tenant and resolved via /api/v1/me after Firebase sign-in. Demo builds may use dev headers locally; production requires Identity Platform id tokens.

RoleCapabilities
org_adminFull access: metrics, review mutations, policy publish, enrollment tokens, member invite/remove/role, admin audit log
security_analystReview queue assign + bulk approve/exception
fleet_adminRead fleet state + create enrollment tokens + read-only members list; no review mutations, policy publish, or member changes
auditor_readonlyRead-only fleet and review queue

Architecture

Policy evaluation stays on the endpoint. The control plane never receives raw SQLite databases or secret values — only signed, metadata-only fleet summaries and heartbeat fields defined in the fleet evidence contract (packages/contracts). The admin console reads that org-scoped posture; it does not scan workstations.

See also Reference architecture, Managed deployment (MDM), and Policy Pack v1.2.2.