diff --git a/assets/images/enterprise/github-ae/enterprise-account-settings-authentication-security-tab.png b/assets/images/enterprise/github-ae/enterprise-account-settings-authentication-security-tab.png new file mode 100644 index 0000000000..b189dfed6c Binary files /dev/null and b/assets/images/enterprise/github-ae/enterprise-account-settings-authentication-security-tab.png differ diff --git a/assets/images/help/business-accounts/enterprise-account-settings-authentication-security-tab.png b/assets/images/help/business-accounts/enterprise-account-settings-authentication-security-tab.png new file mode 100644 index 0000000000..aa9e7ab466 Binary files /dev/null and b/assets/images/help/business-accounts/enterprise-account-settings-authentication-security-tab.png differ diff --git a/assets/images/help/security/check-ip-address.png b/assets/images/help/security/check-ip-address.png new file mode 100644 index 0000000000..b9859c672a Binary files /dev/null and b/assets/images/help/security/check-ip-address.png differ diff --git a/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise.md b/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise.md index 8b031cfece..bfdd817cca 100644 --- a/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise.md +++ b/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise.md @@ -30,12 +30,15 @@ For instance-level restrictions using Azure NSGs, contact {% data variables.cont ## Adding an allowed IP address +{% data reusables.identity-and-permissions.about-adding-ip-allow-list-entries %} + {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} {% data reusables.identity-and-permissions.ip-allow-lists-add-ip %} {% data reusables.identity-and-permissions.ip-allow-lists-add-description %} {% data reusables.identity-and-permissions.ip-allow-lists-add-entry %} +{% data reusables.identity-and-permissions.check-ip-address %} ## Allowing access by {% data variables.product.prodname_github_apps %} @@ -43,6 +46,8 @@ For instance-level restrictions using Azure NSGs, contact {% data variables.cont ## Enabling allowed IP addresses +{% data reusables.identity-and-permissions.about-enabling-allowed-ip-addresses %} + {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} @@ -52,6 +57,8 @@ For instance-level restrictions using Azure NSGs, contact {% data variables.cont ## Editing an allowed IP address +{% data reusables.identity-and-permissions.about-editing-ip-allow-list-entries %} + {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} @@ -59,6 +66,18 @@ For instance-level restrictions using Azure NSGs, contact {% data variables.cont {% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %} {% data reusables.identity-and-permissions.ip-allow-lists-edit-description %} 8. Click **Update**. +{% data reusables.identity-and-permissions.check-ip-address %} + +{% ifversion ip-allow-list-address-check %} +## Checking if an IP address is permitted + +{% data reusables.identity-and-permissions.about-checking-ip-address %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.check-ip-address-step %} +{% endif %} ## Deleting an allowed IP address diff --git a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md index b1ed91a0ce..69f3a55303 100644 --- a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md +++ b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md @@ -79,12 +79,15 @@ You can also configure allowed IP addresses for an individual organization. For ### Adding an allowed IP address +{% data reusables.identity-and-permissions.about-adding-ip-allow-list-entries %} + {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} {% data reusables.identity-and-permissions.ip-allow-lists-add-ip %} {% data reusables.identity-and-permissions.ip-allow-lists-add-description %} {% data reusables.identity-and-permissions.ip-allow-lists-add-entry %} +{% data reusables.identity-and-permissions.check-ip-address %} ### Allowing access by {% data variables.product.prodname_github_apps %} @@ -92,6 +95,8 @@ You can also configure allowed IP addresses for an individual organization. For ### Enabling allowed IP addresses +{% data reusables.identity-and-permissions.about-enabling-allowed-ip-addresses %} + {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} @@ -101,6 +106,8 @@ You can also configure allowed IP addresses for an individual organization. For ### Editing an allowed IP address +{% data reusables.identity-and-permissions.about-editing-ip-allow-list-entries %} + {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} @@ -108,6 +115,18 @@ You can also configure allowed IP addresses for an individual organization. For {% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %} {% data reusables.identity-and-permissions.ip-allow-lists-edit-description %} 8. Click **Update**. +{% data reusables.identity-and-permissions.check-ip-address %} + +{% ifversion ip-allow-list-address-check %} +### Checking if an IP address is permitted + +{% data reusables.identity-and-permissions.about-checking-ip-address %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.check-ip-address-step %} +{% endif %} ### Deleting an allowed IP address diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization.md index 09c42afce9..7072ee723b 100644 --- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization.md +++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization.md @@ -36,15 +36,20 @@ You can also configure allowed IP addresses for the organizations in an enterpri ## Adding an allowed IP address +{% data reusables.identity-and-permissions.about-adding-ip-allow-list-entries %} + {% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} {% data reusables.organizations.security %} {% data reusables.identity-and-permissions.ip-allow-lists-add-ip %} {% data reusables.identity-and-permissions.ip-allow-lists-add-description %} {% data reusables.identity-and-permissions.ip-allow-lists-add-entry %} +{% data reusables.identity-and-permissions.check-ip-address %} ## Enabling allowed IP addresses +{% data reusables.identity-and-permissions.about-enabling-allowed-ip-addresses %} + {% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} {% data reusables.organizations.security %} @@ -71,6 +76,8 @@ For more information about how to create an allow list for a {% data variables.p ## Editing an allowed IP address +{% data reusables.identity-and-permissions.about-editing-ip-allow-list-entries %} + {% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} {% data reusables.organizations.security %} @@ -78,6 +85,18 @@ For more information about how to create an allow list for a {% data variables.p {% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %} {% data reusables.identity-and-permissions.ip-allow-lists-edit-description %} 1. Click **Update**. +{% data reusables.identity-and-permissions.check-ip-address %} + +{% ifversion ip-allow-list-address-check %} +## Checking if an IP address is permitted + +{% data reusables.identity-and-permissions.about-checking-ip-address %} + +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.security %} +{% data reusables.identity-and-permissions.check-ip-address-step %} +{% endif %} ## Deleting an allowed IP address diff --git a/data/features/ip-allow-list-address-check.yml b/data/features/ip-allow-list-address-check.yml new file mode 100644 index 0000000000..c4dda87a70 --- /dev/null +++ b/data/features/ip-allow-list-address-check.yml @@ -0,0 +1,3 @@ +versions: + ghec: '*' + ghae: 'issue-7818' diff --git a/data/reusables/enterprise-accounts/security-tab.md b/data/reusables/enterprise-accounts/security-tab.md index 021adcca4a..36f2a01533 100644 --- a/data/reusables/enterprise-accounts/security-tab.md +++ b/data/reusables/enterprise-accounts/security-tab.md @@ -1,2 +1,7 @@ +{%- ifversion ghec or ghes > 3.4 or ghae-issue-7875 %} +1. In the left sidebar, click **Authentication security**. + {% ifversion ghae %}![Security tab in the enterprise account settings sidebar](/assets/images/enterprise/github-ae/enterprise-account-settings-authentication-security-tab.png){% else %}![Security tab in the enterprise account settings sidebar](/assets/images/help/business-accounts/enterprise-account-settings-authentication-security-tab.png){% endif %} +{%- else %} 1. In the left sidebar, click **Security**. {% ifversion ghae %}![Security tab in the enterprise account settings sidebar](/assets/images/enterprise/github-ae/enterprise-account-settings-security-tab.png){% else %}![Security tab in the enterprise account settings sidebar](/assets/images/help/business-accounts/enterprise-account-settings-security-tab.png){% endif %} +{%- endif %} \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/about-adding-ip-allow-list-entries.md b/data/reusables/identity-and-permissions/about-adding-ip-allow-list-entries.md new file mode 100644 index 0000000000..772581f87a --- /dev/null +++ b/data/reusables/identity-and-permissions/about-adding-ip-allow-list-entries.md @@ -0,0 +1,3 @@ +You can create an IP allow list by adding entries that each contain an IP address or address range.{% ifversion ip-allow-list-address-check %} After you finish adding entries, you can check whether a particular IP address would be allowed by any of the enabled entries in your list.{% endif %} + +Before the list restricts access to {% ifversion ghae %}your enterprise{% else %}private assets owned by organizations in your enterprise{% endif %}, you must also enable allowed IP addresses. \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/about-checking-ip-address.md b/data/reusables/identity-and-permissions/about-checking-ip-address.md new file mode 100644 index 0000000000..dfdc758f91 --- /dev/null +++ b/data/reusables/identity-and-permissions/about-checking-ip-address.md @@ -0,0 +1 @@ +You can check whether a particular IP address would be allowed by any of the enabled entries in your IP allow list, even if the list is not currently enabled. \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/about-editing-ip-allow-list-entries.md b/data/reusables/identity-and-permissions/about-editing-ip-allow-list-entries.md new file mode 100644 index 0000000000..1e189b909d --- /dev/null +++ b/data/reusables/identity-and-permissions/about-editing-ip-allow-list-entries.md @@ -0,0 +1,5 @@ +You can edit an entry in your IP allow list. If you edit an enabled entry, changes are enforced immediately. + +{% ifversion ip-allow-list-address-check %} +After you finish editing entries, you can check whether a particular IP address would be allowed by any of the enabled entries in your list. +{% endif %} \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/about-enabling-allowed-ip-addresses.md b/data/reusables/identity-and-permissions/about-enabling-allowed-ip-addresses.md new file mode 100644 index 0000000000..dde4e9bc05 --- /dev/null +++ b/data/reusables/identity-and-permissions/about-enabling-allowed-ip-addresses.md @@ -0,0 +1,5 @@ +After you create an IP allow list, you can enable allowed IP addresses. When you enable allowed IP addresses, {% data variables.product.company_short %} immediately enforces any enabled entries in your IP allow list. + +{% ifversion ip-allow-list-address-check %} +Before you enable allowed IP addresses, you can check whether a particular IP address would be allowed by any of the enabled entries in your list. For more information, see "[Checking if an IP address is permitted](#checking-if-an-ip-address-is-permitted)." +{% endif %} \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/check-ip-address-step.md b/data/reusables/identity-and-permissions/check-ip-address-step.md new file mode 100644 index 0000000000..cb4ba79b1b --- /dev/null +++ b/data/reusables/identity-and-permissions/check-ip-address-step.md @@ -0,0 +1,2 @@ +1. Under "Check your IP address", enter an IP address. + ![Screenshot of the "Check IP address" text field](/assets/images/help/security/check-ip-address.png) \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/check-ip-address.md b/data/reusables/identity-and-permissions/check-ip-address.md new file mode 100644 index 0000000000..9a187752d6 --- /dev/null +++ b/data/reusables/identity-and-permissions/check-ip-address.md @@ -0,0 +1,3 @@ +{%- ifversion ip-allow-list-address-check %} +1. Optionally, check if a particular IP address would be allowed by any of the enabled entries in your list. For more information, see "[Checking if an IP address is permitted](#checking-if-an-ip-address-is-permitted)." +{%- endif %} \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/ip-allow-lists-enable.md b/data/reusables/identity-and-permissions/ip-allow-lists-enable.md index ada28fa49e..9b382356fa 100644 --- a/data/reusables/identity-and-permissions/ip-allow-lists-enable.md +++ b/data/reusables/identity-and-permissions/ip-allow-lists-enable.md @@ -1 +1,3 @@ -To enforce the IP allow list, you must first add IP addresses to the list, then enable the IP allow list. You must add your current IP address, or a matching range, before you enable the IP allow list. +To enforce the IP allow list, you must first add IP addresses to the list, then enable the IP allow list.{% ifversion ip-allow-list-address-check %} After you complete your list, you can check whether a particular IP address would be allowed by any of the enabled entries in the list.{% endif %} + +You must add your current IP address, or a matching range, before you enable the IP allow list.