Merge branch 'main' into 2fa-clarification

content/README.md

@@ -15,7 +15,7 @@ See the [contributing docs](/CONTRIBUTING.md) for general information about work
   - [`permissions`](#permissions)
   - [`product`](#product)
   - [`layout`](#layout)
-  - [`mapTopic`](#maptopic)
+  - [`children`](#children)
   - [`featuredLinks`](#featuredlinks)
   - [`showMiniToc`](#showminitoc)
   - [`miniTocMaxHeadingLevel`](#minitocmaxheadinglevel)
@@ -35,6 +35,7 @@ See the [contributing docs](/CONTRIBUTING.md) for general information about work
 - [Whitespace control](#whitespace-control)
 - [Links and image paths](#links-and-image-paths)
   - [Preventing transformations](#preventing-transformations)
+- [Index pages](#index-pages)
 - [Creating new sublanding pages](#creating-new-sublanding-pages)
 
 ## Frontmatter
@@ -143,11 +144,11 @@ shortTitle: Contributing to projects
 For a layout named `layouts/article.html`, the value would be `article`.
 - Optional. If omitted, `layouts/default.html` is used.
 
-### `mapTopic`
+### `children`
 
-- Purpose: Indicates whether a page is a map topic. See [Map Topic Pages](#map-topic-pages) for more info.
+- Purpose: Lists the relative links that belong to the product/category/map topic. See [Index pages](#index-pages) for more info.
-- Type: `Boolean`. Default is `false`.
+- Type: `Array`. Default is `false`.
-- Optional.
+- Required on `index.md` pages.
 
 ### `featuredLinks`
 
@@ -312,8 +313,6 @@ Just add a hyphen on either the left, right, or both sides to indicate that ther
 {%- if currentVersion == 'free-pro-team@latest' %}
 ```
 
-These characters are especially important in [index pages](#index-pages) comprised of list items.
-
 ## Links and image paths
 
 Local links must start with a product ID (like `/actions` or `/admin`), and image paths must start with `/assets`. The links to Markdown pages undergo some transformations on the server side to match the current page's language and version. The handling for these transformations lives in [`lib/render-content/plugins/rewrite-local-links`](lib/render-content/plugins/rewrite-local-links.js).
@@ -344,6 +343,11 @@ Sometimes you want to link to a Dotcom-only article in Enterprise content and yo
 
 Sometimes the canonical home of content moves outside the docs site. None of the links included in [`lib/redirects/external-sites.json`](/lib/redirects/external-sites.json) get rewritten. See  [`contributing/redirects.md`](/contributing/redirects.md) for more info about this type of redirect.
 
+### Index pages
+
+Index pages are the Table of Contents files for the docs site. Every product, category, and map topic subdirectory has an `index.md` that serves as the landing page. Each `index.md` must contain a `children` frontmatter property with a list of relative links to the child pages of the product, category, or map topic.
+
+**Important note**: The site only knows about paths included in `children` frontmatter. If a directory or article exists but is **not** included in `children`, its path will 404.
 
 ### Creating new sublanding pages
 

content/actions/creating-actions/index.md

@@ -11,17 +11,16 @@ versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
   github-ae: '*'
+children:
+  - /about-actions
+  - /creating-a-docker-container-action
+  - /creating-a-javascript-action
+  - /creating-a-composite-run-steps-action
+  - /metadata-syntax-for-github-actions
+  - /dockerfile-support-for-github-actions
+  - /setting-exit-codes-for-actions
+  - /publishing-actions-in-github-marketplace
 ---
-
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
-
-{% link_in_list /about-actions %}
-{% link_in_list /creating-a-docker-container-action %}
-{% link_in_list /creating-a-javascript-action %}
-{% link_in_list /creating-a-composite-run-steps-action %}
-{% link_in_list /metadata-syntax-for-github-actions %}
-{% link_in_list /dockerfile-support-for-github-actions %}
-{% link_in_list /setting-exit-codes-for-actions %}
-{% link_in_list /publishing-actions-in-github-marketplace %}

content/actions/guides/about-continuous-integration.md

@@ -57,7 +57,7 @@ Browse the complete list of CI workflow templates offered by {% data variables.p
 {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" or currentVersion == "github-ae@next" %}
 ### Skipping workflow runs
 
-If you want to temporarily prevent a workflow from being triggered, you can add a skip instruction to the commit message. Workflows that would otherwise be triggered `on: push` or `on: pull_request`, won't be triggered if you add any any of the following strings to the commit message in a push, or the HEAD commit of a pull request:
+If you want to temporarily prevent a workflow from being triggered, you can add a skip instruction to the commit message. Workflows that would otherwise be triggered `on: push` or `on: pull_request`, won't be triggered if you add any of the following strings to the commit message in a push, or the HEAD commit of a pull request:
 
 * `[skip ci]`
 * `[ci skip]`

content/actions/guides/index.md

@@ -73,40 +73,41 @@ includeGuides:
   - /actions/guides/moving-assigned-issues-on-project-boards
   - /actions/guides/removing-a-label-when-a-card-is-added-to-a-project-board-column
   - /actions/guides/managing-github-actions-with-github-cli
-
+children:
+  - /about-continuous-integration
+  - /setting-up-continuous-integration-using-workflow-templates
+  - /building-and-testing-nodejs
+  - /building-and-testing-net
+  - /building-and-testing-powershell
+  - /building-and-testing-python
+  - /building-and-testing-ruby
+  - /building-and-testing-java-with-maven
+  - /building-and-testing-java-with-gradle
+  - /building-and-testing-java-with-ant
+  - /building-and-testing-swift
+  - /installing-an-apple-certificate-on-macos-runners-for-xcode-development
+  - /building-and-testing-xamarin-applications
+  - /about-packaging-with-github-actions
+  - /publishing-nodejs-packages
+  - /publishing-java-packages-with-maven
+  - /publishing-java-packages-with-gradle
+  - /publishing-docker-images
+  - /storing-workflow-data-as-artifacts
+  - /caching-dependencies-to-speed-up-workflows
+  - /about-service-containers
+  - /creating-redis-service-containers
+  - /creating-postgresql-service-containers
+  - /deploying-to-amazon-elastic-container-service
+  - /deploying-to-azure-app-service
+  - /deploying-to-google-kubernetes-engine
+  - /deploying-to-google-kubernetes-engine
+  - /using-github-actions-for-project-management
+  - /closing-inactive-issues
+  - /scheduling-issue-creation
+  - /adding-labels-to-issues
+  - /commenting-on-an-issue-when-a-label-is-added
+  - /moving-assigned-issues-on-project-boards
+  - /removing-a-label-when-a-card-is-added-to-a-project-board-column
+  - /managing-github-actions-with-github-cli
 ---
-<!-- {% link_in_list /about-continuous-integration %} -->
+
-<!-- {% link_in_list /setting-up-continuous-integration-using-workflow-templates %} -->
-<!-- {% link_in_list /building-and-testing-nodejs %} -->
-<!-- {% link_in_list /building-and-testing-net %} -->
-<!-- {% link_in_list /building-and-testing-powershell %} -->
-<!-- {% link_in_list /building-and-testing-python %} -->
-<!-- {% link_in_list /building-and-testing-ruby %} -->
-<!-- {% link_in_list /building-and-testing-java-with-maven %} -->
-<!-- {% link_in_list /building-and-testing-java-with-gradle %} -->
-<!-- {% link_in_list /building-and-testing-java-with-ant %} -->
-<!-- {% link_in_list /building-and-testing-swift %}-->
-<!-- {% link_in_list /installing-an-apple-certificate-on-macos-runners-for-xcode-development %} -->
-<!-- {% link_in_list /building-and-testing-xamarin-applications %} -->
-<!-- {% link_in_list /about-packaging-with-github-actions %} -->
-<!-- {% link_in_list /publishing-nodejs-packages %} -->
-<!-- {% link_in_list /publishing-java-packages-with-maven %} -->
-<!-- {% link_in_list /publishing-java-packages-with-gradle %} -->
-<!-- {% link_in_list /publishing-docker-images %} -->
-<!-- {% link_in_list /storing-workflow-data-as-artifacts %} -->
-<!-- {% link_in_list /caching-dependencies-to-speed-up-workflows %} -->
-<!-- {% link_in_list /about-service-containers %} -->
-<!-- {% link_in_list /creating-redis-service-containers %} -->
-<!-- {% link_in_list /creating-postgresql-service-containers %} -->
-<!-- {% link_in_list /deploying-to-amazon-elastic-container-service %} -->
-<!-- {% link_in_list /deploying-to-azure-app-service %} -->
-<!-- {% link_in_list /deploying-to-google-kubernetes-engine %} -->
-<!-- {% link_in_list /deploying-to-google-kubernetes-engine %} -->
-<!-- {% link_in_list /using-github-actions-for-project-management %} -->
-<!-- {% link_in_list /closing-inactive-issues %} -->
-<!-- {% link_in_list /scheduling-issue-creation %} -->
-<!-- {% link_in_list /adding-labels-to-issues %} -->
-<!-- {% link_in_list /commenting-on-an-issue-when-a-label-is-added %} -->
-<!-- {% link_in_list /moving-assigned-issues-on-project-boards %} -->
-<!-- {% link_in_list /removing-a-label-when-a-card-is-added-to-a-project-board-column %} -->
-<!-- {% link_in_list /managing-github-actions-with-github-cli %} -->

content/actions/guides/publishing-java-packages-with-gradle.md

@@ -51,6 +51,11 @@ You can define a new Maven repository in the publishing block of your _build.gra
 
 {% raw %}
 ```groovy{:copy}
+plugins {
+  ...
+  id 'maven-publish'
+}
+
 publishing {
   ...
 
@@ -114,6 +119,11 @@ For example, if your organization is named "octocat" and your repository is name
 
 {% raw %}
 ```groovy{:copy}
+plugins {
+  ...
+  id 'maven-publish'
+}
+
 publishing {
   ...
 
@@ -173,6 +183,11 @@ If your organization is named "octocat" and your repository is named "hello-worl
 
 {% raw %}
 ```groovy{:copy}
+plugins {
+  ...
+  id 'maven-publish'
+}
+
 publishing {
   ...
 

content/actions/hosting-your-own-runners/index.md

@@ -8,19 +8,18 @@ versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
   github-ae: '*'
+children:
+  - /about-self-hosted-runners
+  - /adding-self-hosted-runners
+  - /configuring-the-self-hosted-runner-application-as-a-service
+  - /using-a-proxy-server-with-self-hosted-runners
+  - /using-labels-with-self-hosted-runners
+  - /using-self-hosted-runners-in-a-workflow
+  - /managing-access-to-self-hosted-runners-using-groups
+  - /monitoring-and-troubleshooting-self-hosted-runners
+  - /removing-self-hosted-runners
 ---
-
 {% data reusables.actions.ae-self-hosted-runners-notice %}
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
-
-{% link_in_list /about-self-hosted-runners %}
-{% link_in_list /adding-self-hosted-runners %}
-{% link_in_list /configuring-the-self-hosted-runner-application-as-a-service %}
-{% link_in_list /using-a-proxy-server-with-self-hosted-runners %}
-{% link_in_list /using-labels-with-self-hosted-runners %}
-{% link_in_list /using-self-hosted-runners-in-a-workflow %}
-{% link_in_list /managing-access-to-self-hosted-runners-using-groups %}
-{% link_in_list /monitoring-and-troubleshooting-self-hosted-runners %}
-{% link_in_list /removing-self-hosted-runners %}

content/actions/index.md

@@ -22,9 +22,9 @@ featuredLinks:
     - /actions/reference/environment-variables
     - /actions/reference/encrypted-secrets
 changelog:
-  label: 'actions'
+  label: actions
   prefix: 'GitHub Actions: '
-product_video: https://www.youtube-nocookie.com/embed/cP0I9w2coGU
+product_video: 'https://www.youtube-nocookie.com/embed/cP0I9w2coGU'
 redirect_from:
   - /articles/automating-your-workflow-with-github-actions/
   - /articles/customizing-your-project-with-github-actions/
@@ -37,13 +37,14 @@ versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
   github-ae: '*'
+children:
+  - /quickstart
+  - /guides
+  - /learn-github-actions
+  - /managing-workflow-runs
+  - /creating-actions
+  - /using-github-hosted-runners
+  - /hosting-your-own-runners
+  - /reference
 ---
 
-<!-- {% link_with_intro /quickstart %} -->
-<!-- {% link_with_intro /guides %} -->
-<!-- {% link_with_intro /learn-github-actions %} -->
-<!-- {% link_with_intro /managing-workflow-runs %} -->
-<!-- {% link_with_intro /creating-actions %} -->
-<!-- {% link_with_intro /using-github-hosted-runners %} -->
-<!-- {% link_with_intro /hosting-your-own-runners %} -->
-<!-- {% link_with_intro /reference %} -->

content/actions/learn-github-actions/index.md

@@ -29,16 +29,17 @@ versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
   github-ae: '*'
+children:
+  - /introduction-to-github-actions
+  - /finding-and-customizing-actions
+  - /essential-features-of-github-actions
+  - /managing-complex-workflows
+  - /sharing-workflows-with-your-organization
+  - /security-hardening-for-github-actions
+  - /migrating-from-azure-pipelines-to-github-actions
+  - /migrating-from-circleci-to-github-actions
+  - /migrating-from-gitlab-cicd-to-github-actions
+  - /migrating-from-jenkins-to-github-actions
+  - /migrating-from-travis-ci-to-github-actions
 ---
 
-{% link_with_intro /introduction-to-github-actions %}
-{% link_with_intro /finding-and-customizing-actions %}
-{% link_with_intro /essential-features-of-github-actions %}
-{% link_with_intro /managing-complex-workflows %}
-{% link_with_intro /sharing-workflows-with-your-organization %}
-{% link_with_intro /security-hardening-for-github-actions %}
-{% link_with_intro /migrating-from-azure-pipelines-to-github-actions %}
-{% link_with_intro /migrating-from-circleci-to-github-actions %}
-{% link_with_intro /migrating-from-gitlab-cicd-to-github-actions %}
-{% link_with_intro /migrating-from-jenkins-to-github-actions %}
-{% link_with_intro /migrating-from-travis-ci-to-github-actions %}

content/actions/managing-workflow-runs/index.md

@@ -14,24 +14,24 @@ versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
   github-ae: '*'
+children:
+  - /using-the-visualization-graph
+  - /viewing-workflow-run-history
+  - /using-workflow-run-logs
+  - /manually-running-a-workflow
+  - /re-running-a-workflow
+  - /canceling-a-workflow
+  - /approving-workflow-runs-from-public-forks
+  - /reviewing-deployments
+  - /disabling-and-enabling-a-workflow
+  - /deleting-a-workflow-run
+  - /viewing-job-execution-time
+  - /downloading-workflow-artifacts
+  - /removing-workflow-artifacts
+  - /enabling-debug-logging
+  - /adding-a-workflow-status-badge
 ---
-
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
-
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" or currentVersion == "github-ae@latest" %}{% endif %}
-{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" or currentVersion == "github-ae@latest" %}{% link_in_list /using-the-visualization-graph %}{% endif %}
-{% link_in_list /viewing-workflow-run-history %}
-{% link_in_list /using-workflow-run-logs %}
-{% link_in_list /manually-running-a-workflow %}
-{% link_in_list /re-running-a-workflow %}
-{% link_in_list /canceling-a-workflow %}
-{% link_in_list /approving-workflow-runs-from-public-forks %}
-{% link_in_list /reviewing-deployments %}
-{% link_in_list /disabling-and-enabling-a-workflow %}
-{% link_in_list /deleting-a-workflow-run %}
-{% link_in_list /viewing-job-execution-time %}
-{% link_in_list /downloading-workflow-artifacts %}
-{% link_in_list /removing-workflow-artifacts %}
-{% link_in_list /enabling-debug-logging %}
-{% link_in_list /adding-a-workflow-status-badge %}

content/actions/reference/context-and-expression-syntax-for-github-actions.md

@@ -45,7 +45,7 @@ steps:
 {% raw %}
 ```yaml
 env:
-  my_env_var: ${{ <expression> }}
+  MY_ENV_VAR: ${{ <expression> }}
 ```
 {% endraw %}
 

content/actions/reference/index.md

@@ -7,52 +7,37 @@ versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
   github-ae: '*'
+children:
+  - /workflow-syntax-for-github-actions
+  - /context-and-expression-syntax-for-github-actions
+  - /workflow-commands-for-github-actions
+  - /events-that-trigger-workflows
+  - /authentication-in-a-workflow
+  - /encrypted-secrets
+  - /environments
+  - /environment-variables
+  - /usage-limits-billing-and-administration
 ---
-
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
-
 ### Workflow syntax
-
 The workflow file is written in YAML. In the YAML workflow file, you can use expression syntax to evaluate contextual information, literals, operators, and functions. Contextual information includes workflow, environment variables, secrets, and the events that triggered the workflow. When you use [`run`](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun) in a workflow step to run shell commands, you can use specific workflow command syntax to set environment variables, set output parameters for subsequent steps, and set error or debug messages.
-
-{% link_in_list /workflow-syntax-for-github-actions %}
-{% link_in_list /context-and-expression-syntax-for-github-actions %}
-{% link_in_list /workflow-commands-for-github-actions %}
-
 ### Events
 
 You can configure workflows to run when specific GitHub events occur, at a scheduled time, manually, or when events outside of GitHub occur.
 
-{% link_in_list /events-that-trigger-workflows %}
-
 ### Authentication and secrets
 
 {% data variables.product.prodname_dotcom %} provides a token that you can use to authenticate on behalf of {% data variables.product.prodname_actions %}. You can also store sensitive information as a secret in your organization{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" or currentVersion == "github-ae@latest" %}, repository, or environments{% else %} or repository{% endif %}. {% data variables.product.prodname_dotcom %} encrypts all secrets.
 
-{% link_in_list /authentication-in-a-workflow %}
-{% link_in_list /encrypted-secrets %}
-
 {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" or currentVersion == "github-ae@latest" %}
 ### Environments
-
 Workflow jobs can reference environments that have protection rules or environment-specific secrets.
-
-{% link_in_list /environments %}
 {% endif %}
-
 ### Environment variables
-
 {% data variables.product.prodname_dotcom %} sets default environment variables for each {% data variables.product.prodname_actions %} workflow run. You can also set custom environment variables in your workflow file.
-
-{% link_in_list /environment-variables %}
-
 {% if currentVersion == "free-pro-team@latest" %}
 ### Administration
-
 When you run workflows on {% data variables.product.prodname_dotcom %}-hosted runners, there are usage limits and potential usage charges. You can also disable or restrict the usage of {% data variables.product.prodname_actions %} in a repository and organization.
-
-{% link_in_list /usage-limits-billing-and-administration %}
-
 {% endif %}

content/actions/using-github-hosted-runners/index.md

@@ -5,16 +5,15 @@ versions:
   free-pro-team: '*'
   enterprise-server: '>=2.22'
   github-ae: '*'
+children:
+  - /about-github-hosted-runners
+  - /customizing-github-hosted-runners
+  - /about-ae-hosted-runners
+  - /adding-ae-hosted-runners
+  - /using-ae-hosted-runners-in-a-workflow
+  - /using-labels-with-ae-hosted-runners
+  - /using-groups-to-manage-access-to-ae-hosted-runners
+  - /creating-custom-images
 ---
-
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
-
-{% link_in_list /about-github-hosted-runners %}
-{% link_in_list /customizing-github-hosted-runners %}
-{% link_in_list /about-ae-hosted-runners %}
-{% link_in_list /adding-ae-hosted-runners %}
-{% link_in_list /using-ae-hosted-runners-in-a-workflow %}
-{% link_in_list /using-labels-with-ae-hosted-runners %}
-{% link_in_list /using-groups-to-manage-access-to-ae-hosted-runners %}
-{% link_in_list /creating-custom-images %}

content/admin/advanced-security/index.md

@@ -1,7 +1,7 @@
 ---
 title: Managing GitHub Advanced Security for your enterprise
 shortTitle: Managing GitHub Advanced Security
-intro: You can configure {% data variables.product.prodname_advanced_security %} and manage use by your enterprise to suit your organization's needs.
+intro: 'You can configure {% data variables.product.prodname_advanced_security %} and manage use by your enterprise to suit your organization''s needs.'
 product: '{% data reusables.gated-features.ghas %}'
 redirect_from:
   - /enterprise/admin/configuration/configuring-advanced-security-features
@@ -10,12 +10,11 @@ versions:
   enterprise-server: '>=2.22'
 topics:
   - Enterprise
+children:
+  - /about-licensing-for-github-advanced-security
+  - /enabling-github-advanced-security-for-your-enterprise
+  - /configuring-code-scanning-for-your-appliance
+  - /configuring-secret-scanning-for-your-appliance
+  - /viewing-your-github-advanced-security-usage
 ---
 
-### Table of Contents
-
-{% link_in_list /about-licensing-for-github-advanced-security %}
-{% link_in_list /enabling-github-advanced-security-for-your-enterprise %}
-{% link_in_list /configuring-code-scanning-for-your-appliance %}
-{% link_in_list /configuring-secret-scanning-for-your-appliance %}
-{% link_in_list /viewing-your-github-advanced-security-usage %}

content/admin/authentication/about-identity-and-access-management-for-your-enterprise.md

@@ -1,35 +0,0 @@
----
-title: About identity and access management for your enterprise
-shortTitle: About identity and access management
-intro: 'You can use {% if enterpriseServerVersions contains currentVersion %}{% data variables.product.prodname_ghe_server %}''s built-in authentication, or choose between CAS, LDAP, or SAML{% else %}SAML single sign-on (SSO) and System for Cross-domain Identity Management (SCIM){% endif %} to centrally manage access {% if currentVersion == "free-pro-team@latest" %}to organizations owned by your enterprise on {% data variables.product.prodname_dotcom_the_website %}{% endif %}{% if enterpriseServerVersions contains currentVersion or currentVersion == "github-ae@latest" %}to {% data variables.product.product_location %}{% endif %}.'
-product: '{% data reusables.gated-features.saml-sso %}'
-versions:
-  github-ae: '*'
-type: overview
-topics:
-  - Accounts
-  - Access management
-  - Authentication
-  - Enterprise
-  - Identity
----
-
-### About identity and access management for your enterprise
-
-{% if currentVersion == "github-ae@latest" %}
-
-{% data reusables.saml.ae-uses-saml-sso %} {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
-
-After you configure the application for {% data variables.product.product_name %} on your IdP, you can grant access to {% data variables.product.product_location %} by assigning the application to users and groups on your IdP. For more information about SAML SSO for {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
-
-{% data reusables.scim.after-you-configure-saml %} For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
-
-To learn how to configure both authentication and user provisioning for {% data variables.product.product_location %} with your specific IdP, see "[Configuring authentication and provisioning with your identity provider](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider)."
-
-{% endif %}
-
-### Further reading
-
-- [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website
-- [System for Cross-domain Identity Management: Protocol (RFC 7644)](https://tools.ietf.org/html/rfc7644) on the IETF website
-- [Restricting network traffic to your enterprise](/admin/configuration/restricting-network-traffic-to-your-enterprise)

content/admin/authentication/allowing-built-in-authentication-for-users-outside-your-identity-provider.md

@@ -1,58 +0,0 @@
----
-title: Allowing built-in authentication for users outside your identity provider
-intro: 'You can configure built-in authentication to authenticate users who don''t have access to your identity provider that uses LDAP, SAML, or CAS.'
-redirect_from:
-  - /enterprise/admin/user-management/allowing-built-in-authentication-for-users-outside-your-identity-provider
-  - /enterprise/admin/authentication/allowing-built-in-authentication-for-users-outside-your-identity-provider
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
----
-
-### About built-in authentication for users outside your identity provider
-
-You can use built-in authentication for outside users when you are unable to add specific accounts to your identity provider (IdP), such as accounts for contractors or machine users. You can also use built-in authentication to access a fallback account if the identity provider is unavailable.  
-
-After built-in authentication is configured and a user successfully authenticates with SAML or CAS, they will no longer have the option to authenticate with a username and password. If a user successfully authenticates with LDAP, the credentials are no longer considered internal.
-
-Built-in authentication for a specific IdP is disabled by default.
-
-{% warning %}
-
-**Warning:** If you disable built-in authentication, you must individually suspend any users that should no longer have access to the instance. For more information, see "[Suspending and unsuspending users](/enterprise/{{ currentVersion }}/admin/guides/user-management/suspending-and-unsuspending-users)."
-
-{% endwarning %}
-
-### Configuring built-in authentication for users outside your identity provider
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.authentication %}
-4. Select your identity provider.
-  ![Select identity provider option](/assets/images/enterprise/management-console/identity-provider-select.gif)
-5. Select **Allow creation of accounts with built-in authentication**.
-  ![Select built-in authentication option](/assets/images/enterprise/management-console/built-in-auth-identity-provider-select.png)
-6. Read the warning, then click **Ok**.
-
-{% data reusables.enterprise_user_management.two_factor_auth_header %}
-{% data reusables.enterprise_user_management.2fa_is_available %}
-
-### Inviting users outside your identity provider to authenticate to your instance
-
-When a user accepts the invitation, they can use their username and password to sign in rather than signing in through the IdP.
-
-{% data reusables.enterprise_site_admin_settings.sign-in %}
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.invite-user-sidebar-tab %}
-{% data reusables.enterprise_site_admin_settings.invite-user-reset-link %}
-
-### Further reading
-
-- "[Using LDAP](/enterprise/admin/authentication/using-ldap)"
-- "[Using SAML](/enterprise/{{ currentVersion }}/admin/guides/user-management/using-saml)"
-- "[Using CAS](/enterprise/{{ currentVersion }}/admin/guides/user-management/using-cas)"

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance.md

@@ -1,17 +0,0 @@
----
-title: Authenticating users for your GitHub Enterprise Server instance
-intro: 'You can use {% data variables.product.prodname_ghe_server %}''s built-in authentication, or choose between CAS, LDAP, or SAML to integrate your existing accounts and centrally manage user access to {% data variables.product.product_location %}.'
-redirect_from:
-  - /enterprise/admin/categories/authentication/
-  - /enterprise/admin/guides/installation/user-authentication/
-  - /enterprise/admin/articles/inviting-users/
-  - /enterprise/admin/guides/migrations/authenticating-users-for-your-github-enterprise-instance/
-  - /enterprise/admin/user-management/authenticating-users-for-your-github-enterprise-server-instance
-  - /enterprise/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance
-mapTopic: true
-versions:
-  enterprise-server: '*'
-topics:
-  - Enterprise
----
-

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/allowing-built-in-authentication-for-users-outside-your-identity-provider.md

@@ -0,0 +1,58 @@
+---
+title: Allowing built-in authentication for users outside your identity provider
+intro: 'You can configure built-in authentication to authenticate users who don''t have access to your identity provider that uses LDAP, SAML, or CAS.'
+redirect_from:
+  - /enterprise/admin/user-management/allowing-built-in-authentication-for-users-outside-your-identity-provider
+  - /enterprise/admin/authentication/allowing-built-in-authentication-for-users-outside-your-identity-provider
+  - /admin/authentication/allowing-built-in-authentication-for-users-outside-your-identity-provider
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+---
+### About built-in authentication for users outside your identity provider
+
+You can use built-in authentication for outside users when you are unable to add specific accounts to your identity provider (IdP), such as accounts for contractors or machine users. You can also use built-in authentication to access a fallback account if the identity provider is unavailable.  
+
+After built-in authentication is configured and a user successfully authenticates with SAML or CAS, they will no longer have the option to authenticate with a username and password. If a user successfully authenticates with LDAP, the credentials are no longer considered internal.
+
+Built-in authentication for a specific IdP is disabled by default.
+
+{% warning %}
+
+**Warning:** If you disable built-in authentication, you must individually suspend any users that should no longer have access to the instance. For more information, see "[Suspending and unsuspending users](/enterprise/{{ currentVersion }}/admin/guides/user-management/suspending-and-unsuspending-users)."
+
+{% endwarning %}
+
+### Configuring built-in authentication for users outside your identity provider
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.authentication %}
+4. Select your identity provider.
+  ![Select identity provider option](/assets/images/enterprise/management-console/identity-provider-select.gif)
+5. Select **Allow creation of accounts with built-in authentication**.
+  ![Select built-in authentication option](/assets/images/enterprise/management-console/built-in-auth-identity-provider-select.png)
+6. Read the warning, then click **Ok**.
+
+{% data reusables.enterprise_user_management.two_factor_auth_header %}
+{% data reusables.enterprise_user_management.2fa_is_available %}
+
+### Inviting users outside your identity provider to authenticate to your instance
+
+When a user accepts the invitation, they can use their username and password to sign in rather than signing in through the IdP.
+
+{% data reusables.enterprise_site_admin_settings.sign-in %}
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.invite-user-sidebar-tab %}
+{% data reusables.enterprise_site_admin_settings.invite-user-reset-link %}
+
+### Further reading
+
+- "[Using LDAP](/enterprise/admin/authentication/using-ldap)"
+- "[Using SAML](/enterprise/{{ currentVersion }}/admin/guides/user-management/using-saml)"
+- "[Using CAS](/enterprise/{{ currentVersion }}/admin/guides/user-management/using-cas)"

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/changing-authentication-methods.md

@@ -0,0 +1,39 @@
+---
+title: Changing authentication methods
+intro: 'You can change the way {% data variables.product.prodname_ghe_server %} authenticates with your existing accounts at any time.'
+redirect_from:
+  - /enterprise/admin/user-management/changing-authentication-methods
+  - /enterprise/admin/authentication/changing-authentication-methods
+  - /admin/authentication/changing-authentication-methods
+versions:
+  enterprise-server: '*'
+type: overview
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+---
+User accounts on {% data variables.product.product_location %} are preserved when you change the authentication method and users will continue to log into the same account as long as their username doesn't change.
+
+If the new method of authentication changes usernames, new accounts will be created. As an administrator, you can rename users through the site admin settings or by using [the User Administration API](/rest/reference/enterprise-admin#update-the-username-for-a-user).
+
+Other issues you should take into consideration include:
+
+* **Passwords:** If you switch to using built-in authentication for your instance, users must [set a password](/enterprise/user/articles/how-can-i-reset-my-password/) after the change is completed.
+
+* **Site administrators:** Administrative privileges are [controlled by your identity provider when you use SAML](/enterprise/admin/guides/user-management/using-saml/#saml-attributes) and can be [controlled by group membership when you use LDAP](/enterprise/admin/authentication/using-ldap#configuring-ldap-with-your-github-enterprise-server-instance).
+
+* **Team membership:** Only LDAP lets you [control team membership](/enterprise/admin/authentication/using-ldap#configuring-ldap-with-your-github-enterprise-server-instance) from your directory server.
+
+* **User suspension:** When you use LDAP to authenticate, access to {% data variables.product.prodname_ghe_server %} can be controlled via _restricted groups_. After switching to LDAP, if restricted groups are configured, existing users who are not in one of those groups will be suspended. Suspension will occur either when they log in or during the next LDAP Sync.
+
+* **Group membership:** When you use LDAP to authenticate, users are automatically [suspended and unsuspended](/enterprise/admin/guides/user-management/suspending-and-unsuspending-users) based on restricted group membership and account status with Active Directory.
+
+* **Git authentication:** SAML and CAS only supports Git authentication over HTTP or HTTPS using a [personal access token](/articles/creating-an-access-token-for-command-line-use). Password authentication over HTTP or HTTPS is not supported. LDAP supports password-based Git authentication by default, but we recommend that you [disable that method](/enterprise/admin/authentication/using-ldap#disabling-password-authentication-for-git-operations) and force authentication via a personal access token or SSH key.
+
+* **API authentication:** SAML and CAS only supports API authentication using a [personal access token](/articles/creating-an-access-token-for-command-line-use). Basic authentication is not supported.
+
+* **Two-factor authentication:** {% data reusables.enterprise_user_management.external_auth_disables_2fa %}
+
+* **Built-in authentication for users outside your identity provider:** You can invite users to authenticate to {% data variables.product.product_location %} without adding them to your identity provider. For more information, see "[Allowing built-in authentication for users outside your identity provider](/enterprise/{{ currentVersion }}/admin/guides/user-management/allowing-built-in-authentication-for-users-outside-your-identity-provider)."

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/disabling-unauthenticated-sign-ups.md

@@ -0,0 +1,22 @@
+---
+title: Disabling unauthenticated sign-ups
+redirect_from:
+  - /enterprise/admin/articles/disabling-sign-ups/
+  - /enterprise/admin/user-management/disabling-unauthenticated-sign-ups
+  - /enterprise/admin/authentication/disabling-unauthenticated-sign-ups
+  - /admin/authentication/disabling-unauthenticated-sign-ups
+intro: 'If you''re using built-in authentication, you can block unauthenticated people from being able to create an account.'
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+---
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.privacy %}
+3. Unselect **Enable sign-up**.
+![Enable sign-up checkbox](/assets/images/enterprise/management-console/enable-sign-up.png)
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/index.md

@@ -0,0 +1,24 @@
+---
+title: Authenticating users for your GitHub Enterprise Server instance
+intro: 'You can use {% data variables.product.prodname_ghe_server %}''s built-in authentication, or choose between CAS, LDAP, or SAML to integrate your existing accounts and centrally manage user access to {% data variables.product.product_location %}.'
+redirect_from:
+  - /enterprise/admin/categories/authentication/
+  - /enterprise/admin/guides/installation/user-authentication/
+  - /enterprise/admin/articles/inviting-users/
+  - /enterprise/admin/guides/migrations/authenticating-users-for-your-github-enterprise-instance/
+  - /enterprise/admin/user-management/authenticating-users-for-your-github-enterprise-server-instance
+  - /enterprise/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance
+versions:
+  enterprise-server: '*'
+topics:
+  - Enterprise
+children:
+  - /using-built-in-authentication
+  - /disabling-unauthenticated-sign-ups
+  - /using-cas
+  - /using-saml
+  - /using-ldap
+  - /allowing-built-in-authentication-for-users-outside-your-identity-provider
+  - /changing-authentication-methods
+---
+

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/using-built-in-authentication.md

@@ -0,0 +1,39 @@
+---
+title: Using built-in authentication
+intro: 'When you use the default authentication method, all authentication details are stored within {% data variables.product.product_location %}. Built-in authentication is the default method if you don’t already have an established authentication provider, such as LDAP, SAML, or CAS.'
+redirect_from:
+  - /enterprise/admin/user-management/using-built-in-authentication
+  - /enterprise/admin/authentication/using-built-in-authentication
+  - /admin/authentication/using-built-in-authentication
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+---
+You can create custom messages that users will see on the sign in and sign out pages. For more information, see "[Customizing user messages on your instance](/enterprise/admin/user-management/customizing-user-messages-on-your-instance)."
+
+### Configuring built-in authentication
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.authentication %}
+4. Select **Built in authentication**.
+![Select built-in authentication option](/assets/images/enterprise/management-console/built-in-auth-select.png)
+
+{% data reusables.enterprise_user_management.two_factor_auth_header %}
+{% data reusables.enterprise_user_management.2fa_is_available %}
+
+### Creating your account and adding users
+
+Once your instance has been created, you'll need to create your own admin account and use it to provision users.
+
+1. On the "Create Admin Account" page at `http(s)://[hostname]/join`, choose your username, password, and email address, then click **Create an account**.
+![Create Admin Account](/assets/images/enterprise/site-admin-settings/create-first-admin-acct.png)
+{% data reusables.enterprise_site_admin_settings.sign-in %}
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.invite-user-sidebar-tab %}
+{% data reusables.enterprise_site_admin_settings.invite-user-reset-link %}

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/using-cas.md

@@ -0,0 +1,52 @@
+---
+title: Using CAS
+redirect_from:
+  - /enterprise/admin/articles/configuring-cas-authentication/
+  - /enterprise/admin/articles/about-cas-authentication/
+  - /enterprise/admin/user-management/using-cas
+  - /enterprise/admin/authentication/using-cas
+  - /admin/authentication/using-cas
+intro: 'CAS is a single sign-on (SSO) protocol for multiple web applications. A CAS user account does not take up a {% if currentVersion ver_gt "enterprise-server@2.16" %}user license{% else %}seat{% endif %} until the user signs in.'
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+  - SSO
+---
+{% data reusables.enterprise_user_management.built-in-authentication %}
+
+### Username considerations with CAS
+
+{% data reusables.enterprise_management_console.username_normalization %}
+
+{% data reusables.enterprise_management_console.username_normalization_sample %}
+
+{% data reusables.enterprise_user_management.two_factor_auth_header %}
+{% data reusables.enterprise_user_management.external_auth_disables_2fa %}
+
+### CAS attributes
+
+The following attributes are available.
+
+| Attribute name           | Type     | Description |
+|--------------------------|----------|-------------|
+| `username`               | Required | The {% data variables.product.prodname_ghe_server %} username. |
+
+### Configuring CAS
+{% warning %}
+
+**Warning:** Before configuring CAS on {% data variables.product.product_location %}, note that users will not be able to use their CAS usernames and passwords to authenticate API requests or Git operations over HTTP/HTTPS. Instead, they will need to [create an access token](/enterprise/{{ currentVersion }}/user/articles/creating-an-access-token-for-command-line-use).
+
+{% endwarning %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.authentication %}
+3. Select **CAS**.
+![CAS select](/assets/images/enterprise/management-console/cas-select.png)
+4. {% data reusables.enterprise_user_management.built-in-authentication-option %} ![Select CAS built-in authentication checkbox](/assets/images/enterprise/management-console/cas-built-in-authentication.png)
+5. In the **Server URL** field, type the full URL of your CAS server. If your CAS server uses a certificate that can't be validated by {% data variables.product.prodname_ghe_server %}, you can use the `ghe-ssl-ca-certificate-install` command to install it as a trusted certificate.

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/using-ldap.md

@@ -0,0 +1,207 @@
+---
+title: Using LDAP
+redirect_from:
+  - /enterprise/admin/articles/configuring-ldap-authentication/
+  - /enterprise/admin/articles/about-ldap-authentication/
+  - /enterprise/admin/articles/viewing-ldap-users/
+  - /enterprise/admin/hidden/enabling-ldap-sync/
+  - /enterprise/admin/hidden/ldap-sync/
+  - /enterprise/admin/user-management/using-ldap
+  - /enterprise/admin/authentication/using-ldap
+  - /admin/authentication/using-ldap
+intro: 'LDAP lets you authenticate {% data variables.product.prodname_ghe_server %} against your existing accounts and centrally manage repository access. LDAP is a popular application protocol for accessing and maintaining directory information services, and is one of the most common protocols used to integrate third-party software with large company user directories.'
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+---
+{% data reusables.enterprise_user_management.built-in-authentication %}
+
+### Supported LDAP services
+
+{% data variables.product.prodname_ghe_server %} integrates with these LDAP services:
+
+* Active Directory
+* FreeIPA
+* Oracle Directory Server Enterprise Edition
+* OpenLDAP
+* Open Directory
+* 389-ds
+
+### Username considerations with LDAP
+
+{% data reusables.enterprise_management_console.username_normalization %}
+
+{% data reusables.enterprise_management_console.username_normalization_sample %}
+
+{% data reusables.enterprise_user_management.two_factor_auth_header %}
+{% data reusables.enterprise_user_management.2fa_is_available %}
+
+### Configuring LDAP with {% data variables.product.product_location %}
+
+After you configure LDAP, users will be able to sign into your instance with their LDAP credentials. When users sign in for the first time, their profile names, email addresses, and SSH keys will be set with the LDAP attributes from your directory.
+
+When you configure LDAP access for users via the {% data variables.enterprise.management_console %}, your user licenses aren't used until the first time a user signs in to your instance. However, if you create an account manually using site admin settings, the user license is immediately accounted for.
+
+{% warning %}
+
+**Warning:** Before configuring LDAP on {% data variables.product.product_location %}, make sure that your LDAP service supports paged results.
+
+{% endwarning %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.authentication %}
+3. Under "Authentication", select **LDAP**.
+![LDAP select](/assets/images/enterprise/management-console/ldap-select.png)
+4. {% data reusables.enterprise_user_management.built-in-authentication-option %} ![Select LDAP built-in authentication checkbox](/assets/images/enterprise/management-console/ldap-built-in-authentication.png)
+5. Add your configuration settings.
+
+### LDAP attributes
+Use these attributes to finish configuring LDAP for {% data variables.product.product_location %}.
+
+| Attribute name           | Type     | Description |
+|--------------------------|----------|-------------|
+| `Host`                   | Required | The LDAP host, e.g. `ldap.example.com` or `10.0.0.30`. If the hostname is only available from your internal network, you may need to configure {% data variables.product.product_location %}'s DNS first so it can resolve the hostname using your internal nameservers. |
+| `Port`                   | Required | The port the host's LDAP services are listening on. Examples include: 389 and 636 (for LDAPS). |
+| `Encryption`             | Required | The encryption method used to secure communications to the LDAP server. Examples include plain (no encryption), SSL/LDAPS (encrypted from the start), and StartTLS (upgrade to encrypted communication once connected). |
+| `Domain search user`     | Optional | The LDAP user that looks up other users that sign in, to allow authentication. This is typically a service account created specifically for third-party integrations. Use a fully qualified name, such as `cn=Administrator,cn=Users,dc=Example,dc=com`. With Active Directory, you can also use the `[DOMAIN]\[USERNAME]` syntax (e.g. `WINDOWS\Administrator`) for the domain search user with Active Directory. |
+| `Domain search password` | Optional | The password for the domain search user. |
+| `Administrators group`   | Optional | Users in this group are promoted to site administrators when signing into your appliance. If you don't configure an LDAP Administrators group, the first LDAP user account that signs into your appliance will be automatically promoted to a site administrator. |
+| `Domain base`            | Required | The fully qualified `Distinguished Name` (DN) of an LDAP subtree you want to search for users and groups. You can add as many as you like; however, each group must be defined in the same domain base as the users that belong to it. If you specify restricted user groups, only users that belong to those groups will be in scope. We recommend that you specify the top level of your LDAP directory tree as your domain base and use restricted user groups to control access. |
+| `Restricted user groups` | Optional | If specified, only users in these groups will be allowed to log in. You only need to specify the common names (CNs) of the groups, and you can add as many groups as you like. If no groups are specified, *all* users within the scope of the specified domain base will be able to sign in to your {% data variables.product.prodname_ghe_server %} instance. |
+| `User ID`                | Required | The LDAP attribute that identifies the LDAP user who attempts authentication. Once a mapping is established, users may change their {% data variables.product.prodname_ghe_server %} usernames. This field should be `sAMAccountName` for most Active Directory installations, but it may be `uid` for other LDAP solutions, such as OpenLDAP. The default value is `uid`. |
+| `Profile name`           | Optional | The name that will appear on the user's {% data variables.product.prodname_ghe_server %} profile page. Unless LDAP Sync is enabled, users may change their profile names. |
+| `Emails`                 | Optional | The email addresses for a user's {% data variables.product.prodname_ghe_server %} account. |
+| `SSH keys`               | Optional | The public SSH keys attached to a user's {% data variables.product.prodname_ghe_server %} account. The keys must be in OpenSSH format. |
+| `GPG keys`               | Optional | The GPG keys attached to a user's {% data variables.product.prodname_ghe_server %} account. |
+| `Disable LDAP authentication for Git operations` | Optional |If selected, [turns off](#disabling-password-authentication-for-git-operations) users' ability to use LDAP passwords to authenticate Git operations. |
+| `Enable LDAP certificate verification` | Optional |If selected, [turns on](#enabling-ldap-certificate-verification) LDAP certificate verification. |
+| `Synchronization` | Optional |If selected, [turns on](#enabling-ldap-sync) LDAP Sync. |
+
+#### Disabling password authentication for Git operations
+
+Select **Disable username and password authentication for Git operations** in your LDAP settings to enforce use of personal access tokens or SSH keys for Git access, which can help prevent your server from being overloaded by LDAP authentication requests. We recommend this setting because a slow-responding LDAP server, especially combined with a large number of requests due to polling, is a frequent source of performance issues and outages.
+
+![Disable LDAP password auth for Git check box](/assets/images/enterprise/management-console/ldap-disable-password-auth-for-git.png)
+
+When this option is selected, if a user tries to use a password for Git operations via the command line, they will receive an error message that says, `Password authentication is not allowed for Git operations. You must use a personal access token.`
+
+#### Enabling LDAP certificate verification
+
+Select **Enable LDAP certificate verification** in your LDAP settings to validate the LDAP server certificate you use with TLS.
+
+![LDAP certificate verification box](/assets/images/enterprise/management-console/ldap-enable-certificate-verification.png)
+
+When this option is selected, the certificate is validated to make sure:
+- If the certificate contains at least one Subject Alternative Name (SAN), one of the SANs matches the LDAP hostname. Otherwise, the Common Name (CN) matches the LDAP hostname.
+- The certificate is not expired.
+- The certificate is signed by a trusted certificate authority (CA).
+
+#### Enabling LDAP Sync
+
+{% note %}
+
+**Note:** Teams using LDAP Sync are limited to a maximum 1499 members.
+
+{% endnote %}
+
+LDAP Sync lets you synchronize {% data variables.product.prodname_ghe_server %} users and team membership against your established LDAP groups. This lets you establish role-based access control for users from your LDAP server instead of manually within {% data variables.product.prodname_ghe_server %}. For more information, see "[Creating teams](/enterprise/{{ currentVersion }}/admin/guides/user-management/creating-teams#creating-teams-with-ldap-sync-enabled)."
+
+To enable LDAP Sync, in your LDAP settings, select **Synchronize Emails**, **Synchronize SSH Keys**, or **Synchronize GPG Keys** .
+
+![Synchronization check box](/assets/images/enterprise/management-console/ldap-synchronize.png)
+
+After you enable LDAP sync, a synchronization job will run at the specified time interval to perform the following operations on each user account:
+
+- If you've allowed built-in authentication for users outside your identity provider, and the user is using built-in authentication, move on to the next user.
+- If no LDAP mapping exists for the user, try to map the user to an LDAP entry in the directory. If the user cannot be mapped to an LDAP entry, suspend the user and move on to the next user.
+- If there is an LDAP mapping and the corresponding LDAP entry in the directory is missing, suspend the user and move on to the next user.
+- If the corresponding LDAP entry has been marked as disabled and the user is not already suspended, suspend the user and move on to the next user.
+- If the corresponding LDAP entry is not marked as disabled, and the user is suspended, and _Reactivate suspended users_ is enabled in the Admin Center, unsuspend the user.
+- If the corresponding LDAP entry includes a `name` attribute, update the user's profile name.
+- If the corresponding LDAP entry is in the Administrators group, promote the user to site administrator.
+- If the corresponding LDAP entry is not in the Administrators group, demote the user to a normal account.
+- If an LDAP User field is defined for emails, synchronize the user's email settings with the LDAP entry. Set the first LDAP `mail` entry as the primary email.
+- If an LDAP User field is defined for SSH public keys, synchronize the user's public SSH keys with the LDAP entry.  
+- If an LDAP User field is defined for GPG keys, synchronize the user's GPG keys with the LDAP entry.  
+
+{% note %}
+
+**Note**: LDAP entries can only be marked as disabled if you use Active Directory and the `userAccountControl` attribute is present and flagged with `ACCOUNTDISABLE`.
+
+{% endnote %}
+
+A synchronization job will also run at the specified time interval to perform the following operations on each team that has been mapped to an LDAP group:
+
+- If a team's corresponding LDAP group has been removed, remove all members from the team.
+- If LDAP member entries have been removed from the LDAP group, remove the corresponding users from the team. If the user loses access to any repositories as a result, delete any private forks the user has of those repositories.
+- If LDAP member entries have been added to the LDAP group, add the corresponding users to the team. If the user regains access to any repositories as a result, restore any private forks of the repositories that were deleted because the user lost access in the past 90 days.
+
+{% data reusables.enterprise_user_management.ldap-sync-nested-teams %}
+
+{% warning %}
+
+**Security Warning:**
+
+When LDAP Sync is enabled, site admins and organization owners can search the LDAP directory for groups to map the team to.
+
+This has the potential to disclose sensitive organizational information to contractors or other unprivileged users, including:
+
+- The existence of specific LDAP Groups visible to the *Domain search user*.
+- Members of the LDAP group who have {% data variables.product.prodname_ghe_server %} user accounts, which is disclosed when creating a team synced with that LDAP group.
+
+If disclosing such information is not desired, your company or organization should restrict the permissions of the configured *Domain search user* in the admin console. If such restriction isn't possible, contact {% data variables.contact.contact_ent_support %}.
+
+{% endwarning %}
+
+#### Supported LDAP group object classes
+
+{% data variables.product.prodname_ghe_server %} supports these LDAP group object classes. Groups can be nested.
+
+- `group`
+- `groupOfNames`
+- `groupOfUniqueNames`
+- `posixGroup`
+
+### Viewing and creating LDAP users
+
+You can view the full list of LDAP users who have access to your instance and provision new users.
+
+{% data reusables.enterprise_site_admin_settings.sign-in %}
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+3. In the left sidebar, click **LDAP users**.
+![LDAP users tab](/assets/images/enterprise/site-admin-settings/ldap-users-tab.png)
+4. To search for a user, type a full or partial username and click **Search**. Existing users will be displayed in search results. If a user doesn’t exist, click **Create** to provision the new user account.
+![LDAP search](/assets/images/enterprise/site-admin-settings/ldap-users-search.png)
+
+### Updating LDAP accounts
+
+Unless [LDAP Sync is enabled](#enabling-ldap-sync), changes to LDAP accounts are not automatically synchronized with {% data variables.product.prodname_ghe_server %}.
+
+* To use a new LDAP admin group, users must be manually promoted and demoted on {% data variables.product.prodname_ghe_server %} to reflect changes in LDAP.
+* To add or remove LDAP accounts in LDAP admin groups, [promote or demote the accounts on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/guides/user-management/promoting-or-demoting-a-site-administrator).
+* To remove LDAP accounts, [suspend the {% data variables.product.prodname_ghe_server %} accounts](/enterprise/{{ currentVersion }}/admin/guides/user-management/suspending-and-unsuspending-users).
+
+#### Manually syncing LDAP accounts
+
+{% data reusables.enterprise_site_admin_settings.sign-in %}
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.search-user %}
+{% data reusables.enterprise_site_admin_settings.click-user %}
+{% data reusables.enterprise_site_admin_settings.admin-top-tab %}
+{% data reusables.enterprise_site_admin_settings.admin-tab %}
+5. Under "LDAP," click **Sync now** to manually update the account with data from your LDAP server.
+![LDAP sync now button](/assets/images/enterprise/site-admin-settings/ldap-sync-now-button.png)
+
+You can also [use the API to trigger a manual sync](/enterprise/{{ currentVersion }}/user/rest/reference/enterprise-admin#ldap).
+
+### Revoking access to {% data variables.product.product_location %}
+
+If [LDAP Sync is enabled](#enabling-ldap-sync), removing a user's LDAP credentials will suspend their account after the next synchronization run.
+
+If LDAP Sync is **not** enabled, you must manually suspend the {% data variables.product.prodname_ghe_server %} account after you remove the LDAP credentials. For more information, see "[Suspending and unsuspending users](/enterprise/{{ currentVersion }}/admin/guides/user-management/suspending-and-unsuspending-users)".

content/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/using-saml.md

@@ -0,0 +1,201 @@
+---
+title: Using SAML
+redirect_from:
+  - /enterprise/admin/articles/configuring-saml-authentication/
+  - /enterprise/admin/articles/about-saml-authentication/
+  - /enterprise/admin/user-management/using-saml
+  - /enterprise/admin/authentication/using-saml
+  - /admin/authentication/using-saml
+intro: 'SAML is an XML-based standard for authentication and authorization. {% data variables.product.prodname_ghe_server %} can act as a service provider (SP) with your internal SAML identity provider (IdP).'
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+  - SSO
+---
+{% data reusables.enterprise_user_management.built-in-authentication %}
+
+### Supported SAML services
+
+{% data reusables.saml.saml-supported-idps %}
+
+{% data reusables.saml.saml-single-logout-not-supported %}
+
+### Username considerations with SAML
+
+Each {% data variables.product.prodname_ghe_server %} username is determined by one of the following assertions in the SAML response, ordered by priority:
+
+- The custom username attribute, if defined and present
+- An `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` assertion, if present
+- An `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` assertion, if present
+- The `NameID` element
+
+The `NameID` element is required even if other attributes are present.
+
+A mapping is created between the `NameID` and the {% data variables.product.prodname_ghe_server %} username, so the `NameID` should be persistent, unique, and not subject to change for the lifecycle of the user.
+
+{% note %}
+
+**Note**: If the `NameID` for a user does change on the IdP, the user will see an error message when they try to sign in to your {% data variables.product.prodname_ghe_server %} instance. {% if currentVersion ver_gt "enterprise-server@2.21" %}To restore the user's access, you'll need to update the user account's `NameID` mapping. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."{% else %} For more information, see "[Error: 'Another user already owns the account'](#error-another-user-already-owns-the-account)."{% endif %}
+
+{% endnote %}
+
+{% data reusables.enterprise_management_console.username_normalization %}
+
+{% data reusables.enterprise_management_console.username_normalization_sample %}
+
+{% data reusables.enterprise_user_management.two_factor_auth_header %}
+{% data reusables.enterprise_user_management.external_auth_disables_2fa %}
+
+### SAML metadata
+
+Your {% data variables.product.prodname_ghe_server %} instance's service provider metadata is available at `http(s)://[hostname]/saml/metadata`.
+
+To configure your identity provider manually, the Assertion Consumer Service (ACS) URL is `http(s)://[hostname]/saml/consume`. It uses the `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST` binding.
+
+### SAML attributes
+
+These attributes are available. You can change the attribute names in the [management console](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-management-console/), with the exception of the `administrator` attribute.
+
+| Default attribute name  | Type     | Description |
+|-----------------|----------|-------------|
+| `NameID` | Required | A persistent user identifier. Any persistent name identifier format may be used. The `NameID` element will be used for a {% data variables.product.prodname_ghe_server %} username unless one of the alternative assertions is provided. |
+| `administrator` | Optional | When the value is 'true', the user will automatically be promoted as an administrator. Any other value or a non-existent value will demote the user to a normal user account. |
+| `username` | Optional | The {% data variables.product.prodname_ghe_server %} username. |
+| `full_name`     | Optional | The name of the user displayed on their profile page. Users may change their names after provisioning. |
+| `emails`        | Optional | The email addresses for the user. More than one can be specified. |
+| `public_keys`   | Optional | The public SSH keys for the user. More than one can be specified. |
+| `gpg_keys`   | Optional | The GPG keys for the user. More than one can be specified.  |
+
+### Configuring SAML settings
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.authentication %}
+3. Select **SAML**.
+![SAML authentication](/assets/images/enterprise/management-console/auth-select-saml.png)
+4. {% data reusables.enterprise_user_management.built-in-authentication-option %} ![Select SAML built-in authentication checkbox](/assets/images/enterprise/management-console/saml-built-in-authentication.png)
+5. Optionally, to enable unsolicited response SSO, select **IdP initiated SSO**. By default, {% data variables.product.prodname_ghe_server %} will reply to an unsolicited Identity Provider (IdP) initiated request with an `AuthnRequest` back to the IdP.
+![SAML idP SSO](/assets/images/enterprise/management-console/saml-idp-sso.png)
+
+  {% tip %}
+
+  **Note**: We recommend keeping this value **unselected**. You should enable this feature **only** in the rare instance that your SAML implementation does not support service provider initiated SSO, and when advised by {% data variables.contact.enterprise_support %}.
+
+  {% endtip %}
+
+5. Select **Disable administrator demotion/promotion** if you **do not** want your SAML provider to determine administrator rights for users on {% data variables.product.product_location %}.
+![SAML disable admin configuration](/assets/images/enterprise/management-console/disable-admin-demotion-promotion.png)
+6. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.product.product_location %} to use internal nameservers](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-dns-nameservers/).
+![SAML authentication](/assets/images/enterprise/management-console/saml-single-sign-url.png)
+7. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of messages sent to {% data variables.product.product_location %}.
+![SAML issuer](/assets/images/enterprise/management-console/saml-issuer.png)
+8. In the **Signature Method** and **Digest Method** drop-down menus, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests from {% data variables.product.product_location %}. Specify the format with the **Name Identifier Format** drop-down menu.
+![SAML method](/assets/images/enterprise/management-console/saml-method.png)
+9. Under **Verification certificate**, click **Choose File** and choose a certificate to validate SAML responses from the IdP.
+![SAML authentication](/assets/images/enterprise/management-console/saml-verification-cert.png)
+10. Modify the SAML attribute names to match your IdP if needed, or accept the default names.
+ ![SAML attribute names](/assets/images/enterprise/management-console/saml-attributes.png)
+
+{% if currentVersion ver_gt "enterprise-server@2.21" %}
+
+### Updating a user's SAML `NameID`
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+2. In the left sidebar, click **All users**.
+  !["All users" sidebar item in site administrator settings](/assets/images/enterprise/site-admin-settings/all-users.png)
+3. In the list of users, click the username you'd like to update the `NameID` mapping for.
+  ![Username in list of instance user accounts](/assets/images/enterprise/site-admin-settings/all-users-click-username.png)
+{% data reusables.enterprise_site_admin_settings.security-tab %}
+5. To the right of "Update SAML NameID", click **Edit** .
+  !["Edit" button under "SAML authentication" and to the right of "Update SAML NameID"](/assets/images/enterprise/site-admin-settings/update-saml-nameid-edit.png)
+6. In the "NameID" field, type the new `NameID` for the user.
+  !["NameID" field in modal dialog with NameID typed](/assets/images/enterprise/site-admin-settings/update-saml-nameid-field-in-modal.png)
+7. Click **Update NameID**.
+  !["Update NameID" button under updated NameID value within modal](/assets/images/enterprise/site-admin-settings/update-saml-nameid-update.png)
+
+{% endif %}
+
+### Revoking access to {% data variables.product.product_location %}
+
+If you remove a user from your identity provider, you must also manually suspend them. Otherwise, they'll continue to be able to authenticate using access tokens or SSH keys. For more information, see "[Suspending and unsuspending users](/enterprise/admin/guides/user-management/suspending-and-unsuspending-users)".
+
+### Response message requirements
+
+The response message must fulfill the following requirements:
+
+- The `<Destination>` element must be provided on the root response document and match the ACS URL only when the root response document is signed. If the assertion is signed, it will be ignored.
+- The `<Audience>` element must always be provided as part of the `<AudienceRestriction>` element. It must match the `EntityId` for {% data variables.product.prodname_ghe_server %}. This is the URL to the {% data variables.product.prodname_ghe_server %} instance, such as `https://ghe.corp.example.com`.
+- Each assertion in the response **must** be protected by a digital signature. This can be accomplished by signing each individual `<Assertion>` element or by signing the `<Response>` element.
+- A `<NameID>` element must be provided as part of the `<Subject>` element. Any persistent name identifier format may be used.
+- The `Recipient` attribute must be present and set to the ACS URL. For example:
+
+```xml
+<samlp:Response ...>
+  <saml:Assertion ...>
+    <saml:Subject>
+      <saml:NameID ...>...</saml:NameID>
+      <saml:SubjectConfirmation ...>
+        <saml:SubjectConfirmationData Recipient="https://ghe.corp.example.com/saml/consume" .../>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:AttributeStatement>
+      <saml:Attribute FriendlyName="USERNAME-ATTRIBUTE" ...>
+        <saml:AttributeValue>monalisa</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>
+```
+
+### Troubleshooting SAML authentication
+
+{% data variables.product.prodname_ghe_server %} logs error messages for failed SAML authentication in the authentication log at  _/var/log/github/auth.log_. For more information about SAML response requirements, see "[Response message requirements](#response-message-requirements)."
+
+#### Error: "Another user already owns the account"
+
+When a user signs in to {% data variables.product.prodname_ghe_server %} for the first time with SAML authentication, {% data variables.product.prodname_ghe_server %} creates a user account on the instance and maps the SAML `NameID` to the account.
+
+When the user signs in again, {% data variables.product.prodname_ghe_server %} compares the account's `NameID` mapping to the IdP's response. If the `NameID` in the IdP's response no longer matches the `NameID` that {% data variables.product.prodname_ghe_server %} expects for the user, the sign-in will fail. The user will see the following message.
+
+> Another user already owns the account. Please have your administrator check the authentication log.
+
+The message typically indicates that the person's username or email address has changed on the IdP. {% if currentVersion ver_gt "enterprise-server@2.21" %}Ensure that the `NameID` mapping for the user account on {% data variables.product.prodname_ghe_server %} matches the user's `NameID` on your IdP. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."{% else %}For help updating the `NameID` mapping, contact {% data variables.contact.contact_ent_support %}.{% endif %}
+
+#### Error: Recipient in SAML response was blank or not valid
+
+If the `Recipient` does not match the ACS URL for your {% data variables.product.prodname_ghe_server %} instance, one of the following two error messages will appear in the authentication log when a user attempts to authenticate.
+
+```
+Recipient in the SAML response must not be blank.
+```
+
+```
+Recipient in the SAML response was not valid.
+```
+
+Ensure that you set the value for `Recipient` on your IdP to the full ACS URL for your {% data variables.product.prodname_ghe_server %} instance. For example, `https://ghe.corp.example.com/saml/consume`.
+
+#### Error: "SAML Response is not signed or has been modified"
+
+If your IdP does not sign the SAML response, or the signature does not match the contents, the following error message will appear in the authentication log.
+
+```
+SAML Response is not signed or has been modified.
+```
+
+Ensure that you configure signed assertions for the {% data variables.product.prodname_ghe_server %} application on your IdP.
+
+#### Error: "Audience is invalid" or "No assertion found"
+
+If the IdP's response has a missing or incorrect value for `Audience`, the following error message will appear in the authentication log.
+
+```shell
+Audience is invalid. Audience attribute does not match https://<em>YOUR-INSTANCE-URL</em>
+```
+
+Ensure that you set the value for `Audience` on your IdP to the `EntityId` for your {% data variables.product.prodname_ghe_server %} instance, which is the full URL to your {% data variables.product.prodname_ghe_server %} instance. For example, `https://ghe.corp.example.com`.

content/admin/authentication/changing-authentication-methods.md

@@ -1,38 +0,0 @@
----
-title: Changing authentication methods
-intro: 'You can change the way {% data variables.product.prodname_ghe_server %} authenticates with your existing accounts at any time.'
-redirect_from:
-  - /enterprise/admin/user-management/changing-authentication-methods
-  - /enterprise/admin/authentication/changing-authentication-methods
-versions:
-  enterprise-server: '*'
-type: overview
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
----
-User accounts on {% data variables.product.product_location %} are preserved when you change the authentication method and users will continue to log into the same account as long as their username doesn't change.
-
-If the new method of authentication changes usernames, new accounts will be created. As an administrator, you can rename users through the site admin settings or by using [the User Administration API](/rest/reference/enterprise-admin#update-the-username-for-a-user).
-
-Other issues you should take into consideration include:
-
-* **Passwords:** If you switch to using built-in authentication for your instance, users must [set a password](/enterprise/user/articles/how-can-i-reset-my-password/) after the change is completed.
-
-* **Site administrators:** Administrative privileges are [controlled by your identity provider when you use SAML](/enterprise/admin/guides/user-management/using-saml/#saml-attributes) and can be [controlled by group membership when you use LDAP](/enterprise/admin/authentication/using-ldap#configuring-ldap-with-your-github-enterprise-server-instance).
-
-* **Team membership:** Only LDAP lets you [control team membership](/enterprise/admin/authentication/using-ldap#configuring-ldap-with-your-github-enterprise-server-instance) from your directory server.
-
-* **User suspension:** When you use LDAP to authenticate, access to {% data variables.product.prodname_ghe_server %} can be controlled via _restricted groups_. After switching to LDAP, if restricted groups are configured, existing users who are not in one of those groups will be suspended. Suspension will occur either when they log in or during the next LDAP Sync.
-
-* **Group membership:** When you use LDAP to authenticate, users are automatically [suspended and unsuspended](/enterprise/admin/guides/user-management/suspending-and-unsuspending-users) based on restricted group membership and account status with Active Directory.
-
-* **Git authentication:** SAML and CAS only supports Git authentication over HTTP or HTTPS using a [personal access token](/articles/creating-an-access-token-for-command-line-use). Password authentication over HTTP or HTTPS is not supported. LDAP supports password-based Git authentication by default, but we recommend that you [disable that method](/enterprise/admin/authentication/using-ldap#disabling-password-authentication-for-git-operations) and force authentication via a personal access token or SSH key.
-
-* **API authentication:** SAML and CAS only supports API authentication using a [personal access token](/articles/creating-an-access-token-for-command-line-use). Basic authentication is not supported.
-
-* **Two-factor authentication:** {% data reusables.enterprise_user_management.external_auth_disables_2fa %}
-
-* **Built-in authentication for users outside your identity provider:** You can invite users to authenticate to {% data variables.product.product_location %} without adding them to your identity provider. For more information, see "[Allowing built-in authentication for users outside your identity provider](/enterprise/{{ currentVersion }}/admin/guides/user-management/allowing-built-in-authentication-for-users-outside-your-identity-provider)."

content/admin/authentication/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad.md

@@ -1,55 +0,0 @@
----
-title: Configuring authentication and provisioning for your enterprise using Azure AD
-shortTitle: Configuring with Azure AD
-intro: 'You can use a tenant in Azure Active Directory (Azure AD) as an identity provider (IdP) to centrally manage authentication and user provisioning for {% data variables.product.product_location %}.'
-permissions: 'Enterprise owners can configure authentication and provisioning for an enterprise on {% data variables.product.product_name %}.'
-product: '{% data reusables.gated-features.saml-sso %}'
-versions:
-  github-ae: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
-  - SSO
----
-
-### About authentication and user provisioning with Azure AD
-
-Azure Active Directory (Azure AD) is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) in the Microsoft Docs.
-
-To manage identity and access for {% data variables.product.product_name %}, you can use an Azure AD tenant as a SAML IdP for authentication. You can also configure Azure AD to automatically provision accounts and access membership with SCIM, which allows you to create {% data variables.product.prodname_ghe_managed %} users and manage team and organization membership from your Azure AD tenant.
-
-After you enable SAML SSO and SCIM for {% data variables.product.prodname_ghe_managed %} using Azure AD, you can accomplish the following from your Azure AD tenant.
-
-* Assign the {% data variables.product.prodname_ghe_managed %} application on Azure AD to a user account to automatically create and grant access to a corresponding user account on {% data variables.product.product_name %}.
-* Unassign the {% data variables.product.prodname_ghe_managed %} application to a user account on Azure AD to deactivate the corresponding user account on {% data variables.product.product_name %}.
-* Assign the {% data variables.product.prodname_ghe_managed %} application to an IdP group on Azure AD to automatically create and grant access to user accounts on {% data variables.product.product_name %} for all members of the IdP group. In addition, the IdP group is available on {% data variables.product.prodname_ghe_managed %} for connection to a team and its parent organization.
-* Unassign the {% data variables.product.prodname_ghe_managed %} application from an IdP group to deactivate the {% data variables.product.product_name %} user accounts of all IdP users who had access only through that IdP group and remove the users from the parent organization. The IdP group will be disconnected from any teams on {% data variables.product.product_name %}.
-
-For more information about managing identity and access for your enterprise on {% data variables.product.product_location %}, see "[Managing identity and access for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise)." For more information about synchronizing teams with IdP groups, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
-
-### Prerequisites
-
-To configure authentication and user provisioning for {% data variables.product.product_name %} using Azure AD, you must have an Azure AD account and tenant. For more information, see the [Azure AD website](https://azure.microsoft.com/free/active-directory) and [Quickstart: Create an Azure Active Directory tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant) in the Microsoft Docs.
-
-{% data reusables.saml.assert-the-administrator-attribute %} For more information about including the `administrator` attribute in the SAML claim from Azure AD, see [How to: customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Docs.
-
-{% data reusables.saml.create-a-machine-user %}
-
-### Configuring authentication and user provisioning with Azure AD
-
-{% if currentVersion == "github-ae@latest" %}
-
-1. In Azure AD, add {% data variables.product.ae_azure_ad_app_link %} to your tenant and configure single sign-on. For more information, see [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs.
-
-1. In {% data variables.product.prodname_ghe_managed %}, enter the details for your Azure AD tenant.
-
-    - {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
-
-    - If you've already configured SAML SSO for {% data variables.product.product_location %} using another IdP and you want to use Azure AD instead, you can edit your configuration. For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise#editing-the-saml-sso-configuration)."
-
-1. Enable user provisioning in {% data variables.product.product_name %} and configure user provisioning in Azure AD. For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise#enabling-user-provisioning-for-your-enterprise)."
-
-{% endif %}

content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider.md

@@ -1,8 +0,0 @@
----
-title: Configuring authentication and provisioning with your identity provider
-intro: You can use an identity provider (IdP) that supports both SAML single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) to configure authentication and user provisioning for {% data variables.product.product_location %}.
-mapTopic: true
-versions:
-  github-ae: '*'
----
-

content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad.md

@@ -0,0 +1,56 @@
+---
+title: Configuring authentication and provisioning for your enterprise using Azure AD
+shortTitle: Configuring with Azure AD
+intro: 'You can use a tenant in Azure Active Directory (Azure AD) as an identity provider (IdP) to centrally manage authentication and user provisioning for {% data variables.product.product_location %}.'
+permissions: 'Enterprise owners can configure authentication and provisioning for an enterprise on {% data variables.product.product_name %}.'
+product: '{% data reusables.gated-features.saml-sso %}'
+versions:
+  github-ae: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+  - SSO
+redirect_from:
+  - /admin/authentication/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad
+---
+### About authentication and user provisioning with Azure AD
+
+Azure Active Directory (Azure AD) is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) in the Microsoft Docs.
+
+To manage identity and access for {% data variables.product.product_name %}, you can use an Azure AD tenant as a SAML IdP for authentication. You can also configure Azure AD to automatically provision accounts and access membership with SCIM, which allows you to create {% data variables.product.prodname_ghe_managed %} users and manage team and organization membership from your Azure AD tenant.
+
+After you enable SAML SSO and SCIM for {% data variables.product.prodname_ghe_managed %} using Azure AD, you can accomplish the following from your Azure AD tenant.
+
+* Assign the {% data variables.product.prodname_ghe_managed %} application on Azure AD to a user account to automatically create and grant access to a corresponding user account on {% data variables.product.product_name %}.
+* Unassign the {% data variables.product.prodname_ghe_managed %} application to a user account on Azure AD to deactivate the corresponding user account on {% data variables.product.product_name %}.
+* Assign the {% data variables.product.prodname_ghe_managed %} application to an IdP group on Azure AD to automatically create and grant access to user accounts on {% data variables.product.product_name %} for all members of the IdP group. In addition, the IdP group is available on {% data variables.product.prodname_ghe_managed %} for connection to a team and its parent organization.
+* Unassign the {% data variables.product.prodname_ghe_managed %} application from an IdP group to deactivate the {% data variables.product.product_name %} user accounts of all IdP users who had access only through that IdP group and remove the users from the parent organization. The IdP group will be disconnected from any teams on {% data variables.product.product_name %}.
+
+For more information about managing identity and access for your enterprise on {% data variables.product.product_location %}, see "[Managing identity and access for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise)." For more information about synchronizing teams with IdP groups, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
+
+### Prerequisites
+
+To configure authentication and user provisioning for {% data variables.product.product_name %} using Azure AD, you must have an Azure AD account and tenant. For more information, see the [Azure AD website](https://azure.microsoft.com/free/active-directory) and [Quickstart: Create an Azure Active Directory tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant) in the Microsoft Docs.
+
+{% data reusables.saml.assert-the-administrator-attribute %} For more information about including the `administrator` attribute in the SAML claim from Azure AD, see [How to: customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Docs.
+
+{% data reusables.saml.create-a-machine-user %}
+
+### Configuring authentication and user provisioning with Azure AD
+
+{% if currentVersion == "github-ae@latest" %}
+
+1. In Azure AD, add {% data variables.product.ae_azure_ad_app_link %} to your tenant and configure single sign-on. For more information, see [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs.
+
+1. In {% data variables.product.prodname_ghe_managed %}, enter the details for your Azure AD tenant.
+
+    - {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
+
+    - If you've already configured SAML SSO for {% data variables.product.product_location %} using another IdP and you want to use Azure AD instead, you can edit your configuration. For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise#editing-the-saml-sso-configuration)."
+
+1. Enable user provisioning in {% data variables.product.product_name %} and configure user provisioning in Azure AD. For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise#enabling-user-provisioning-for-your-enterprise)."
+
+{% endif %}

content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/index.md

@@ -0,0 +1,9 @@
+---
+title: Configuring authentication and provisioning with your identity provider
+intro: 'You can use an identity provider (IdP) that supports both SAML single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) to configure authentication and user provisioning for {% data variables.product.product_location %}.'
+versions:
+  github-ae: '*'
+children:
+  - /configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad
+---
+

content/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise.md

@@ -1,118 +0,0 @@
----
-title: Configuring SAML single sign-on for your enterprise
-shortTitle: Configuring SAML SSO
-intro: 'You can configure SAML single sign-on (SSO) for your enterprise, which allows you to centrally control authentication for {% data variables.product.product_location %} using your identity provider (IdP).'
-product: '{% data reusables.gated-features.saml-sso %}'
-permissions: 'Enterprise owners can configure SAML SSO for an enterprise on {% data variables.product.product_name %}.'
-versions:
-  github-ae: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
-  - SSO
----
-
-### About SAML SSO
-
-{% if currentVersion == "github-ae@latest" %}
-
-SAML SSO allows you to centrally control and secure access to {% data variables.product.product_location %} from your SAML IdP. When an unauthenticated user visits {% data variables.product.product_location %} in a browser, {% data variables.product.product_name %} will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to {% data variables.product.product_location %}. {% data variables.product.product_name %} validates the response from your IdP, then grants access to the user.
-
-After a user successfully authenticates on your IdP, the user's SAML session for {% data variables.product.product_location %} is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.
-
-{% data reusables.saml.assert-the-administrator-attribute %}
-
-{% data reusables.scim.after-you-configure-saml %} For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
-
-{% endif %}
-
-### Supported identity providers
-
-{% data variables.product.product_name %} supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
-
-{% data variables.product.company_short %} has tested SAML SSO for {% data variables.product.product_name %} with the following IdPs.
-
-{% if currentVersion == "github-ae@latest" %}
-- Azure AD
-{% endif %}
-
-### Enabling SAML SSO
-
-{% if currentVersion == "github-ae@latest" %}
-
-{% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
-
-The following IdPs provide documentation about configuring SAML SSO for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.
-
- | IdP | More information |
- | :- | :- |
- | Azure AD | [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs |
-
-During initialization for {% data variables.product.product_name %}, you must configure {% data variables.product.product_name %} as a SAML Service Provider (SP) on your IdP. You must enter several unique values on your IdP to configure {% data variables.product.product_name %} as a valid SP.
-
-| Value | Other names | Description | Example |
-| :- | :- | :- | :- |
-| SP Entity ID | SP URL | Your top-level URL for {% data variables.product.prodname_ghe_managed %} | <code>https://<em>YOUR-GITHUB-AE-HOSTNAME</em></code>
-| SP Assertion Consumer Service (ACS) URL | Reply URL | URL where IdP sends SAML responses | <code>https://<em>YOUR-GITHUB-AE-HOSTNAME</em>/saml/consume</code> |
-| SP Single Sign-On (SSO) URL | | URL where IdP begins SSO |  <code>https://<em>YOUR-GITHUB-AE-HOSTNAME</em>/sso</code> |
-
-{% endif %}
-
-### Editing the SAML SSO configuration
-
-If the details for your IdP change, you'll need to edit the SAML SSO configuration for {% data variables.product.product_location %}. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.
-
-{% if currentVersion == "github-ae@latest" %}
-
-{% note %}
-
-**Note**: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}
-
-{% endnote %} 
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.security-tab %}
-1. Under "SAML single sign-on", type the new details for your IdP.
-  ![Text entry fields with IdP details for SAML SSO configuration for an enterprise](/assets/images/help/saml/ae-edit-idp-details.png)
-1. Optionally, click {% octicon "pencil" aria-label="The edit icon" %} to configure a new signature or digest method.
-  ![Edit icon for changing signature and digest method](/assets/images/help/saml/ae-edit-idp-details-edit-signature-and-digest.png)
-
-    - Use the drop-down menus and choose the new signature or digest method.
-      ![Drop-down menus for choosing a new signature or digest method](/assets/images/help/saml/ae-edit-idp-details-edit-signature-and-digest-drop-down-menus.png)
-1. To ensure that the information you've entered is correct, click **Test SAML configuration**.
-  !["Test SAML configuration" button](/assets/images/help/saml/ae-edit-idp-details-test-saml-configuration.png)
-1. Click **Save**.
-    !["Save" button for SAML SSO configuration](/assets/images/help/saml/ae-edit-idp-details-save.png)
-1. Optionally, to automatically provision and deprovision user accounts for {% data variables.product.product_location %}, reconfigure user provisioning with SCIM. For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
-
-{% endif %}
-
-### Disabling SAML SSO
-
-{% if currentVersion == "github-ae@latest" %}
-
-{% warning %}
-
-**Warning**: If you disable SAML SSO for {% data variables.product.product_location %}, users without existing SAML SSO sessions cannot sign into {% data variables.product.product_location %}. SAML SSO sessions on {% data variables.product.product_location %} end after 24 hours.
-
-{% endwarning %}
-
-{% note %}
-
-**Note**: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}
-
-{% endnote %}
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.security-tab %}
-1. Under "SAML single sign-on", unselect **Enable SAML authentication**.
-  ![Checkbox for "Enable SAML authentication"](/assets/images/help/saml/ae-saml-disabled.png)
-1. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click **Save**.
-    !["Save" button for SAML SSO configuration](/assets/images/help/saml/ae-saml-disabled-save.png)
-
-{% endif %}

content/admin/authentication/configuring-user-provisioning-for-your-enterprise.md

@@ -1,89 +0,0 @@
----
-title: Configuring user provisioning for your enterprise
-shortTitle: Configuring user provisioning
-intro: 'You can configure System for Cross-domain Identity Management (SCIM) for your enterprise, which automatically provisions user accounts on {% data variables.product.product_location %} when you assign the application for {% data variables.product.product_location %} to a user on your identity provider (IdP).'
-permissions: 'Enterprise owners can configure user provisioning for an enterprise on {% data variables.product.product_name %}.'
-product: '{% data reusables.gated-features.saml-sso %}'
-versions:
-  github-ae: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
-  - SSO
----
-
-### About user provisioning for your enterprise
-
-{% data reusables.saml.ae-uses-saml-sso %} For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
-
-{% data reusables.scim.after-you-configure-saml %} For more information about SCIM, see [System for Cross-domain Identity Management: Protocol (RFC 7644)](https://tools.ietf.org/html/rfc7644) on the IETF website.
-
-{% if currentVersion == "github-ae@latest" %}
-
-Configuring provisioning allows your IdP to communicate with {% data variables.product.product_location %} when you assign or unassign the application for {% data variables.product.product_name %} to a user on your IdP. When you assign the application, your IdP will prompt {% data variables.product.product_location %} to create an account and send an onboarding email to the user. When you unassign the application, your IdP will communicate with {% data variables.product.product_name %} to invalidate any SAML sessions and disable the member's account.
-
-To configure provisioning for your enterprise, you must enable provisioning on {% data variables.product.product_name %}, then install and configure a provisioning application on your IdP.
-
-The provisioning application on your IdP communicates with {% data variables.product.product_name %} via our SCIM API for enterprises. For more information, see "[GitHub Enterprise administration](/rest/reference/enterprise-admin#scim)" in the {% data variables.product.prodname_dotcom %} REST API documentation.
-
-{% endif %}
-
-### Supported identity providers
-
-{% data reusables.scim.supported-idps %}
-
-When you set up user provisioning with a supported IdP, you can also assign or unassign the application for {% data variables.product.product_name %} to groups of users. These groups are then available to organization owners and team maintainers in {% data variables.product.product_location %} to map to {% data variables.product.product_name %} teams. For more information, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
-
-### Prerequisites
-
-{% if currentVersion == "github-ae@latest" %}
-
-To automatically provision and deprovision access to {% data variables.product.product_location %} from your IdP, you must first configure SAML SSO when you initialize {% data variables.product.product_name %}. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/initializing-github-ae)."
-
-You must have administrative access on your IdP to configure the application for user provisioning for {% data variables.product.product_name %}.
-
-{% endif %}
-
-### Enabling user provisioning for your enterprise
-
-{% if currentVersion == "github-ae@latest" %}
-
-1. While signed into {% data variables.product.product_location %} as an enterprise owner, create a personal access token with **admin:enterprise** scope. For more information, see "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)."
-  {% note %}
-
-  **Notes**:
-    - To create the personal access token, we recommend using the account for the first enterprise owner that you created during initialization. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/initializing-github-ae)."
-    - You'll need this personal access token to configure the application for SCIM on your IdP. Store the token securely in a password manager until you need the token again later in these instructions.
-
-  {% endnote %}
-  {% warning %}
-
-  **Warning**: If the user account for the enterprise owner who creates the personal access token is deactivated or deprovisioned, your IdP will no longer provision and deprovision user accounts for your enterprise automatically. Another enterprise owner must create a new personal access token and reconfigure provisioning on the IdP.
-
-  {% endwarning %}
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.security-tab %}
-1. Under "SCIM User Provisioning", select **Require SCIM user provisioning**.
-  ![Checkbox for "Require SCIM user provisioning" within enterprise security settings](/assets/images/help/enterprises/settings-require-scim-user-provisioning.png)
-1. Click **Save**.
-  ![Save button under "Require SCIM user provisioning" within enterprise security settings](/assets/images/help/enterprises/settings-scim-save.png)
-1. Configure user provisioning in the application for {% data variables.product.product_name %} on your IdP.
-
-  The following IdPs provide documentation about configuring provisioning for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.
-
-  | IdP | More information |
-  | :- | :- |
-  | Azure AD | [Tutorial: Configure {% data variables.product.prodname_ghe_managed %} for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-provisioning-tutorial) in the Microsoft Docs |
-
-  The application on your IdP requires two values to provision or deprovision user accounts on {% data variables.product.product_location %}.
-
-  | Value | Other names | Description | Example |
-  | :- | :- | :- | :- |
-  | URL | Tenant URL | URL to the SCIM provisioning API for your enterprise on {% data variables.product.prodname_ghe_managed %} | <pre>https&colon;//api.<em>YOUR-GITHUB-AE-HOSTNAME</em>/scim/v2</pre> |
-  | Shared secret | Personal access token, secret token | Token for application on your IdP to perform provisioning tasks on behalf of an enterprise owner | Personal access token you created in step 1 |
-
-{% endif %}

content/admin/authentication/disabling-unauthenticated-sign-ups.md

@@ -1,22 +0,0 @@
----
-title: Disabling unauthenticated sign-ups
-redirect_from:
-  - /enterprise/admin/articles/disabling-sign-ups/
-  - /enterprise/admin/user-management/disabling-unauthenticated-sign-ups
-  - /enterprise/admin/authentication/disabling-unauthenticated-sign-ups
-intro: 'If you''re using built-in authentication, you can block unauthenticated people from being able to create an account.'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
----
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.privacy %}
-3. Unselect **Enable sign-up**.
-![Enable sign-up checkbox](/assets/images/enterprise/management-console/enable-sign-up.png)
-{% data reusables.enterprise_management_console.save-settings %}

content/admin/authentication/index.md

@@ -8,22 +8,9 @@ versions:
   github-ae: '*'
 topics:
   - Enterprise
+children:
+  - /authenticating-users-for-your-github-enterprise-server-instance
+  - /managing-identity-and-access-for-your-enterprise
+  - /configuring-authentication-and-provisioning-with-your-identity-provider
 ---
 
-
-### Table of Contents
-
-{% topic_link_in_list /authenticating-users-for-your-github-enterprise-server-instance %}
-    {% link_in_list /using-built-in-authentication %}
-    {% link_in_list /disabling-unauthenticated-sign-ups %}
-    {% link_in_list /using-cas %}
-    {% link_in_list /using-saml %}
-    {% link_in_list /using-ldap %}
-    {% link_in_list /allowing-built-in-authentication-for-users-outside-your-identity-provider %}
-    {% link_in_list /changing-authentication-methods %}
-{% topic_link_in_list /managing-identity-and-access-for-your-enterprise %}
-    {% link_in_list /about-identity-and-access-management-for-your-enterprise %}
-    {% link_in_list /configuring-saml-single-sign-on-for-your-enterprise %}
-    {% link_in_list /configuring-user-provisioning-for-your-enterprise %}
-{% topic_link_in_list /configuring-authentication-and-provisioning-with-your-identity-provider %}
-    {% link_in_list /configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad %}

content/admin/authentication/managing-identity-and-access-for-your-enterprise.md

@@ -1,9 +0,0 @@
----
-title: Managing identity and access for your enterprise
-shortTitle: Managing identity and access
-intro: You can centrally manage accounts and access to {% data variables.product.product_location %}.
-mapTopic: true
-versions:
-  github-ae: '*'
----
-

content/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise.md

@@ -0,0 +1,36 @@
+---
+title: About identity and access management for your enterprise
+shortTitle: About identity and access management
+intro: 'You can use {% if enterpriseServerVersions contains currentVersion %}{% data variables.product.prodname_ghe_server %}''s built-in authentication, or choose between CAS, LDAP, or SAML{% else %}SAML single sign-on (SSO) and System for Cross-domain Identity Management (SCIM){% endif %} to centrally manage access {% if currentVersion == "free-pro-team@latest" %}to organizations owned by your enterprise on {% data variables.product.prodname_dotcom_the_website %}{% endif %}{% if enterpriseServerVersions contains currentVersion or currentVersion == "github-ae@latest" %}to {% data variables.product.product_location %}{% endif %}.'
+product: '{% data reusables.gated-features.saml-sso %}'
+versions:
+  github-ae: '*'
+type: overview
+topics:
+  - Accounts
+  - Access management
+  - Authentication
+  - Enterprise
+  - Identity
+redirect_from:
+  - /admin/authentication/about-identity-and-access-management-for-your-enterprise
+---
+### About identity and access management for your enterprise
+
+{% if currentVersion == "github-ae@latest" %}
+
+{% data reusables.saml.ae-uses-saml-sso %} {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
+
+After you configure the application for {% data variables.product.product_name %} on your IdP, you can grant access to {% data variables.product.product_location %} by assigning the application to users and groups on your IdP. For more information about SAML SSO for {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
+
+{% data reusables.scim.after-you-configure-saml %} For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
+
+To learn how to configure both authentication and user provisioning for {% data variables.product.product_location %} with your specific IdP, see "[Configuring authentication and provisioning with your identity provider](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider)."
+
+{% endif %}
+
+### Further reading
+
+- [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website
+- [System for Cross-domain Identity Management: Protocol (RFC 7644)](https://tools.ietf.org/html/rfc7644) on the IETF website
+- [Restricting network traffic to your enterprise](/admin/configuration/restricting-network-traffic-to-your-enterprise)

content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise.md

@@ -0,0 +1,119 @@
+---
+title: Configuring SAML single sign-on for your enterprise
+shortTitle: Configuring SAML SSO
+intro: 'You can configure SAML single sign-on (SSO) for your enterprise, which allows you to centrally control authentication for {% data variables.product.product_location %} using your identity provider (IdP).'
+product: '{% data reusables.gated-features.saml-sso %}'
+permissions: 'Enterprise owners can configure SAML SSO for an enterprise on {% data variables.product.product_name %}.'
+versions:
+  github-ae: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+  - SSO
+redirect_from:
+  - /admin/authentication/configuring-saml-single-sign-on-for-your-enterprise
+---
+### About SAML SSO
+
+{% if currentVersion == "github-ae@latest" %}
+
+SAML SSO allows you to centrally control and secure access to {% data variables.product.product_location %} from your SAML IdP. When an unauthenticated user visits {% data variables.product.product_location %} in a browser, {% data variables.product.product_name %} will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to {% data variables.product.product_location %}. {% data variables.product.product_name %} validates the response from your IdP, then grants access to the user.
+
+After a user successfully authenticates on your IdP, the user's SAML session for {% data variables.product.product_location %} is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.
+
+{% data reusables.saml.assert-the-administrator-attribute %}
+
+{% data reusables.scim.after-you-configure-saml %} For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
+
+{% endif %}
+
+### Supported identity providers
+
+{% data variables.product.product_name %} supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
+
+{% data variables.product.company_short %} has tested SAML SSO for {% data variables.product.product_name %} with the following IdPs.
+
+{% if currentVersion == "github-ae@latest" %}
+- Azure AD
+{% endif %}
+
+### Enabling SAML SSO
+
+{% if currentVersion == "github-ae@latest" %}
+
+{% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
+
+The following IdPs provide documentation about configuring SAML SSO for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.
+
+ | IdP | More information |
+ | :- | :- |
+ | Azure AD | [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs |
+
+During initialization for {% data variables.product.product_name %}, you must configure {% data variables.product.product_name %} as a SAML Service Provider (SP) on your IdP. You must enter several unique values on your IdP to configure {% data variables.product.product_name %} as a valid SP.
+
+| Value | Other names | Description | Example |
+| :- | :- | :- | :- |
+| SP Entity ID | SP URL | Your top-level URL for {% data variables.product.prodname_ghe_managed %} | <code>https://<em>YOUR-GITHUB-AE-HOSTNAME</em></code>
+| SP Assertion Consumer Service (ACS) URL | Reply URL | URL where IdP sends SAML responses | <code>https://<em>YOUR-GITHUB-AE-HOSTNAME</em>/saml/consume</code> |
+| SP Single Sign-On (SSO) URL | | URL where IdP begins SSO |  <code>https://<em>YOUR-GITHUB-AE-HOSTNAME</em>/sso</code> |
+
+{% endif %}
+
+### Editing the SAML SSO configuration
+
+If the details for your IdP change, you'll need to edit the SAML SSO configuration for {% data variables.product.product_location %}. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.
+
+{% if currentVersion == "github-ae@latest" %}
+
+{% note %}
+
+**Note**: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}
+
+{% endnote %} 
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "SAML single sign-on", type the new details for your IdP.
+  ![Text entry fields with IdP details for SAML SSO configuration for an enterprise](/assets/images/help/saml/ae-edit-idp-details.png)
+1. Optionally, click {% octicon "pencil" aria-label="The edit icon" %} to configure a new signature or digest method.
+  ![Edit icon for changing signature and digest method](/assets/images/help/saml/ae-edit-idp-details-edit-signature-and-digest.png)
+
+    - Use the drop-down menus and choose the new signature or digest method.
+      ![Drop-down menus for choosing a new signature or digest method](/assets/images/help/saml/ae-edit-idp-details-edit-signature-and-digest-drop-down-menus.png)
+1. To ensure that the information you've entered is correct, click **Test SAML configuration**.
+  !["Test SAML configuration" button](/assets/images/help/saml/ae-edit-idp-details-test-saml-configuration.png)
+1. Click **Save**.
+    !["Save" button for SAML SSO configuration](/assets/images/help/saml/ae-edit-idp-details-save.png)
+1. Optionally, to automatically provision and deprovision user accounts for {% data variables.product.product_location %}, reconfigure user provisioning with SCIM. For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
+
+{% endif %}
+
+### Disabling SAML SSO
+
+{% if currentVersion == "github-ae@latest" %}
+
+{% warning %}
+
+**Warning**: If you disable SAML SSO for {% data variables.product.product_location %}, users without existing SAML SSO sessions cannot sign into {% data variables.product.product_location %}. SAML SSO sessions on {% data variables.product.product_location %} end after 24 hours.
+
+{% endwarning %}
+
+{% note %}
+
+**Note**: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}
+
+{% endnote %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "SAML single sign-on", unselect **Enable SAML authentication**.
+  ![Checkbox for "Enable SAML authentication"](/assets/images/help/saml/ae-saml-disabled.png)
+1. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click **Save**.
+    !["Save" button for SAML SSO configuration](/assets/images/help/saml/ae-saml-disabled-save.png)
+
+{% endif %}

content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-user-provisioning-for-your-enterprise.md

@@ -0,0 +1,90 @@
+---
+title: Configuring user provisioning for your enterprise
+shortTitle: Configuring user provisioning
+intro: 'You can configure System for Cross-domain Identity Management (SCIM) for your enterprise, which automatically provisions user accounts on {% data variables.product.product_location %} when you assign the application for {% data variables.product.product_location %} to a user on your identity provider (IdP).'
+permissions: 'Enterprise owners can configure user provisioning for an enterprise on {% data variables.product.product_name %}.'
+product: '{% data reusables.gated-features.saml-sso %}'
+versions:
+  github-ae: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+  - SSO
+redirect_from:
+  - /admin/authentication/configuring-user-provisioning-for-your-enterprise
+---
+### About user provisioning for your enterprise
+
+{% data reusables.saml.ae-uses-saml-sso %} For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
+
+{% data reusables.scim.after-you-configure-saml %} For more information about SCIM, see [System for Cross-domain Identity Management: Protocol (RFC 7644)](https://tools.ietf.org/html/rfc7644) on the IETF website.
+
+{% if currentVersion == "github-ae@latest" %}
+
+Configuring provisioning allows your IdP to communicate with {% data variables.product.product_location %} when you assign or unassign the application for {% data variables.product.product_name %} to a user on your IdP. When you assign the application, your IdP will prompt {% data variables.product.product_location %} to create an account and send an onboarding email to the user. When you unassign the application, your IdP will communicate with {% data variables.product.product_name %} to invalidate any SAML sessions and disable the member's account.
+
+To configure provisioning for your enterprise, you must enable provisioning on {% data variables.product.product_name %}, then install and configure a provisioning application on your IdP.
+
+The provisioning application on your IdP communicates with {% data variables.product.product_name %} via our SCIM API for enterprises. For more information, see "[GitHub Enterprise administration](/rest/reference/enterprise-admin#scim)" in the {% data variables.product.prodname_dotcom %} REST API documentation.
+
+{% endif %}
+
+### Supported identity providers
+
+{% data reusables.scim.supported-idps %}
+
+When you set up user provisioning with a supported IdP, you can also assign or unassign the application for {% data variables.product.product_name %} to groups of users. These groups are then available to organization owners and team maintainers in {% data variables.product.product_location %} to map to {% data variables.product.product_name %} teams. For more information, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
+
+### Prerequisites
+
+{% if currentVersion == "github-ae@latest" %}
+
+To automatically provision and deprovision access to {% data variables.product.product_location %} from your IdP, you must first configure SAML SSO when you initialize {% data variables.product.product_name %}. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/initializing-github-ae)."
+
+You must have administrative access on your IdP to configure the application for user provisioning for {% data variables.product.product_name %}.
+
+{% endif %}
+
+### Enabling user provisioning for your enterprise
+
+{% if currentVersion == "github-ae@latest" %}
+
+1. While signed into {% data variables.product.product_location %} as an enterprise owner, create a personal access token with **admin:enterprise** scope. For more information, see "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)."
+  {% note %}
+
+  **Notes**:
+    - To create the personal access token, we recommend using the account for the first enterprise owner that you created during initialization. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/initializing-github-ae)."
+    - You'll need this personal access token to configure the application for SCIM on your IdP. Store the token securely in a password manager until you need the token again later in these instructions.
+
+  {% endnote %}
+  {% warning %}
+
+  **Warning**: If the user account for the enterprise owner who creates the personal access token is deactivated or deprovisioned, your IdP will no longer provision and deprovision user accounts for your enterprise automatically. Another enterprise owner must create a new personal access token and reconfigure provisioning on the IdP.
+
+  {% endwarning %}
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "SCIM User Provisioning", select **Require SCIM user provisioning**.
+  ![Checkbox for "Require SCIM user provisioning" within enterprise security settings](/assets/images/help/enterprises/settings-require-scim-user-provisioning.png)
+1. Click **Save**.
+  ![Save button under "Require SCIM user provisioning" within enterprise security settings](/assets/images/help/enterprises/settings-scim-save.png)
+1. Configure user provisioning in the application for {% data variables.product.product_name %} on your IdP.
+
+  The following IdPs provide documentation about configuring provisioning for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.
+
+  | IdP | More information |
+  | :- | :- |
+  | Azure AD | [Tutorial: Configure {% data variables.product.prodname_ghe_managed %} for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-provisioning-tutorial) in the Microsoft Docs |
+
+  The application on your IdP requires two values to provision or deprovision user accounts on {% data variables.product.product_location %}.
+
+  | Value | Other names | Description | Example |
+  | :- | :- | :- | :- |
+  | URL | Tenant URL | URL to the SCIM provisioning API for your enterprise on {% data variables.product.prodname_ghe_managed %} | <pre>https&colon;//api.<em>YOUR-GITHUB-AE-HOSTNAME</em>/scim/v2</pre> |
+  | Shared secret | Personal access token, secret token | Token for application on your IdP to perform provisioning tasks on behalf of an enterprise owner | Personal access token you created in step 1 |
+
+{% endif %}

content/admin/authentication/managing-identity-and-access-for-your-enterprise/index.md

@@ -0,0 +1,12 @@
+---
+title: Managing identity and access for your enterprise
+shortTitle: Managing identity and access
+intro: 'You can centrally manage accounts and access to {% data variables.product.product_location %}.'
+versions:
+  github-ae: '*'
+children:
+  - /about-identity-and-access-management-for-your-enterprise
+  - /configuring-saml-single-sign-on-for-your-enterprise
+  - /configuring-user-provisioning-for-your-enterprise
+---
+

content/admin/authentication/using-built-in-authentication.md

@@ -1,39 +0,0 @@
----
-title: Using built-in authentication
-intro: 'When you use the default authentication method, all authentication details are stored within {% data variables.product.product_location %}. Built-in authentication is the default method if you don’t already have an established authentication provider, such as LDAP, SAML, or CAS.'
-redirect_from:
-  - /enterprise/admin/user-management/using-built-in-authentication
-  - /enterprise/admin/authentication/using-built-in-authentication
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
----
-
-You can create custom messages that users will see on the sign in and sign out pages. For more information, see "[Customizing user messages on your instance](/enterprise/admin/user-management/customizing-user-messages-on-your-instance)."
-
-### Configuring built-in authentication
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.authentication %}
-4. Select **Built in authentication**.
-![Select built-in authentication option](/assets/images/enterprise/management-console/built-in-auth-select.png)
-
-{% data reusables.enterprise_user_management.two_factor_auth_header %}
-{% data reusables.enterprise_user_management.2fa_is_available %}
-
-### Creating your account and adding users
-
-Once your instance has been created, you'll need to create your own admin account and use it to provision users.
-
-1. On the "Create Admin Account" page at `http(s)://[hostname]/join`, choose your username, password, and email address, then click **Create an account**.
-![Create Admin Account](/assets/images/enterprise/site-admin-settings/create-first-admin-acct.png)
-{% data reusables.enterprise_site_admin_settings.sign-in %}
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.invite-user-sidebar-tab %}
-{% data reusables.enterprise_site_admin_settings.invite-user-reset-link %}

content/admin/authentication/using-cas.md

@@ -1,52 +0,0 @@
----
-title: Using CAS
-redirect_from:
-  - /enterprise/admin/articles/configuring-cas-authentication/
-  - /enterprise/admin/articles/about-cas-authentication/
-  - /enterprise/admin/user-management/using-cas
-  - /enterprise/admin/authentication/using-cas
-intro: 'CAS is a single sign-on (SSO) protocol for multiple web applications. A CAS user account does not take up a {% if currentVersion ver_gt "enterprise-server@2.16" %}user license{% else %}seat{% endif %} until the user signs in.'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
-  - SSO
----
-
-{% data reusables.enterprise_user_management.built-in-authentication %}
-
-### Username considerations with CAS
-
-{% data reusables.enterprise_management_console.username_normalization %}
-
-{% data reusables.enterprise_management_console.username_normalization_sample %}
-
-{% data reusables.enterprise_user_management.two_factor_auth_header %}
-{% data reusables.enterprise_user_management.external_auth_disables_2fa %}
-
-### CAS attributes
-
-The following attributes are available.
-
-| Attribute name           | Type     | Description |
-|--------------------------|----------|-------------|
-| `username`               | Required | The {% data variables.product.prodname_ghe_server %} username. |
-
-### Configuring CAS
-{% warning %}
-
-**Warning:** Before configuring CAS on {% data variables.product.product_location %}, note that users will not be able to use their CAS usernames and passwords to authenticate API requests or Git operations over HTTP/HTTPS. Instead, they will need to [create an access token](/enterprise/{{ currentVersion }}/user/articles/creating-an-access-token-for-command-line-use).
-
-{% endwarning %}
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.authentication %}
-3. Select **CAS**.
-![CAS select](/assets/images/enterprise/management-console/cas-select.png)
-4. {% data reusables.enterprise_user_management.built-in-authentication-option %} ![Select CAS built-in authentication checkbox](/assets/images/enterprise/management-console/cas-built-in-authentication.png)
-5. In the **Server URL** field, type the full URL of your CAS server. If your CAS server uses a certificate that can't be validated by {% data variables.product.prodname_ghe_server %}, you can use the `ghe-ssl-ca-certificate-install` command to install it as a trusted certificate.

content/admin/authentication/using-ldap.md

@@ -1,207 +0,0 @@
----
-title: Using LDAP
-redirect_from:
-  - /enterprise/admin/articles/configuring-ldap-authentication/
-  - /enterprise/admin/articles/about-ldap-authentication/
-  - /enterprise/admin/articles/viewing-ldap-users/
-  - /enterprise/admin/hidden/enabling-ldap-sync/
-  - /enterprise/admin/hidden/ldap-sync/
-  - /enterprise/admin/user-management/using-ldap
-  - /enterprise/admin/authentication/using-ldap
-intro: 'LDAP lets you authenticate {% data variables.product.prodname_ghe_server %} against your existing accounts and centrally manage repository access. LDAP is a popular application protocol for accessing and maintaining directory information services, and is one of the most common protocols used to integrate third-party software with large company user directories.'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
----
-
-{% data reusables.enterprise_user_management.built-in-authentication %}
-
-### Supported LDAP services
-
-{% data variables.product.prodname_ghe_server %} integrates with these LDAP services:
-
-* Active Directory
-* FreeIPA
-* Oracle Directory Server Enterprise Edition
-* OpenLDAP
-* Open Directory
-* 389-ds
-
-### Username considerations with LDAP
-
-{% data reusables.enterprise_management_console.username_normalization %}
-
-{% data reusables.enterprise_management_console.username_normalization_sample %}
-
-{% data reusables.enterprise_user_management.two_factor_auth_header %}
-{% data reusables.enterprise_user_management.2fa_is_available %}
-
-### Configuring LDAP with {% data variables.product.product_location %}
-
-After you configure LDAP, users will be able to sign into your instance with their LDAP credentials. When users sign in for the first time, their profile names, email addresses, and SSH keys will be set with the LDAP attributes from your directory.
-
-When you configure LDAP access for users via the {% data variables.enterprise.management_console %}, your user licenses aren't used until the first time a user signs in to your instance. However, if you create an account manually using site admin settings, the user license is immediately accounted for.
-
-{% warning %}
-
-**Warning:** Before configuring LDAP on {% data variables.product.product_location %}, make sure that your LDAP service supports paged results.
-
-{% endwarning %}
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.authentication %}
-3. Under "Authentication", select **LDAP**.
-![LDAP select](/assets/images/enterprise/management-console/ldap-select.png)
-4. {% data reusables.enterprise_user_management.built-in-authentication-option %} ![Select LDAP built-in authentication checkbox](/assets/images/enterprise/management-console/ldap-built-in-authentication.png)
-5. Add your configuration settings.
-
-### LDAP attributes
-Use these attributes to finish configuring LDAP for {% data variables.product.product_location %}.
-
-| Attribute name           | Type     | Description |
-|--------------------------|----------|-------------|
-| `Host`                   | Required | The LDAP host, e.g. `ldap.example.com` or `10.0.0.30`. If the hostname is only available from your internal network, you may need to configure {% data variables.product.product_location %}'s DNS first so it can resolve the hostname using your internal nameservers. |
-| `Port`                   | Required | The port the host's LDAP services are listening on. Examples include: 389 and 636 (for LDAPS). |
-| `Encryption`             | Required | The encryption method used to secure communications to the LDAP server. Examples include plain (no encryption), SSL/LDAPS (encrypted from the start), and StartTLS (upgrade to encrypted communication once connected). |
-| `Domain search user`     | Optional | The LDAP user that looks up other users that sign in, to allow authentication. This is typically a service account created specifically for third-party integrations. Use a fully qualified name, such as `cn=Administrator,cn=Users,dc=Example,dc=com`. With Active Directory, you can also use the `[DOMAIN]\[USERNAME]` syntax (e.g. `WINDOWS\Administrator`) for the domain search user with Active Directory. |
-| `Domain search password` | Optional | The password for the domain search user. |
-| `Administrators group`   | Optional | Users in this group are promoted to site administrators when signing into your appliance. If you don't configure an LDAP Administrators group, the first LDAP user account that signs into your appliance will be automatically promoted to a site administrator. |
-| `Domain base`            | Required | The fully qualified `Distinguished Name` (DN) of an LDAP subtree you want to search for users and groups. You can add as many as you like; however, each group must be defined in the same domain base as the users that belong to it. If you specify restricted user groups, only users that belong to those groups will be in scope. We recommend that you specify the top level of your LDAP directory tree as your domain base and use restricted user groups to control access. |
-| `Restricted user groups` | Optional | If specified, only users in these groups will be allowed to log in. You only need to specify the common names (CNs) of the groups, and you can add as many groups as you like. If no groups are specified, *all* users within the scope of the specified domain base will be able to sign in to your {% data variables.product.prodname_ghe_server %} instance. |
-| `User ID`                | Required | The LDAP attribute that identifies the LDAP user who attempts authentication. Once a mapping is established, users may change their {% data variables.product.prodname_ghe_server %} usernames. This field should be `sAMAccountName` for most Active Directory installations, but it may be `uid` for other LDAP solutions, such as OpenLDAP. The default value is `uid`. |
-| `Profile name`           | Optional | The name that will appear on the user's {% data variables.product.prodname_ghe_server %} profile page. Unless LDAP Sync is enabled, users may change their profile names. |
-| `Emails`                 | Optional | The email addresses for a user's {% data variables.product.prodname_ghe_server %} account. |
-| `SSH keys`               | Optional | The public SSH keys attached to a user's {% data variables.product.prodname_ghe_server %} account. The keys must be in OpenSSH format. |
-| `GPG keys`               | Optional | The GPG keys attached to a user's {% data variables.product.prodname_ghe_server %} account. |
-| `Disable LDAP authentication for Git operations` | Optional |If selected, [turns off](#disabling-password-authentication-for-git-operations) users' ability to use LDAP passwords to authenticate Git operations. |
-| `Enable LDAP certificate verification` | Optional |If selected, [turns on](#enabling-ldap-certificate-verification) LDAP certificate verification. |
-| `Synchronization` | Optional |If selected, [turns on](#enabling-ldap-sync) LDAP Sync. |
-
-#### Disabling password authentication for Git operations
-
-Select **Disable username and password authentication for Git operations** in your LDAP settings to enforce use of personal access tokens or SSH keys for Git access, which can help prevent your server from being overloaded by LDAP authentication requests. We recommend this setting because a slow-responding LDAP server, especially combined with a large number of requests due to polling, is a frequent source of performance issues and outages.
-
-![Disable LDAP password auth for Git check box](/assets/images/enterprise/management-console/ldap-disable-password-auth-for-git.png)
-
-When this option is selected, if a user tries to use a password for Git operations via the command line, they will receive an error message that says, `Password authentication is not allowed for Git operations. You must use a personal access token.`
-
-#### Enabling LDAP certificate verification
-
-Select **Enable LDAP certificate verification** in your LDAP settings to validate the LDAP server certificate you use with TLS.
-
-![LDAP certificate verification box](/assets/images/enterprise/management-console/ldap-enable-certificate-verification.png)
-
-When this option is selected, the certificate is validated to make sure:
-- If the certificate contains at least one Subject Alternative Name (SAN), one of the SANs matches the LDAP hostname. Otherwise, the Common Name (CN) matches the LDAP hostname.
-- The certificate is not expired.
-- The certificate is signed by a trusted certificate authority (CA).
-
-#### Enabling LDAP Sync
-
-{% note %}
-
-**Note:** Teams using LDAP Sync are limited to a maximum 1499 members.
-
-{% endnote %}
-
-LDAP Sync lets you synchronize {% data variables.product.prodname_ghe_server %} users and team membership against your established LDAP groups. This lets you establish role-based access control for users from your LDAP server instead of manually within {% data variables.product.prodname_ghe_server %}. For more information, see "[Creating teams](/enterprise/{{ currentVersion }}/admin/guides/user-management/creating-teams#creating-teams-with-ldap-sync-enabled)."
-
-To enable LDAP Sync, in your LDAP settings, select **Synchronize Emails**, **Synchronize SSH Keys**, or **Synchronize GPG Keys** .
-
-![Synchronization check box](/assets/images/enterprise/management-console/ldap-synchronize.png)
-
-After you enable LDAP sync, a synchronization job will run at the specified time interval to perform the following operations on each user account:
-
-- If you've allowed built-in authentication for users outside your identity provider, and the user is using built-in authentication, move on to the next user.
-- If no LDAP mapping exists for the user, try to map the user to an LDAP entry in the directory. If the user cannot be mapped to an LDAP entry, suspend the user and move on to the next user.
-- If there is an LDAP mapping and the corresponding LDAP entry in the directory is missing, suspend the user and move on to the next user.
-- If the corresponding LDAP entry has been marked as disabled and the user is not already suspended, suspend the user and move on to the next user.
-- If the corresponding LDAP entry is not marked as disabled, and the user is suspended, and _Reactivate suspended users_ is enabled in the Admin Center, unsuspend the user.
-- If the corresponding LDAP entry includes a `name` attribute, update the user's profile name.
-- If the corresponding LDAP entry is in the Administrators group, promote the user to site administrator.
-- If the corresponding LDAP entry is not in the Administrators group, demote the user to a normal account.
-- If an LDAP User field is defined for emails, synchronize the user's email settings with the LDAP entry. Set the first LDAP `mail` entry as the primary email.
-- If an LDAP User field is defined for SSH public keys, synchronize the user's public SSH keys with the LDAP entry.  
-- If an LDAP User field is defined for GPG keys, synchronize the user's GPG keys with the LDAP entry.  
-
-{% note %}
-
-**Note**: LDAP entries can only be marked as disabled if you use Active Directory and the `userAccountControl` attribute is present and flagged with `ACCOUNTDISABLE`.
-
-{% endnote %}
-
-A synchronization job will also run at the specified time interval to perform the following operations on each team that has been mapped to an LDAP group:
-
-- If a team's corresponding LDAP group has been removed, remove all members from the team.
-- If LDAP member entries have been removed from the LDAP group, remove the corresponding users from the team. If the user loses access to any repositories as a result, delete any private forks the user has of those repositories.
-- If LDAP member entries have been added to the LDAP group, add the corresponding users to the team. If the user regains access to any repositories as a result, restore any private forks of the repositories that were deleted because the user lost access in the past 90 days.
-
-{% data reusables.enterprise_user_management.ldap-sync-nested-teams %}
-
-{% warning %}
-
-**Security Warning:**
-
-When LDAP Sync is enabled, site admins and organization owners can search the LDAP directory for groups to map the team to.
-
-This has the potential to disclose sensitive organizational information to contractors or other unprivileged users, including:
-
-- The existence of specific LDAP Groups visible to the *Domain search user*.
-- Members of the LDAP group who have {% data variables.product.prodname_ghe_server %} user accounts, which is disclosed when creating a team synced with that LDAP group.
-
-If disclosing such information is not desired, your company or organization should restrict the permissions of the configured *Domain search user* in the admin console. If such restriction isn't possible, contact {% data variables.contact.contact_ent_support %}.
-
-{% endwarning %}
-
-#### Supported LDAP group object classes
-
-{% data variables.product.prodname_ghe_server %} supports these LDAP group object classes. Groups can be nested.
-
-- `group`
-- `groupOfNames`
-- `groupOfUniqueNames`
-- `posixGroup`
-
-### Viewing and creating LDAP users
-
-You can view the full list of LDAP users who have access to your instance and provision new users.
-
-{% data reusables.enterprise_site_admin_settings.sign-in %}
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-3. In the left sidebar, click **LDAP users**.
-![LDAP users tab](/assets/images/enterprise/site-admin-settings/ldap-users-tab.png)
-4. To search for a user, type a full or partial username and click **Search**. Existing users will be displayed in search results. If a user doesn’t exist, click **Create** to provision the new user account.
-![LDAP search](/assets/images/enterprise/site-admin-settings/ldap-users-search.png)
-
-### Updating LDAP accounts
-
-Unless [LDAP Sync is enabled](#enabling-ldap-sync), changes to LDAP accounts are not automatically synchronized with {% data variables.product.prodname_ghe_server %}.
-
-* To use a new LDAP admin group, users must be manually promoted and demoted on {% data variables.product.prodname_ghe_server %} to reflect changes in LDAP.
-* To add or remove LDAP accounts in LDAP admin groups, [promote or demote the accounts on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/guides/user-management/promoting-or-demoting-a-site-administrator).
-* To remove LDAP accounts, [suspend the {% data variables.product.prodname_ghe_server %} accounts](/enterprise/{{ currentVersion }}/admin/guides/user-management/suspending-and-unsuspending-users).
-
-#### Manually syncing LDAP accounts
-
-{% data reusables.enterprise_site_admin_settings.sign-in %}
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.search-user %}
-{% data reusables.enterprise_site_admin_settings.click-user %}
-{% data reusables.enterprise_site_admin_settings.admin-top-tab %}
-{% data reusables.enterprise_site_admin_settings.admin-tab %}
-5. Under "LDAP," click **Sync now** to manually update the account with data from your LDAP server.
-![LDAP sync now button](/assets/images/enterprise/site-admin-settings/ldap-sync-now-button.png)
-
-You can also [use the API to trigger a manual sync](/enterprise/{{ currentVersion }}/user/rest/reference/enterprise-admin#ldap).
-
-### Revoking access to {% data variables.product.product_location %}
-
-If [LDAP Sync is enabled](#enabling-ldap-sync), removing a user's LDAP credentials will suspend their account after the next synchronization run.
-
-If LDAP Sync is **not** enabled, you must manually suspend the {% data variables.product.prodname_ghe_server %} account after you remove the LDAP credentials. For more information, see "[Suspending and unsuspending users](/enterprise/{{ currentVersion }}/admin/guides/user-management/suspending-and-unsuspending-users)".

content/admin/authentication/using-saml.md

@@ -1,201 +0,0 @@
----
-title: Using SAML
-redirect_from:
-  - /enterprise/admin/articles/configuring-saml-authentication/
-  - /enterprise/admin/articles/about-saml-authentication/
-  - /enterprise/admin/user-management/using-saml
-  - /enterprise/admin/authentication/using-saml
-intro: 'SAML is an XML-based standard for authentication and authorization. {% data variables.product.prodname_ghe_server %} can act as a service provider (SP) with your internal SAML identity provider (IdP).'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Accounts
-  - Authentication
-  - Enterprise
-  - Identity
-  - SSO
----
-
-{% data reusables.enterprise_user_management.built-in-authentication %}
-
-### Supported SAML services
-
-{% data reusables.saml.saml-supported-idps %}
-
-{% data reusables.saml.saml-single-logout-not-supported %}
-
-### Username considerations with SAML
-
-Each {% data variables.product.prodname_ghe_server %} username is determined by one of the following assertions in the SAML response, ordered by priority:
-
-- The custom username attribute, if defined and present
-- An `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` assertion, if present
-- An `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` assertion, if present
-- The `NameID` element
-
-The `NameID` element is required even if other attributes are present.
-
-A mapping is created between the `NameID` and the {% data variables.product.prodname_ghe_server %} username, so the `NameID` should be persistent, unique, and not subject to change for the lifecycle of the user.
-
-{% note %}
-
-**Note**: If the `NameID` for a user does change on the IdP, the user will see an error message when they try to sign in to your {% data variables.product.prodname_ghe_server %} instance. {% if currentVersion ver_gt "enterprise-server@2.21" %}To restore the user's access, you'll need to update the user account's `NameID` mapping. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."{% else %} For more information, see "[Error: 'Another user already owns the account'](#error-another-user-already-owns-the-account)."{% endif %}
-
-{% endnote %}
-
-{% data reusables.enterprise_management_console.username_normalization %}
-
-{% data reusables.enterprise_management_console.username_normalization_sample %}
-
-{% data reusables.enterprise_user_management.two_factor_auth_header %}
-{% data reusables.enterprise_user_management.external_auth_disables_2fa %}
-
-### SAML metadata
-
-Your {% data variables.product.prodname_ghe_server %} instance's service provider metadata is available at `http(s)://[hostname]/saml/metadata`.
-
-To configure your identity provider manually, the Assertion Consumer Service (ACS) URL is `http(s)://[hostname]/saml/consume`. It uses the `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST` binding.
-
-### SAML attributes
-
-These attributes are available. You can change the attribute names in the [management console](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-management-console/), with the exception of the `administrator` attribute.
-
-| Default attribute name  | Type     | Description |
-|-----------------|----------|-------------|
-| `NameID` | Required | A persistent user identifier. Any persistent name identifier format may be used. The `NameID` element will be used for a {% data variables.product.prodname_ghe_server %} username unless one of the alternative assertions is provided. |
-| `administrator` | Optional | When the value is 'true', the user will automatically be promoted as an administrator. Any other value or a non-existent value will demote the user to a normal user account. |
-| `username` | Optional | The {% data variables.product.prodname_ghe_server %} username. |
-| `full_name`     | Optional | The name of the user displayed on their profile page. Users may change their names after provisioning. |
-| `emails`        | Optional | The email addresses for the user. More than one can be specified. |
-| `public_keys`   | Optional | The public SSH keys for the user. More than one can be specified. |
-| `gpg_keys`   | Optional | The GPG keys for the user. More than one can be specified.  |
-
-### Configuring SAML settings
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.authentication %}
-3. Select **SAML**.
-![SAML authentication](/assets/images/enterprise/management-console/auth-select-saml.png)
-4. {% data reusables.enterprise_user_management.built-in-authentication-option %} ![Select SAML built-in authentication checkbox](/assets/images/enterprise/management-console/saml-built-in-authentication.png)
-5. Optionally, to enable unsolicited response SSO, select **IdP initiated SSO**. By default, {% data variables.product.prodname_ghe_server %} will reply to an unsolicited Identity Provider (IdP) initiated request with an `AuthnRequest` back to the IdP.
-![SAML idP SSO](/assets/images/enterprise/management-console/saml-idp-sso.png)
-
-  {% tip %}
-
-  **Note**: We recommend keeping this value **unselected**. You should enable this feature **only** in the rare instance that your SAML implementation does not support service provider initiated SSO, and when advised by {% data variables.contact.enterprise_support %}.
-
-  {% endtip %}
-
-5. Select **Disable administrator demotion/promotion** if you **do not** want your SAML provider to determine administrator rights for users on {% data variables.product.product_location %}.
-![SAML disable admin configuration](/assets/images/enterprise/management-console/disable-admin-demotion-promotion.png)
-6. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.product.product_location %} to use internal nameservers](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-dns-nameservers/).
-![SAML authentication](/assets/images/enterprise/management-console/saml-single-sign-url.png)
-7. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of messages sent to {% data variables.product.product_location %}.
-![SAML issuer](/assets/images/enterprise/management-console/saml-issuer.png)
-8. In the **Signature Method** and **Digest Method** drop-down menus, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests from {% data variables.product.product_location %}. Specify the format with the **Name Identifier Format** drop-down menu.
-![SAML method](/assets/images/enterprise/management-console/saml-method.png)
-9. Under **Verification certificate**, click **Choose File** and choose a certificate to validate SAML responses from the IdP.
-![SAML authentication](/assets/images/enterprise/management-console/saml-verification-cert.png)
-10. Modify the SAML attribute names to match your IdP if needed, or accept the default names.
- ![SAML attribute names](/assets/images/enterprise/management-console/saml-attributes.png)
-
-{% if currentVersion ver_gt "enterprise-server@2.21" %}
-
-### Updating a user's SAML `NameID`
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-2. In the left sidebar, click **All users**.
-  !["All users" sidebar item in site administrator settings](/assets/images/enterprise/site-admin-settings/all-users.png)
-3. In the list of users, click the username you'd like to update the `NameID` mapping for.
-  ![Username in list of instance user accounts](/assets/images/enterprise/site-admin-settings/all-users-click-username.png)
-{% data reusables.enterprise_site_admin_settings.security-tab %}
-5. To the right of "Update SAML NameID", click **Edit** .
-  !["Edit" button under "SAML authentication" and to the right of "Update SAML NameID"](/assets/images/enterprise/site-admin-settings/update-saml-nameid-edit.png)
-6. In the "NameID" field, type the new `NameID` for the user.
-  !["NameID" field in modal dialog with NameID typed](/assets/images/enterprise/site-admin-settings/update-saml-nameid-field-in-modal.png)
-7. Click **Update NameID**.
-  !["Update NameID" button under updated NameID value within modal](/assets/images/enterprise/site-admin-settings/update-saml-nameid-update.png)
-
-{% endif %}
-
-### Revoking access to {% data variables.product.product_location %}
-
-If you remove a user from your identity provider, you must also manually suspend them. Otherwise, they'll continue to be able to authenticate using access tokens or SSH keys. For more information, see "[Suspending and unsuspending users](/enterprise/admin/guides/user-management/suspending-and-unsuspending-users)".
-
-### Response message requirements
-
-The response message must fulfill the following requirements:
-
-- The `<Destination>` element must be provided on the root response document and match the ACS URL only when the root response document is signed. If the assertion is signed, it will be ignored.
-- The `<Audience>` element must always be provided as part of the `<AudienceRestriction>` element. It must match the `EntityId` for {% data variables.product.prodname_ghe_server %}. This is the URL to the {% data variables.product.prodname_ghe_server %} instance, such as `https://ghe.corp.example.com`.
-- Each assertion in the response **must** be protected by a digital signature. This can be accomplished by signing each individual `<Assertion>` element or by signing the `<Response>` element.
-- A `<NameID>` element must be provided as part of the `<Subject>` element. Any persistent name identifier format may be used.
-- The `Recipient` attribute must be present and set to the ACS URL. For example:
-
-```xml
-<samlp:Response ...>
-  <saml:Assertion ...>
-    <saml:Subject>
-      <saml:NameID ...>...</saml:NameID>
-      <saml:SubjectConfirmation ...>
-        <saml:SubjectConfirmationData Recipient="https://ghe.corp.example.com/saml/consume" .../>
-      </saml:SubjectConfirmation>
-    </saml:Subject>
-    <saml:AttributeStatement>
-      <saml:Attribute FriendlyName="USERNAME-ATTRIBUTE" ...>
-        <saml:AttributeValue>monalisa</saml:AttributeValue>
-      </saml:Attribute>
-    </saml:AttributeStatement>
-  </saml:Assertion>
-</samlp:Response>
-```
-
-### Troubleshooting SAML authentication
-
-{% data variables.product.prodname_ghe_server %} logs error messages for failed SAML authentication in the authentication log at  _/var/log/github/auth.log_. For more information about SAML response requirements, see "[Response message requirements](#response-message-requirements)."
-
-#### Error: "Another user already owns the account"
-
-When a user signs in to {% data variables.product.prodname_ghe_server %} for the first time with SAML authentication, {% data variables.product.prodname_ghe_server %} creates a user account on the instance and maps the SAML `NameID` to the account.
-
-When the user signs in again, {% data variables.product.prodname_ghe_server %} compares the account's `NameID` mapping to the IdP's response. If the `NameID` in the IdP's response no longer matches the `NameID` that {% data variables.product.prodname_ghe_server %} expects for the user, the sign-in will fail. The user will see the following message.
-
-> Another user already owns the account. Please have your administrator check the authentication log.
-
-The message typically indicates that the person's username or email address has changed on the IdP. {% if currentVersion ver_gt "enterprise-server@2.21" %}Ensure that the `NameID` mapping for the user account on {% data variables.product.prodname_ghe_server %} matches the user's `NameID` on your IdP. For more information, see "[Updating a user's SAML `NameID`](#updating-a-users-saml-nameid)."{% else %}For help updating the `NameID` mapping, contact {% data variables.contact.contact_ent_support %}.{% endif %}
-
-#### Error: Recipient in SAML response was blank or not valid
-
-If the `Recipient` does not match the ACS URL for your {% data variables.product.prodname_ghe_server %} instance, one of the following two error messages will appear in the authentication log when a user attempts to authenticate.
-
-```
-Recipient in the SAML response must not be blank.
-```
-
-```
-Recipient in the SAML response was not valid.
-```
-
-Ensure that you set the value for `Recipient` on your IdP to the full ACS URL for your {% data variables.product.prodname_ghe_server %} instance. For example, `https://ghe.corp.example.com/saml/consume`.
-
-#### Error: "SAML Response is not signed or has been modified"
-
-If your IdP does not sign the SAML response, or the signature does not match the contents, the following error message will appear in the authentication log.
-
-```
-SAML Response is not signed or has been modified.
-```
-
-Ensure that you configure signed assertions for the {% data variables.product.prodname_ghe_server %} application on your IdP.
-
-#### Error: "Audience is invalid" or "No assertion found"
-
-If the IdP's response has a missing or incorrect value for `Audience`, the following error message will appear in the authentication log.
-
-```shell
-Audience is invalid. Audience attribute does not match https://<em>YOUR-INSTANCE-URL</em>
-```
-
-Ensure that you set the value for `Audience` on your IdP to the `EntityId` for your {% data variables.product.prodname_ghe_server %} instance, which is the full URL to your {% data variables.product.prodname_ghe_server %} instance. For example, `https://ghe.corp.example.com`.

content/admin/configuration/about-enterprise-configuration.md

@@ -1,33 +0,0 @@
----
-title: About enterprise configuration
-intro: 'You can use the site admin dashboard{% if enterpriseServerVersions contains currentVersion %}, {% data variables.enterprise.management_console %}, and administrative shell (SSH) {% elsif currentVersion == "github-ae@latest" %} and enterprise settings or contact support{% endif %} to manage your enterprise.'
-versions:
-  enterprise-server: '*'
-  github-ae: '*'
-type: overview
-topics:
-  - Enterprise
-  - Fundamentals
-  - SSH
----
-
-{% if enterpriseServerVersions contains currentVersion %}
-{% data reusables.enterprise_site_admin_settings.about-the-site-admin-dashboard %} For more information, see "[Site admin dashboard](/admin/configuration/site-admin-dashboard)."
-
-{% data reusables.enterprise_site_admin_settings.about-the-management-console %} For more information, see "[Accessing the management console](/admin/configuration/accessing-the-management-console)."
-
-{% data reusables.enterprise_site_admin_settings.about-ssh-access %} For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)."
-{% endif %}
-
-{% if currentVersion == "github-ae@latest" %}
-The first time you access your enterprise, you will complete an initial configuration to get {% data variables.product.product_name %} ready to use. The initial configuration includes connecting your enterprise with an identity provider (IdP), authenticating with SAML SSO, configuring policies for repositories and organizations in your enterprise, and configuring SMTP for outbound email. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/initializing-github-ae)."
-
-Later, you can use the site admin dashboard and enterprise settings to further configure your enterprise, manage users, organizations and repositories, and set policies that reduce risk and increase quality. 
-
-All enterprises are configured with subdomain isolation and support for TLS 1.2 and higher for encrypted traffic only.
-{% endif %}
-
-### Further reading
-
-- "[Managing users, organizations, and repositories](/admin/user-management)"
-- "[Setting policies for your enterprise](/admin/policies)"

content/admin/configuration/accessing-the-administrative-shell-ssh.md

@@ -1,78 +0,0 @@
----
-title: Accessing the administrative shell (SSH)
-redirect_from:
-  - /enterprise/admin/articles/ssh-access/
-  - /enterprise/admin/articles/adding-an-ssh-key-for-shell-access/
-  - /enterprise/admin/guides/installation/administrative-shell-ssh-access/
-  - /enterprise/admin/articles/troubleshooting-ssh-permission-denied-publickey/
-  - /enterprise/admin/2.13/articles/troubleshooting-ssh-permission-denied-publickey/
-  - /enterprise/admin/2.14/articles/troubleshooting-ssh-permission-denied-publickey/
-  - /enterprise/admin/2.15/articles/troubleshooting-ssh-permission-denied-publickey/
-  - /enterprise/admin/installation/accessing-the-administrative-shell-ssh
-  - /enterprise/admin/configuration/accessing-the-administrative-shell-ssh
-intro: '{% data reusables.enterprise_site_admin_settings.about-ssh-access %}'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - SSH
----
-
-### About administrative shell access
-
-If you have SSH access to the administrative shell, you can run {% data variables.product.prodname_ghe_server %}'s command line utilities. SSH access is also useful for troubleshooting, running backups, and configuring replication. Administrative SSH access is managed separately from Git SSH access and is accessible only via port 122.
-
-### Enabling access to the administrative shell via SSH
-
-To enable administrative SSH access, you must add your SSH public key to your instance's list of authorized keys.
-
-{% tip %}
-
-**Tip:** Changes to authorized SSH keys take effect immediately.
-
-{% endtip %}
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-3. Under "SSH access", paste your key into the text box, then click **Add key**.
-  ![Text box and button for adding an SSH key](/assets/images/enterprise/settings/add-authorized-ssh-key-admin-shell.png)
-{% data reusables.enterprise_management_console.save-settings %}
-
-### Connecting to the administrative shell over SSH
-
-After you've added your SSH key to the list, connect to the instance over SSH as the `admin` user on port 122.
-
-```shell
-$ ssh -p 122 admin@github.example.com
-Last login: Sun Nov 9 07:53:29 2014 from 169.254.1.1
-admin@github-example-com:~$ █
-```
-
-#### Troubleshooting SSH connection problems
-
-If you encounter the `Permission denied (publickey)` error when you try to connect to {% data variables.product.product_location %} via SSH, confirm that you are connecting over port 122. You may need to explicitly specify which private SSH key to use.
-
-To specify a private SSH key using the command line, run `ssh` with the `-i` argument.
-
-```shell
-ssh -i /path/to/ghe_private_key -p 122 admin@<em>hostname</em>
-```
-
-You can also specify a private SSH key using the SSH configuration file (`~/.ssh/config`).
-
-```shell
-Host <em>hostname</em>
-  IdentityFile /path/to/ghe_private_key
-  User admin
-  Port 122
-```
-
-### Accessing the administrative shell using the local console
-
-In an emergency situation, for example if SSH is unavailable, you can access the administrative shell locally. Sign in as the `admin` user and use the password established during initial setup of {% data variables.product.prodname_ghe_server %}.
-
-### Access limitations for the administrative shell
-
-Administrative shell access is permitted for troubleshooting and performing documented operations procedures only. Modifying system and application files, running programs, or installing unsupported software packages may void your support contract. Please contact {% data variables.contact.contact_ent_support %} if you have a question about the activities allowed by your support contract.

content/admin/configuration/accessing-the-management-console.md

@@ -1,54 +0,0 @@
----
-title: Accessing the management console
-intro: '{% data reusables.enterprise_site_admin_settings.about-the-management-console %}'
-redirect_from:
-  - /enterprise/admin/articles/about-the-management-console/
-  - /enterprise/admin/articles/management-console-for-emergency-recovery/
-  - /enterprise/admin/articles/web-based-management-console/
-  - /enterprise/admin/categories/management-console/
-  - /enterprise/admin/articles/accessing-the-management-console/
-  - /enterprise/admin/guides/installation/web-based-management-console/
-  - /enterprise/admin/installation/accessing-the-management-console
-  - /enterprise/admin/configuration/accessing-the-management-console
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
----
-
-### About the {% data variables.enterprise.management_console %}
-
-Use the {% data variables.enterprise.management_console %} for basic administrative activities:
-- **Initial setup**: Walk through the initial setup process when first launching {% data variables.product.product_location %} by visiting {% data variables.product.product_location %}'s IP address in your browser.
-- **Configuring basic settings for your instance**: Configure DNS, hostname, SSL, user authentication, email, monitoring services, and log forwarding on the Settings page.
-- **Scheduling maintenance windows**: Take {% data variables.product.product_location %} offline while performing maintenance using the {% data variables.enterprise.management_console %} or administrative shell.
-- **Troubleshooting**: Generate a support bundle or view high level diagnostic information.
-- **License management**: View or update your {% data variables.product.prodname_enterprise %} license.
-
-You can always reach the {% data variables.enterprise.management_console %} using {% data variables.product.product_location %}'s IP address, even when the instance is in maintenance mode, or there is a critical application failure or hostname or SSL misconfiguration.
-
-To access the {% data variables.enterprise.management_console %}, you must use the administrator password established during initial setup of {% data variables.product.product_location %}. You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations.
-
-### Accessing the {% data variables.enterprise.management_console %} as a site administrator
-
-The first time that you access the {% data variables.enterprise.management_console %} as a site administrator, you must upload your {% data variables.product.prodname_enterprise %} license file to authenticate into the app. For more information, see "[Managing your {% data variables.product.prodname_enterprise %} license](/enterprise/{{ currentVersion }}/admin/guides/installation/managing-your-github-enterprise-license)."
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.type-management-console-password %}
-
-### Accessing the {% data variables.enterprise.management_console %} as an unauthenticated user
-
-1. Visit this URL in your browser, replacing `hostname` with your actual {% data variables.product.prodname_ghe_server %} hostname or IP address:
-  ```shell
-  http(s)://HOSTNAME/setup
-  ```
-{% data reusables.enterprise_management_console.type-management-console-password %}
-
-### Unlocking the {% data variables.enterprise.management_console %} after failed login attempts
-
-The {% data variables.enterprise.management_console %} locks after ten failed login attempts are made in the span of ten minutes. You must wait for the login screen to automatically unlock before attempting to log in again. The login screen automatically unlocks as soon as the previous ten minute period contains fewer than ten failed login attempts. The counter resets after a successful login occurs.
-
-To immediately unlock the {% data variables.enterprise.management_console %}, use the `ghe-reactivate-admin-login` command via the administrative shell. For more information, see "[Command line utilities](/enterprise/{{ currentVersion }}/admin/guides/installation/command-line-utilities#ghe-reactivate-admin-login)" and "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/)."

content/admin/configuration/command-line-utilities.md

@@ -1,829 +0,0 @@
----
-title: Command-line utilities
-intro: '{% data variables.product.prodname_ghe_server %} includes a variety of utilities to help resolve particular problems or perform specific tasks.'
-redirect_from:
-  - /enterprise/admin/articles/viewing-all-services/
-  - /enterprise/admin/articles/command-line-utilities/
-  - /enterprise/admin/installation/command-line-utilities
-  - /enterprise/admin/configuration/command-line-utilities
-miniTocMaxHeadingLevel: 4
-versions:
-  enterprise-server: '*'
-type: reference
-topics:
-  - Enterprise
-  - SSH
----
-You can execute these commands from anywhere on the VM after signing in as an SSH admin user. For more information, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/)."
-
-### General
-
-#### ghe-announce
-
-This utility sets a banner at the top of every {% data variables.product.prodname_enterprise %} page. You can use it to broadcast a message to your users.
-
-{% if currentVersion ver_gt "enterprise-server@2.21" %}
-You can also set an announcement banner using the enterprise settings on {% data variables.product.product_name %}. For more information, see "[Customizing user messages on your instance](/enterprise/admin/user-management/customizing-user-messages-on-your-instance#creating-a-global-announcement-banner)."
-{% endif %}
-
-```shell
-# Sets a message that's visible to everyone
-$ ghe-announce -s MESSAGE
-> Announcement message set.
-# Removes a previously set message
-$ ghe-announce -u
-> Removed the announcement message
-```
-
-#### ghe-check-disk-usage
-
-This utility checks the disk for large files or files that have been deleted but still have open file handles. This should be run when you're trying to free up space on the root partition.
-
-```shell
-ghe-check-disk-usage
-```
-
-#### ghe-cleanup-caches
-
-This utility cleans up a variety of caches that might potentially take up extra disk space on the root volume. If you find your root volume disk space usage increasing notably over time it would be a good idea to run this utility to see if it helps reduce overall usage.
-
-```shell
-ghe-cleanup-caches
-```
-#### ghe-cleanup-settings
-
-This utility wipes all existing {% data variables.enterprise.management_console %} settings.
-
-{% tip %}
-
-**Tip**: {% data reusables.enterprise_enterprise_support.support_will_ask_you_to_run_command %}
-
-{% endtip %}
-
-```shell
-ghe-cleanup-settings
-```
-
-#### ghe-config
-
-With this utility, you can both retrieve and modify the configuration settings of {% data variables.product.product_location %}.
-
-```shell
-$ ghe-config <em>core.github-hostname</em>
-# Gets the configuration value of `core.github-hostname`
-$ ghe-config <em>core.github-hostname</em> <em>'example.com'</em>
-# Sets the configuration value of `core.github-hostname` to `example.com`
-$ ghe-config -l
-# Lists all the configuration values
-```
-Allows you to find the universally unique identifier (UUID) of your node in `cluster.conf`.
-
-```shell
-  $ ghe-config <em>HOSTNAME</em>.uuid
-```
-
-{% if currentVersion ver_gt "enterprise-server@2.21" %}
-Allows you to exempt a list of users from API rate limits. For more information, see "[Resources in the REST API](/rest/overview/resources-in-the-rest-api#rate-limiting)."
-
-``` shell
-$ ghe-config app.github.rate-limiting-exempt-users "<em>hubot</em> <em>github-actions</em>"
-# Exempts the users hubot and github-actions from rate limits
-```
-{% endif %}
-
-#### ghe-config-apply
-
-This utility applies {% data variables.enterprise.management_console %} settings, reloads system services, prepares a storage device, reloads application services, and runs any pending database migrations. It is equivalent to clicking **Save settings** in the {% data variables.enterprise.management_console %}'s web UI or to sending a POST request to [the `/setup/api/configure` endpoint](/enterprise/{{ currentVersion }}/user/rest/reference/enterprise-admin#management-console).
-
-You will probably never need to run this manually, but it's available if you want to automate the process of saving your settings via SSH.
-
-```shell
-ghe-config-apply
-```
-
-#### ghe-console
-
-This utility opens the GitHub Rails console on your {% data variables.product.prodname_enterprise %} appliance. {% data reusables.command_line.use_with_support_only %}
-
-```shell
-ghe-console
-```
-
-#### ghe-dbconsole
-
-This utility opens a MySQL database session on your {% data variables.product.prodname_enterprise %} appliance. {% data reusables.command_line.use_with_support_only %}
-
-```shell
-ghe-dbconsole
-```
-
-#### ghe-es-index-status
-This utility returns a summary of Elasticsearch indexes in CSV format.
-
-Print an index summary with a header row to `STDOUT`:
-```shell
-$ ghe-es-index-status -do
-> warning: parser/current is loading parser/ruby23, which recognizes
-> warning: 2.3.3-compliant syntax, but you are running 2.3.4.
-> warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
-> Name,Primary,Searchable,Writable,UpToDate,RepairProgress,Version
-> code-search-1,true,true,true,true,100.0,72e27df7c631b45e026b42bfef059328fa040e17
-> commits-5,true,true,true,true,100.0,7ed28813100c47813ef654c0ee2bb9abf21ab744
-> gists-4,true,true,true,true,100.0,cf8e7d04fcf2564c902e2873c424a279cc41079d
-> issues-4,false,false,false,true,100.0,d0bb08f71eebf6e7b070572aa399b185dbdc8a76
-> issues-5,true,true,true,true,100.0,d0bb08f71eebf6e7b070572aa399b185dbdc8a76
-> projects-2,true,true,true,true,100.0,c5cac1c4b3c66d42e609d088d174dbc3dd44469a
-> pull-requests-6,true,true,true,true,100.0,6a466ad6b896a3499509990979bf9a18d7d41de3
-> repos-6,true,true,true,true,100.0,6c8b5fbba0fc1e409558db411d05e092c1387082
-> users-5,true,true,true,true,100.0,38984875552bb826c9ec42999f409cb2e95556eb
-> wikis-4,true,true,true,true,100.0,2613dec44bd14e14577803ac1f9e4b7e07a7c234
-```
-
-Print an index summary and pipe results to `column` for readability:
-
-```shell
-$ ghe-es-index-status -do | column -ts,
-> warning: parser/current is loading parser/ruby23, which recognizes
-> warning: 2.3.3-compliant syntax, but you are running 2.3.4.
-> warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
-> Name             Primary  Searchable  Writable  UpToDate  RepairProgress  Version
-> code-search-1    true     true        true      true      100.0           72e27df7c631b45e026b42bfef059328fa040e17
-> commits-5        true     true        true      true      100.0           7ed28813100c47813ef654c0ee2bb9abf21ab744
-> gists-4          true     true        true      true      100.0           cf8e7d04fcf2564c902e2873c424a279cc41079d
-> issues-4         false    false       false     true      100.0           d0bb08f71eebf6e7b070572aa399b185dbdc8a76
-> issues-5         true     true        true      true      100.0           d0bb08f71eebf6e7b070572aa399b185dbdc8a76
-> projects-2       true     true        true      true      100.0           c5cac1c4b3c66d42e609d088d174dbc3dd44469a
-> pull-requests-6  true     true        true      true      100.0           6a466ad6b896a3499509990979bf9a18d7d41de3
-> repos-6          true     true        true      true      100.0           6c8b5fbba0fc1e409558db411d05e092c1387082
-> users-5          true     true        true      true      100.0           38984875552bb826c9ec42999f409cb2e95556eb
-> wikis-4          true     true        true      true      100.0           2613dec44bd14e14577803ac1f9e4b7e07a7c234
-```
-
-#### ghe-legacy-github-services-report
-
-This utility lists repositories on your appliance that use {% data variables.product.prodname_dotcom %} Services, an integration method that will be discontinued on October 1, 2018. Users on your appliance may have set up {% data variables.product.prodname_dotcom %} Services to create notifications for pushes to certain repositories. For more information, see "[Announcing the deprecation of {% data variables.product.prodname_dotcom %} Services](https://developer.github.com/changes/2018-04-25-github-services-deprecation/)" on {% data variables.product.prodname_blog %} or "[Replacing {% data variables.product.prodname_dotcom %} Services](/developers/overview/replacing-github-services)." For more information about this command or for additional options, use the `-h` flag.
-
-```shell
-ghe-legacy-github-services-report
-
-```
-
-#### ghe-logs-tail
-
-This utility lets you tail log all relevant log files from your installation. You can pass options in to limit the logs to specific sets. Use the -h flag for additional options.
-
-```shell
-ghe-logs-tail
-```
-
-#### ghe-maintenance
-
-This utility allows you to control the state of the installation's maintenance mode. It's designed to be used primarily by the {% data variables.enterprise.management_console %} behind-the-scenes, but it can be used directly.
-
-```shell
-ghe-maintenance -h
-```
-
-#### ghe-motd
-
-This utility re-displays the message of the day (MOTD) that administrators see when accessing the instance via the administrative shell. The output contains an overview of the instance's state.
-
-```shell
-ghe-motd
-```
-
-#### ghe-nwo
-
-This utility returns a repository's name and owner based on the repository ID.  
-
-```shell
-ghe-nwo <em>REPOSITORY_ID</em>
-```
-
-#### ghe-org-admin-promote
-
-Use this command to give organization owner privileges to users with site admin privileges on the appliance, or to give organization owner privileges to any single user in a single organization. You must specify a user and/or an organization. The `ghe-org-admin-promote` command will always ask for confirmation before running unless you use the `-y` flag to bypass the confirmation.
-
-You can use these options with the utility:
-
-- The `-u` flag specifies a username. Use this flag to give organization owner privileges to a specific user. Omit the `-u` flag to promote all site admins to the specified organization.
-- The `-o` flag specifies an organization. Use this flag to give owner privileges in a specific organization. Omit the `-o` flag to give owner permissions in all organizations to the specified site admin.
-- The `-a` flag gives owner privileges in all organizations to all site admins.
-- The `-y` flag bypasses the manual confirmation.
-
-This utility cannot promote a non-site admin to be an owner of all organizations. You can promote an ordinary user account to a site admin with [ghe-user-promote](#ghe-user-promote).
-
-Give organization owner privileges in a specific organization to a specific site admin
-
-```shell
-ghe-org-admin-promote -u <em>USERNAME</em> -o <em>ORGANIZATION</em>
-```
-
-Give organization owner privileges in all organizations to a specific site admin
-
-```shell
-ghe-org-admin-promote -u <em>USERNAME</em>
-```
-
-Give organization owner privileges in a specific organization to all site admins
-
-```shell
-ghe-org-admin-promote -o <em>ORGANIZATION</em>
-```
-
-Give organization owner privileges in all organizations to all site admins
-
-```shell
-ghe-org-admin-promote -a
-```
-
-#### ghe-reactivate-admin-login
-
-Use this command to immediately unlock the {% data variables.enterprise.management_console %} after 10 failed login attempts in the span of 10 minutes.
-
-```shell
-$ ghe-reactivate-admin-login
-```
-
-#### ghe-resque-info
-
-This utility displays information on background jobs, both active and in the queue. It provides the same job count numbers as the admin stats bar at the top of every page.
-
-This utility can help identify whether the Resque server is having problems processing background jobs. Any of the following scenarios might be indicative of a problem with Resque:
-
-* The number of background jobs is increasing, while the active jobs remain the same.
-* The event feeds are not updating.
-* Webhooks are not being triggered.
-* The web interface is not updating after a Git push.
-
-If you suspect Resque is failing, contact {% data variables.contact.contact_ent_support %} for help.
-
-With this command, you can also pause or resume jobs in the queue.
-
-```shell
-$ ghe-resque-info
-# lists queues and the number of currently queued jobs
-$ ghe-resque-info -p <em>QUEUE</em>
-# pauses the specified queue
-$ ghe-resque-info -r <em>QUEUE</em>
-# resumes the specified queue
-```
-
-#### ghe-saml-mapping-csv
-
-This utility can help map SAML records.
-
-To create a CSV file containing all the SAML mapping for your {% data variables.product.product_name %} users:
-```shell
-$ ghe-saml-mapping-csv -d
-```
-
-To perform a dry run of updating SAML mappings with new values:
-```shell
-$ ghe-saml-mapping-csv -u -n -f /path/to/file
-```
-
-To update SAML mappings with new values:
-```shell
-$ ghe-saml-mapping-csv -u -f /path/to/file
-```
-
-#### ghe-service-list
-
-This utility lists all of the services that have been started or stopped (are running or waiting) on your appliance.
-
-```shell
-$ ghe-service-list
-start/running
-  - github-resqued, process 12711
-  - github-unicorn, process 12726
-  - github-gitauth, process 12743
-  - git-daemon, process 12755
-  - babeld, process 12771
-  - github-svn-proxy, process 12802
-  - gist-unicorn, process 12832
-  - gist-resqued, process 12881
-  - render-unicorn, process 12939
-  - hookshot-unicorn, process 13076
-  - nodeload2, process 13192
-  - slumlord-unicorn, process 13304
-  - ghe-storage, process 2012
-  - enterprise-manage-unicorn, process 2024
-  - enterprise-manage-resque, process 2053
-
-stop/waiting
-  - ghe-replica-mode
-```
-
-{% tip %}
-
-The service names returned from this command can be used with [`systemctl`](https://www.freedesktop.org/software/systemd/man/systemctl.html) commands to stop, start, or restart these services manually, if needed. For example:
-
-```shell
-$ sudo systemctl restart github-resqued
-```
-
-Stopping services will cause downtime on your installation, so we recommend you contact {% data variables.contact.contact_ent_support %} before stopping or restarting any service.
-
-{% endtip %}
-
-#### ghe-set-password
-
-With `ghe-set-password`, you can set a new password to authenticate into the [{% data variables.enterprise.management_console %}](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-management-console).
-
-```shell
-ghe-set-password <new_password>
-```
-
-#### ghe-ssh-check-host-keys
-
-This utility checks the existing SSH host keys against the list of known leaked SSH host keys.
-
-```shell
-$ ghe-ssh-check-host-keys
-```
-
-If a leaked host key is found the utility exits with status `1` and a message:
-```shell
-> One or more of your SSH host keys were found in the blacklist.
-> Please reset your host keys using ghe-ssh-roll-host-keys.
-```
-
-If a leaked host key was not found, the utility exits with status `0` and a message:
-```shell
-> The SSH host keys were not found in the SSH host key blacklist.
-> No additional steps are needed/recommended at this time.
-```
-
-#### ghe-ssh-roll-host-keys
-
-This utility rolls the SSH host keys and replaces them with newly generated keys.
-
-```shell
-$ sudo ghe-ssh-roll-host-keys
-Proceed with rolling SSH host keys? This will delete the
-existing keys in /etc/ssh/ssh_host_* and generate new ones. [y/N]
-
-# Press 'Y' to confirm deleting, or use the -y switch to bypass this prompt
-
-> SSH host keys have successfully been rolled.
-```
-
-#### ghe-ssh-weak-fingerprints
-
-This utility returns a report of known weak SSH keys stored on the {% data variables.product.prodname_enterprise %} appliance. You can optionally revoke user keys as a bulk action. The utility will report weak system keys, which you must manually revoke in the [{% data variables.enterprise.management_console %}](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-management-console).
-
-```shell
-# Print a report of weak user and system SSH keys
-$ ghe-ssh-weak-fingerprints
-
-# Revoke all weak user keys
-$ ghe-ssh-weak-fingerprints --revoke
-```
-
-#### ghe-ssl-acme
-
-This utility allows you to install a Let's Encrypt certificate on your {% data variables.product.prodname_enterprise %} appliance. For more information, see "[Configuring TLS](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-tls)."
-
-You can use the `-x` flag to remove the ACME configuration.
-
-```shell
-ghe-ssl-acme -e
-```
-
-#### ghe-ssl-ca-certificate-install
-
-This utility allows you to install a custom root CA certificate on your {% data variables.product.prodname_enterprise %} server. The certificate must be in PEM format. Furthermore, if your certificate provider includes multiple CA certificates in a single file, you must separate them into individual files that you then pass to `ghe-ssl-ca-certificate-install` one at a time.
-
-Run this utility to add a certificate chain for S/MIME commit signature verification. For more information, see "[About commit signature verification](/enterprise/{{ currentVersion }}/user/articles/about-commit-signature-verification/)."
-
-Run this utility when {% data variables.product.product_location %} is unable to connect to another server because the latter is using a self-signed SSL certificate or an SSL certificate for which it doesn't provide the necessary CA bundle. One way to confirm this is to run `openssl s_client -connect host:port -verify 0 -CApath /etc/ssl/certs` from {% data variables.product.product_location %}. If the remote server's SSL certificate can be verified, your `SSL-Session` should have a return code of 0, as shown below.
-
-```
-SSL-Session:
-    Protocol  : TLSv1
-    Cipher    : AES128-SHA
-    Session-ID: C794EBCC3CBC10F747C9AFC029C03C1048FC99CFC34D13D7444E0F267C58DF4C
-    Session-ID-ctx:
-    Master-Key: 02A7C47CFD6EEC87D3C710E9DD87390E04EF82DDD7514AE03127D5DC1945FC0CAEFB5395791AEA598667EFA61B9EA8C5
-    Key-Arg   : None
-    Start Time: 1394581597
-    Timeout   : 300 (sec)
-    Verify return code: 0 (ok)
-```
-
-If, on the other hand, the remote server's SSL certificate can *not* be verified, your `SSL-Session` should have a nonzero return code:
-
-```
-SSL-Session:
-    Protocol  : TLSv1
-    Cipher    : AES128-SHA
-    Session-ID: 82CB288051A6DB66094C50A69CF1292AEE7E54C6B01B659B98AB336F8C33863E
-    Session-ID-ctx:
-    Master-Key: 01B025B2F764043A27919A8D1355AAECD8844FF0831B1D664042334790574A6F4025BAB085D4ED71D71AAB3091B849E5
-    Key-Arg   : None
-    Start Time: 1394581782
-    Timeout   : 300 (sec)
-    Verify return code: 27 (certificate not trusted)
-```
-
-You can use these additional options with the utility:
-- The `-r` flag allows you to uninstall a CA certificate.
-- The `-h` flag displays more usage information.
-
-```shell
-ghe-ssl-ca-certificate-install -c <em>/path/to/certificate</em>
-```
-
-#### ghe-ssl-generate-csr
-
-This utility allows you to generate a private key and certificate signing request (CSR), which you can share with a commercial or private certificate authority to get a valid certificate to use with your instance. For more information, see "[Configuring TLS](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-tls)."
-
-For more information about this command or for additional options, use the `-h` flag.
-
-```shell
-ghe-ssl-generate-csr
-```
-
-#### ghe-storage-extend
-
-Some platforms require this script to expand the user volume. For more information, see "[Increasing Storage Capacity](/enterprise/admin/guides/installation/increasing-storage-capacity/)".
-
-```shell
-$ ghe-storage-extend
-```
-
-#### ghe-version
-
-This utility prints the version, platform, and build of {% data variables.product.product_location %}.
-
-```shell
-$ ghe-version
-```
-
-#### ghe-webhook-logs
-
-This utility returns webhook delivery logs for administrators to review and identify any issues.
-
-```shell
-ghe-webhook-logs
-```
-
-To show all failed hook deliveries in the past day:
-{% if currentVersion ver_gt "enterprise-server@2.22" %}
-```shell
-ghe-webhook-logs -f -a <em>YYYY-MM-DD</em>
-```
-
-The date format should be `YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, or `YYYY-MM-DD HH:MM:SS (+/-) HH:M`.
-{% else %}
-```shell
-ghe-webhook-logs -f -a <em>YYYYMMDD</em>
-```
-{% endif %}
-
-To show the full hook payload, result, and any exceptions for the delivery:
-{% if currentVersion ver_gt "enterprise-server@2.22" %}
-```shell
-ghe-webhook-logs -g <em>delivery-guid</em>
-```
-{% else %}
-```shell
-ghe-webhook-logs -g <em>delivery-guid</em> -v
-```
-{% endif %}
-
-### Clustering
-
-#### ghe-cluster-status
-
-Check the health of your nodes and services in a cluster deployment of {% data variables.product.prodname_ghe_server %}.
-
-```shell
-$ ghe-cluster-status
-```
-
-#### ghe-cluster-support-bundle
-
-This utility creates a support bundle tarball containing important logs from each of the nodes in either a Geo-replication or Clustering configuration.
-
-By default, the command creates the tarball in */tmp*, but you can also have it `cat` the tarball to `STDOUT` for easy streaming over SSH. This is helpful in the case where the web UI is unresponsive or downloading a support bundle from */setup/support* doesn't work. You must use this command if you want to generate an *extended* bundle, containing older logs. You can also use this command to upload the cluster support bundle directly to {% data variables.product.prodname_enterprise %} support.
-
-To create a standard bundle:
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -o' > cluster-support-bundle.tgz
-```
-
-To create an extended bundle:
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -x -o' > cluster-support-bundle.tgz
-```
-
-To send a bundle to {% data variables.contact.github_support %}:
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -u'
-```
-
-To send a bundle to {% data variables.contact.github_support %} and associate the bundle with a ticket:
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -t <em>ticket-id</em>'
-```
-
-{% if currentVersion ver_gt "enterprise-server@2.21" %}
-#### ghe-cluster-failover
-
-Fail over from active cluster nodes to passive cluster nodes. For more information, see "[Initiating a failover to your replica cluster](/enterprise/admin/enterprise-management/initiating-a-failover-to-your-replica-cluster)."
-
-```shell
-ghe-cluster-failover
-```
-{% endif %}
-
-#### ghe-dpages
-
-This utility allows you to manage the distributed {% data variables.product.prodname_pages %} server.
-
-```shell
-ghe-dpages
-```
-
-To show a summary of repository location and health:
-```shell
-ghe-dpages status
-```
-
-To evacuate a {% data variables.product.prodname_pages %} storage service before evacuating a cluster node:
-```shell
-ghe-dpages evacuate pages-server-<em>UUID</em>
-```
-
-#### ghe-spokes
-
-This utility allows you to manage the three copies of each repository on the distributed git servers.
-
-```shell
-ghe-spokes
-```
-
-To show a summary of repository location and health:
-
-```shell
-ghe-spokes status
-```
-
-To show the servers in which the repository is stored:
-
-```shell
-ghe-spokes route
-```
-
-To evacuate storage services on a cluster node:
-
-```shell
-ghe-spokes server evacuate git-server-<em>UUID</em>
-```
-
-#### ghe-storage
-
-This utility allows you to evacuate all storage services before evacuating a cluster node.
-
-```shell
-ghe-storage evacuate storage-server-<em>UUID</em>
-```
-
-### Git
-
-#### ghe-btop
-
-A `top`-like interface for current Git operations.
-
-```shell
-ghe-btop [ <port number> | --help | --usage ]
-```
-
-#### ghe-repo
-
-This utility allows you to change to a repository's directory and open an interactive shell as the `git` user. You can perform manual inspection or maintenance of a repository via commands like `git-*` or `git-nw-*`.
-
-```shell
-ghe-repo <em>username</em>/<em>reponame</em>
-```
-
-#### ghe-repo-gc
-
-This utility manually repackages a repository network to optimize pack storage. If you have a large repository, running this command may help reduce its overall size. {% data variables.product.prodname_enterprise %} automatically runs this command throughout your interaction with a repository network.
-
-You can add the optional `--prune` argument to remove unreachable Git objects that aren't referenced from a branch, tag, or any other ref. This is particularly useful for immediately removing [previously expunged sensitive information](/enterprise/user/articles/remove-sensitive-data/).
-
-```shell
-ghe-repo-gc <em>username</em>/<em>reponame</em>
-```
-
-### Import and export
-
-#### ghe-migrator
-
-`ghe-migrator` is a hi-fidelity tool to help you migrate from one GitHub instance to another. You can consolidate your instances or move your organization, users, teams, and repositories from GitHub.com to {% data variables.product.prodname_enterprise %}.
-
-For more information, please see our guide on [migrating user, organization, and repository data](/enterprise/admin/guides/migrations/).
-
-#### git-import-detect
-
-Given a URL, detect which type of source control management system is at the other end. During a manual import this is likely already known, but this can be very useful in automated scripts.
-```shell
-git-import-detect
-```
-
-#### git-import-hg-raw
-
-This utility imports a Mercurial repository to this Git repository. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
-```shell
-git-import-hg-raw
-```
-
-#### git-import-svn-raw
-
-This utility imports Subversion history and file data into a Git branch. This is a straight copy of the tree, ignoring any trunk or branch distinction. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
-```shell
-git-import-svn-raw
-```
-
-#### git-import-tfs-raw
-
-This utility imports from Team Foundation Version Control (TFVC). For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
-```shell
-git-import-tfs-raw
-```
-
-#### git-import-rewrite
-
-This utility rewrites the imported repository. This gives you a chance to rename authors and, for Subversion and TFVC, produces Git branches based on folders. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
-```shell
-git-import-rewrite
-```
-
-### Support
-
-#### ghe-diagnostics
-
-This utility performs a variety of checks and gathers information about your installation that you can send to support to help diagnose problems you're having.
-
-Currently, this utility's output is similar to downloading the diagnostics info in the {% data variables.enterprise.management_console %}, but may have additional improvements added to it over time that aren't available in the web UI. For more information, see "[Creating and sharing diagnostic files](/enterprise/admin/guides/enterprise-support/providing-data-to-github-support#creating-and-sharing-diagnostic-files)."
-
-```shell
-ghe-diagnostics
-```
-
-#### ghe-support-bundle
-
-{% data reusables.enterprise_enterprise_support.use_ghe_cluster_support_bundle %}
-This utility creates a support bundle tarball containing important logs from your instance.
-
-By default, the command creates the tarball in */tmp*, but you can also have it `cat` the tarball to `STDOUT` for easy streaming over SSH. This is helpful in the case where the web UI is unresponsive or downloading a support bundle from */setup/support* doesn't work. You must use this command if you want to generate an *extended* bundle, containing older logs. You can also use this command to upload the support bundle directly to {% data variables.product.prodname_enterprise %} support.
-
-To create a standard bundle:
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -o' > support-bundle.tgz
-```
-
-To create an extended bundle:
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -x -o' > support-bundle.tgz
-```
-
-To send a bundle to {% data variables.contact.github_support %}:
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -u'
-```
-
-To send a bundle to {% data variables.contact.github_support %} and associate the bundle with a ticket:
-
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -t <em>ticket-id</em>'
-```
-
-#### ghe-support-upload
-
-This utility sends information from your appliance to {% data variables.product.prodname_enterprise %} support. You can either specify a local file, or provide a stream of up to 100MB of data via `STDIN`. The uploaded data can optionally be associated with a support ticket.
-
-To send a file to {% data variables.contact.github_support %} and associate the file with a ticket:
-```shell
-ghe-support-upload -f <em>path/to/your/file</em> -t <em>ticket-id</em>
-```
-
-To upload data via `STDIN` and associating the data with a ticket:
-```shell
-<em>ghe-repl-status -vv</em> | ghe-support-upload -t <em>ticket-id</em> -d "<em>Verbose Replication Status</em>"
-```
-
-In this example, `ghe-repl-status -vv` sends verbose status information from a replica appliance. You should replace `ghe-repl-status -vv` with the specific data you'd like to stream to `STDIN`, and `Verbose Replication Status` with a brief description of the data. {% data reusables.enterprise_enterprise_support.support_will_ask_you_to_run_command %}
-
-### Upgrading {% data variables.product.prodname_ghe_server %}
-
-#### ghe-upgrade
-
-This utility installs or verifies an upgrade package. You can also use this utility to roll back a patch release if an upgrade fails or is interrupted. For more information, see "[Upgrading {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/guides/installation/upgrading-github-enterprise-server/)."
-
-To verify an upgrade package:
-```shell
-ghe-upgrade --verify <em>UPGRADE-PACKAGE-FILENAME</em>
-```
-
-To install an upgrade package:
-```shell
-ghe-upgrade <em>UPGRADE-PACKAGE-FILENAME</em>
-```
-
-{% data reusables.enterprise_installation.command-line-utilities-ghe-upgrade-rollback %}
-
-#### ghe-upgrade-scheduler
-
-This utility manages scheduled installation of upgrade packages. You can show, create new, or remove scheduled installations. You must create schedules using cron expressions. For more information, see the [Cron Wikipedia entry](https://en.wikipedia.org/wiki/Cron#Overview).
-
-To schedule a new installation for a package:
-```shell
-$ ghe-upgrade-scheduler -c "0 2 15 12 *" <em>UPGRADE-PACKAGE-FILENAME</em>
-```
-
-To show scheduled installations for a package:
-```shell
-$ ghe-upgrade-scheduler -s <em>UPGRADE PACKAGE FILENAME</em>
-> 0 2 15 12 * /usr/local/bin/ghe-upgrade -y -s <em>UPGRADE-PACKAGE-FILENAME</em> > /data/user/common/<em>UPGRADE-PACKAGE-FILENAME</em>.log 2>&1
-```
-
-To remove scheduled installations for a package:
-```shell
-$ ghe-upgrade-scheduler -r <em>UPGRADE PACKAGE FILENAME</em>
-```
-
-#### ghe-update-check
-
-This utility will check to see if a new patch release of {% data variables.product.prodname_enterprise %} is available. If it is, and if space is available on your instance, it will download the package. By default, it's saved to */var/lib/ghe-updates*. An administrator can then [perform the upgrade](/enterprise/admin/guides/installation/updating-the-virtual-machine-and-physical-resources/).
-
-A file containing the status of the download is available at */var/lib/ghe-updates/ghe-update-check.status*.
-
-To check for the latest {% data variables.product.prodname_enterprise %} release, use the `-i` switch.
-
-```shell
-$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-update-check'
-```
-
-### User management
-
-#### ghe-license-usage
-
-This utility exports a list of the installation's users in JSON format. If your instance is connected to {% data variables.product.prodname_ghe_cloud %}, {% data variables.product.prodname_ghe_server %} uses this information for reporting licensing information to {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %} ](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
-
-By default, the list of users in the resulting JSON file is encrypted. Use the `-h` flag for more options.
-
-```shell
-ghe-license-usage
-```
-
-#### ghe-org-membership-update
-
-This utility will enforce the default organization membership visibility setting on all members in your instance. For more information, see "[Configuring visibility for organization membership](/enterprise/{{ currentVersion }}/admin/guides/user-management/configuring-visibility-for-organization-membership)." Setting options are `public` or `private`.
-
-```shell
-ghe-org-membership-update --visibility=<em>SETTING</em>
-```
-
-#### ghe-user-csv
-
-This utility exports a list of all the users in the installation into CSV format. The CSV file includes the email address, which type of user they are (e.g., admin, user), how many repositories they have, how many SSH keys, how many organization memberships, last logged IP address, etc. Use the `-h` flag for more options.
-
-```shell
-ghe-user-csv -o > users.csv
-```
-
-#### ghe-user-demote
-
-This utility demotes the specified user from admin status to that of a regular user. We recommend using the web UI to perform this action, but provide this utility in case the `ghe-user-promote` utility is run in error and you need to demote a user again from the CLI.
-
-```shell
-ghe-user-demote <em>some-user-name</em>
-```
-
-#### ghe-user-promote
-
-This utility promotes the specified user account to a site administrator.
-
-```shell
-ghe-user-promote <em>some-user-name</em>
-```
-
-#### ghe-user-suspend
-
-This utility suspends the specified user, preventing them from logging in, pushing, or pulling from your repositories.
-
-```shell
-ghe-user-suspend <em>some-user-name</em>
-```
-
-#### ghe-user-unsuspend
-
-This utility unsuspends the specified user, granting them access to login, push, and pull from your repositories.
-
-```shell
-ghe-user-unsuspend <em>some-user-name</em>
-```

content/admin/configuration/configuring-a-hostname.md

@@ -1,33 +0,0 @@
----
-title: Configuring a hostname
-intro: We recommend setting a hostname for your appliance instead of using a hard-coded IP address.
-redirect_from:
-  - /enterprise/admin/guides/installation/configuring-hostnames/
-  - /enterprise/admin/installation/configuring-a-hostname
-  - /enterprise/admin/configuration/configuring-a-hostname
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
----
-
-If you configure a hostname instead of a hard-coded IP address, you will be able to change the physical hardware that {% data variables.product.product_location %} runs on without affecting users or client software.
-
-The hostname setting in the {% data variables.enterprise.management_console %} should be set to an appropriate fully qualified domain name (FQDN) which is resolvable on the internet or within your internal network. For example, your hostname setting could be `github.companyname.com.` We also recommend enabling subdomain isolation for the chosen hostname to mitigate several cross-site scripting style vulnerabilities. For more information on hostname settings, see [Section 2.1 of the HTTP RFC](https://tools.ietf.org/html/rfc1123#section-2).
-
-{% data reusables.enterprise_installation.changing-hostname-not-supported %}
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.hostname-menu-item %}
-4. Type the hostname you'd like to set for {% data variables.product.product_location %}.
-  ![Field for setting a hostname](/assets/images/enterprise/management-console/hostname-field.png)
-5. To test the DNS and SSL settings for the new hostname, click **Test domain settings**.
-  ![Test domain settings button](/assets/images/enterprise/management-console/test-domain-settings.png)
-{% data reusables.enterprise_management_console.test-domain-settings-failure %}
-{% data reusables.enterprise_management_console.save-settings %}
-
-After you configure a hostname, we recommend that you enable subdomain isolation for {% data variables.product.product_location %}. For more information, see "[Enabling subdomain isolation](/enterprise/{{ currentVersion }}/admin/guides/installation/enabling-subdomain-isolation/)."

content/admin/configuration/configuring-an-outbound-web-proxy-server.md

@@ -1,34 +0,0 @@
----
-title: Configuring an outbound web proxy server
-intro: 'A proxy server provides an additional level of security for {% data variables.product.product_location %}.'
-redirect_from:
-  - /enterprise/admin/guides/installation/configuring-a-proxy-server/
-  - /enterprise/admin/installation/configuring-an-outbound-web-proxy-server
-  - /enterprise/admin/configuration/configuring-an-outbound-web-proxy-server
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Networking
----
-When a proxy server is enabled for {% data variables.product.product_location %}, outbound messages sent by {% data variables.product.prodname_ghe_server %} are first sent through the proxy server, unless the destination host is added as an HTTP proxy exclusion. Types of outbound messages include outgoing webhooks, uploading bundles, and fetching legacy avatars. The proxy server's URL is the protocol, domain or IP address, plus the port number, for example `http://127.0.0.1:8123`.
-
-{% note %}
-
-**Note:**  To connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, your proxy configuration must allow connectivity to `github.com` and `api.github.com`. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/{{ currentVersion }}/admin/guides/developer-workflow/connecting-github-enterprise-server-to-github-com)."
-
-{% endnote %}
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.privacy %}
-4. Under **HTTP Proxy Server**, type the URL of your proxy server.
-  ![Field to type the HTTP Proxy Server URL](/assets/images/enterprise/management-console/http-proxy-field.png)
-  
-5. Optionally, under **HTTP Proxy Exclusion**, type any hosts that do not require proxy access, separating hosts with commas. To exclude all hosts in a domain from requiring proxy access, you can use `.` as a wildcard prefix.  For example: `.octo-org.tentacle`
-  ![Field to type any HTTP Proxy Exclusions](/assets/images/enterprise/management-console/http-proxy-exclusion-field.png)
-
-{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-applications.md

@@ -1,25 +0,0 @@
----
-title: Configuring applications
-intro: 'You can configure internal application settings for {% data variables.product.product_location %}.'
-redirect_from:
-  - /enterprise/admin/installation/configuring-applications
-  - /enterprise/admin/configuration/configuring-applications
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
----
-
-### Adjusting image caching
-
-You can choose the amount of time that {% data variables.product.product_location %} caches avatars. When you increase the cache time, you increase the amount of time a user's avatar will take to load. Configuring the cache time with too low a value can overload {% data variables.product.product_location %} work processes. 
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-3. In the left sidebar, click **Applications**.
-![Applications tab in the settings sidebar](/assets/images/enterprise/management-console/sidebar-applications.png)
-4. Under "Avatar image cache time (seconds)", type the number of seconds that you would like {% data variables.product.product_location %} to cache avatar images.
-![Avatar image caching form field](/assets/images/enterprise/management-console/add-image-caching-value-field.png)
-{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-backups-on-your-appliance.md

@@ -1,125 +0,0 @@
----
-title: Configuring backups on your appliance
-shortTitle: Configuring backups
-redirect_from:
-  - /enterprise/admin/categories/backups-and-restores/
-  - /enterprise/admin/articles/backup-and-recovery/
-  - /enterprise/admin/articles/backing-up-github-enterprise/
-  - /enterprise/admin/articles/restoring-github-enterprise/
-  - /enterprise/admin/articles/backing-up-repository-data/
-  - /enterprise/admin/articles/restoring-enterprise-data/
-  - /enterprise/admin/articles/restoring-repository-data/
-  - /enterprise/admin/articles/backing-up-enterprise-data/
-  - /enterprise/admin/guides/installation/backups-and-disaster-recovery/
-  - /enterprise/admin/installation/configuring-backups-on-your-appliance
-  - /enterprise/admin/configuration/configuring-backups-on-your-appliance
-intro: 'As part of a disaster recovery plan, you can protect production data on {% data variables.product.product_location %} by configuring automated backups.'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Backups
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
----
-
-### About {% data variables.product.prodname_enterprise_backup_utilities %}
-
-{% data variables.product.prodname_enterprise_backup_utilities %} is a backup system you install on a separate host, which takes backup snapshots of {% data variables.product.product_location %} at regular intervals over a secure SSH network connection. You can use a snapshot to restore an existing {% data variables.product.prodname_ghe_server %} instance to a previous state from the backup host.
-
-Only data added since the last snapshot will transfer over the network and occupy additional physical storage space. To minimize performance impact, backups are performed online under the lowest CPU/IO priority. You do not need to schedule a maintenance window to perform a backup.
-
-For more detailed information on features, requirements, and advanced usage, see the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#readme).
-
-### Prerequisites
-
-To use {% data variables.product.prodname_enterprise_backup_utilities %}, you must have a Linux or Unix host system separate from {% data variables.product.product_location %}.
-
-You can also integrate {% data variables.product.prodname_enterprise_backup_utilities %} into an existing environment for long-term permanent storage of critical data.
-
-We recommend that the backup host and {% data variables.product.product_location %} be geographically distant from each other. This ensures that backups are available for recovery in the event of a major disaster or network outage at the primary site.
-
-Physical storage requirements will vary based on Git repository disk usage and expected growth patterns:
-
-| Hardware | Recommendation |
-| -------- | --------- |
-| **vCPUs**  | 2 |
-| **Memory** | 2 GB |
-| **Storage** | Five times the primary instance's allocated storage |
-
-More resources may be required depending on your usage, such as user activity and selected integrations.
-
-### Installing {% data variables.product.prodname_enterprise_backup_utilities %}
-
-{% note %}
-
-**Note:** To ensure a recovered appliance is immediately available, perform backups targeting the primary instance even in a Geo-replication configuration.
-
-{% endnote %}
-
-1. Download the latest [{% data variables.product.prodname_enterprise_backup_utilities %} release](https://github.com/github/backup-utils/releases) and extract the file with the `tar` command.
-  ```shell
-  $ tar -xzvf /path/to/github-backup-utils-v<em>MAJOR.MINOR.PATCH</em>.tar.gz	  
-  ```
-2. Copy the included `backup.config-example` file to `backup.config` and open in an editor.
-3. Set the `GHE_HOSTNAME` value to your primary {% data variables.product.prodname_ghe_server %} instance's hostname or IP address.
-4. Set the `GHE_DATA_DIR` value to the filesystem location where you want to store backup snapshots.
-5. Open your primary instance's settings page at `https://HOSTNAME/setup/settings` and add the backup host's SSH key to the list of authorized SSH keys. For more information, see [Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/).
-5. Verify SSH connectivity with {% data variables.product.product_location %} with the `ghe-host-check` command.
-  ```shell
-  $ bin/ghe-host-check		  
-  ```		  
-  6. To create an initial full backup, run the `ghe-backup` command.
-  ```shell
-  $ bin/ghe-backup		  
-  ```
-
-For more information on advanced usage, see the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#readme).
-
-### Scheduling a backup
-
-You can schedule regular backups on the backup host using the `cron(8)` command or a similar command scheduling service. The configured backup frequency will dictate the worst case recovery point objective (RPO) in your recovery plan. For example, if you have scheduled the backup to run every day at midnight, you could lose up to 24 hours of data in a disaster scenario. We recommend starting with an hourly backup schedule, guaranteeing a worst case maximum of one hour of data loss if the primary site data is destroyed.
-
-If backup attempts overlap, the `ghe-backup` command will abort with an error message, indicating the existence of a simultaneous backup. If this occurs, we recommended decreasing the frequency of your scheduled backups. For more information, see the "Scheduling backups" section of the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#scheduling-backups).
-
-### Restoring a backup
-
-In the event of prolonged outage or catastrophic event at the primary site, you can restore {% data variables.product.product_location %} by provisioning another {% data variables.product.prodname_enterprise %} appliance and performing a restore from the backup host. You must add the backup host's SSH key to the target {% data variables.product.prodname_enterprise %} appliance as an authorized SSH key before restoring an appliance.
-
-{%if currentVersion ver_gt "enterprise-server@2.22"%}
-{% note %}
-
-**Note:** If {% data variables.product.product_location %} has {% data variables.product.prodname_actions %} enabled, you must first configure the {% data variables.product.prodname_actions %} external storage provider on the replacement appliance before running the `ghe-restore` command. For more information, see "[Backing up and restoring {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_actions %} enabled](/admin/github-actions/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled)."
-
-{% endnote %}
-{% endif %}
-
-To restore {% data variables.product.product_location %} from the last successful snapshot, use the `ghe-restore` command. You should see output similar to this:
-
-```shell
-$ ghe-restore -c 169.154.1.1
-> Checking for leaked keys in the backup snapshot that is being restored ...
-> * No leaked keys found
-> Connect 169.154.1.1:122 OK (v2.9.0)
-
-> WARNING: All data on GitHub Enterprise appliance 169.154.1.1 (v2.9.0)
->          will be overwritten with data from snapshot 20170329T150710.
-> Please verify that this is the correct restore host before continuing.
-> Type 'yes' to continue: <em>yes</em>
-
-> Starting restore of 169.154.1.1:122 from snapshot 20170329T150710
-# ...output truncated
-> Completed restore of 169.154.1.1:122 from snapshot 20170329T150710
-> Visit https://169.154.1.1/setup/settings to review appliance configuration.
-```
-
-{% note %}
-
-**Note:** The network settings are excluded from the backup snapshot. You must manually configure the network on the target {% data variables.product.prodname_ghe_server %} appliance as required for your environment.
-
-{% endnote %}
-
-You can use these additional options with `ghe-restore` command:
-- The `-c` flag overwrites the settings, certificate, and license data on the target host even if it is already configured. Omit this flag if you are setting up a staging instance for testing purposes and you wish to retain the existing configuration on the target. For more information, see the "Using using backup and restore commands" section of the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#using-the-backup-and-restore-commands).
-- The `-s` flag allows you to select a different backup snapshot.

content/admin/configuration/configuring-built-in-firewall-rules.md

@@ -1,122 +0,0 @@
----
-title: Configuring built-in firewall rules
-intro: 'You can view default firewall rules and customize rules for {% data variables.product.product_location %}.'
-redirect_from:
-  - /enterprise/admin/guides/installation/configuring-firewall-settings/
-  - /enterprise/admin/installation/configuring-built-in-firewall-rules
-  - /enterprise/admin/configuration/configuring-built-in-firewall-rules
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Networking
----
-
-### About {% data variables.product.product_location %}'s firewall
-
-{% data variables.product.prodname_ghe_server %} uses Ubuntu's Uncomplicated Firewall (UFW) on the virtual appliance. For more information see "[UFW](https://help.ubuntu.com/community/UFW)" in the Ubuntu documentation. {% data variables.product.prodname_ghe_server %} automatically updates the firewall allowlist of allowed services with each release.
-
-After you install {% data variables.product.prodname_ghe_server %}, all required network ports are automatically opened to accept connections. Every non-required port is automatically configured as `deny`, and the default outgoing policy is configured as `allow`. Stateful tracking is enabled for any new connections; these are typically network packets with the `SYN` bit set. For more information, see "[Network ports](/enterprise/admin/guides/installation/network-ports)."
-
-The UFW firewall also opens several other ports that are required for {% data variables.product.prodname_ghe_server %} to operate properly. For more information on the UFW rule set, see [the UFW README](https://bazaar.launchpad.net/~jdstrand/ufw/0.30-oneiric/view/head:/README#L213).
-
-### Viewing the default firewall rules
-
-{% data reusables.enterprise_installation.ssh-into-instance %}
-2. To view the default firewall rules, use the `sudo ufw status` command. You should see output similar to this:
-  ```shell
-  $ sudo ufw status
-  > Status: active
-  > To                         Action      From
-  > --                         ------      ----
-  > ghe-1194                   ALLOW       Anywhere
-  > ghe-122                    ALLOW       Anywhere
-  > ghe-161                    ALLOW       Anywhere
-  > ghe-22                     ALLOW       Anywhere
-  > ghe-25                     ALLOW       Anywhere
-  > ghe-443                    ALLOW       Anywhere
-  > ghe-80                     ALLOW       Anywhere
-  > ghe-8080                   ALLOW       Anywhere
-  > ghe-8443                   ALLOW       Anywhere
-  > ghe-9418                   ALLOW       Anywhere
-  > ghe-1194 (v6)              ALLOW       Anywhere (v6)
-  > ghe-122 (v6)               ALLOW       Anywhere (v6)
-  > ghe-161 (v6)               ALLOW       Anywhere (v6)
-  > ghe-22 (v6)                ALLOW       Anywhere (v6)
-  > ghe-25 (v6)                ALLOW       Anywhere (v6)
-  > ghe-443 (v6)               ALLOW       Anywhere (v6)
-  > ghe-80 (v6)                ALLOW       Anywhere (v6)
-  > ghe-8080 (v6)              ALLOW       Anywhere (v6)
-  > ghe-8443 (v6)              ALLOW       Anywhere (v6)
-  > ghe-9418 (v6)              ALLOW       Anywhere (v6)
-  ```
-
-### Adding custom firewall rules
-
-{% warning %}
-
-**Warning:** Before you add custom firewall rules, back up your current rules in case you need to reset to a known working state. If you're locked out of your server, contact {% data variables.contact.contact_ent_support %} to reconfigure the original firewall rules. Restoring the original firewall rules involves downtime for your server.
-
-{% endwarning %}
-
-1. Configure a custom firewall rule.
-2. Check the status of each new rule with the `status numbered` command.
-  ```shell
-  $ sudo ufw status numbered
-  ```
-3. To back up your custom firewall rules, use the `cp`command to move the rules to a new file.
-  ```shell
-  $ sudo cp -r /lib/ufw ~/ufw.backup
-  ```
-
-After you upgrade {% data variables.product.product_location %}, you must reapply your custom firewall rules. We recommend that you create a script to reapply your firewall custom rules.
-
-### Restoring the default firewall rules
-
-If something goes wrong after you change the firewall rules, you can reset the rules from your original backup.
-
-{% warning %}
-
-**Warning:** If you didn't back up the original rules before making changes to the firewall, contact {% data variables.contact.contact_ent_support %} for further assistance.
-
-{% endwarning %}
-
-{% data reusables.enterprise_installation.ssh-into-instance %}
-2. To restore the previous backup rules, copy them back to the firewall with the `cp` command.
-  ```shell
-  $ sudo cp -f ~/ufw.backup/*rules /lib/ufw
-  ```
-3. Restart the firewall with the `systemctl` command.
-  ```shell
-  $ sudo systemctl restart ufw
-  ```
-4. Confirm that the rules are back to their defaults with the `ufw status` command.
-  ```shell
-  $ sudo ufw status
-  > Status: active
-  > To                         Action      From
-  > --                         ------      ----
-  > ghe-1194                   ALLOW       Anywhere
-  > ghe-122                    ALLOW       Anywhere
-  > ghe-161                    ALLOW       Anywhere
-  > ghe-22                     ALLOW       Anywhere
-  > ghe-25                     ALLOW       Anywhere
-  > ghe-443                    ALLOW       Anywhere
-  > ghe-80                     ALLOW       Anywhere
-  > ghe-8080                   ALLOW       Anywhere
-  > ghe-8443                   ALLOW       Anywhere
-  > ghe-9418                   ALLOW       Anywhere
-  > ghe-1194 (v6)              ALLOW       Anywhere (v6)
-  > ghe-122 (v6)               ALLOW       Anywhere (v6)
-  > ghe-161 (v6)               ALLOW       Anywhere (v6)
-  > ghe-22 (v6)                ALLOW       Anywhere (v6)
-  > ghe-25 (v6)                ALLOW       Anywhere (v6)
-  > ghe-443 (v6)               ALLOW       Anywhere (v6)
-  > ghe-80 (v6)                ALLOW       Anywhere (v6)
-  > ghe-8080 (v6)              ALLOW       Anywhere (v6)
-  > ghe-8443 (v6)              ALLOW       Anywhere (v6)
-  > ghe-9418 (v6)              ALLOW       Anywhere (v6)
-  ```

content/admin/configuration/configuring-data-encryption-for-your-enterprise.md

@@ -1,24 +0,0 @@
----
-title: Configuring data encryption for your enterprise
-shortTitle: Configuring data encryption
-intro: 'For encryption at rest, you can provide your own encryption key to encrypt your data under your encryption policies.'
-versions:
-  github-ae: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Security
----
-
-{% note %}
-
-**Note:** Configuring encryption at rest with a customer-managed key is currently in beta and subject to change.
-
-{% endnote %}
-
-### About data encryption
-
-To provide a high level of security, {% data variables.product.product_name %} encrypts your data while at rest in the data centers and while your data is in transit between users' machines and the data centers.
-
-For encryption in transit, {% data variables.product.product_name %} uses Transport Layer Security (TLS). For encryption at rest, {% data variables.product.product_name %} provides a default RSA key. 

content/admin/configuration/configuring-dns-nameservers.md

@@ -1,40 +0,0 @@
----
-title: Configuring DNS nameservers
-intro: '{% data variables.product.prodname_ghe_server %} uses the dynamic host configuration protocol (DHCP) for DNS settings when DHCP leases provide nameservers. If nameservers are not provided by a dynamic host configuration protocol (DHCP) lease, or if you need to use specific DNS settings, you can specify the nameservers manually.'
-redirect_from:
-  - /enterprise/admin/guides/installation/about-dns-nameservers/
-  - /enterprise/admin/installation/configuring-dns-nameservers
-  - /enterprise/admin/configuration/configuring-dns-nameservers
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Networking
----
-
-The nameservers you specify must resolve {% data variables.product.product_location %}'s hostname.
-
-{% data reusables.enterprise_installation.changing-hostname-not-supported %}
-
-### Configuring nameservers using the virtual machine console
-
-{% data reusables.enterprise_installation.open-vm-console-start %}
-2. Configure nameservers for your instance.
-{% data reusables.enterprise_installation.vm-console-done %}
-
-### Configuring nameservers using the administrative shell
-
-{% data reusables.enterprise_installation.ssh-into-instance %}
-2. To edit your nameservers, enter:
-  ```shell
-  $ sudo vim /etc/resolvconf/resolv.conf.d/head
-  ```
-3. Append any `nameserver` entries, then save the file.
-4. After verifying your changes, save the file.
-5. To add your new nameserver entries to {% data variables.product.product_location %}, enter:
-  ```shell
-  $ sudo service resolvconf restart
-  ```

content/admin/configuration/configuring-email-for-notifications.md

@@ -1,188 +0,0 @@
----
-title: Configuring email for notifications
-intro: 'To make it easy for users to respond quickly to activity on {% data variables.product.product_name %}, you can configure {% data variables.product.product_location %} to send email notifications for issue, pull request, and commit comments.'
-redirect_from:
-  - /enterprise/admin/guides/installation/email-configuration/
-  - /enterprise/admin/articles/configuring-email/
-  - /enterprise/admin/articles/troubleshooting-email/
-  - /enterprise/admin/articles/email-configuration-and-troubleshooting/
-  - /enterprise/admin/user-management/configuring-email-for-notifications
-versions:
-  enterprise-server: '*'
-  github-ae: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Notifications
----
-
-{% if currentVersion == "github-ae@latest" %}
-Enterprise owners can configure email for notifications.
-{% endif %}
-### Configuring SMTP for your enterprise
-
-{% if enterpriseServerVersions contains currentVersion %}
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-2. At the top of the page, click **Settings**.
-![Settings tab](/assets/images/enterprise/management-console/settings-tab.png)
-3. In the left sidebar, click **Email**.
-![Email tab](/assets/images/enterprise/management-console/email-sidebar.png)
-4. Select **Enable email**. This will enable both outbound and inbound email, however for inbound email to work you will also need to configure your DNS settings as described below in "[Configuring DNS and firewall
-settings to allow incoming emails](#configuring-dns-and-firewall-settings-to-allow-incoming-emails)."
-![Enable outbound email](/assets/images/enterprise/management-console/enable-outbound-email.png)
-5. Type the settings for your SMTP server.
-      - In the **Server address** field, type the address of your SMTP server.
-      - In the **Port** field, type the port that your SMTP server uses to send email.
-      - In the **Domain** field, type the domain name that your SMTP server will send with a HELO response, if any.
-      - Select the **Authentication** dropdown, and choose the type of encryption used by your SMTP server.
-      - In the **No-reply email address** field, type the email address to use in the From and To fields for all notification emails.      
-6. If you want to discard all incoming emails that are addressed to the no-reply email address, select **Discard email addressed to the no-reply email address**.
-![Checkbox to discard emails addressed to the no-reply email address](/assets/images/enterprise/management-console/discard-noreply-emails.png)
-7. Under **Support**, choose a type of link to offer additional support to your users.
-    - **Email:** An internal email address.
-    - **URL:** A link to an internal support site. You must include either `http://` or `https://`.
-  ![Support email or URL](/assets/images/enterprise/management-console/support-email-url.png)
-8. [Test email delivery](#testing-email-delivery).
-{% elsif currentVersion == "github-ae@latest" %}
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.email-tab %}
-2. Select **Enable email**.
-  !["Enable" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-enable-email-configure.png)
-3. Type the settings for your email server.
-    - In the **Server address** field, type the address of your SMTP server.
-    - In the **Port** field, type the port that your SMTP server uses to send email.
-    - In the **Domain** field, type the domain name that your SMTP server will send with a HELO response, if any.
-    - Select the **Authentication** dropdown, and choose the type of encryption used by your SMTP server.
-    - In the **No-reply email address** field, type the email address to use in the From and To fields for all notification emails.
-4. If you want to discard all incoming emails that are addressed to the no-reply email address, select **Discard email addressed to the no-reply email address**.
-  !["Discard" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-discard-email.png)
-5. Click **Test email settings**.
-  !["Test email settings" button for email settings configuration](/assets/images/enterprise/configuration/ae-test-email.png)
-6. Under "Send test email to," type the email address where you want to send a test email, then click **Send test email**.
-  !["Send test email" button for email settings configuration](/assets/images/enterprise/configuration/ae-send-test-email.png)
-7. Click **Save**.
-  !["Save" button for enterprise support contact configuration](/assets/images/enterprise/configuration/ae-save.png)
-{% endif %}
-
-{% if enterpriseServerVersions contains currentVersion %}
-### Testing email delivery
-
-1. At the top of the **Email** section, click **Test email settings**.
-![Test email settings](/assets/images/enterprise/management-console/test-email.png)
-2. In the **Send test email to** field, type an address to send the test email to.
-![Test email address](/assets/images/enterprise/management-console/test-email-address.png)
-3. Click **Send test email**.
-![Send test email](/assets/images/enterprise/management-console/test-email-address-send.png)
-
-  {% tip %}
-
-  **Tip:** If SMTP errors occur while sending a test email—such as an immediate delivery failure or an outgoing mail configuration error—you will see them in the Test email settings dialog box.
-
-  {% endtip %}
-
-4. If the test email fails, [troubleshoot your email settings](#troubleshooting-email-delivery).
-5. When the test email succeeds, at the bottom of the page, click **Save settings**.
-![Save settings button](/assets/images/enterprise/management-console/save-settings.png)
-6. Wait for the configuration run to complete.
-![Configuring your instance](/assets/images/enterprise/management-console/configuration-run.png)
-
-### Configuring DNS and firewall settings to allow incoming emails
-
-If you want to allow email replies to notifications, you must configure your DNS settings.
-
-1. Ensure that port 25 on the instance is accessible to your SMTP server.
-2. Create an A record that points to `reply.[hostname]`. Depending on your DNS provider and instance host configuration, you may be able to instead create a single A record that points to `*.[hostname]`.
-3. Create an MX record that points to `reply.[hostname]` so that emails to that domain are routed to the instance.
-4. Create an MX record that points `noreply.[hostname]` to `[hostname]` so that replies to the `cc` address in notification emails are routed to the instance. For more information, see {% if currentVersion ver_gt "enterprise-server@2.20" %}"[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications){% else %}"[About email notifications](/github/receiving-notifications-about-activity-on-github/about-email-notifications){% endif %}."
-
-### Troubleshooting email delivery
-
-#### Create a Support Bundle
-
-If you cannot determine what is wrong from the displayed error message, you can download a [support bundle](/enterprise/{{ currentVersion }}/admin/guides/enterprise-support/providing-data-to-github-support) containing the entire SMTP conversation between your mail server and {% data variables.product.prodname_ghe_server %}. Once you've downloaded and extracted the bundle, check the entries in *enterprise-manage-logs/unicorn.log* for the entire SMTP conversation log and any related errors.
-
-The unicorn log should show a transaction similar to the following:
-
-```shell
-This is a test email generated from https://10.0.0.68/setup/settings
-Connection opened: smtp.yourdomain.com:587
--> "220 smtp.yourdomain.com ESMTP nt3sm2942435pbc.14\r\n"
-<- "EHLO yourdomain.com\r\n"
--> "250-smtp.yourdomain.com at your service, [1.2.3.4]\r\n"
--> "250-SIZE 35882577\r\n"
--> "250-8BITMIME\r\n"
--> "250-STARTTLS\r\n"
--> "250-ENHANCEDSTATUSCODES\r\n"
--> "250 PIPELINING\r\n"
-<- "STARTTLS\r\n"
--> "220 2.0.0 Ready to start TLS\r\n"
-TLS connection started
-<- "EHLO yourdomain.com\r\n"
--> "250-smtp.yourdomain.com at your service, [1.2.3.4]\r\n"
--> "250-SIZE 35882577\r\n"
--> "250-8BITMIME\r\n"
--> "250-AUTH LOGIN PLAIN XOAUTH\r\n"
--> "250-ENHANCEDSTATUSCODES\r\n"
--> "250 PIPELINING\r\n"
-<- "AUTH LOGIN\r\n"
--> "334 VXNlcm5hbWU6\r\n"
-<- "dGhpc2lzbXlAYWRkcmVzcy5jb20=\r\n"
--> "334 UGFzc3dvcmQ6\r\n"
-<- "aXRyZWFsbHl3YXM=\r\n"
--> "535-5.7.1 Username and Password not accepted. Learn more at\r\n"
--> "535 5.7.1 http://support.yourdomain.com/smtp/auth-not-accepted nt3sm2942435pbc.14\r\n"
-```
-
-This log shows that the appliance:
-
-* Opened a connection with the SMTP server (`Connection opened: smtp.yourdomain.com:587`).
-* Successfully made a connection and chose to use TLS (`TLS connection started`).
-* The `login` authentication type was performed (`<- "AUTH LOGIN\r\n"`).
-* The SMTP Server rejected the authentication as invalid (`-> "535-5.7.1 Username and Password not accepted.`).
-
-#### Check {% data variables.product.product_location %} logs
-
-If you need to verify that your inbound email is functioning, there are two log files that you can examine on your instance: To verify that */var/log/mail.log* and */var/log/mail-replies/metroplex.log*.
-
-*/var/log/mail.log* verifies that messages are reaching your server. Here's an example of a successful email reply:
-
-```
-Oct 30 00:47:18 54-171-144-1 postfix/smtpd[13210]: connect from st11p06mm-asmtp002.mac.com[17.172.124.250]
-Oct 30 00:47:19 54-171-144-1 postfix/smtpd[13210]: 51DC9163323: client=st11p06mm-asmtp002.mac.com[17.172.124.250]
-Oct 30 00:47:19 54-171-144-1 postfix/cleanup[13216]: 51DC9163323: message-id=<b2b9c260-4aaa-4a93-acbb-0b2ddda68579@me.com>
-Oct 30 00:47:19 54-171-144-1 postfix/qmgr[17250]: 51DC9163323: from=<tcook@icloud.com>, size=5048, nrcpt=1 (queue active)
-Oct 30 00:47:19 54-171-144-1 postfix/virtual[13217]: 51DC9163323: to=<reply+i-1-1801beb4df676a79250d1e61e54ab763822c207d-5@reply.ghe.tjl2.co.ie>, relay=virtual, delay=0.12, delays=0.11/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
-Oct 30 00:47:19 54-171-144-1 postfix/qmgr[17250]: 51DC9163323: removed
-Oct 30 00:47:19 54-171-144-1 postfix/smtpd[13210]: disconnect from st11p06mm-asmtp002.mac.com[17.172.124.250]
-```
-
-Note that the client first connects; then, the queue becomes active. Then, the message is delivered, the client is removed from the queue, and the session disconnects.
-
-*/var/log/mail-replies/metroplex.log* shows whether inbound emails are being processed to add to issues and pull requests as replies. Here's an example of a successful message:
-
-```
-[2014-10-30T00:47:23.306 INFO (5284) #] metroplex: processing <b2b9c260-4aaa-4a93-acbb-0b2ddda68579@me.com>
-[2014-10-30T00:47:23.333 DEBUG (5284) #] Matched /data/user/mail/reply/new/1414630039.Vfc00I12000eM445784.ghe-tjl2-co-ie
-[2014-10-30T00:47:23.334 DEBUG (5284) #] Moving /data/user/mail/reply/new/1414630039.Vfc00I12000eM445784.ghe-tjl2-co-ie => /data/user/incoming-mail/success
-```
-
-You'll notice that `metroplex` catches the inbound message, processes it, then moves the file over to `/data/user/incoming-mail/success`.{% endif %}
-
-#### Verify your DNS settings
-
-In order to properly process inbound emails, you must configure a valid A Record (or CNAME), as well as an MX Record. For more information, see "[Configuring DNS and firewall settings to allow incoming emails](#configuring-dns-and-firewall-settings-to-allow-incoming-emails)."
-
-#### Check firewall or AWS Security Group settings
-
-If {% data variables.product.product_location %} is behind a firewall or is being served through an AWS Security Group, make sure port 25 is open to all mail servers that send emails to `reply@reply.[hostname]`.
-
-#### Contact support
-{% if enterpriseServerVersions contains currentVersion %}
-If you're still unable to resolve the problem, contact {% data variables.contact.contact_ent_support %}. Please attach the output file from `http(s)://[hostname]/setup/diagnostics` to your email to help us troubleshoot your problem.
-{% elsif currentVersion == "github-ae@latest" %}
-You can contact {% data variables.contact.github_support %} for help configuring email for notifications to be sent through your SMTP server. For more information, see "[Receiving help from {% data variables.contact.github_support %}](/admin/enterprise-support/receiving-help-from-github-support)."
-{% endif %}

content/admin/configuration/configuring-github-pages-for-your-enterprise.md

@@ -1,72 +0,0 @@
----
-title: Configuring GitHub Pages for your enterprise
-intro: 'You can enable or disable {% data variables.product.prodname_pages %} for your enterprise and choose whether to make sites publicly accessible.'
-redirect_from:
-  - /enterprise/admin/guides/installation/disabling-github-enterprise-pages/
-  - /enterprise/admin/guides/installation/configuring-github-enterprise-pages/
-  - /enterprise/admin/installation/configuring-github-pages-on-your-appliance
-  - /enterprise/admin/configuration/configuring-github-pages-on-your-appliance
-  - /admin/configuration/configuring-github-pages-on-your-appliance
-  - /enterprise/admin/guides/installation/configuring-github-pages-for-your-enterprise/
-versions:
-  enterprise-server: '*'
-  github-ae: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Pages
----
-
-### Enabling public sites for {% data variables.product.prodname_pages %}
-
-{% if enterpriseServerVersions contains currentVersion %}If private mode is enabled on your enterprise, the {% else %}The {% endif %}public cannot access {% data variables.product.prodname_pages %} sites hosted by your enterprise unless you enable public sites.
-
-{% warning %}
-
-**Warning:** If you enable public sites for {% data variables.product.prodname_pages %}, every site in every repository on your enterprise will be accessible to the public.
-
-{% endwarning %}
-
-{% if enterpriseServerVersions contains currentVersion %}
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.pages-tab %}
-4. Select **Public Pages**.
-  ![Checkbox to enable Public Pages](/assets/images/enterprise/management-console/public-pages-checkbox.png)
-{% data reusables.enterprise_management_console.save-settings %}
-{% elsif currentVersion == "github-ae@latest" %}
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.policies-tab %}
-{% data reusables.enterprise-accounts.pages-tab %}
-5. Under "Pages policies", select **Public {% data variables.product.prodname_pages %}**.
-  ![Checkbox to enable public {% data variables.product.prodname_pages %}](/assets/images/enterprise/business-accounts/public-github-pages-checkbox.png)
-{% data reusables.enterprise-accounts.pages-policies-save %}
-{% endif %}
-
-### Disabling {% data variables.product.prodname_pages %} for your enterprise
-
-{% if enterpriseServerVersions contains currentVersion %}
-If subdomain isolation is disabled for your enterprise, you should also disable {% data variables.product.prodname_pages %} to protect yourself from potential security vulnerabilities. For more information, see "[Enabling subdomain isolation](/admin/configuration/enabling-subdomain-isolation)."
-{% endif %}
-
-{% if enterpriseServerVersions contains currentVersion %}
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.pages-tab %}
-4. Unselect **Enable Pages**.
-  ![Checkbox to disable {% data variables.product.prodname_pages %}](/assets/images/enterprise/management-console/pages-select-button.png)
-{% data reusables.enterprise_management_console.save-settings %}
-{% elsif currentVersion == "github-ae@latest" %}
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.policies-tab %}
-{% data reusables.enterprise-accounts.pages-tab %}
-5. Under "Pages policies", deselect **Enable {% data variables.product.prodname_pages %}**.
-  ![Checkbox to disable {% data variables.product.prodname_pages %}](/assets/images/enterprise/business-accounts/enable-github-pages-checkbox.png)
-{% data reusables.enterprise-accounts.pages-policies-save %}
-{% endif %}
-
-{% if enterpriseServerVersions contains currentVersion %}
-### Further reading
-
-- "[Enabling private mode](/admin/configuration/enabling-private-mode)"
-{% endif %}

content/admin/configuration/configuring-network-settings.md

@@ -1,17 +0,0 @@
----
-title: Configuring network settings
-redirect_from:
-  - /enterprise/admin/guides/installation/dns-hostname-subdomain-isolation-and-ssl/
-  - /enterprise/admin/articles/about-dns-ssl-and-subdomain-settings/
-  - /enterprise/admin/articles/configuring-dns-ssl-and-subdomain-settings/
-  - /enterprise/admin/guides/installation/configuring-your-github-enterprise-network-settings/
-  - /enterprise/admin/installation/configuring-your-github-enterprise-server-network-settings
-  - /enterprise/admin/configuration/configuring-network-settings
-intro: 'Configure {% data variables.product.prodname_ghe_server %} with the DNS nameservers and hostname required in your network. You can also configure a proxy server or firewall rules. You must allow access to certain ports for administrative and user purposes.'
-mapTopic: true
-versions:
-  enterprise-server: '*'
-topics:
-  - Enterprise
----
-

content/admin/configuration/configuring-network-settings/configuring-a-hostname.md

@@ -0,0 +1,33 @@
+---
+title: Configuring a hostname
+intro: We recommend setting a hostname for your appliance instead of using a hard-coded IP address.
+redirect_from:
+  - /enterprise/admin/guides/installation/configuring-hostnames/
+  - /enterprise/admin/installation/configuring-a-hostname
+  - /enterprise/admin/configuration/configuring-a-hostname
+  - /admin/configuration/configuring-a-hostname
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+---
+If you configure a hostname instead of a hard-coded IP address, you will be able to change the physical hardware that {% data variables.product.product_location %} runs on without affecting users or client software.
+
+The hostname setting in the {% data variables.enterprise.management_console %} should be set to an appropriate fully qualified domain name (FQDN) which is resolvable on the internet or within your internal network. For example, your hostname setting could be `github.companyname.com.` We also recommend enabling subdomain isolation for the chosen hostname to mitigate several cross-site scripting style vulnerabilities. For more information on hostname settings, see [Section 2.1 of the HTTP RFC](https://tools.ietf.org/html/rfc1123#section-2).
+
+{% data reusables.enterprise_installation.changing-hostname-not-supported %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.hostname-menu-item %}
+4. Type the hostname you'd like to set for {% data variables.product.product_location %}.
+  ![Field for setting a hostname](/assets/images/enterprise/management-console/hostname-field.png)
+5. To test the DNS and SSL settings for the new hostname, click **Test domain settings**.
+  ![Test domain settings button](/assets/images/enterprise/management-console/test-domain-settings.png)
+{% data reusables.enterprise_management_console.test-domain-settings-failure %}
+{% data reusables.enterprise_management_console.save-settings %}
+
+After you configure a hostname, we recommend that you enable subdomain isolation for {% data variables.product.product_location %}. For more information, see "[Enabling subdomain isolation](/enterprise/{{ currentVersion }}/admin/guides/installation/enabling-subdomain-isolation/)."

content/admin/configuration/configuring-network-settings/configuring-an-outbound-web-proxy-server.md

@@ -0,0 +1,35 @@
+---
+title: Configuring an outbound web proxy server
+intro: 'A proxy server provides an additional level of security for {% data variables.product.product_location %}.'
+redirect_from:
+  - /enterprise/admin/guides/installation/configuring-a-proxy-server/
+  - /enterprise/admin/installation/configuring-an-outbound-web-proxy-server
+  - /enterprise/admin/configuration/configuring-an-outbound-web-proxy-server
+  - /admin/configuration/configuring-an-outbound-web-proxy-server
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+---
+When a proxy server is enabled for {% data variables.product.product_location %}, outbound messages sent by {% data variables.product.prodname_ghe_server %} are first sent through the proxy server, unless the destination host is added as an HTTP proxy exclusion. Types of outbound messages include outgoing webhooks, uploading bundles, and fetching legacy avatars. The proxy server's URL is the protocol, domain or IP address, plus the port number, for example `http://127.0.0.1:8123`.
+
+{% note %}
+
+**Note:**  To connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, your proxy configuration must allow connectivity to `github.com` and `api.github.com`. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/{{ currentVersion }}/admin/guides/developer-workflow/connecting-github-enterprise-server-to-github-com)."
+
+{% endnote %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.privacy %}
+4. Under **HTTP Proxy Server**, type the URL of your proxy server.
+  ![Field to type the HTTP Proxy Server URL](/assets/images/enterprise/management-console/http-proxy-field.png)
+  
+5. Optionally, under **HTTP Proxy Exclusion**, type any hosts that do not require proxy access, separating hosts with commas. To exclude all hosts in a domain from requiring proxy access, you can use `.` as a wildcard prefix.  For example: `.octo-org.tentacle`
+  ![Field to type any HTTP Proxy Exclusions](/assets/images/enterprise/management-console/http-proxy-exclusion-field.png)
+
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-network-settings/configuring-built-in-firewall-rules.md

@@ -0,0 +1,122 @@
+---
+title: Configuring built-in firewall rules
+intro: 'You can view default firewall rules and customize rules for {% data variables.product.product_location %}.'
+redirect_from:
+  - /enterprise/admin/guides/installation/configuring-firewall-settings/
+  - /enterprise/admin/installation/configuring-built-in-firewall-rules
+  - /enterprise/admin/configuration/configuring-built-in-firewall-rules
+  - /admin/configuration/configuring-built-in-firewall-rules
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+---
+### About {% data variables.product.product_location %}'s firewall
+
+{% data variables.product.prodname_ghe_server %} uses Ubuntu's Uncomplicated Firewall (UFW) on the virtual appliance. For more information see "[UFW](https://help.ubuntu.com/community/UFW)" in the Ubuntu documentation. {% data variables.product.prodname_ghe_server %} automatically updates the firewall allowlist of allowed services with each release.
+
+After you install {% data variables.product.prodname_ghe_server %}, all required network ports are automatically opened to accept connections. Every non-required port is automatically configured as `deny`, and the default outgoing policy is configured as `allow`. Stateful tracking is enabled for any new connections; these are typically network packets with the `SYN` bit set. For more information, see "[Network ports](/enterprise/admin/guides/installation/network-ports)."
+
+The UFW firewall also opens several other ports that are required for {% data variables.product.prodname_ghe_server %} to operate properly. For more information on the UFW rule set, see [the UFW README](https://bazaar.launchpad.net/~jdstrand/ufw/0.30-oneiric/view/head:/README#L213).
+
+### Viewing the default firewall rules
+
+{% data reusables.enterprise_installation.ssh-into-instance %}
+2. To view the default firewall rules, use the `sudo ufw status` command. You should see output similar to this:
+  ```shell
+  $ sudo ufw status
+  > Status: active
+  > To                         Action      From
+  > --                         ------      ----
+  > ghe-1194                   ALLOW       Anywhere
+  > ghe-122                    ALLOW       Anywhere
+  > ghe-161                    ALLOW       Anywhere
+  > ghe-22                     ALLOW       Anywhere
+  > ghe-25                     ALLOW       Anywhere
+  > ghe-443                    ALLOW       Anywhere
+  > ghe-80                     ALLOW       Anywhere
+  > ghe-8080                   ALLOW       Anywhere
+  > ghe-8443                   ALLOW       Anywhere
+  > ghe-9418                   ALLOW       Anywhere
+  > ghe-1194 (v6)              ALLOW       Anywhere (v6)
+  > ghe-122 (v6)               ALLOW       Anywhere (v6)
+  > ghe-161 (v6)               ALLOW       Anywhere (v6)
+  > ghe-22 (v6)                ALLOW       Anywhere (v6)
+  > ghe-25 (v6)                ALLOW       Anywhere (v6)
+  > ghe-443 (v6)               ALLOW       Anywhere (v6)
+  > ghe-80 (v6)                ALLOW       Anywhere (v6)
+  > ghe-8080 (v6)              ALLOW       Anywhere (v6)
+  > ghe-8443 (v6)              ALLOW       Anywhere (v6)
+  > ghe-9418 (v6)              ALLOW       Anywhere (v6)
+  ```
+
+### Adding custom firewall rules
+
+{% warning %}
+
+**Warning:** Before you add custom firewall rules, back up your current rules in case you need to reset to a known working state. If you're locked out of your server, contact {% data variables.contact.contact_ent_support %} to reconfigure the original firewall rules. Restoring the original firewall rules involves downtime for your server.
+
+{% endwarning %}
+
+1. Configure a custom firewall rule.
+2. Check the status of each new rule with the `status numbered` command.
+  ```shell
+  $ sudo ufw status numbered
+  ```
+3. To back up your custom firewall rules, use the `cp`command to move the rules to a new file.
+  ```shell
+  $ sudo cp -r /lib/ufw ~/ufw.backup
+  ```
+
+After you upgrade {% data variables.product.product_location %}, you must reapply your custom firewall rules. We recommend that you create a script to reapply your firewall custom rules.
+
+### Restoring the default firewall rules
+
+If something goes wrong after you change the firewall rules, you can reset the rules from your original backup.
+
+{% warning %}
+
+**Warning:** If you didn't back up the original rules before making changes to the firewall, contact {% data variables.contact.contact_ent_support %} for further assistance.
+
+{% endwarning %}
+
+{% data reusables.enterprise_installation.ssh-into-instance %}
+2. To restore the previous backup rules, copy them back to the firewall with the `cp` command.
+  ```shell
+  $ sudo cp -f ~/ufw.backup/*rules /lib/ufw
+  ```
+3. Restart the firewall with the `systemctl` command.
+  ```shell
+  $ sudo systemctl restart ufw
+  ```
+4. Confirm that the rules are back to their defaults with the `ufw status` command.
+  ```shell
+  $ sudo ufw status
+  > Status: active
+  > To                         Action      From
+  > --                         ------      ----
+  > ghe-1194                   ALLOW       Anywhere
+  > ghe-122                    ALLOW       Anywhere
+  > ghe-161                    ALLOW       Anywhere
+  > ghe-22                     ALLOW       Anywhere
+  > ghe-25                     ALLOW       Anywhere
+  > ghe-443                    ALLOW       Anywhere
+  > ghe-80                     ALLOW       Anywhere
+  > ghe-8080                   ALLOW       Anywhere
+  > ghe-8443                   ALLOW       Anywhere
+  > ghe-9418                   ALLOW       Anywhere
+  > ghe-1194 (v6)              ALLOW       Anywhere (v6)
+  > ghe-122 (v6)               ALLOW       Anywhere (v6)
+  > ghe-161 (v6)               ALLOW       Anywhere (v6)
+  > ghe-22 (v6)                ALLOW       Anywhere (v6)
+  > ghe-25 (v6)                ALLOW       Anywhere (v6)
+  > ghe-443 (v6)               ALLOW       Anywhere (v6)
+  > ghe-80 (v6)                ALLOW       Anywhere (v6)
+  > ghe-8080 (v6)              ALLOW       Anywhere (v6)
+  > ghe-8443 (v6)              ALLOW       Anywhere (v6)
+  > ghe-9418 (v6)              ALLOW       Anywhere (v6)
+  ```

content/admin/configuration/configuring-network-settings/configuring-dns-nameservers.md

@@ -0,0 +1,40 @@
+---
+title: Configuring DNS nameservers
+intro: '{% data variables.product.prodname_ghe_server %} uses the dynamic host configuration protocol (DHCP) for DNS settings when DHCP leases provide nameservers. If nameservers are not provided by a dynamic host configuration protocol (DHCP) lease, or if you need to use specific DNS settings, you can specify the nameservers manually.'
+redirect_from:
+  - /enterprise/admin/guides/installation/about-dns-nameservers/
+  - /enterprise/admin/installation/configuring-dns-nameservers
+  - /enterprise/admin/configuration/configuring-dns-nameservers
+  - /admin/configuration/configuring-dns-nameservers
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+---
+The nameservers you specify must resolve {% data variables.product.product_location %}'s hostname.
+
+{% data reusables.enterprise_installation.changing-hostname-not-supported %}
+
+### Configuring nameservers using the virtual machine console
+
+{% data reusables.enterprise_installation.open-vm-console-start %}
+2. Configure nameservers for your instance.
+{% data reusables.enterprise_installation.vm-console-done %}
+
+### Configuring nameservers using the administrative shell
+
+{% data reusables.enterprise_installation.ssh-into-instance %}
+2. To edit your nameservers, enter:
+  ```shell
+  $ sudo vim /etc/resolvconf/resolv.conf.d/head
+  ```
+3. Append any `nameserver` entries, then save the file.
+4. After verifying your changes, save the file.
+5. To add your new nameserver entries to {% data variables.product.product_location %}, enter:
+  ```shell
+  $ sudo service resolvconf restart
+  ```

content/admin/configuration/configuring-network-settings/configuring-the-ip-address-using-the-virtual-machine-console.md

@@ -0,0 +1,28 @@
+---
+title: Configuring the IP address using the virtual machine console
+intro: 'By default, {% data variables.product.prodname_ghe_server %} retrieves network settings via the dynamic host configuration protocol (DHCP). If your platform supports it, or if DHCP is unavailable, you can also configure the network settings using the virtual machine console.'
+redirect_from:
+  - /enterprise/admin/installation/configuring-the-ip-address-using-the-virtual-machine-console
+  - /enterprise/admin/configuration/configuring-the-ip-address-using-the-virtual-machine-console
+  - /admin/configuration/configuring-the-ip-address-using-the-virtual-machine-console
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+---
+{% note %}
+
+**Note:** We do not support adding additional network adapters to {% data variables.product.prodname_ghe_server %}.
+
+{% endnote %}
+
+{% data reusables.enterprise_installation.open-vm-console-start %}
+3. Choose to configure the `IPv4` or `IPv6` protocol.
+  ![Options to choose the IPv4 or the IPv6 protocol](/assets/images/enterprise/network-configuration/IPv4-or-IPv6-protocol.png)
+4. Configure options for the protocol you chose.
+  ![Menu with IP protocol options](/assets/images/enterprise/network-configuration/network-settings-selection.png)
+{% data reusables.enterprise_installation.vm-console-done %}

content/admin/configuration/configuring-network-settings/configuring-tls.md

@@ -0,0 +1,82 @@
+---
+title: Configuring TLS
+intro: 'You can configure Transport Layer Security (TLS) on {% data variables.product.product_location %} so that you can use a certificate that is signed by a trusted certificate authority.'
+redirect_from:
+  - /enterprise/admin/articles/ssl-configuration/
+  - /enterprise/admin/guides/installation/about-tls/
+  - /enterprise/admin/installation/configuring-tls
+  - /enterprise/admin/configuration/configuring-tls
+  - /admin/configuration/configuring-tls
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+  - Security
+---
+### About Transport Layer Security
+
+TLS, which replaced SSL, is enabled and configured with a self-signed certificate when {% data variables.product.prodname_ghe_server %} is started for the first time. As self-signed certificates are not trusted by web browsers and Git clients, these clients will report certificate warnings until you disable TLS or upload a certificate signed by a trusted authority, such as Let's Encrypt.
+
+The {% data variables.product.prodname_ghe_server %} appliance will send HTTP Strict Transport Security headers when SSL is enabled. Disabling TLS will cause users to lose access to the appliance, because their browsers will not allow a protocol downgrade to HTTP. For more information, see "[HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)" on Wikipedia.
+
+{% data reusables.enterprise_installation.terminating-tls %}
+
+To allow users to use FIDO U2F for two-factor authentication, you must enable TLS for your instance. For more information, see "[Configuring two-factor authentication](/articles/configuring-two-factor-authentication)."
+
+### Prerequisites
+
+To use TLS in production, you must have a certificate in an unencrypted PEM format signed by a trusted certificate authority.
+
+Your certificate will also need Subject Alternative Names configured for the subdomains listed in "[Enabling subdomain isolation](/enterprise/{{ currentVersion }}/admin/guides/installation/enabling-subdomain-isolation#about-subdomain-isolation)" and will need to include the full certificate chain if it has been signed by an intermediate certificate authority. For more information, see "[Subject Alternative Name](http://en.wikipedia.org/wiki/SubjectAltName)" on Wikipedia.
+
+You can generate a certificate signing request (CSR) for your instance using the `ghe-ssl-generate-csr` command. For more information, see "[Command-line utilities](/enterprise/{{ currentVersion }}/admin/guides/installation/command-line-utilities/#ghe-ssl-generate-csr)."
+
+### Uploading a custom TLS certificate
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.privacy %}
+{% data reusables.enterprise_management_console.select-tls-only %}
+4. Under "TLS Protocol support", select the protocols you want to allow.
+  ![Radio buttons with options to choose TLS protocols](/assets/images/enterprise/management-console/tls-protocol-support.png)
+5. Under "Certificate", click **Choose File** to choose a TLS certificate or certificate chain (in PEM format) to install. This file will usually have a *.pem*, *.crt*, or *.cer* extension.
+  ![Button to find TLS certificate file](/assets/images/enterprise/management-console/install-tls-certificate.png)
+6. Under "Unencrypted key", click **Choose File** to choose a TLS key (in PEM format) to install. This file will usually have a *.key* extension.
+  ![Button to find TLS key file](/assets/images/enterprise/management-console/install-tls-key.png)
+
+  {% warning %}
+
+  **Warning**: Your TLS key must not have a passphrase. For more information, see "[Removing the passphrase from your key file](/enterprise/{{ currentVersion }}/admin/guides/installation/troubleshooting-ssl-errors#removing-the-passphrase-from-your-key-file)".
+
+  {% endwarning %}
+{% data reusables.enterprise_management_console.save-settings %}
+
+### About Let's Encrypt support
+
+Let's Encrypt is a public certificate authority that issues free, automated TLS certificates that are trusted by browsers using the ACME protocol. You can automatically obtain and renew Let's Encrypt certificates on your appliance without any required manual maintenance.
+
+{% data reusables.enterprise_installation.lets-encrypt-prerequisites %}
+
+When you enable automation of TLS certificate management using Let's Encrypt, {% data variables.product.product_location %} will contact the Let's Encrypt servers to obtain a certificate. To renew a certificate, Let's Encrypt servers must validate control of the configured domain name with inbound HTTP requests.
+
+You can also use the `ghe-ssl-acme` command line utility on {% data variables.product.product_location %} to automatically generate a Let's Encrypt certificate. For more information, see "[Command-line utilities](/enterprise/{{ currentVersion }}/admin/guides/installation/command-line-utilities#ghe-ssl-acme)."
+
+### Configuring TLS using Let's Encrypt
+
+{% data reusables.enterprise_installation.lets-encrypt-prerequisites %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.privacy %}
+{% data reusables.enterprise_management_console.select-tls-only %}
+5. Select **Enable automation of TLS certificate management using Let's Encrypt**.
+  ![Checkbox to enable Let's Encrypt](/assets/images/enterprise/management-console/lets-encrypt-checkbox.png)
+{% data reusables.enterprise_management_console.save-settings %}
+{% data reusables.enterprise_management_console.privacy %}
+7. Click **Request TLS certificate**.
+  ![Request TLS certificate button](/assets/images/enterprise/management-console/request-tls-button.png)
+8. Click **Save configuration**.

content/admin/configuration/configuring-network-settings/enabling-subdomain-isolation.md

@@ -0,0 +1,72 @@
+---
+title: Enabling subdomain isolation
+intro: 'You can set up subdomain isolation to securely separate user-supplied content from other portions of your {% data variables.product.prodname_ghe_server %} appliance.'
+redirect_from:
+  - /enterprise/admin/guides/installation/about-subdomain-isolation/
+  - /enterprise/admin/installation/enabling-subdomain-isolation
+  - /enterprise/admin/configuration/enabling-subdomain-isolation
+  - /admin/configuration/enabling-subdomain-isolation
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+  - Security
+---
+### About subdomain isolation
+
+Subdomain isolation mitigates cross-site scripting and other related vulnerabilities. For more information, see "[Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting)" on Wikipedia. We highly recommend that you enable subdomain isolation on {% data variables.product.product_location %}.
+
+When subdomain isolation is enabled, {% data variables.product.prodname_ghe_server %} replaces several paths with subdomains.
+
+{% if currentVersion == "enterprise-server@2.22" %}
+To use Docker with {% data variables.product.prodname_registry %}, you must also enable subdomain isolation. For more information, see "[Working with the Docker registry](/enterprise/{{ currentVersion }}/user/packages/working-with-a-github-packages-registry/working-with-the-docker-registry)."
+
+{% data reusables.package_registry.packages-ghes-release-stage %}
+
+{% endif %}
+
+| Path without subdomain isolation  | Path with subdomain isolation   |
+| --- | --- |
+| `http(s)://HOSTNAME/assets/`      | `http(s)://assets.HOSTNAME/`      |
+| `http(s)://HOSTNAME/avatars/`     | `http(s)://avatars.HOSTNAME/`     |
+| `http(s)://HOSTNAME/codeload/`    | `http(s)://codeload.HOSTNAME/`    |
+| `http(s)://HOSTNAME/gist/`        | `http(s)://gist.HOSTNAME/`        |
+| `http(s)://HOSTNAME/media/`       | `http(s)://media.HOSTNAME/`       |
+| `http(s)://HOSTNAME/pages/`       | `http(s)://pages.HOSTNAME/`       |
+| `http(s)://HOSTNAME/raw/`         | `http(s)://raw.HOSTNAME/`         |
+| `http(s)://HOSTNAME/render/`      | `http(s)://render.HOSTNAME/`      |
+| `http(s)://HOSTNAME/reply/`       | `http(s)://reply.HOSTNAME/`       |
+| `http(s)://HOSTNAME/uploads/`     | `http(s)://uploads.HOSTNAME/`     |{% if currentVersion == "enterprise-server@2.22" %}
+|  N/A, Docker with {% data variables.product.prodname_registry %} will not work with subdomain isolation disabled for the {% data variables.product.prodname_registry %} 2.22 beta. | `http(s)://docker.HOSTNAME/` |{% endif %} {% if currentVersion ver_gt "enterprise-server@2.22" %}
+| `https://HOSTNAME/_registry/docker/` | `http(s)://docker.HOSTNAME/`{% endif %}{% if currentVersion ver_gt "enterprise-server@2.22" %}
+| `https://HOSTNAME/_registry/npm/` | `https://npm.HOSTNAME/`
+| `https://HOSTNAME/_registry/rubygems/` | `https://rubygems.HOSTNAME/`
+| `https://HOSTNAME/_registry/maven/` | `https://maven.HOSTNAME/`
+| `https://HOSTNAME/_registry/nuget/` | `https://nuget.HOSTNAME/`{% endif %}
+
+### Prerequisites
+
+{% data reusables.enterprise_installation.disable-github-pages-warning %}
+
+Before you enable subdomain isolation, you must configure your network settings for your new domain.
+
+- Specify a valid domain name as your hostname, instead of an IP address. For more information, see "[Configuring a hostname](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-a-hostname)."
+
+{% data reusables.enterprise_installation.changing-hostname-not-supported %}
+
+- Set up a wildcard Domain Name System (DNS) record or individual DNS records for the subdomains listed above. We recommend creating an A record for `*.HOSTNAME` that points to your server's IP address so you don't have to create multiple records for each subdomain.
+- Get a wildcard Transport Layer Security (TLS) certificate for `*.HOSTNAME` with a Subject Alternative Name (SAN) for both `HOSTNAME` and the wildcard domain `*.HOSTNAME`. For example, if your hostname is `github.octoinc.com`, get a certificate with the Common Name value set to `*.github.octoinc.com` and a SAN value set to both `github.octoinc.com` and `*.github.octoinc.com`.
+- Enable TLS on your appliance. For more information, see "[Configuring TLS](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-tls/)."
+
+### Enabling subdomain isolation
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.hostname-menu-item %}
+4. Select **Subdomain isolation (recommended)**.
+  ![Checkbox to enable subdomain isolation](/assets/images/enterprise/management-console/subdomain-isolation.png)
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-network-settings/index.md

@@ -0,0 +1,27 @@
+---
+title: Configuring network settings
+redirect_from:
+  - /enterprise/admin/guides/installation/dns-hostname-subdomain-isolation-and-ssl/
+  - /enterprise/admin/articles/about-dns-ssl-and-subdomain-settings/
+  - /enterprise/admin/articles/configuring-dns-ssl-and-subdomain-settings/
+  - /enterprise/admin/guides/installation/configuring-your-github-enterprise-network-settings/
+  - /enterprise/admin/installation/configuring-your-github-enterprise-server-network-settings
+  - /enterprise/admin/configuration/configuring-network-settings
+intro: 'Configure {% data variables.product.prodname_ghe_server %} with the DNS nameservers and hostname required in your network. You can also configure a proxy server or firewall rules. You must allow access to certain ports for administrative and user purposes.'
+versions:
+  enterprise-server: '*'
+topics:
+  - Enterprise
+children:
+  - /configuring-the-ip-address-using-the-virtual-machine-console
+  - /configuring-dns-nameservers
+  - /configuring-a-hostname
+  - /validating-your-domain-settings
+  - /configuring-tls
+  - /enabling-subdomain-isolation
+  - /configuring-an-outbound-web-proxy-server
+  - /configuring-built-in-firewall-rules
+  - /network-ports
+  - /using-github-enterprise-server-with-a-load-balancer
+---
+

content/admin/configuration/configuring-network-settings/network-ports.md

@@ -0,0 +1,53 @@
+---
+title: Network ports
+redirect_from:
+  - /enterprise/admin/articles/configuring-firewalls/
+  - /enterprise/admin/articles/firewall/
+  - /enterprise/admin/guides/installation/network-configuration/
+  - /enterprise/admin/guides/installation/network-ports-to-open/
+  - /enterprise/admin/installation/network-ports
+  - /enterprise/admin/configuration/network-ports
+  - /admin/configuration/network-ports
+intro: 'Open network ports selectively based on the network services you need to expose for administrators, end users, and email support.'
+versions:
+  enterprise-server: '*'
+type: reference
+topics:
+  - Enterprise
+  - Infrastructure
+  - Networking
+  - Security
+---
+### Administrative ports
+
+Some administrative ports are required to configure {% data variables.product.product_location %} and run certain features. Administrative ports are not required for basic application use by end users.
+
+| Port | Service | Description |
+|---|---|---|
+| 8443 | HTTPS | Secure web-based {% data variables.enterprise.management_console %}. Required for basic installation and configuration. |
+| 8080 | HTTP | Plain-text web-based {% data variables.enterprise.management_console %}. Not required unless SSL is disabled manually. |
+| 122 | SSH | Shell access for {% data variables.product.product_location %}. Required to be open to incoming connections from all other nodes in a High Availability configuration. The default SSH port (22) is dedicated to Git and SSH application network traffic. |
+| 1194/UDP | VPN | Secure replication network tunnel in High Availability configuration. Required to be open to all other nodes in the configuration.|
+| 123/UDP| NTP | Required for time protocol operation. |
+| 161/UDP | SNMP | Required for network monitoring protocol operation. |
+
+### Application ports for end users
+
+Application ports provide web application and Git access for end users.
+
+| Port | Service | Description |
+|---|---|---|
+| 443 | HTTPS | Access to the web application and Git over HTTPS. |
+| 80 | HTTP | Access to the web application. All requests are redirected to the HTTPS port when SSL is enabled. |
+| 22 | SSH | Access to Git over SSH. Supports clone, fetch, and push operations to public and private repositories. |
+| 9418 | Git | Git protocol port supports clone and fetch operations to public repositories with unencrypted network communication. {% data reusables.enterprise_installation.when-9418-necessary %} |
+
+{% data reusables.enterprise_installation.terminating-tls %}
+
+### Email ports
+
+Email ports must be accessible directly or via relay for inbound email support for end users.
+
+| Port | Service | Description |
+|---|---|---|
+| 25 | SMTP | Support for SMTP with encryption (STARTTLS). |

content/admin/configuration/configuring-network-settings/using-github-enterprise-server-with-a-load-balancer.md

@@ -0,0 +1,63 @@
+---
+title: Using GitHub Enterprise Server with a load balancer
+intro: 'Use a load balancer in front of a single {% data variables.product.prodname_ghe_server %} appliance or a pair of appliances in a High Availability configuration.'
+redirect_from:
+  - /enterprise/admin/guides/installation/using-github-enterprise-with-a-load-balancer/
+  - /enterprise/admin/installation/using-github-enterprise-server-with-a-load-balancer
+  - /enterprise/admin/configuration/using-github-enterprise-server-with-a-load-balancer
+  - /admin/configuration/using-github-enterprise-server-with-a-load-balancer
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - High availability
+  - Infrastructure
+  - Networking
+---
+{% data reusables.enterprise_clustering.load_balancer_intro %}
+
+{% data reusables.enterprise_clustering.load_balancer_dns %}
+
+### Handling client connection information
+
+Because client connections to {% data variables.product.prodname_ghe_server %} come from the load balancer, the client IP address can be lost.
+
+{% data reusables.enterprise_clustering.proxy_preference %}
+
+{% data reusables.enterprise_clustering.proxy_xff_firewall_warning %}
+
+#### Enabling PROXY protocol support on {% data variables.product.product_location %}
+
+We strongly recommend enabling PROXY protocol support for both your appliance and the load balancer. Use the instructions provided by your vendor to enable the PROXY protocol on your load balancer. For more information, see [the PROXY protocol documentation](http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt).
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.privacy %}
+3. Under **External load balancers**, select **Enable support for PROXY protocol**.
+![Checkbox to enable support for PROXY protocol](/assets/images/enterprise/management-console/enable-proxy.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% data reusables.enterprise_clustering.proxy_protocol_ports %}
+
+#### Enabling X-Forwarded-For support on {% data variables.product.product_location %}
+
+{% data reusables.enterprise_clustering.x-forwarded-for %}
+
+{% data reusables.enterprise_installation.terminating-tls %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.privacy %}
+3. Under **External load balancers**, select **Allow HTTP X-Forwarded-For header**.
+![Checkbox to allow the HTTP X-Forwarded-For header](/assets/images/enterprise/management-console/allow-xff.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% data reusables.enterprise_clustering.without_proxy_protocol_ports %}
+
+### Configuring health checks
+
+Health checks allow a load balancer to stop sending traffic to a node that is not responding if a pre-configured check fails on that node. If the appliance is offline due to maintenance or unexpected failure, the load balancer can display a status page. In a High Availability (HA) configuration, a load balancer can be used as part of a failover strategy. However, automatic failover of HA pairs is not supported. You must manually promote the replica appliance before it will begin serving requests. For more information, see "[Configuring {% data variables.product.prodname_ghe_server %} for High Availability](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-github-enterprise-server-for-high-availability/)."
+
+{% data reusables.enterprise_clustering.health_checks %}
+{% data reusables.enterprise_site_admin_settings.maintenance-mode-status %}

content/admin/configuration/configuring-network-settings/validating-your-domain-settings.md

@@ -0,0 +1,23 @@
+---
+title: Validating your domain settings
+intro: 'Ensure that your domain settings are properly configured before booting up {% data variables.product.product_location %} for the first time.'
+redirect_from:
+  - /enterprise/admin/installation/validating-your-domain-settings
+  - /enterprise/admin/configuration/validating-your-domain-settings
+  - /admin/configuration/validating-your-domain-settings
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+---
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.hostname-menu-item %}
+4. To test your appliance's DNS and SSL settings, click **Test domain settings**.
+  ![Test domain settings button](/assets/images/enterprise/management-console/test-domain-settings.png)
+{% data reusables.enterprise_management_console.test-domain-settings-failure %}
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-rate-limits.md

@@ -1,58 +0,0 @@
----
-title: Configuring rate limits
-intro: 'You can set rate limits for {% data variables.product.prodname_ghe_server %} using the {% data variables.enterprise.management_console %}.'
-redirect_from:
-  - /enterprise/admin/installation/configuring-rate-limits
-  - /enterprise/admin/configuration/configuring-rate-limits
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Infrastructure
-  - Performance
----
-
-### Enabling rate limits for {% data variables.product.prodname_enterprise_api %}
-
-Enabling rate limits on {% data variables.product.prodname_enterprise_api %} can prevent overuse of resources by individual or unauthenticated users. For more information, see "[Resources in the REST API](/rest/overview/resources-in-the-rest-api#rate-limiting)."
-
-{% if currentVersion ver_gt "enterprise-server@2.21" %}
-You can exempt a list of users from API rate limits using the `ghe-config` utility in the administrative shell. For more information, see "[Command-line utilities](/enterprise/admin/configuration/command-line-utilities#ghe-config)."
-{% endif %}
-
-{% note %}
-
-**Note:** The {% data variables.enterprise.management_console %} lists the time period (per minute or per hour) for each rate limit.
-
-{% endnote %}
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-2. Under "Rate Limiting", select **Enable API Rate Limiting**.
-![Checkbox for enabling API rate limiting](/assets/images/enterprise/management-console/api-rate-limits-checkbox.png)
-3. Type limits for authenticated and unauthenticated requests for each API, or accept the pre-filled default limits.
-{% data reusables.enterprise_management_console.save-settings %}
-
-### Enabling abuse rate limits
-
-Setting abuse rate limits protects the overall level of service on {% data variables.product.product_location %}.
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-2. Under "Rate Limiting", select **Enable Abuse Rate Limiting**.
-  ![Checkbox for enabling abuse rate limiting](/assets/images/enterprise/management-console/abuse-rate-limits-checkbox.png)
-3. Type limits for Total Requests, CPU Limit, and CPU Limit for Searching, or accept the pre-filled default limits.
-{% data reusables.enterprise_management_console.save-settings %}
-
-### Enabling Git rate limits
-
-You can apply Git rate limits per repository network or per user ID. Git rate limits are expressed in concurrent operations per minute, and are adaptive based on the current CPU load.
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-2. Under "Rate Limiting", select **Enable Git Rate Limiting**.
-![Checkbox for enabling Git rate limiting](/assets/images/enterprise/management-console/git-rate-limits-checkbox.png)
-3. Type limits for each repository network or user ID.
-  ![Fields for repository network and user ID limits](/assets/images/enterprise/management-console/example-git-rate-limits.png)
-{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-the-ip-address-using-the-virtual-machine-console.md

@@ -1,30 +0,0 @@
----
-title: Configuring the IP address using the virtual machine console
-intro: 'By default, {% data variables.product.prodname_ghe_server %} retrieves network settings via the dynamic host configuration protocol (DHCP). If your platform supports it, or if DHCP is unavailable, you can also configure the network settings using the virtual machine console.'
-redirect_from:
-  - /enterprise/admin/installation/configuring-the-ip-address-using-the-virtual-machine-console
-  - /enterprise/admin/configuration/configuring-the-ip-address-using-the-virtual-machine-console
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Networking
----
-
-{% note %}
-
-**Note:** We do not support adding additional network adapters to {% data variables.product.prodname_ghe_server %}.
-
-{% endnote %}
-
-{% data reusables.enterprise_installation.open-vm-console-start %}
-3. Choose to configure the `IPv4` or `IPv6` protocol.
-  ![Options to choose the IPv4 or the IPv6 protocol](/assets/images/enterprise/network-configuration/IPv4-or-IPv6-protocol.png)
-4. Configure options for the protocol you chose.
-  ![Menu with IP protocol options](/assets/images/enterprise/network-configuration/network-settings-selection.png)
-{% data reusables.enterprise_installation.vm-console-done %}
-
-

content/admin/configuration/configuring-time-synchronization.md

@@ -1,49 +0,0 @@
----
-title: Configuring time synchronization
-intro: '{% data variables.product.prodname_ghe_server %} automatically synchronizes its clock by connecting to NTP servers. You can set the NTP servers that are used to synchronize the clock, or you can use the default NTP servers.'
-redirect_from:
-  - /enterprise/admin/articles/adjusting-the-clock/
-  - /enterprise/admin/articles/configuring-time-zone-and-ntp-settings/
-  - /enterprise/admin/articles/setting-ntp-servers/
-  - /enterprise/admin/categories/time/
-  - /enterprise/admin/installation/configuring-time-synchronization
-  - /enterprise/admin/configuration/configuring-time-synchronization
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Networking
----
-
-### Changing the default NTP servers
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-2. In the left sidebar, click **Time**.
-    ![The Time button in the {% data variables.enterprise.management_console %} sidebar](/assets/images/enterprise/management-console/sidebar-time.png)
-3. Under "Primary NTP server," type the hostname of the primary NTP server. Under "Secondary NTP server," type the hostname of the secondary NTP server.
-    ![The fields for primary and secondary NTP servers in the {% data variables.enterprise.management_console %}](/assets/images/enterprise/management-console/ntp-servers.png)
-4. At the bottom of the page, click **Save settings**.
-    ![The Save settings button in the {% data variables.enterprise.management_console %}](/assets/images/enterprise/management-console/save-settings.png)
-5. Wait for the configuration run to complete.
-
-### Correcting a large time drift
-
-The NTP protocol continuously corrects small time synchronization discrepancies. You can use the administrative shell to synchronize time immediately.
-
-{% note %}
-
-**Notes:**
- - You can't modify the Coordinated Universal Time (UTC) zone.
- - You should prevent your hypervisor from trying to set the virtual machine's clock. For more information, see the documentation provided by the virtualization provider.
-
-{% endnote %}
-
-- Use the `chronyc` command to synchronize the server with the configured NTP server. For example:
-
-```shell
-$ sudo chronyc -a makestep
-```

content/admin/configuration/configuring-tls.md

@@ -1,82 +0,0 @@
----
-title: Configuring TLS
-intro: 'You can configure Transport Layer Security (TLS) on {% data variables.product.product_location %} so that you can use a certificate that is signed by a trusted certificate authority.'
-redirect_from:
-  - /enterprise/admin/articles/ssl-configuration/
-  - /enterprise/admin/guides/installation/about-tls/
-  - /enterprise/admin/installation/configuring-tls
-  - /enterprise/admin/configuration/configuring-tls
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Networking
-  - Security
----
-
-### About Transport Layer Security
-
-TLS, which replaced SSL, is enabled and configured with a self-signed certificate when {% data variables.product.prodname_ghe_server %} is started for the first time. As self-signed certificates are not trusted by web browsers and Git clients, these clients will report certificate warnings until you disable TLS or upload a certificate signed by a trusted authority, such as Let's Encrypt.
-
-The {% data variables.product.prodname_ghe_server %} appliance will send HTTP Strict Transport Security headers when SSL is enabled. Disabling TLS will cause users to lose access to the appliance, because their browsers will not allow a protocol downgrade to HTTP. For more information, see "[HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)" on Wikipedia.
-
-{% data reusables.enterprise_installation.terminating-tls %}
-
-To allow users to use FIDO U2F for two-factor authentication, you must enable TLS for your instance. For more information, see "[Configuring two-factor authentication](/articles/configuring-two-factor-authentication)."
-
-### Prerequisites
-
-To use TLS in production, you must have a certificate in an unencrypted PEM format signed by a trusted certificate authority.
-
-Your certificate will also need Subject Alternative Names configured for the subdomains listed in "[Enabling subdomain isolation](/enterprise/{{ currentVersion }}/admin/guides/installation/enabling-subdomain-isolation#about-subdomain-isolation)" and will need to include the full certificate chain if it has been signed by an intermediate certificate authority. For more information, see "[Subject Alternative Name](http://en.wikipedia.org/wiki/SubjectAltName)" on Wikipedia.
-
-You can generate a certificate signing request (CSR) for your instance using the `ghe-ssl-generate-csr` command. For more information, see "[Command-line utilities](/enterprise/{{ currentVersion }}/admin/guides/installation/command-line-utilities/#ghe-ssl-generate-csr)."
-
-### Uploading a custom TLS certificate
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.privacy %}
-{% data reusables.enterprise_management_console.select-tls-only %}
-4. Under "TLS Protocol support", select the protocols you want to allow.
-  ![Radio buttons with options to choose TLS protocols](/assets/images/enterprise/management-console/tls-protocol-support.png)
-5. Under "Certificate", click **Choose File** to choose a TLS certificate or certificate chain (in PEM format) to install. This file will usually have a *.pem*, *.crt*, or *.cer* extension.
-  ![Button to find TLS certificate file](/assets/images/enterprise/management-console/install-tls-certificate.png)
-6. Under "Unencrypted key", click **Choose File** to choose a TLS key (in PEM format) to install. This file will usually have a *.key* extension.
-  ![Button to find TLS key file](/assets/images/enterprise/management-console/install-tls-key.png)
-
-  {% warning %}
-
-  **Warning**: Your TLS key must not have a passphrase. For more information, see "[Removing the passphrase from your key file](/enterprise/{{ currentVersion }}/admin/guides/installation/troubleshooting-ssl-errors#removing-the-passphrase-from-your-key-file)".
-
-  {% endwarning %}
-{% data reusables.enterprise_management_console.save-settings %}
-
-### About Let's Encrypt support
-
-Let's Encrypt is a public certificate authority that issues free, automated TLS certificates that are trusted by browsers using the ACME protocol. You can automatically obtain and renew Let's Encrypt certificates on your appliance without any required manual maintenance.
-
-{% data reusables.enterprise_installation.lets-encrypt-prerequisites %}
-
-When you enable automation of TLS certificate management using Let's Encrypt, {% data variables.product.product_location %} will contact the Let's Encrypt servers to obtain a certificate. To renew a certificate, Let's Encrypt servers must validate control of the configured domain name with inbound HTTP requests.
-
-You can also use the `ghe-ssl-acme` command line utility on {% data variables.product.product_location %} to automatically generate a Let's Encrypt certificate. For more information, see "[Command-line utilities](/enterprise/{{ currentVersion }}/admin/guides/installation/command-line-utilities#ghe-ssl-acme)."
-
-### Configuring TLS using Let's Encrypt
-
-{% data reusables.enterprise_installation.lets-encrypt-prerequisites %}
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.privacy %}
-{% data reusables.enterprise_management_console.select-tls-only %}
-5. Select **Enable automation of TLS certificate management using Let's Encrypt**.
-  ![Checkbox to enable Let's Encrypt](/assets/images/enterprise/management-console/lets-encrypt-checkbox.png)
-{% data reusables.enterprise_management_console.save-settings %}
-{% data reusables.enterprise_management_console.privacy %}
-7. Click **Request TLS certificate**.
-  ![Request TLS certificate button](/assets/images/enterprise/management-console/request-tls-button.png)
-8. Click **Save configuration**.

content/admin/configuration/configuring-your-enterprise.md

@@ -1,18 +0,0 @@
----
-title: Configuring your enterprise
-intro: 'After {% data variables.product.product_name %} is up and running, you can configure your enterprise to suit your organization''s needs.'
-redirect_from:
-  - /enterprise/admin/guides/installation/basic-configuration/
-  - /enterprise/admin/guides/installation/administrative-tools/
-  - /enterprise/admin/articles/restricting-ssh-access-to-specific-hosts/
-  - /enterprise/admin/guides/installation/configuring-the-github-enterprise-appliance/
-  - /enterprise/admin/installation/configuring-the-github-enterprise-server-appliance
-  - /enterprise/admin/configuration/configuring-your-enterprise
-mapTopic: true
-versions:
-  enterprise-server: '*'
-  github-ae: '*'
-topics:
-  - Enterprise
----
-

content/admin/configuration/configuring-your-enterprise/about-enterprise-configuration.md

@@ -0,0 +1,34 @@
+---
+title: About enterprise configuration
+intro: 'You can use the site admin dashboard{% if enterpriseServerVersions contains currentVersion %}, {% data variables.enterprise.management_console %}, and administrative shell (SSH) {% elsif currentVersion == "github-ae@latest" %} and enterprise settings or contact support{% endif %} to manage your enterprise.'
+versions:
+  enterprise-server: '*'
+  github-ae: '*'
+type: overview
+topics:
+  - Enterprise
+  - Fundamentals
+  - SSH
+redirect_from:
+  - /admin/configuration/about-enterprise-configuration
+---
+{% if enterpriseServerVersions contains currentVersion %}
+{% data reusables.enterprise_site_admin_settings.about-the-site-admin-dashboard %} For more information, see "[Site admin dashboard](/admin/configuration/site-admin-dashboard)."
+
+{% data reusables.enterprise_site_admin_settings.about-the-management-console %} For more information, see "[Accessing the management console](/admin/configuration/accessing-the-management-console)."
+
+{% data reusables.enterprise_site_admin_settings.about-ssh-access %} For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)."
+{% endif %}
+
+{% if currentVersion == "github-ae@latest" %}
+The first time you access your enterprise, you will complete an initial configuration to get {% data variables.product.product_name %} ready to use. The initial configuration includes connecting your enterprise with an identity provider (IdP), authenticating with SAML SSO, configuring policies for repositories and organizations in your enterprise, and configuring SMTP for outbound email. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/initializing-github-ae)."
+
+Later, you can use the site admin dashboard and enterprise settings to further configure your enterprise, manage users, organizations and repositories, and set policies that reduce risk and increase quality. 
+
+All enterprises are configured with subdomain isolation and support for TLS 1.2 and higher for encrypted traffic only.
+{% endif %}
+
+### Further reading
+
+- "[Managing users, organizations, and repositories](/admin/user-management)"
+- "[Setting policies for your enterprise](/admin/policies)"

content/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh.md

@@ -0,0 +1,78 @@
+---
+title: Accessing the administrative shell (SSH)
+redirect_from:
+  - /enterprise/admin/articles/ssh-access/
+  - /enterprise/admin/articles/adding-an-ssh-key-for-shell-access/
+  - /enterprise/admin/guides/installation/administrative-shell-ssh-access/
+  - /enterprise/admin/articles/troubleshooting-ssh-permission-denied-publickey/
+  - /enterprise/admin/2.13/articles/troubleshooting-ssh-permission-denied-publickey/
+  - /enterprise/admin/2.14/articles/troubleshooting-ssh-permission-denied-publickey/
+  - /enterprise/admin/2.15/articles/troubleshooting-ssh-permission-denied-publickey/
+  - /enterprise/admin/installation/accessing-the-administrative-shell-ssh
+  - /enterprise/admin/configuration/accessing-the-administrative-shell-ssh
+  - /admin/configuration/accessing-the-administrative-shell-ssh
+intro: '{% data reusables.enterprise_site_admin_settings.about-ssh-access %}'
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - SSH
+---
+### About administrative shell access
+
+If you have SSH access to the administrative shell, you can run {% data variables.product.prodname_ghe_server %}'s command line utilities. SSH access is also useful for troubleshooting, running backups, and configuring replication. Administrative SSH access is managed separately from Git SSH access and is accessible only via port 122.
+
+### Enabling access to the administrative shell via SSH
+
+To enable administrative SSH access, you must add your SSH public key to your instance's list of authorized keys.
+
+{% tip %}
+
+**Tip:** Changes to authorized SSH keys take effect immediately.
+
+{% endtip %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+3. Under "SSH access", paste your key into the text box, then click **Add key**.
+  ![Text box and button for adding an SSH key](/assets/images/enterprise/settings/add-authorized-ssh-key-admin-shell.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+### Connecting to the administrative shell over SSH
+
+After you've added your SSH key to the list, connect to the instance over SSH as the `admin` user on port 122.
+
+```shell
+$ ssh -p 122 admin@github.example.com
+Last login: Sun Nov 9 07:53:29 2014 from 169.254.1.1
+admin@github-example-com:~$ █
+```
+
+#### Troubleshooting SSH connection problems
+
+If you encounter the `Permission denied (publickey)` error when you try to connect to {% data variables.product.product_location %} via SSH, confirm that you are connecting over port 122. You may need to explicitly specify which private SSH key to use.
+
+To specify a private SSH key using the command line, run `ssh` with the `-i` argument.
+
+```shell
+ssh -i /path/to/ghe_private_key -p 122 admin@<em>hostname</em>
+```
+
+You can also specify a private SSH key using the SSH configuration file (`~/.ssh/config`).
+
+```shell
+Host <em>hostname</em>
+  IdentityFile /path/to/ghe_private_key
+  User admin
+  Port 122
+```
+
+### Accessing the administrative shell using the local console
+
+In an emergency situation, for example if SSH is unavailable, you can access the administrative shell locally. Sign in as the `admin` user and use the password established during initial setup of {% data variables.product.prodname_ghe_server %}.
+
+### Access limitations for the administrative shell
+
+Administrative shell access is permitted for troubleshooting and performing documented operations procedures only. Modifying system and application files, running programs, or installing unsupported software packages may void your support contract. Please contact {% data variables.contact.contact_ent_support %} if you have a question about the activities allowed by your support contract.

content/admin/configuration/configuring-your-enterprise/accessing-the-management-console.md

@@ -0,0 +1,54 @@
+---
+title: Accessing the management console
+intro: '{% data reusables.enterprise_site_admin_settings.about-the-management-console %}'
+redirect_from:
+  - /enterprise/admin/articles/about-the-management-console/
+  - /enterprise/admin/articles/management-console-for-emergency-recovery/
+  - /enterprise/admin/articles/web-based-management-console/
+  - /enterprise/admin/categories/management-console/
+  - /enterprise/admin/articles/accessing-the-management-console/
+  - /enterprise/admin/guides/installation/web-based-management-console/
+  - /enterprise/admin/installation/accessing-the-management-console
+  - /enterprise/admin/configuration/accessing-the-management-console
+  - /admin/configuration/accessing-the-management-console
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+---
+### About the {% data variables.enterprise.management_console %}
+
+Use the {% data variables.enterprise.management_console %} for basic administrative activities:
+- **Initial setup**: Walk through the initial setup process when first launching {% data variables.product.product_location %} by visiting {% data variables.product.product_location %}'s IP address in your browser.
+- **Configuring basic settings for your instance**: Configure DNS, hostname, SSL, user authentication, email, monitoring services, and log forwarding on the Settings page.
+- **Scheduling maintenance windows**: Take {% data variables.product.product_location %} offline while performing maintenance using the {% data variables.enterprise.management_console %} or administrative shell.
+- **Troubleshooting**: Generate a support bundle or view high level diagnostic information.
+- **License management**: View or update your {% data variables.product.prodname_enterprise %} license.
+
+You can always reach the {% data variables.enterprise.management_console %} using {% data variables.product.product_location %}'s IP address, even when the instance is in maintenance mode, or there is a critical application failure or hostname or SSL misconfiguration.
+
+To access the {% data variables.enterprise.management_console %}, you must use the administrator password established during initial setup of {% data variables.product.product_location %}. You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations.
+
+### Accessing the {% data variables.enterprise.management_console %} as a site administrator
+
+The first time that you access the {% data variables.enterprise.management_console %} as a site administrator, you must upload your {% data variables.product.prodname_enterprise %} license file to authenticate into the app. For more information, see "[Managing your {% data variables.product.prodname_enterprise %} license](/enterprise/{{ currentVersion }}/admin/guides/installation/managing-your-github-enterprise-license)."
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.type-management-console-password %}
+
+### Accessing the {% data variables.enterprise.management_console %} as an unauthenticated user
+
+1. Visit this URL in your browser, replacing `hostname` with your actual {% data variables.product.prodname_ghe_server %} hostname or IP address:
+  ```shell
+  http(s)://HOSTNAME/setup
+  ```
+{% data reusables.enterprise_management_console.type-management-console-password %}
+
+### Unlocking the {% data variables.enterprise.management_console %} after failed login attempts
+
+The {% data variables.enterprise.management_console %} locks after ten failed login attempts are made in the span of ten minutes. You must wait for the login screen to automatically unlock before attempting to log in again. The login screen automatically unlocks as soon as the previous ten minute period contains fewer than ten failed login attempts. The counter resets after a successful login occurs.
+
+To immediately unlock the {% data variables.enterprise.management_console %}, use the `ghe-reactivate-admin-login` command via the administrative shell. For more information, see "[Command line utilities](/enterprise/{{ currentVersion }}/admin/guides/installation/command-line-utilities#ghe-reactivate-admin-login)" and "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/)."

content/admin/configuration/configuring-your-enterprise/command-line-utilities.md

@@ -0,0 +1,830 @@
+---
+title: Command-line utilities
+intro: '{% data variables.product.prodname_ghe_server %} includes a variety of utilities to help resolve particular problems or perform specific tasks.'
+redirect_from:
+  - /enterprise/admin/articles/viewing-all-services/
+  - /enterprise/admin/articles/command-line-utilities/
+  - /enterprise/admin/installation/command-line-utilities
+  - /enterprise/admin/configuration/command-line-utilities
+  - /admin/configuration/command-line-utilities
+miniTocMaxHeadingLevel: 4
+versions:
+  enterprise-server: '*'
+type: reference
+topics:
+  - Enterprise
+  - SSH
+---
+You can execute these commands from anywhere on the VM after signing in as an SSH admin user. For more information, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/)."
+
+### General
+
+#### ghe-announce
+
+This utility sets a banner at the top of every {% data variables.product.prodname_enterprise %} page. You can use it to broadcast a message to your users.
+
+{% if currentVersion ver_gt "enterprise-server@2.21" %}
+You can also set an announcement banner using the enterprise settings on {% data variables.product.product_name %}. For more information, see "[Customizing user messages on your instance](/enterprise/admin/user-management/customizing-user-messages-on-your-instance#creating-a-global-announcement-banner)."
+{% endif %}
+
+```shell
+# Sets a message that's visible to everyone
+$ ghe-announce -s MESSAGE
+> Announcement message set.
+# Removes a previously set message
+$ ghe-announce -u
+> Removed the announcement message
+```
+
+#### ghe-check-disk-usage
+
+This utility checks the disk for large files or files that have been deleted but still have open file handles. This should be run when you're trying to free up space on the root partition.
+
+```shell
+ghe-check-disk-usage
+```
+
+#### ghe-cleanup-caches
+
+This utility cleans up a variety of caches that might potentially take up extra disk space on the root volume. If you find your root volume disk space usage increasing notably over time it would be a good idea to run this utility to see if it helps reduce overall usage.
+
+```shell
+ghe-cleanup-caches
+```
+#### ghe-cleanup-settings
+
+This utility wipes all existing {% data variables.enterprise.management_console %} settings.
+
+{% tip %}
+
+**Tip**: {% data reusables.enterprise_enterprise_support.support_will_ask_you_to_run_command %}
+
+{% endtip %}
+
+```shell
+ghe-cleanup-settings
+```
+
+#### ghe-config
+
+With this utility, you can both retrieve and modify the configuration settings of {% data variables.product.product_location %}.
+
+```shell
+$ ghe-config <em>core.github-hostname</em>
+# Gets the configuration value of `core.github-hostname`
+$ ghe-config <em>core.github-hostname</em> <em>'example.com'</em>
+# Sets the configuration value of `core.github-hostname` to `example.com`
+$ ghe-config -l
+# Lists all the configuration values
+```
+Allows you to find the universally unique identifier (UUID) of your node in `cluster.conf`.
+
+```shell
+  $ ghe-config <em>HOSTNAME</em>.uuid
+```
+
+{% if currentVersion ver_gt "enterprise-server@2.21" %}
+Allows you to exempt a list of users from API rate limits. For more information, see "[Resources in the REST API](/rest/overview/resources-in-the-rest-api#rate-limiting)."
+
+``` shell
+$ ghe-config app.github.rate-limiting-exempt-users "<em>hubot</em> <em>github-actions</em>"
+# Exempts the users hubot and github-actions from rate limits
+```
+{% endif %}
+
+#### ghe-config-apply
+
+This utility applies {% data variables.enterprise.management_console %} settings, reloads system services, prepares a storage device, reloads application services, and runs any pending database migrations. It is equivalent to clicking **Save settings** in the {% data variables.enterprise.management_console %}'s web UI or to sending a POST request to [the `/setup/api/configure` endpoint](/enterprise/{{ currentVersion }}/user/rest/reference/enterprise-admin#management-console).
+
+You will probably never need to run this manually, but it's available if you want to automate the process of saving your settings via SSH.
+
+```shell
+ghe-config-apply
+```
+
+#### ghe-console
+
+This utility opens the GitHub Rails console on your {% data variables.product.prodname_enterprise %} appliance. {% data reusables.command_line.use_with_support_only %}
+
+```shell
+ghe-console
+```
+
+#### ghe-dbconsole
+
+This utility opens a MySQL database session on your {% data variables.product.prodname_enterprise %} appliance. {% data reusables.command_line.use_with_support_only %}
+
+```shell
+ghe-dbconsole
+```
+
+#### ghe-es-index-status
+This utility returns a summary of Elasticsearch indexes in CSV format.
+
+Print an index summary with a header row to `STDOUT`:
+```shell
+$ ghe-es-index-status -do
+> warning: parser/current is loading parser/ruby23, which recognizes
+> warning: 2.3.3-compliant syntax, but you are running 2.3.4.
+> warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
+> Name,Primary,Searchable,Writable,UpToDate,RepairProgress,Version
+> code-search-1,true,true,true,true,100.0,72e27df7c631b45e026b42bfef059328fa040e17
+> commits-5,true,true,true,true,100.0,7ed28813100c47813ef654c0ee2bb9abf21ab744
+> gists-4,true,true,true,true,100.0,cf8e7d04fcf2564c902e2873c424a279cc41079d
+> issues-4,false,false,false,true,100.0,d0bb08f71eebf6e7b070572aa399b185dbdc8a76
+> issues-5,true,true,true,true,100.0,d0bb08f71eebf6e7b070572aa399b185dbdc8a76
+> projects-2,true,true,true,true,100.0,c5cac1c4b3c66d42e609d088d174dbc3dd44469a
+> pull-requests-6,true,true,true,true,100.0,6a466ad6b896a3499509990979bf9a18d7d41de3
+> repos-6,true,true,true,true,100.0,6c8b5fbba0fc1e409558db411d05e092c1387082
+> users-5,true,true,true,true,100.0,38984875552bb826c9ec42999f409cb2e95556eb
+> wikis-4,true,true,true,true,100.0,2613dec44bd14e14577803ac1f9e4b7e07a7c234
+```
+
+Print an index summary and pipe results to `column` for readability:
+
+```shell
+$ ghe-es-index-status -do | column -ts,
+> warning: parser/current is loading parser/ruby23, which recognizes
+> warning: 2.3.3-compliant syntax, but you are running 2.3.4.
+> warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
+> Name             Primary  Searchable  Writable  UpToDate  RepairProgress  Version
+> code-search-1    true     true        true      true      100.0           72e27df7c631b45e026b42bfef059328fa040e17
+> commits-5        true     true        true      true      100.0           7ed28813100c47813ef654c0ee2bb9abf21ab744
+> gists-4          true     true        true      true      100.0           cf8e7d04fcf2564c902e2873c424a279cc41079d
+> issues-4         false    false       false     true      100.0           d0bb08f71eebf6e7b070572aa399b185dbdc8a76
+> issues-5         true     true        true      true      100.0           d0bb08f71eebf6e7b070572aa399b185dbdc8a76
+> projects-2       true     true        true      true      100.0           c5cac1c4b3c66d42e609d088d174dbc3dd44469a
+> pull-requests-6  true     true        true      true      100.0           6a466ad6b896a3499509990979bf9a18d7d41de3
+> repos-6          true     true        true      true      100.0           6c8b5fbba0fc1e409558db411d05e092c1387082
+> users-5          true     true        true      true      100.0           38984875552bb826c9ec42999f409cb2e95556eb
+> wikis-4          true     true        true      true      100.0           2613dec44bd14e14577803ac1f9e4b7e07a7c234
+```
+
+#### ghe-legacy-github-services-report
+
+This utility lists repositories on your appliance that use {% data variables.product.prodname_dotcom %} Services, an integration method that will be discontinued on October 1, 2018. Users on your appliance may have set up {% data variables.product.prodname_dotcom %} Services to create notifications for pushes to certain repositories. For more information, see "[Announcing the deprecation of {% data variables.product.prodname_dotcom %} Services](https://developer.github.com/changes/2018-04-25-github-services-deprecation/)" on {% data variables.product.prodname_blog %} or "[Replacing {% data variables.product.prodname_dotcom %} Services](/developers/overview/replacing-github-services)." For more information about this command or for additional options, use the `-h` flag.
+
+```shell
+ghe-legacy-github-services-report
+
+```
+
+#### ghe-logs-tail
+
+This utility lets you tail log all relevant log files from your installation. You can pass options in to limit the logs to specific sets. Use the -h flag for additional options.
+
+```shell
+ghe-logs-tail
+```
+
+#### ghe-maintenance
+
+This utility allows you to control the state of the installation's maintenance mode. It's designed to be used primarily by the {% data variables.enterprise.management_console %} behind-the-scenes, but it can be used directly.
+
+```shell
+ghe-maintenance -h
+```
+
+#### ghe-motd
+
+This utility re-displays the message of the day (MOTD) that administrators see when accessing the instance via the administrative shell. The output contains an overview of the instance's state.
+
+```shell
+ghe-motd
+```
+
+#### ghe-nwo
+
+This utility returns a repository's name and owner based on the repository ID.  
+
+```shell
+ghe-nwo <em>REPOSITORY_ID</em>
+```
+
+#### ghe-org-admin-promote
+
+Use this command to give organization owner privileges to users with site admin privileges on the appliance, or to give organization owner privileges to any single user in a single organization. You must specify a user and/or an organization. The `ghe-org-admin-promote` command will always ask for confirmation before running unless you use the `-y` flag to bypass the confirmation.
+
+You can use these options with the utility:
+
+- The `-u` flag specifies a username. Use this flag to give organization owner privileges to a specific user. Omit the `-u` flag to promote all site admins to the specified organization.
+- The `-o` flag specifies an organization. Use this flag to give owner privileges in a specific organization. Omit the `-o` flag to give owner permissions in all organizations to the specified site admin.
+- The `-a` flag gives owner privileges in all organizations to all site admins.
+- The `-y` flag bypasses the manual confirmation.
+
+This utility cannot promote a non-site admin to be an owner of all organizations. You can promote an ordinary user account to a site admin with [ghe-user-promote](#ghe-user-promote).
+
+Give organization owner privileges in a specific organization to a specific site admin
+
+```shell
+ghe-org-admin-promote -u <em>USERNAME</em> -o <em>ORGANIZATION</em>
+```
+
+Give organization owner privileges in all organizations to a specific site admin
+
+```shell
+ghe-org-admin-promote -u <em>USERNAME</em>
+```
+
+Give organization owner privileges in a specific organization to all site admins
+
+```shell
+ghe-org-admin-promote -o <em>ORGANIZATION</em>
+```
+
+Give organization owner privileges in all organizations to all site admins
+
+```shell
+ghe-org-admin-promote -a
+```
+
+#### ghe-reactivate-admin-login
+
+Use this command to immediately unlock the {% data variables.enterprise.management_console %} after 10 failed login attempts in the span of 10 minutes.
+
+```shell
+$ ghe-reactivate-admin-login
+```
+
+#### ghe-resque-info
+
+This utility displays information on background jobs, both active and in the queue. It provides the same job count numbers as the admin stats bar at the top of every page.
+
+This utility can help identify whether the Resque server is having problems processing background jobs. Any of the following scenarios might be indicative of a problem with Resque:
+
+* The number of background jobs is increasing, while the active jobs remain the same.
+* The event feeds are not updating.
+* Webhooks are not being triggered.
+* The web interface is not updating after a Git push.
+
+If you suspect Resque is failing, contact {% data variables.contact.contact_ent_support %} for help.
+
+With this command, you can also pause or resume jobs in the queue.
+
+```shell
+$ ghe-resque-info
+# lists queues and the number of currently queued jobs
+$ ghe-resque-info -p <em>QUEUE</em>
+# pauses the specified queue
+$ ghe-resque-info -r <em>QUEUE</em>
+# resumes the specified queue
+```
+
+#### ghe-saml-mapping-csv
+
+This utility can help map SAML records.
+
+To create a CSV file containing all the SAML mapping for your {% data variables.product.product_name %} users:
+```shell
+$ ghe-saml-mapping-csv -d
+```
+
+To perform a dry run of updating SAML mappings with new values:
+```shell
+$ ghe-saml-mapping-csv -u -n -f /path/to/file
+```
+
+To update SAML mappings with new values:
+```shell
+$ ghe-saml-mapping-csv -u -f /path/to/file
+```
+
+#### ghe-service-list
+
+This utility lists all of the services that have been started or stopped (are running or waiting) on your appliance.
+
+```shell
+$ ghe-service-list
+start/running
+  - github-resqued, process 12711
+  - github-unicorn, process 12726
+  - github-gitauth, process 12743
+  - git-daemon, process 12755
+  - babeld, process 12771
+  - github-svn-proxy, process 12802
+  - gist-unicorn, process 12832
+  - gist-resqued, process 12881
+  - render-unicorn, process 12939
+  - hookshot-unicorn, process 13076
+  - nodeload2, process 13192
+  - slumlord-unicorn, process 13304
+  - ghe-storage, process 2012
+  - enterprise-manage-unicorn, process 2024
+  - enterprise-manage-resque, process 2053
+
+stop/waiting
+  - ghe-replica-mode
+```
+
+{% tip %}
+
+The service names returned from this command can be used with [`systemctl`](https://www.freedesktop.org/software/systemd/man/systemctl.html) commands to stop, start, or restart these services manually, if needed. For example:
+
+```shell
+$ sudo systemctl restart github-resqued
+```
+
+Stopping services will cause downtime on your installation, so we recommend you contact {% data variables.contact.contact_ent_support %} before stopping or restarting any service.
+
+{% endtip %}
+
+#### ghe-set-password
+
+With `ghe-set-password`, you can set a new password to authenticate into the [{% data variables.enterprise.management_console %}](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-management-console).
+
+```shell
+ghe-set-password <new_password>
+```
+
+#### ghe-ssh-check-host-keys
+
+This utility checks the existing SSH host keys against the list of known leaked SSH host keys.
+
+```shell
+$ ghe-ssh-check-host-keys
+```
+
+If a leaked host key is found the utility exits with status `1` and a message:
+```shell
+> One or more of your SSH host keys were found in the blacklist.
+> Please reset your host keys using ghe-ssh-roll-host-keys.
+```
+
+If a leaked host key was not found, the utility exits with status `0` and a message:
+```shell
+> The SSH host keys were not found in the SSH host key blacklist.
+> No additional steps are needed/recommended at this time.
+```
+
+#### ghe-ssh-roll-host-keys
+
+This utility rolls the SSH host keys and replaces them with newly generated keys.
+
+```shell
+$ sudo ghe-ssh-roll-host-keys
+Proceed with rolling SSH host keys? This will delete the
+existing keys in /etc/ssh/ssh_host_* and generate new ones. [y/N]
+
+# Press 'Y' to confirm deleting, or use the -y switch to bypass this prompt
+
+> SSH host keys have successfully been rolled.
+```
+
+#### ghe-ssh-weak-fingerprints
+
+This utility returns a report of known weak SSH keys stored on the {% data variables.product.prodname_enterprise %} appliance. You can optionally revoke user keys as a bulk action. The utility will report weak system keys, which you must manually revoke in the [{% data variables.enterprise.management_console %}](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-management-console).
+
+```shell
+# Print a report of weak user and system SSH keys
+$ ghe-ssh-weak-fingerprints
+
+# Revoke all weak user keys
+$ ghe-ssh-weak-fingerprints --revoke
+```
+
+#### ghe-ssl-acme
+
+This utility allows you to install a Let's Encrypt certificate on your {% data variables.product.prodname_enterprise %} appliance. For more information, see "[Configuring TLS](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-tls)."
+
+You can use the `-x` flag to remove the ACME configuration.
+
+```shell
+ghe-ssl-acme -e
+```
+
+#### ghe-ssl-ca-certificate-install
+
+This utility allows you to install a custom root CA certificate on your {% data variables.product.prodname_enterprise %} server. The certificate must be in PEM format. Furthermore, if your certificate provider includes multiple CA certificates in a single file, you must separate them into individual files that you then pass to `ghe-ssl-ca-certificate-install` one at a time.
+
+Run this utility to add a certificate chain for S/MIME commit signature verification. For more information, see "[About commit signature verification](/enterprise/{{ currentVersion }}/user/articles/about-commit-signature-verification/)."
+
+Run this utility when {% data variables.product.product_location %} is unable to connect to another server because the latter is using a self-signed SSL certificate or an SSL certificate for which it doesn't provide the necessary CA bundle. One way to confirm this is to run `openssl s_client -connect host:port -verify 0 -CApath /etc/ssl/certs` from {% data variables.product.product_location %}. If the remote server's SSL certificate can be verified, your `SSL-Session` should have a return code of 0, as shown below.
+
+```
+SSL-Session:
+    Protocol  : TLSv1
+    Cipher    : AES128-SHA
+    Session-ID: C794EBCC3CBC10F747C9AFC029C03C1048FC99CFC34D13D7444E0F267C58DF4C
+    Session-ID-ctx:
+    Master-Key: 02A7C47CFD6EEC87D3C710E9DD87390E04EF82DDD7514AE03127D5DC1945FC0CAEFB5395791AEA598667EFA61B9EA8C5
+    Key-Arg   : None
+    Start Time: 1394581597
+    Timeout   : 300 (sec)
+    Verify return code: 0 (ok)
+```
+
+If, on the other hand, the remote server's SSL certificate can *not* be verified, your `SSL-Session` should have a nonzero return code:
+
+```
+SSL-Session:
+    Protocol  : TLSv1
+    Cipher    : AES128-SHA
+    Session-ID: 82CB288051A6DB66094C50A69CF1292AEE7E54C6B01B659B98AB336F8C33863E
+    Session-ID-ctx:
+    Master-Key: 01B025B2F764043A27919A8D1355AAECD8844FF0831B1D664042334790574A6F4025BAB085D4ED71D71AAB3091B849E5
+    Key-Arg   : None
+    Start Time: 1394581782
+    Timeout   : 300 (sec)
+    Verify return code: 27 (certificate not trusted)
+```
+
+You can use these additional options with the utility:
+- The `-r` flag allows you to uninstall a CA certificate.
+- The `-h` flag displays more usage information.
+
+```shell
+ghe-ssl-ca-certificate-install -c <em>/path/to/certificate</em>
+```
+
+#### ghe-ssl-generate-csr
+
+This utility allows you to generate a private key and certificate signing request (CSR), which you can share with a commercial or private certificate authority to get a valid certificate to use with your instance. For more information, see "[Configuring TLS](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-tls)."
+
+For more information about this command or for additional options, use the `-h` flag.
+
+```shell
+ghe-ssl-generate-csr
+```
+
+#### ghe-storage-extend
+
+Some platforms require this script to expand the user volume. For more information, see "[Increasing Storage Capacity](/enterprise/admin/guides/installation/increasing-storage-capacity/)".
+
+```shell
+$ ghe-storage-extend
+```
+
+#### ghe-version
+
+This utility prints the version, platform, and build of {% data variables.product.product_location %}.
+
+```shell
+$ ghe-version
+```
+
+#### ghe-webhook-logs
+
+This utility returns webhook delivery logs for administrators to review and identify any issues.
+
+```shell
+ghe-webhook-logs
+```
+
+To show all failed hook deliveries in the past day:
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+```shell
+ghe-webhook-logs -f -a <em>YYYY-MM-DD</em>
+```
+
+The date format should be `YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, or `YYYY-MM-DD HH:MM:SS (+/-) HH:M`.
+{% else %}
+```shell
+ghe-webhook-logs -f -a <em>YYYYMMDD</em>
+```
+{% endif %}
+
+To show the full hook payload, result, and any exceptions for the delivery:
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+```shell
+ghe-webhook-logs -g <em>delivery-guid</em>
+```
+{% else %}
+```shell
+ghe-webhook-logs -g <em>delivery-guid</em> -v
+```
+{% endif %}
+
+### Clustering
+
+#### ghe-cluster-status
+
+Check the health of your nodes and services in a cluster deployment of {% data variables.product.prodname_ghe_server %}.
+
+```shell
+$ ghe-cluster-status
+```
+
+#### ghe-cluster-support-bundle
+
+This utility creates a support bundle tarball containing important logs from each of the nodes in either a Geo-replication or Clustering configuration.
+
+By default, the command creates the tarball in */tmp*, but you can also have it `cat` the tarball to `STDOUT` for easy streaming over SSH. This is helpful in the case where the web UI is unresponsive or downloading a support bundle from */setup/support* doesn't work. You must use this command if you want to generate an *extended* bundle, containing older logs. You can also use this command to upload the cluster support bundle directly to {% data variables.product.prodname_enterprise %} support.
+
+To create a standard bundle:
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -o' > cluster-support-bundle.tgz
+```
+
+To create an extended bundle:
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -x -o' > cluster-support-bundle.tgz
+```
+
+To send a bundle to {% data variables.contact.github_support %}:
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -u'
+```
+
+To send a bundle to {% data variables.contact.github_support %} and associate the bundle with a ticket:
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -t <em>ticket-id</em>'
+```
+
+{% if currentVersion ver_gt "enterprise-server@2.21" %}
+#### ghe-cluster-failover
+
+Fail over from active cluster nodes to passive cluster nodes. For more information, see "[Initiating a failover to your replica cluster](/enterprise/admin/enterprise-management/initiating-a-failover-to-your-replica-cluster)."
+
+```shell
+ghe-cluster-failover
+```
+{% endif %}
+
+#### ghe-dpages
+
+This utility allows you to manage the distributed {% data variables.product.prodname_pages %} server.
+
+```shell
+ghe-dpages
+```
+
+To show a summary of repository location and health:
+```shell
+ghe-dpages status
+```
+
+To evacuate a {% data variables.product.prodname_pages %} storage service before evacuating a cluster node:
+```shell
+ghe-dpages evacuate pages-server-<em>UUID</em>
+```
+
+#### ghe-spokes
+
+This utility allows you to manage the three copies of each repository on the distributed git servers.
+
+```shell
+ghe-spokes
+```
+
+To show a summary of repository location and health:
+
+```shell
+ghe-spokes status
+```
+
+To show the servers in which the repository is stored:
+
+```shell
+ghe-spokes route
+```
+
+To evacuate storage services on a cluster node:
+
+```shell
+ghe-spokes server evacuate git-server-<em>UUID</em>
+```
+
+#### ghe-storage
+
+This utility allows you to evacuate all storage services before evacuating a cluster node.
+
+```shell
+ghe-storage evacuate storage-server-<em>UUID</em>
+```
+
+### Git
+
+#### ghe-btop
+
+A `top`-like interface for current Git operations.
+
+```shell
+ghe-btop [ <port number> | --help | --usage ]
+```
+
+#### ghe-repo
+
+This utility allows you to change to a repository's directory and open an interactive shell as the `git` user. You can perform manual inspection or maintenance of a repository via commands like `git-*` or `git-nw-*`.
+
+```shell
+ghe-repo <em>username</em>/<em>reponame</em>
+```
+
+#### ghe-repo-gc
+
+This utility manually repackages a repository network to optimize pack storage. If you have a large repository, running this command may help reduce its overall size. {% data variables.product.prodname_enterprise %} automatically runs this command throughout your interaction with a repository network.
+
+You can add the optional `--prune` argument to remove unreachable Git objects that aren't referenced from a branch, tag, or any other ref. This is particularly useful for immediately removing [previously expunged sensitive information](/enterprise/user/articles/remove-sensitive-data/).
+
+```shell
+ghe-repo-gc <em>username</em>/<em>reponame</em>
+```
+
+### Import and export
+
+#### ghe-migrator
+
+`ghe-migrator` is a hi-fidelity tool to help you migrate from one GitHub instance to another. You can consolidate your instances or move your organization, users, teams, and repositories from GitHub.com to {% data variables.product.prodname_enterprise %}.
+
+For more information, please see our guide on [migrating user, organization, and repository data](/enterprise/admin/guides/migrations/).
+
+#### git-import-detect
+
+Given a URL, detect which type of source control management system is at the other end. During a manual import this is likely already known, but this can be very useful in automated scripts.
+```shell
+git-import-detect
+```
+
+#### git-import-hg-raw
+
+This utility imports a Mercurial repository to this Git repository. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
+```shell
+git-import-hg-raw
+```
+
+#### git-import-svn-raw
+
+This utility imports Subversion history and file data into a Git branch. This is a straight copy of the tree, ignoring any trunk or branch distinction. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
+```shell
+git-import-svn-raw
+```
+
+#### git-import-tfs-raw
+
+This utility imports from Team Foundation Version Control (TFVC). For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
+```shell
+git-import-tfs-raw
+```
+
+#### git-import-rewrite
+
+This utility rewrites the imported repository. This gives you a chance to rename authors and, for Subversion and TFVC, produces Git branches based on folders. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
+```shell
+git-import-rewrite
+```
+
+### Support
+
+#### ghe-diagnostics
+
+This utility performs a variety of checks and gathers information about your installation that you can send to support to help diagnose problems you're having.
+
+Currently, this utility's output is similar to downloading the diagnostics info in the {% data variables.enterprise.management_console %}, but may have additional improvements added to it over time that aren't available in the web UI. For more information, see "[Creating and sharing diagnostic files](/enterprise/admin/guides/enterprise-support/providing-data-to-github-support#creating-and-sharing-diagnostic-files)."
+
+```shell
+ghe-diagnostics
+```
+
+#### ghe-support-bundle
+
+{% data reusables.enterprise_enterprise_support.use_ghe_cluster_support_bundle %}
+This utility creates a support bundle tarball containing important logs from your instance.
+
+By default, the command creates the tarball in */tmp*, but you can also have it `cat` the tarball to `STDOUT` for easy streaming over SSH. This is helpful in the case where the web UI is unresponsive or downloading a support bundle from */setup/support* doesn't work. You must use this command if you want to generate an *extended* bundle, containing older logs. You can also use this command to upload the support bundle directly to {% data variables.product.prodname_enterprise %} support.
+
+To create a standard bundle:
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -o' > support-bundle.tgz
+```
+
+To create an extended bundle:
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -x -o' > support-bundle.tgz
+```
+
+To send a bundle to {% data variables.contact.github_support %}:
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -u'
+```
+
+To send a bundle to {% data variables.contact.github_support %} and associate the bundle with a ticket:
+
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -t <em>ticket-id</em>'
+```
+
+#### ghe-support-upload
+
+This utility sends information from your appliance to {% data variables.product.prodname_enterprise %} support. You can either specify a local file, or provide a stream of up to 100MB of data via `STDIN`. The uploaded data can optionally be associated with a support ticket.
+
+To send a file to {% data variables.contact.github_support %} and associate the file with a ticket:
+```shell
+ghe-support-upload -f <em>path/to/your/file</em> -t <em>ticket-id</em>
+```
+
+To upload data via `STDIN` and associating the data with a ticket:
+```shell
+<em>ghe-repl-status -vv</em> | ghe-support-upload -t <em>ticket-id</em> -d "<em>Verbose Replication Status</em>"
+```
+
+In this example, `ghe-repl-status -vv` sends verbose status information from a replica appliance. You should replace `ghe-repl-status -vv` with the specific data you'd like to stream to `STDIN`, and `Verbose Replication Status` with a brief description of the data. {% data reusables.enterprise_enterprise_support.support_will_ask_you_to_run_command %}
+
+### Upgrading {% data variables.product.prodname_ghe_server %}
+
+#### ghe-upgrade
+
+This utility installs or verifies an upgrade package. You can also use this utility to roll back a patch release if an upgrade fails or is interrupted. For more information, see "[Upgrading {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/guides/installation/upgrading-github-enterprise-server/)."
+
+To verify an upgrade package:
+```shell
+ghe-upgrade --verify <em>UPGRADE-PACKAGE-FILENAME</em>
+```
+
+To install an upgrade package:
+```shell
+ghe-upgrade <em>UPGRADE-PACKAGE-FILENAME</em>
+```
+
+{% data reusables.enterprise_installation.command-line-utilities-ghe-upgrade-rollback %}
+
+#### ghe-upgrade-scheduler
+
+This utility manages scheduled installation of upgrade packages. You can show, create new, or remove scheduled installations. You must create schedules using cron expressions. For more information, see the [Cron Wikipedia entry](https://en.wikipedia.org/wiki/Cron#Overview).
+
+To schedule a new installation for a package:
+```shell
+$ ghe-upgrade-scheduler -c "0 2 15 12 *" <em>UPGRADE-PACKAGE-FILENAME</em>
+```
+
+To show scheduled installations for a package:
+```shell
+$ ghe-upgrade-scheduler -s <em>UPGRADE PACKAGE FILENAME</em>
+> 0 2 15 12 * /usr/local/bin/ghe-upgrade -y -s <em>UPGRADE-PACKAGE-FILENAME</em> > /data/user/common/<em>UPGRADE-PACKAGE-FILENAME</em>.log 2>&1
+```
+
+To remove scheduled installations for a package:
+```shell
+$ ghe-upgrade-scheduler -r <em>UPGRADE PACKAGE FILENAME</em>
+```
+
+#### ghe-update-check
+
+This utility will check to see if a new patch release of {% data variables.product.prodname_enterprise %} is available. If it is, and if space is available on your instance, it will download the package. By default, it's saved to */var/lib/ghe-updates*. An administrator can then [perform the upgrade](/enterprise/admin/guides/installation/updating-the-virtual-machine-and-physical-resources/).
+
+A file containing the status of the download is available at */var/lib/ghe-updates/ghe-update-check.status*.
+
+To check for the latest {% data variables.product.prodname_enterprise %} release, use the `-i` switch.
+
+```shell
+$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-update-check'
+```
+
+### User management
+
+#### ghe-license-usage
+
+This utility exports a list of the installation's users in JSON format. If your instance is connected to {% data variables.product.prodname_ghe_cloud %}, {% data variables.product.prodname_ghe_server %} uses this information for reporting licensing information to {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %} ](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
+
+By default, the list of users in the resulting JSON file is encrypted. Use the `-h` flag for more options.
+
+```shell
+ghe-license-usage
+```
+
+#### ghe-org-membership-update
+
+This utility will enforce the default organization membership visibility setting on all members in your instance. For more information, see "[Configuring visibility for organization membership](/enterprise/{{ currentVersion }}/admin/guides/user-management/configuring-visibility-for-organization-membership)." Setting options are `public` or `private`.
+
+```shell
+ghe-org-membership-update --visibility=<em>SETTING</em>
+```
+
+#### ghe-user-csv
+
+This utility exports a list of all the users in the installation into CSV format. The CSV file includes the email address, which type of user they are (e.g., admin, user), how many repositories they have, how many SSH keys, how many organization memberships, last logged IP address, etc. Use the `-h` flag for more options.
+
+```shell
+ghe-user-csv -o > users.csv
+```
+
+#### ghe-user-demote
+
+This utility demotes the specified user from admin status to that of a regular user. We recommend using the web UI to perform this action, but provide this utility in case the `ghe-user-promote` utility is run in error and you need to demote a user again from the CLI.
+
+```shell
+ghe-user-demote <em>some-user-name</em>
+```
+
+#### ghe-user-promote
+
+This utility promotes the specified user account to a site administrator.
+
+```shell
+ghe-user-promote <em>some-user-name</em>
+```
+
+#### ghe-user-suspend
+
+This utility suspends the specified user, preventing them from logging in, pushing, or pulling from your repositories.
+
+```shell
+ghe-user-suspend <em>some-user-name</em>
+```
+
+#### ghe-user-unsuspend
+
+This utility unsuspends the specified user, granting them access to login, push, and pull from your repositories.
+
+```shell
+ghe-user-unsuspend <em>some-user-name</em>
+```

content/admin/configuration/configuring-your-enterprise/configuring-applications.md

@@ -0,0 +1,25 @@
+---
+title: Configuring applications
+intro: 'You can configure internal application settings for {% data variables.product.product_location %}.'
+redirect_from:
+  - /enterprise/admin/installation/configuring-applications
+  - /enterprise/admin/configuration/configuring-applications
+  - /admin/configuration/configuring-applications
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+---
+### Adjusting image caching
+
+You can choose the amount of time that {% data variables.product.product_location %} caches avatars. When you increase the cache time, you increase the amount of time a user's avatar will take to load. Configuring the cache time with too low a value can overload {% data variables.product.product_location %} work processes. 
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+3. In the left sidebar, click **Applications**.
+![Applications tab in the settings sidebar](/assets/images/enterprise/management-console/sidebar-applications.png)
+4. Under "Avatar image cache time (seconds)", type the number of seconds that you would like {% data variables.product.product_location %} to cache avatar images.
+![Avatar image caching form field](/assets/images/enterprise/management-console/add-image-caching-value-field.png)
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-your-enterprise/configuring-backups-on-your-appliance.md

@@ -0,0 +1,125 @@
+---
+title: Configuring backups on your appliance
+shortTitle: Configuring backups
+redirect_from:
+  - /enterprise/admin/categories/backups-and-restores/
+  - /enterprise/admin/articles/backup-and-recovery/
+  - /enterprise/admin/articles/backing-up-github-enterprise/
+  - /enterprise/admin/articles/restoring-github-enterprise/
+  - /enterprise/admin/articles/backing-up-repository-data/
+  - /enterprise/admin/articles/restoring-enterprise-data/
+  - /enterprise/admin/articles/restoring-repository-data/
+  - /enterprise/admin/articles/backing-up-enterprise-data/
+  - /enterprise/admin/guides/installation/backups-and-disaster-recovery/
+  - /enterprise/admin/installation/configuring-backups-on-your-appliance
+  - /enterprise/admin/configuration/configuring-backups-on-your-appliance
+  - /admin/configuration/configuring-backups-on-your-appliance
+intro: 'As part of a disaster recovery plan, you can protect production data on {% data variables.product.product_location %} by configuring automated backups.'
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Backups
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+---
+### About {% data variables.product.prodname_enterprise_backup_utilities %}
+
+{% data variables.product.prodname_enterprise_backup_utilities %} is a backup system you install on a separate host, which takes backup snapshots of {% data variables.product.product_location %} at regular intervals over a secure SSH network connection. You can use a snapshot to restore an existing {% data variables.product.prodname_ghe_server %} instance to a previous state from the backup host.
+
+Only data added since the last snapshot will transfer over the network and occupy additional physical storage space. To minimize performance impact, backups are performed online under the lowest CPU/IO priority. You do not need to schedule a maintenance window to perform a backup.
+
+For more detailed information on features, requirements, and advanced usage, see the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#readme).
+
+### Prerequisites
+
+To use {% data variables.product.prodname_enterprise_backup_utilities %}, you must have a Linux or Unix host system separate from {% data variables.product.product_location %}.
+
+You can also integrate {% data variables.product.prodname_enterprise_backup_utilities %} into an existing environment for long-term permanent storage of critical data.
+
+We recommend that the backup host and {% data variables.product.product_location %} be geographically distant from each other. This ensures that backups are available for recovery in the event of a major disaster or network outage at the primary site.
+
+Physical storage requirements will vary based on Git repository disk usage and expected growth patterns:
+
+| Hardware | Recommendation |
+| -------- | --------- |
+| **vCPUs**  | 2 |
+| **Memory** | 2 GB |
+| **Storage** | Five times the primary instance's allocated storage |
+
+More resources may be required depending on your usage, such as user activity and selected integrations.
+
+### Installing {% data variables.product.prodname_enterprise_backup_utilities %}
+
+{% note %}
+
+**Note:** To ensure a recovered appliance is immediately available, perform backups targeting the primary instance even in a Geo-replication configuration.
+
+{% endnote %}
+
+1. Download the latest [{% data variables.product.prodname_enterprise_backup_utilities %} release](https://github.com/github/backup-utils/releases) and extract the file with the `tar` command.
+  ```shell
+  $ tar -xzvf /path/to/github-backup-utils-v<em>MAJOR.MINOR.PATCH</em>.tar.gz	  
+  ```
+2. Copy the included `backup.config-example` file to `backup.config` and open in an editor.
+3. Set the `GHE_HOSTNAME` value to your primary {% data variables.product.prodname_ghe_server %} instance's hostname or IP address.
+4. Set the `GHE_DATA_DIR` value to the filesystem location where you want to store backup snapshots.
+5. Open your primary instance's settings page at `https://HOSTNAME/setup/settings` and add the backup host's SSH key to the list of authorized SSH keys. For more information, see [Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/).
+5. Verify SSH connectivity with {% data variables.product.product_location %} with the `ghe-host-check` command.
+  ```shell
+  $ bin/ghe-host-check		  
+  ```		  
+  6. To create an initial full backup, run the `ghe-backup` command.
+  ```shell
+  $ bin/ghe-backup		  
+  ```
+
+For more information on advanced usage, see the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#readme).
+
+### Scheduling a backup
+
+You can schedule regular backups on the backup host using the `cron(8)` command or a similar command scheduling service. The configured backup frequency will dictate the worst case recovery point objective (RPO) in your recovery plan. For example, if you have scheduled the backup to run every day at midnight, you could lose up to 24 hours of data in a disaster scenario. We recommend starting with an hourly backup schedule, guaranteeing a worst case maximum of one hour of data loss if the primary site data is destroyed.
+
+If backup attempts overlap, the `ghe-backup` command will abort with an error message, indicating the existence of a simultaneous backup. If this occurs, we recommended decreasing the frequency of your scheduled backups. For more information, see the "Scheduling backups" section of the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#scheduling-backups).
+
+### Restoring a backup
+
+In the event of prolonged outage or catastrophic event at the primary site, you can restore {% data variables.product.product_location %} by provisioning another {% data variables.product.prodname_enterprise %} appliance and performing a restore from the backup host. You must add the backup host's SSH key to the target {% data variables.product.prodname_enterprise %} appliance as an authorized SSH key before restoring an appliance.
+
+{%if currentVersion ver_gt "enterprise-server@2.22"%}
+{% note %}
+
+**Note:** If {% data variables.product.product_location %} has {% data variables.product.prodname_actions %} enabled, you must first configure the {% data variables.product.prodname_actions %} external storage provider on the replacement appliance before running the `ghe-restore` command. For more information, see "[Backing up and restoring {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_actions %} enabled](/admin/github-actions/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled)."
+
+{% endnote %}
+{% endif %}
+
+To restore {% data variables.product.product_location %} from the last successful snapshot, use the `ghe-restore` command. You should see output similar to this:
+
+```shell
+$ ghe-restore -c 169.154.1.1
+> Checking for leaked keys in the backup snapshot that is being restored ...
+> * No leaked keys found
+> Connect 169.154.1.1:122 OK (v2.9.0)
+
+> WARNING: All data on GitHub Enterprise appliance 169.154.1.1 (v2.9.0)
+>          will be overwritten with data from snapshot 20170329T150710.
+> Please verify that this is the correct restore host before continuing.
+> Type 'yes' to continue: <em>yes</em>
+
+> Starting restore of 169.154.1.1:122 from snapshot 20170329T150710
+# ...output truncated
+> Completed restore of 169.154.1.1:122 from snapshot 20170329T150710
+> Visit https://169.154.1.1/setup/settings to review appliance configuration.
+```
+
+{% note %}
+
+**Note:** The network settings are excluded from the backup snapshot. You must manually configure the network on the target {% data variables.product.prodname_ghe_server %} appliance as required for your environment.
+
+{% endnote %}
+
+You can use these additional options with `ghe-restore` command:
+- The `-c` flag overwrites the settings, certificate, and license data on the target host even if it is already configured. Omit this flag if you are setting up a staging instance for testing purposes and you wish to retain the existing configuration on the target. For more information, see the "Using using backup and restore commands" section of the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#using-the-backup-and-restore-commands).
+- The `-s` flag allows you to select a different backup snapshot.

content/admin/configuration/configuring-your-enterprise/configuring-data-encryption-for-your-enterprise.md

@@ -0,0 +1,25 @@
+---
+title: Configuring data encryption for your enterprise
+shortTitle: Configuring data encryption
+intro: 'For encryption at rest, you can provide your own encryption key to encrypt your data under your encryption policies.'
+versions:
+  github-ae: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Security
+redirect_from:
+  - /admin/configuration/configuring-data-encryption-for-your-enterprise
+---
+{% note %}
+
+**Note:** Configuring encryption at rest with a customer-managed key is currently in beta and subject to change.
+
+{% endnote %}
+
+### About data encryption
+
+To provide a high level of security, {% data variables.product.product_name %} encrypts your data while at rest in the data centers and while your data is in transit between users' machines and the data centers.
+
+For encryption in transit, {% data variables.product.product_name %} uses Transport Layer Security (TLS). For encryption at rest, {% data variables.product.product_name %} provides a default RSA key.

content/admin/configuration/configuring-your-enterprise/configuring-email-for-notifications.md

@@ -0,0 +1,188 @@
+---
+title: Configuring email for notifications
+intro: 'To make it easy for users to respond quickly to activity on {% data variables.product.product_name %}, you can configure {% data variables.product.product_location %} to send email notifications for issue, pull request, and commit comments.'
+redirect_from:
+  - /enterprise/admin/guides/installation/email-configuration/
+  - /enterprise/admin/articles/configuring-email/
+  - /enterprise/admin/articles/troubleshooting-email/
+  - /enterprise/admin/articles/email-configuration-and-troubleshooting/
+  - /enterprise/admin/user-management/configuring-email-for-notifications
+  - /admin/configuration/configuring-email-for-notifications
+versions:
+  enterprise-server: '*'
+  github-ae: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Notifications
+---
+{% if currentVersion == "github-ae@latest" %}
+Enterprise owners can configure email for notifications.
+{% endif %}
+### Configuring SMTP for your enterprise
+
+{% if enterpriseServerVersions contains currentVersion %}
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. At the top of the page, click **Settings**.
+![Settings tab](/assets/images/enterprise/management-console/settings-tab.png)
+3. In the left sidebar, click **Email**.
+![Email tab](/assets/images/enterprise/management-console/email-sidebar.png)
+4. Select **Enable email**. This will enable both outbound and inbound email, however for inbound email to work you will also need to configure your DNS settings as described below in "[Configuring DNS and firewall
+settings to allow incoming emails](#configuring-dns-and-firewall-settings-to-allow-incoming-emails)."
+![Enable outbound email](/assets/images/enterprise/management-console/enable-outbound-email.png)
+5. Type the settings for your SMTP server.
+      - In the **Server address** field, type the address of your SMTP server.
+      - In the **Port** field, type the port that your SMTP server uses to send email.
+      - In the **Domain** field, type the domain name that your SMTP server will send with a HELO response, if any.
+      - Select the **Authentication** dropdown, and choose the type of encryption used by your SMTP server.
+      - In the **No-reply email address** field, type the email address to use in the From and To fields for all notification emails.      
+6. If you want to discard all incoming emails that are addressed to the no-reply email address, select **Discard email addressed to the no-reply email address**.
+![Checkbox to discard emails addressed to the no-reply email address](/assets/images/enterprise/management-console/discard-noreply-emails.png)
+7. Under **Support**, choose a type of link to offer additional support to your users.
+    - **Email:** An internal email address.
+    - **URL:** A link to an internal support site. You must include either `http://` or `https://`.
+  ![Support email or URL](/assets/images/enterprise/management-console/support-email-url.png)
+8. [Test email delivery](#testing-email-delivery).
+{% elsif currentVersion == "github-ae@latest" %}
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.email-tab %}
+2. Select **Enable email**.
+  !["Enable" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-enable-email-configure.png)
+3. Type the settings for your email server.
+    - In the **Server address** field, type the address of your SMTP server.
+    - In the **Port** field, type the port that your SMTP server uses to send email.
+    - In the **Domain** field, type the domain name that your SMTP server will send with a HELO response, if any.
+    - Select the **Authentication** dropdown, and choose the type of encryption used by your SMTP server.
+    - In the **No-reply email address** field, type the email address to use in the From and To fields for all notification emails.
+4. If you want to discard all incoming emails that are addressed to the no-reply email address, select **Discard email addressed to the no-reply email address**.
+  !["Discard" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-discard-email.png)
+5. Click **Test email settings**.
+  !["Test email settings" button for email settings configuration](/assets/images/enterprise/configuration/ae-test-email.png)
+6. Under "Send test email to," type the email address where you want to send a test email, then click **Send test email**.
+  !["Send test email" button for email settings configuration](/assets/images/enterprise/configuration/ae-send-test-email.png)
+7. Click **Save**.
+  !["Save" button for enterprise support contact configuration](/assets/images/enterprise/configuration/ae-save.png)
+{% endif %}
+
+{% if enterpriseServerVersions contains currentVersion %}
+### Testing email delivery
+
+1. At the top of the **Email** section, click **Test email settings**.
+![Test email settings](/assets/images/enterprise/management-console/test-email.png)
+2. In the **Send test email to** field, type an address to send the test email to.
+![Test email address](/assets/images/enterprise/management-console/test-email-address.png)
+3. Click **Send test email**.
+![Send test email](/assets/images/enterprise/management-console/test-email-address-send.png)
+
+  {% tip %}
+
+  **Tip:** If SMTP errors occur while sending a test email—such as an immediate delivery failure or an outgoing mail configuration error—you will see them in the Test email settings dialog box.
+
+  {% endtip %}
+
+4. If the test email fails, [troubleshoot your email settings](#troubleshooting-email-delivery).
+5. When the test email succeeds, at the bottom of the page, click **Save settings**.
+![Save settings button](/assets/images/enterprise/management-console/save-settings.png)
+6. Wait for the configuration run to complete.
+![Configuring your instance](/assets/images/enterprise/management-console/configuration-run.png)
+
+### Configuring DNS and firewall settings to allow incoming emails
+
+If you want to allow email replies to notifications, you must configure your DNS settings.
+
+1. Ensure that port 25 on the instance is accessible to your SMTP server.
+2. Create an A record that points to `reply.[hostname]`. Depending on your DNS provider and instance host configuration, you may be able to instead create a single A record that points to `*.[hostname]`.
+3. Create an MX record that points to `reply.[hostname]` so that emails to that domain are routed to the instance.
+4. Create an MX record that points `noreply.[hostname]` to `[hostname]` so that replies to the `cc` address in notification emails are routed to the instance. For more information, see {% if currentVersion ver_gt "enterprise-server@2.20" %}"[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications){% else %}"[About email notifications](/github/receiving-notifications-about-activity-on-github/about-email-notifications){% endif %}."
+
+### Troubleshooting email delivery
+
+#### Create a Support Bundle
+
+If you cannot determine what is wrong from the displayed error message, you can download a [support bundle](/enterprise/{{ currentVersion }}/admin/guides/enterprise-support/providing-data-to-github-support) containing the entire SMTP conversation between your mail server and {% data variables.product.prodname_ghe_server %}. Once you've downloaded and extracted the bundle, check the entries in *enterprise-manage-logs/unicorn.log* for the entire SMTP conversation log and any related errors.
+
+The unicorn log should show a transaction similar to the following:
+
+```shell
+This is a test email generated from https://10.0.0.68/setup/settings
+Connection opened: smtp.yourdomain.com:587
+-> "220 smtp.yourdomain.com ESMTP nt3sm2942435pbc.14\r\n"
+<- "EHLO yourdomain.com\r\n"
+-> "250-smtp.yourdomain.com at your service, [1.2.3.4]\r\n"
+-> "250-SIZE 35882577\r\n"
+-> "250-8BITMIME\r\n"
+-> "250-STARTTLS\r\n"
+-> "250-ENHANCEDSTATUSCODES\r\n"
+-> "250 PIPELINING\r\n"
+<- "STARTTLS\r\n"
+-> "220 2.0.0 Ready to start TLS\r\n"
+TLS connection started
+<- "EHLO yourdomain.com\r\n"
+-> "250-smtp.yourdomain.com at your service, [1.2.3.4]\r\n"
+-> "250-SIZE 35882577\r\n"
+-> "250-8BITMIME\r\n"
+-> "250-AUTH LOGIN PLAIN XOAUTH\r\n"
+-> "250-ENHANCEDSTATUSCODES\r\n"
+-> "250 PIPELINING\r\n"
+<- "AUTH LOGIN\r\n"
+-> "334 VXNlcm5hbWU6\r\n"
+<- "dGhpc2lzbXlAYWRkcmVzcy5jb20=\r\n"
+-> "334 UGFzc3dvcmQ6\r\n"
+<- "aXRyZWFsbHl3YXM=\r\n"
+-> "535-5.7.1 Username and Password not accepted. Learn more at\r\n"
+-> "535 5.7.1 http://support.yourdomain.com/smtp/auth-not-accepted nt3sm2942435pbc.14\r\n"
+```
+
+This log shows that the appliance:
+
+* Opened a connection with the SMTP server (`Connection opened: smtp.yourdomain.com:587`).
+* Successfully made a connection and chose to use TLS (`TLS connection started`).
+* The `login` authentication type was performed (`<- "AUTH LOGIN\r\n"`).
+* The SMTP Server rejected the authentication as invalid (`-> "535-5.7.1 Username and Password not accepted.`).
+
+#### Check {% data variables.product.product_location %} logs
+
+If you need to verify that your inbound email is functioning, there are two log files that you can examine on your instance: To verify that */var/log/mail.log* and */var/log/mail-replies/metroplex.log*.
+
+*/var/log/mail.log* verifies that messages are reaching your server. Here's an example of a successful email reply:
+
+```
+Oct 30 00:47:18 54-171-144-1 postfix/smtpd[13210]: connect from st11p06mm-asmtp002.mac.com[17.172.124.250]
+Oct 30 00:47:19 54-171-144-1 postfix/smtpd[13210]: 51DC9163323: client=st11p06mm-asmtp002.mac.com[17.172.124.250]
+Oct 30 00:47:19 54-171-144-1 postfix/cleanup[13216]: 51DC9163323: message-id=<b2b9c260-4aaa-4a93-acbb-0b2ddda68579@me.com>
+Oct 30 00:47:19 54-171-144-1 postfix/qmgr[17250]: 51DC9163323: from=<tcook@icloud.com>, size=5048, nrcpt=1 (queue active)
+Oct 30 00:47:19 54-171-144-1 postfix/virtual[13217]: 51DC9163323: to=<reply+i-1-1801beb4df676a79250d1e61e54ab763822c207d-5@reply.ghe.tjl2.co.ie>, relay=virtual, delay=0.12, delays=0.11/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
+Oct 30 00:47:19 54-171-144-1 postfix/qmgr[17250]: 51DC9163323: removed
+Oct 30 00:47:19 54-171-144-1 postfix/smtpd[13210]: disconnect from st11p06mm-asmtp002.mac.com[17.172.124.250]
+```
+
+Note that the client first connects; then, the queue becomes active. Then, the message is delivered, the client is removed from the queue, and the session disconnects.
+
+*/var/log/mail-replies/metroplex.log* shows whether inbound emails are being processed to add to issues and pull requests as replies. Here's an example of a successful message:
+
+```
+[2014-10-30T00:47:23.306 INFO (5284) #] metroplex: processing <b2b9c260-4aaa-4a93-acbb-0b2ddda68579@me.com>
+[2014-10-30T00:47:23.333 DEBUG (5284) #] Matched /data/user/mail/reply/new/1414630039.Vfc00I12000eM445784.ghe-tjl2-co-ie
+[2014-10-30T00:47:23.334 DEBUG (5284) #] Moving /data/user/mail/reply/new/1414630039.Vfc00I12000eM445784.ghe-tjl2-co-ie => /data/user/incoming-mail/success
+```
+
+You'll notice that `metroplex` catches the inbound message, processes it, then moves the file over to `/data/user/incoming-mail/success`.{% endif %}
+
+#### Verify your DNS settings
+
+In order to properly process inbound emails, you must configure a valid A Record (or CNAME), as well as an MX Record. For more information, see "[Configuring DNS and firewall settings to allow incoming emails](#configuring-dns-and-firewall-settings-to-allow-incoming-emails)."
+
+#### Check firewall or AWS Security Group settings
+
+If {% data variables.product.product_location %} is behind a firewall or is being served through an AWS Security Group, make sure port 25 is open to all mail servers that send emails to `reply@reply.[hostname]`.
+
+#### Contact support
+{% if enterpriseServerVersions contains currentVersion %}
+If you're still unable to resolve the problem, contact {% data variables.contact.contact_ent_support %}. Please attach the output file from `http(s)://[hostname]/setup/diagnostics` to your email to help us troubleshoot your problem.
+{% elsif currentVersion == "github-ae@latest" %}
+You can contact {% data variables.contact.github_support %} for help configuring email for notifications to be sent through your SMTP server. For more information, see "[Receiving help from {% data variables.contact.github_support %}](/admin/enterprise-support/receiving-help-from-github-support)."
+{% endif %}

content/admin/configuration/configuring-your-enterprise/configuring-github-pages-for-your-enterprise.md

@@ -0,0 +1,72 @@
+---
+title: Configuring GitHub Pages for your enterprise
+intro: 'You can enable or disable {% data variables.product.prodname_pages %} for your enterprise and choose whether to make sites publicly accessible.'
+redirect_from:
+  - /enterprise/admin/guides/installation/disabling-github-enterprise-pages/
+  - /enterprise/admin/guides/installation/configuring-github-enterprise-pages/
+  - /enterprise/admin/installation/configuring-github-pages-on-your-appliance
+  - /enterprise/admin/configuration/configuring-github-pages-on-your-appliance
+  - /admin/configuration/configuring-github-pages-on-your-appliance
+  - /enterprise/admin/guides/installation/configuring-github-pages-for-your-enterprise/
+  - /admin/configuration/configuring-github-pages-for-your-enterprise
+versions:
+  enterprise-server: '*'
+  github-ae: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Pages
+---
+### Enabling public sites for {% data variables.product.prodname_pages %}
+
+{% if enterpriseServerVersions contains currentVersion %}If private mode is enabled on your enterprise, the {% else %}The {% endif %}public cannot access {% data variables.product.prodname_pages %} sites hosted by your enterprise unless you enable public sites.
+
+{% warning %}
+
+**Warning:** If you enable public sites for {% data variables.product.prodname_pages %}, every site in every repository on your enterprise will be accessible to the public.
+
+{% endwarning %}
+
+{% if enterpriseServerVersions contains currentVersion %}
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.pages-tab %}
+4. Select **Public Pages**.
+  ![Checkbox to enable Public Pages](/assets/images/enterprise/management-console/public-pages-checkbox.png)
+{% data reusables.enterprise_management_console.save-settings %}
+{% elsif currentVersion == "github-ae@latest" %}
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}
+{% data reusables.enterprise-accounts.pages-tab %}
+5. Under "Pages policies", select **Public {% data variables.product.prodname_pages %}**.
+  ![Checkbox to enable public {% data variables.product.prodname_pages %}](/assets/images/enterprise/business-accounts/public-github-pages-checkbox.png)
+{% data reusables.enterprise-accounts.pages-policies-save %}
+{% endif %}
+
+### Disabling {% data variables.product.prodname_pages %} for your enterprise
+
+{% if enterpriseServerVersions contains currentVersion %}
+If subdomain isolation is disabled for your enterprise, you should also disable {% data variables.product.prodname_pages %} to protect yourself from potential security vulnerabilities. For more information, see "[Enabling subdomain isolation](/admin/configuration/enabling-subdomain-isolation)."
+{% endif %}
+
+{% if enterpriseServerVersions contains currentVersion %}
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.pages-tab %}
+4. Unselect **Enable Pages**.
+  ![Checkbox to disable {% data variables.product.prodname_pages %}](/assets/images/enterprise/management-console/pages-select-button.png)
+{% data reusables.enterprise_management_console.save-settings %}
+{% elsif currentVersion == "github-ae@latest" %}
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}
+{% data reusables.enterprise-accounts.pages-tab %}
+5. Under "Pages policies", deselect **Enable {% data variables.product.prodname_pages %}**.
+  ![Checkbox to disable {% data variables.product.prodname_pages %}](/assets/images/enterprise/business-accounts/enable-github-pages-checkbox.png)
+{% data reusables.enterprise-accounts.pages-policies-save %}
+{% endif %}
+
+{% if enterpriseServerVersions contains currentVersion %}
+### Further reading
+
+- "[Enabling private mode](/admin/configuration/enabling-private-mode)"
+{% endif %}

content/admin/configuration/configuring-your-enterprise/configuring-rate-limits.md

@@ -0,0 +1,58 @@
+---
+title: Configuring rate limits
+intro: 'You can set rate limits for {% data variables.product.prodname_ghe_server %} using the {% data variables.enterprise.management_console %}.'
+redirect_from:
+  - /enterprise/admin/installation/configuring-rate-limits
+  - /enterprise/admin/configuration/configuring-rate-limits
+  - /admin/configuration/configuring-rate-limits
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Infrastructure
+  - Performance
+---
+### Enabling rate limits for {% data variables.product.prodname_enterprise_api %}
+
+Enabling rate limits on {% data variables.product.prodname_enterprise_api %} can prevent overuse of resources by individual or unauthenticated users. For more information, see "[Resources in the REST API](/rest/overview/resources-in-the-rest-api#rate-limiting)."
+
+{% if currentVersion ver_gt "enterprise-server@2.21" %}
+You can exempt a list of users from API rate limits using the `ghe-config` utility in the administrative shell. For more information, see "[Command-line utilities](/enterprise/admin/configuration/command-line-utilities#ghe-config)."
+{% endif %}
+
+{% note %}
+
+**Note:** The {% data variables.enterprise.management_console %} lists the time period (per minute or per hour) for each rate limit.
+
+{% endnote %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. Under "Rate Limiting", select **Enable API Rate Limiting**.
+![Checkbox for enabling API rate limiting](/assets/images/enterprise/management-console/api-rate-limits-checkbox.png)
+3. Type limits for authenticated and unauthenticated requests for each API, or accept the pre-filled default limits.
+{% data reusables.enterprise_management_console.save-settings %}
+
+### Enabling abuse rate limits
+
+Setting abuse rate limits protects the overall level of service on {% data variables.product.product_location %}.
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. Under "Rate Limiting", select **Enable Abuse Rate Limiting**.
+  ![Checkbox for enabling abuse rate limiting](/assets/images/enterprise/management-console/abuse-rate-limits-checkbox.png)
+3. Type limits for Total Requests, CPU Limit, and CPU Limit for Searching, or accept the pre-filled default limits.
+{% data reusables.enterprise_management_console.save-settings %}
+
+### Enabling Git rate limits
+
+You can apply Git rate limits per repository network or per user ID. Git rate limits are expressed in concurrent operations per minute, and are adaptive based on the current CPU load.
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. Under "Rate Limiting", select **Enable Git Rate Limiting**.
+![Checkbox for enabling Git rate limiting](/assets/images/enterprise/management-console/git-rate-limits-checkbox.png)
+3. Type limits for each repository network or user ID.
+  ![Fields for repository network and user ID limits](/assets/images/enterprise/management-console/example-git-rate-limits.png)
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-your-enterprise/configuring-time-synchronization.md

@@ -0,0 +1,49 @@
+---
+title: Configuring time synchronization
+intro: '{% data variables.product.prodname_ghe_server %} automatically synchronizes its clock by connecting to NTP servers. You can set the NTP servers that are used to synchronize the clock, or you can use the default NTP servers.'
+redirect_from:
+  - /enterprise/admin/articles/adjusting-the-clock/
+  - /enterprise/admin/articles/configuring-time-zone-and-ntp-settings/
+  - /enterprise/admin/articles/setting-ntp-servers/
+  - /enterprise/admin/categories/time/
+  - /enterprise/admin/installation/configuring-time-synchronization
+  - /enterprise/admin/configuration/configuring-time-synchronization
+  - /admin/configuration/configuring-time-synchronization
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+---
+### Changing the default NTP servers
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. In the left sidebar, click **Time**.
+    ![The Time button in the {% data variables.enterprise.management_console %} sidebar](/assets/images/enterprise/management-console/sidebar-time.png)
+3. Under "Primary NTP server," type the hostname of the primary NTP server. Under "Secondary NTP server," type the hostname of the secondary NTP server.
+    ![The fields for primary and secondary NTP servers in the {% data variables.enterprise.management_console %}](/assets/images/enterprise/management-console/ntp-servers.png)
+4. At the bottom of the page, click **Save settings**.
+    ![The Save settings button in the {% data variables.enterprise.management_console %}](/assets/images/enterprise/management-console/save-settings.png)
+5. Wait for the configuration run to complete.
+
+### Correcting a large time drift
+
+The NTP protocol continuously corrects small time synchronization discrepancies. You can use the administrative shell to synchronize time immediately.
+
+{% note %}
+
+**Notes:**
+ - You can't modify the Coordinated Universal Time (UTC) zone.
+ - You should prevent your hypervisor from trying to set the virtual machine's clock. For more information, see the documentation provided by the virtualization provider.
+
+{% endnote %}
+
+- Use the `chronyc` command to synchronize the server with the configured NTP server. For example:
+
+```shell
+$ sudo chronyc -a makestep
+```

content/admin/configuration/configuring-your-enterprise/enabling-and-scheduling-maintenance-mode.md

@@ -0,0 +1,72 @@
+---
+title: Enabling and scheduling maintenance mode
+intro: 'Some standard maintenance procedures, such as upgrading {% data variables.product.product_location %} or restoring backups, require the instance to be taken offline for normal use.'
+redirect_from:
+  - /enterprise/admin/maintenance-mode/
+  - /enterprise/admin/categories/maintenance-mode/
+  - /enterprise/admin/articles/maintenance-mode/
+  - /enterprise/admin/articles/enabling-maintenance-mode/
+  - /enterprise/admin/articles/disabling-maintenance-mode/
+  - /enterprise/admin/guides/installation/maintenance-mode/
+  - /enterprise/admin/installation/enabling-and-scheduling-maintenance-mode
+  - /enterprise/admin/configuration/enabling-and-scheduling-maintenance-mode
+  - /admin/configuration/enabling-and-scheduling-maintenance-mode
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Fundamentals
+  - Maintenance
+  - Upgrades
+---
+### About maintenance mode
+
+Some types of operations require that you take {% data variables.product.product_location %} offline and put it into maintenance mode:
+- Upgrading to a new version of {% data variables.product.prodname_ghe_server %}
+- Increasing CPU, memory, or storage resources allocated to the virtual machine
+- Migrating data from one virtual machine to another
+- Restoring data from a {% data variables.product.prodname_enterprise_backup_utilities %} snapshot
+- Troubleshooting certain types of critical application issues
+
+We recommend that you schedule a maintenance window for at least 30 minutes in the future to give users time to prepare. When a maintenance window is scheduled, all users will see a banner when accessing the site.
+
+![End user banner about scheduled maintenance](/assets/images/enterprise/maintenance/maintenance-scheduled.png)
+
+When the instance is in maintenance mode, all normal HTTP and Git access is refused. Git fetch, clone, and push operations are also rejected with an error message indicating that the site is temporarily unavailable. Visiting the site in a browser results in a maintenance page.
+
+![The maintenance mode splash screen](/assets/images/enterprise/maintenance/maintenance-mode-maintenance-page.png)
+
+### Enabling maintenance mode immediately or scheduling a maintenance window for a later time
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. At the top of the {% data variables.enterprise.management_console %}, click **Maintenance**.
+  ![Maintenance tab](/assets/images/enterprise/management-console/maintenance-tab.png)
+3. Under "Enable and schedule", decide whether to enable maintenance mode immediately or to schedule a maintenance window for a future time.
+    - To enable maintenance mode immediately, use the drop-down menu and click **now**.
+    ![Drop-down menu with the option to enable maintenance mode now selected](/assets/images/enterprise/maintenance/enable-maintenance-mode-now.png)
+    - To schedule a maintenance window for a future time, use the drop-down menu and click a start time.
+    ![Drop-down menu with the option to schedule a maintenance window in two hours selected](/assets/images/enterprise/maintenance/schedule-maintenance-mode-two-hours.png)
+4. Select **Enable maintenance mode**.
+  ![Checkbox for enabling or scheduling maintenance mode](/assets/images/enterprise/maintenance/enable-maintenance-mode-checkbox.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+### Scheduling maintenance mode with {% data variables.product.prodname_enterprise_api %}
+
+You can schedule maintenance for different times or dates with {% data variables.product.prodname_enterprise_api %}. For more information, see "[Management Console](/enterprise/{{ currentVersion }}/user/rest/reference/enterprise-admin#enable-or-disable-maintenance-mode)."
+
+### Enabling or disabling maintenance mode for all nodes in a cluster
+
+With the `ghe-cluster-maintenance` utility, you can set or unset maintenance mode for every node in a cluster.
+
+```shell
+$ ghe-cluster-maintenance -h
+# Shows options
+$ ghe-cluster-maintenance -q
+# Queries the current mode
+$ ghe-cluster-maintenance -s
+# Sets maintenance mode
+$ ghe-cluster-maintenance -u
+# Unsets maintenance mode
+```

content/admin/configuration/configuring-your-enterprise/enabling-private-mode.md

@@ -0,0 +1,35 @@
+---
+title: Enabling private mode
+intro: 'In private mode, {% data variables.product.prodname_ghe_server %} requires every user to sign in to access the installation.'
+redirect_from:
+  - /enterprise/admin/articles/private-mode/
+  - /enterprise/admin/guides/installation/security/
+  - /enterprise/admin/guides/installation/securing-your-instance/
+  - /enterprise/admin/installation/enabling-private-mode
+  - /enterprise/admin/configuration/enabling-private-mode
+  - /admin/configuration/enabling-private-mode
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Access management
+  - Authentication
+  - Enterprise
+  - Fundamentals
+  - Infrastructure
+  - Networking
+  - Privacy
+  - Security
+---
+You must enable private mode if {% data variables.product.product_location %} is publicly accessible over the Internet. In private mode, users cannot anonymously clone repositories over `git://`. If built-in authentication is also enabled, an administrator must invite new users to create an account on the instance. For more information, see "[Using built-in authentication](/enterprise/{{ currentVersion }}/admin/guides/user-management/using-built-in-authentication)."
+
+{% data reusables.enterprise_installation.image-urls-viewable-warning %}
+
+With private mode enabled, you can allow unauthenticated Git operations (and anyone with network access to {% data variables.product.product_location %}) to read a public repository's code on your instance with anonymous Git read access enabled. For more information, see "[Allowing admins to enable anonymous Git read access to public repositories](/enterprise/{{ currentVersion }}/admin/guides/user-management/allowing-admins-to-enable-anonymous-git-read-access-to-public-repositories)."
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.privacy %}
+4. Select **Private mode**.
+  ![Checkbox for enabling private mode](/assets/images/enterprise/management-console/private-mode-checkbox.png)
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-your-enterprise/index.md

@@ -0,0 +1,37 @@
+---
+title: Configuring your enterprise
+intro: 'After {% data variables.product.product_name %} is up and running, you can configure your enterprise to suit your organization''s needs.'
+redirect_from:
+  - /enterprise/admin/guides/installation/basic-configuration/
+  - /enterprise/admin/guides/installation/administrative-tools/
+  - /enterprise/admin/articles/restricting-ssh-access-to-specific-hosts/
+  - /enterprise/admin/guides/installation/configuring-the-github-enterprise-appliance/
+  - /enterprise/admin/installation/configuring-the-github-enterprise-server-appliance
+  - /enterprise/admin/configuration/configuring-your-enterprise
+versions:
+  enterprise-server: '*'
+  github-ae: '*'
+topics:
+  - Enterprise
+children:
+  - /about-enterprise-configuration
+  - /initializing-github-ae
+  - /accessing-the-management-console
+  - /accessing-the-administrative-shell-ssh
+  - /configuring-data-encryption-for-your-enterprise
+  - /enabling-and-scheduling-maintenance-mode
+  - /configuring-backups-on-your-appliance
+  - /site-admin-dashboard
+  - /enabling-private-mode
+  - /managing-github-for-mobile-for-your-enterprise
+  - /configuring-email-for-notifications
+  - /verifying-or-approving-a-domain-for-your-enterprise
+  - /configuring-rate-limits
+  - /configuring-applications
+  - /troubleshooting-ssl-errors
+  - /configuring-time-synchronization
+  - /command-line-utilities
+  - /restricting-network-traffic-to-your-enterprise
+  - /configuring-github-pages-for-your-enterprise
+---
+

content/admin/configuration/configuring-your-enterprise/initializing-github-ae.md

@@ -0,0 +1,123 @@
+---
+title: Initializing GitHub AE
+intro: 'To get your enterprise ready to use, you can complete the initial configuration of {% data variables.product.product_name %}.'
+versions:
+  github-ae: '*'
+type: how_to
+topics:
+  - Enterprise
+redirect_from:
+  - /admin/configuration/initializing-github-ae
+---
+### About initialization
+
+Before you can initialize your enterprise, you must purchase {% data variables.product.product_name %}. For more information, contact {% data variables.contact.contact_enterprise_sales %}.
+
+After you purchase {% data variables.product.product_name %}, we'll ask you to provide an email address and username for the person you want to initialize the enterprise. Your dedicated technical account manager in {% data variables.contact.enterprise_support %} will create an account for the enterprise owner and send the enterprise owner an email to log into {% data variables.product.product_name %} and complete the initialization. Make sure the information you provide matches the intended enterprise owner's information in the IdP. For more information about enterprise owners, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/roles-in-an-enterprise#enterprise-owner)."
+
+During initialization, the enterprise owner will name your enterprise, configure SAML SSO, create policies for all organizations in your enterprise, and configure a support contact for your users.
+
+### Prerequisites
+
+{% note %}
+
+**Note**: Before you begin initialization, store the initial username and password for {% data variables.product.prodname_ghe_managed %} securely in a password manager. {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}
+
+{% endnote %}
+
+1. To initialize {% data variables.product.product_location %}, you must have a SAML identity provider (IdP). {% data reusables.saml.ae-uses-saml-sso %} To connect your IdP to your enterprise during initialization, you should have your IdP's Entity ID (SSO) URL, Issuer ID URL, and public signing certificate (Base64-encoded). For more information, see "[About identity and access management for your enterprise](/admin/authentication/about-identity-and-access-management-for-your-enterprise)."
+
+    {% note %}
+
+    **Note**: {% data reusables.saml.create-a-machine-user %}
+
+    {% endnote %}
+
+2. {% data reusables.saml.assert-the-administrator-attribute %}
+
+### Signing in and naming your enterprise
+
+1. Follow the instructions in your welcome email to reach your enterprise.
+2. Type your credentials under "Change password", then click **Change password**.
+3. Under "What would you like your enterprise account to be named?", type the enterprise's name, then click **Save and continue**.
+  !["Save and continue" button for naming an enterprise](/assets/images/enterprise/configuration/ae-enterprise-configuration.png)
+
+### Connecting your IdP to your enterprise
+
+To configure authentication for {% data variables.product.product_name %}, you must provide {% data variables.product.product_name %} with the details for your SAML IdP. {% data variables.product.company_short %} recommends using Azure AD as your IdP. For more information, see "[Configuring authentication and provisioning with your identity provider](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider)."
+
+1. To the right of "Set up your identity provider", click **Configure**.
+  !["Configure" button for IdP configuration](/assets/images/enterprise/configuration/ae-idp-configure.png)
+1. Under "Sign on URL", copy and paste the URL for your SAML IdP.
+  ![Text field for SAML IdP's sign-on URL](/assets/images/enterprise/configuration/ae-idp-sign-on-url.png)
+1. Under "Issuer", copy and paste the issuer URL for your SAML IdP.
+  ![Text field for SAML IdP's issuer URL](/assets/images/enterprise/configuration/ae-idp-issuer-url.png)
+1. Under "Public certificate", copy and paste the public certificate for your SAML IdP.
+  ![Text field for SAML IdP's public certificate](/assets/images/enterprise/configuration/ae-idp-public-certificate.png)
+1. Click **Test SAML configuration** to ensure that the information you've entered is correct.
+  !["Test SAML configuration" button](/assets/images/enterprise/configuration/ae-test-saml-configuration.png)
+1. Click **Save**.
+  !["Save" button for IdP configuration](/assets/images/enterprise/configuration/ae-save.png)
+
+### Setting your enterprise policies
+
+Configuring policies will set limitations for repository and organization management for your enterprise. These can be reconfigured after the initialization process.
+
+1. To the right of "Set your enterprise policies", click **Configure**.
+  !["Configure" button for policies configuration](/assets/images/enterprise/configuration/ae-policies-configure.png)
+2. Under "Default Repository Permissions", use the drop-down menu and click a default permissions level for repositories in your enterprise. If a person has multiple avenues of access to an organization, either individually, through a team, or as an organization member, the highest permission level overrides any lower permission levels. Optionally, to allow organizations within your enterprise to set their default repository permissions, click **No policy**
+  ![Drop-down menu for default repository permissions options](/assets/images/enterprise/configuration/ae-repository-permissions-menu.png)
+3. Under "Repository creation", choose whether you want to allow members to create repositories. Optionally, to allow organizations within your enterprise to set permissions, click **No policy**.
+  !["Members can create repositories" button for enterprise policies configuration](/assets/images/enterprise/configuration/ae-repository-creation-permissions.png)
+4. Under "Repository forking", choose whether to allow forking of private and internal repositories. Optionally, to allow organizations within your enterprise to set permissions, click **No policy**
+  ![Drop-down menu for repository forking permissions options](/assets/images/enterprise/configuration/ae-repository-forking-menu.png)
+5. Under "Repository invitations", choose whether members or organization owners can invite collaborators to repositories. Optionally, to allow organizations within your enterprise to set permissions, click **No policy**
+  ![Drop-down menu for repository invitation permissions options](/assets/images/enterprise/configuration/ae-repository-invitations-menu.png)
+6. Under "Default repository visibility", use the drop-down menu and click the default visibility setting for new repositories.
+  ![Drop-down menu for default repository visibility options](/assets/images/enterprise/configuration/ae-repository-visibility-menu.png)
+7. Under "Users can create organizations", use the drop-down menu to enable or disable organization creation access for members of the enterprise.
+  ![Drop-down menu for organization creation permissions options](/assets/images/enterprise/configuration/ae-organization-creation-permissions-menu.png)
+8. Under "Force pushes", use the drop-down menu and choose whether to allow or block force pushes.
+  ![Drop-down menu for force pushes configuration options](/assets/images/enterprise/configuration/ae-force-pushes-configuration-menu.png)
+9. Under "Git SSH access", use the drop-down menu and choose whether to enable Git SSH access for all repositories in the enterprise.
+  ![Drop-down menu for Git SSH access options](/assets/images/enterprise/configuration/ae-git-ssh-access-menu.png)
+10. Click **Save**
+  !["Save" button for enterprise policies configuration](/assets/images/enterprise/configuration/ae-save.png)
+11. Optionally, to reset all selections, click "Reset to default policies".
+  ![Link to reset all default policies](/assets/images/enterprise/configuration/ae-reset-default-options.png)
+
+### Setting your internal support contact
+
+You can configure the method your users will use to contact your internal support team. This can be reconfigured after the initialization process.
+
+1. To the right of "Internal support contact", click **Configure**.
+  !["Configure" button for internal support contact configuration](/assets/images/enterprise/configuration/ae-support-configure.png)
+2. Under "Internal support contact", select the method for users of your enterprise to contact support, through a URL or an e-mail address. Then, type the support contact information.
+  ![Text field for internal support contact URL](/assets/images/enterprise/configuration/ae-support-link-url.png)
+3. Click **Save**.
+  !["Save" button for enterprise support contact configuration](/assets/images/enterprise/configuration/ae-save.png)
+
+### Setting your email settings
+
+Once this is initialized, you can reconfigure any settings after the initialization process. For more information, see "[Configuring email for notifications](/admin/configuration/configuring-email-for-notifications)."
+
+1. To the right of "Configure email settings", click **Configure**.
+  !["Configure" button for email settings configuration](/assets/images/enterprise/configuration/ae-email-configure.png)
+2. Select **Enable email**. This will enable both outbound and inbound email, however, for inbound email to work you will also need to configure your DNS settings. For more information, see "[Configuring DNS and firewall
+ settings to allow incoming emails](/admin/configuration/configuring-email-for-notifications#configuring-dns-and-firewall-settings-to-allow-incoming-emails)."
+  !["Enable" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-enable-email-configure.png)
+3. Complete your email server settings:
+    - In the **Server address** field, type the address of your SMTP server.
+    - In the **Port** field, type the port that your SMTP server uses to send email.
+    - In the **Domain** field, type the domain name that your SMTP server will send with a HELO response, if any.
+    - In the **Authentication** dropdown, choose the type of encryption used by your SMTP server.
+    - In the **No-reply email address** field, type the email address to use in the From and To fields for all notification emails.
+
+4. If you want to discard all incoming emails that are addressed to the no-reply email address, select **Discard email addressed to the no-reply email address**.
+  !["Discard" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-discard-email.png)
+5. Click **Test email settings**.
+  !["Test email settings" button for email settings configuration](/assets/images/enterprise/configuration/ae-test-email.png)
+6. Under "Send test email to," type the email address where you want to send a test email, then click **Send test email**.
+  !["Send test email" button for email settings configuration](/assets/images/enterprise/configuration/ae-send-test-email.png)
+7. Click **Save**.
+  !["Save" button for enterprise support contact configuration](/assets/images/enterprise/configuration/ae-save.png)

content/admin/configuration/configuring-your-enterprise/managing-github-for-mobile-for-your-enterprise.md

@@ -0,0 +1,33 @@
+---
+title: Managing GitHub for mobile for your enterprise
+intro: 'You can decide whether authenticated users can connect to {% data variables.product.product_location %} with {% data variables.product.prodname_mobile %}.'
+permissions: 'Enterprise owners can manage {% data variables.product.prodname_mobile %} for an enterprise on {% data variables.product.product_name %}.'
+versions:
+  enterprise-server: '>=3.0'
+type: how_to
+topics:
+  - Enterprise
+  - Mobile
+redirect_from:
+  - /admin/configuration/managing-github-for-mobile-for-your-enterprise
+---
+{% if enterpriseServerVersions contains currentVersion %}
+{% data reusables.mobile.ghes-release-phase %}
+{% endif %}
+
+### About {% data variables.product.prodname_mobile %}
+
+{% data reusables.mobile.about-mobile %} For more information, see "[GitHub for mobile](/github/getting-started-with-github/github-for-mobile)."
+
+Members of your enterprise can use {% data variables.product.prodname_mobile %} to triage, collaborate, and manage work on {% data variables.product.product_location %} from a mobile device. By default, {% data variables.product.prodname_mobile %} is enabled for {% data variables.product.product_location %}. You can allow or disallow enterprise members from using {% data variables.product.prodname_mobile %} to authenticate to {% data variables.product.product_location %} and access your enterprise's data.
+
+### Enabling or disabling {% data variables.product.prodname_mobile %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.type-management-console-password %}
+1. In the left sidebar, click **Mobile**.
+  !["Mobile" in the left sidebar for the {% data variables.product.prodname_ghe_server %} management console](/assets/images/enterprise/management-console/click-mobile.png)
+1. Under "GitHub for mobile", select or deselect **Enable GitHub Mobile Apps**.
+  ![Checkbox for "Enable GitHub Mobile Apps" in the {% data variables.product.prodname_ghe_server %} management console](/assets/images/enterprise/management-console/select-enable-github-mobile-apps.png)
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise.md

@@ -0,0 +1,68 @@
+---
+title: Restricting network traffic to your enterprise
+shortTitle: Restricting network traffic
+intro: You can use an IP allow list to restrict access to your enterprise to connections from specified IP addresses.
+versions:
+  github-ae: '*'
+type: how_to
+topics:
+  - Access management
+  - Enterprise
+  - Fundamentals
+  - Networking
+  - Security
+redirect_from:
+  - /admin/configuration/restricting-network-traffic-to-your-enterprise
+---
+### About IP allow lists
+By default, authorized users can access your enterprise from any IP address. Enterprise owners can restrict access to assets owned by organizations in an enterprise account by configuring an allow list for specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %}
+
+{% data reusables.identity-and-permissions.ip-allow-lists-cidr-notation %}
+
+{% data reusables.identity-and-permissions.ip-allow-lists-enable %}
+
+You can also configure allowed IP addresses for an individual organization. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization)."
+
+By default, Azure network security group (NSG) rules leave all inbound traffic open on ports 22, 80, 443, and 25. Enterprise owners can contact {% data variables.contact.github_support %} to configure access restrictions for your instance.
+
+For instance-level restrictions using Azure NSGs, contact {% data variables.contact.github_support %} with the IP addresses that should be allowed to access your enterprise instance. Specify address ranges using the standard CIDR (Classless Inter-Domain Routing) format. {% data variables.contact.github_support %} will configure the appropriate firewall rules for your enterprise to restrict network access over HTTP, SSH, HTTPS, and SMTP. For more information, see "[Receiving help from {% data variables.contact.github_support %}](/admin/enterprise-support/receiving-help-from-github-support)."
+
+### Adding an allowed IP address
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+{% data reusables.identity-and-permissions.ip-allow-lists-add-ip %}
+{% data reusables.identity-and-permissions.ip-allow-lists-add-description %}
+{% data reusables.identity-and-permissions.ip-allow-lists-add-entry %}
+
+### Enabling allowed IP addresses
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "IP allow list", select **Enable IP allow list**.
+  ![Checkbox to allow IP addresses](/assets/images/help/security/enable-ip-allowlist-enterprise-checkbox.png)
+4. Click **Save**.
+
+### Editing an allowed IP address
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+{% data reusables.identity-and-permissions.ip-allow-lists-edit-entry %}
+{% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %}
+{% data reusables.identity-and-permissions.ip-allow-lists-edit-description %}
+8. Click **Update**.
+
+### Deleting an allowed IP address
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+{% data reusables.identity-and-permissions.ip-allow-lists-delete-entry %}
+{% data reusables.identity-and-permissions.ip-allow-lists-confirm-deletion %}
+
+### Using {% data variables.product.prodname_actions %} with an IP allow list
+
+{% data reusables.github-actions.ip-allow-list-hosted-runners %}

content/admin/configuration/configuring-your-enterprise/site-admin-dashboard.md

@@ -0,0 +1,209 @@
+---
+title: Site admin dashboard
+intro: '{% data reusables.enterprise_site_admin_settings.about-the-site-admin-dashboard %}'
+redirect_from:
+  - /enterprise/admin/articles/site-admin-dashboard/
+  - /enterprise/admin/installation/site-admin-dashboard
+  - /enterprise/admin/configuration/site-admin-dashboard
+  - /admin/configuration/site-admin-dashboard
+versions:
+  enterprise-server: '*'
+type: reference
+topics:
+  - Enterprise
+  - Fundamentals
+---
+To access the dashboard, in the upper-right corner of any page, click {% octicon "rocket" aria-label="The rocket ship" %}.
+![Rocket ship icon for accessing site admin settings](/assets/images/enterprise/site-admin-settings/access-new-settings.png)
+
+{% if currentVersion ver_gt "enterprise-server@2.21" %}
+
+### Search
+
+Refer to this section of the site admin dashboard to search for users and repositories, and to query the [audit log](#audit-log).
+
+{% else %}
+
+### License info & search
+
+Refer to this section of the site admin dashboard to check your current {% data variables.product.prodname_enterprise %} license; to search for users and repositories; and to query the [audit log](#audit-log).
+
+{% endif %}
+
+### {% data variables.enterprise.management_console %}
+
+Here you can launch the {% data variables.enterprise.management_console %} to manage virtual appliance settings such as the domain, authentication, and SSL.
+
+### Explore
+
+Data for GitHub's [trending page][] is calculated into daily, weekly, and monthly time spans for both repositories and developers. You can see when this data was last cached and queue up new trending calculation jobs from the **Explore** section.
+
+  [trending page]: https://github.com/blog/1585-explore-what-is-trending-on-github
+
+### Audit log
+
+{% data variables.product.prodname_enterprise %} keeps a running log of audited actions that you can query.
+
+By default, the audit log shows you a list of all audited actions in reverse chronological order. You can filter this list by entering key-value pairs in the **Query** text box and then clicking **Search**, as explained in "[Searching the audit log](/enterprise/{{ currentVersion }}/admin/guides/installation/searching-the-audit-log)."
+
+For more information on audit logging in general, see "[Audit logging](/enterprise/{{ currentVersion }}/admin/guides/installation/audit-logging)." For a full list of audited actions, see "[Audited actions](/enterprise/{{ currentVersion }}/admin/guides/installation/audited-actions)."
+
+### Reports
+
+If you need to get information on the users, organizations, and repositories in {% data variables.product.product_location %}, you would ordinarily fetch JSON data through the [GitHub API](/rest). Unfortunately, the API may not provide all of the data that you want and it requires a bit of technical expertise to use. The site admin dashboard offers a **Reports** section as an alternative, making it easy for you to download CSV reports with most of the information that you are likely to need for users, organizations, and repositories.
+
+Specifically, you can download CSV reports that list
+
+- all users
+- all users who have been active within the last month
+- all users who have been inactive for one month or more
+- all users who have been suspended
+- all organizations
+- all repositories
+
+You can also access these reports programmatically via standard HTTP authentication with a site admin account. You must use a personal access token with the `site_admin` scope. For more information, see "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)."
+
+For example, here is how you would download the "all users" report using cURL:
+
+```shell
+curl -L -u <em>username</em>:<em>token</em> http(s)://<em>hostname</em>/stafftools/reports/all_users.csv
+```
+
+To access the other reports programmatically, replace `all_users` with `active_users`, `dormant_users`, `suspended_users`, `all_organizations`, or `all_repositories`.
+
+{% note %}
+
+**Note:** The initial `curl` request will return a 202 HTTP response if there are no cached reports available; a report will be generated in the background. You can send a second request to download the report. You can use a password or an OAuth token with the `site_admin` scope in place of a password.
+
+{% endnote %}
+
+#### User reports
+
+Key               | Description
+-----------------:| ------------------------------------------------------------
+`created_at`      | When the user account was created (as an ISO 8601 timestamp)
+`id`              | Account ID for the user or organization
+`login`           | Account's login name
+`email`           | Account's primary email address
+`role`            | Whether the account is an admin or an ordinary user
+`suspended?`      | Whether the account has been suspended
+`last_logged_ip`  | Most recent IP address to log into the account
+`repos`           | Number of repositories owned by the account
+`ssh_keys`        | Number of SSH keys registered to the account
+`org_memberships` | Number of organizations to which the account belongs
+`dormant?`        | Whether the account is dormant
+`last_active`     | When the account was last active (as an ISO 8601 timestamp)
+`raw_login`       | Raw login information (in JSON format)
+`2fa_enabled?`    | Whether the user has enabled two-factor authentication
+
+#### Organization reports
+
+Key            | Description
+--------------:| ------------------------------------
+`id`           | Organization ID
+`created_at`   | When the organization was created
+`login`        | Organization's login name
+`email`        | Organization's primary email address
+`owners`       | Number of organization owners
+`members`      | Number of organization members
+`teams`        | Number of organization teams
+`repos`        | Number of organization repositories
+`2fa_required?`| Whether the organization requires two-factor authentication
+
+#### Repository reports
+
+Key             | Description
+---------------:| ------------------------------------------------------------
+`created_at`    | When the repository was created
+`owner_id`      | ID of the repository's owner
+`owner_type`    | Whether the repository is owned by a user or an organization
+`owner_name`    | Name of the repository's owner
+`id`            | Repository ID
+`name`          | Repository name
+`visibility`    | Whether the repository is public or private
+`readable_size` | Repository's size in a human-readable format
+`raw_size`      | Repository's size as a number
+`collaborators` | Number of repository collaborators
+`fork?`         | Whether the repository is a fork
+`deleted?`      | Whether the repository has been deleted
+
+### Indexing
+
+GitHub's [code search][] features are powered by [ElasticSearch][]. This section of the site admin dashboard shows you the current status of your ElasticSearch cluster and provides you with several tools to control the behavior of searching and indexing. These tools are split into the following three categories.
+
+  [Code Search]: https://github.com/blog/1381-a-whole-new-code-search
+  [ElasticSearch]: http://www.elasticsearch.org/
+
+#### Code search
+
+This allows you to enable or disable both search and index operations on source code.
+
+#### Code search index repair
+
+This controls how the code search index is repaired. You can
+
+- enable or disable index repair jobs
+- start a new index repair job
+- reset all index repair state
+
+{% data variables.product.prodname_enterprise %} uses repair jobs to reconcile the state of the search index with data stored in a database (issues, pull requests, repositories, and users) and data stored in Git repositories (source code). This happens when
+
+- a new search index is created;
+- missing data needs to be backfilled; or
+- old search data needs to be updated.
+
+In other words, repair jobs are started as needed and run in the background—they are not scheduled by site admins in any way.
+
+Furthermore, repair jobs use a "repair offset" for parallelization. This is an offset into the database table for the record being reconciled. Multiple background jobs can synchronize work based on this offset.
+
+A progress bar shows the current status of a repair job across all of its background workers. It is the percentage difference of the repair offset with the highest record ID in the database. Don't worry about the value shown in the progress bar after a repair job has completed: because it shows the difference between the repair offset and the highest record ID in the database, it will decrease as more repositories are added to {% data variables.product.product_location %} even though those repositories are actually indexed.
+
+You can start a new code-search index repair job at any time. It will use a single CPU as it reconciles the search index with database and Git repository data. To minimize the effects this will have on I/O performance and reduce the chances of operations timing out, try to run a repair job during off-peak hours first. Monitor your system's load averages and CPU usage with a utility like `top`; if you don't notice any significant changes, it should be safe to run an index repair job during peak hours, as well.
+
+#### Issues index repair
+
+This controls how the [Issues][] index is repaired. You can
+
+  [Issues]: https://github.com/blog/831-issues-2-0-the-next-generation
+
+- enable or disable index repair jobs
+- start a new index repair job
+- reset all index repair state
+
+{% if currentVersion ver_gt "enterprise-server@2.21" %}
+
+### Enterprise overview
+
+Refer to this section of the site admin dashboard to manage organizations, people, policies, and settings.
+
+{% endif %}
+
+### Repositories
+
+This is a list of the repositories on {% data variables.product.product_location %}. You can click on a repository name and access functions for administering the repository.
+
+- [Blocking force pushes to a repository](/enterprise/{{ currentVersion }}/admin/guides/developer-workflow/blocking-force-pushes-to-a-repository/)
+- [Configuring {% data variables.large_files.product_name_long %}](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-git-large-file-storage/#configuring-git-large-file-storage-for-an-individual-repository)
+- [Archiving and unarchiving repositories](/enterprise/{{ currentVersion }}/admin/guides/user-management/archiving-and-unarchiving-repositories/)
+
+### All users
+
+Here you can see all of the users on {% data variables.product.product_location %}—, and [initiate an SSH key audit](/enterprise/{{ currentVersion }}/admin/guides/user-management/auditing-ssh-keys).
+
+### Site admins
+
+Here you can see all of the administrators on {% data variables.product.product_location %}, and [initiate an SSH key audit](/enterprise/{{ currentVersion }}/admin/guides/user-management/auditing-ssh-keys).
+
+### Dormant users
+
+Here you can see and [suspend](/enterprise/{{ currentVersion }}/admin/guides/user-management/suspending-and-unsuspending-users) all of the inactive users on {% data variables.product.product_location %}. A user account is considered to be inactive ("dormant") when it:
+
+- Has existed for longer than the dormancy threshold that's set for {% data variables.product.product_location %}.
+- Has not generated any activity within that time period.
+- Is not a site administrator.
+
+{% data reusables.enterprise_site_admin_settings.dormancy-threshold %} For more information, see "[Managing dormant users](/enterprise/{{ currentVersion }}/admin/guides/user-management/managing-dormant-users/#configuring-the-dormancy-threshold)."
+
+### Suspended users
+
+Here you can see all of the users who have been suspended on {% data variables.product.product_location %}, and [initiate an SSH key audit](/enterprise/{{ currentVersion }}/admin/guides/user-management/auditing-ssh-keys).

content/admin/configuration/configuring-your-enterprise/troubleshooting-ssl-errors.md

@@ -0,0 +1,80 @@
+---
+title: Troubleshooting SSL errors
+intro: 'If you run into SSL issues with your appliance, you can take actions to resolve them.'
+redirect_from:
+  - /enterprise/admin/articles/troubleshooting-ssl-errors/
+  - /enterprise/admin/categories/dns-ssl-and-subdomain-configuration/
+  - /enterprise/admin/installation/troubleshooting-ssl-errors
+  - /enterprise/admin/configuration/troubleshooting-ssl-errors
+  - /admin/configuration/troubleshooting-ssl-errors
+versions:
+  enterprise-server: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Errors
+  - Infrastructure
+  - Networking
+  - Security
+  - Troubleshooting
+---
+### Removing the passphrase from your key file
+
+If you have a Linux machine with OpenSSL installed, you can remove your passphrase.
+
+1. Rename your original key file.
+  ```shell
+  $ mv yourdomain.key yourdomain.key.orig
+  ```
+2. Generate a new key without a passphrase.
+  ```shell
+  $ openssl rsa -in yourdomain.key.orig -out yourdomain.key
+  ```
+
+You'll be prompted for the key's passphrase when you run this command.
+
+For more information about OpenSSL, see [OpenSSL's documentation](https://www.openssl.org/docs/).
+
+### Converting your SSL certificate or key into PEM format
+
+If you have OpenSSL installed, you can convert your key into PEM format by using the `openssl` command. For example, you can convert a key from DER format into PEM format.
+
+```shell
+$ openssl rsa -in yourdomain.der -inform DER -out yourdomain.key -outform PEM
+```
+
+Otherwise, you can use the SSL Converter tool to convert your certificate into the PEM format. For more information, see the [SSL Converter tool's documentation](https://www.sslshopper.com/ssl-converter.html).
+
+### Unresponsive installation after uploading a key
+
+If {% data variables.product.product_location %} is unresponsive after uploading an SSL key, please [contact {% data variables.product.prodname_enterprise %} Support](https://enterprise.github.com/support) with specific details, including a copy of your SSL certificate.
+
+### Certificate validity errors
+
+Clients such as web browsers and command-line Git will display an error message if they cannot verify the validity of an SSL certificate. This often occurs with self-signed certificates as well as "chained root" certificates issued from an intermediate root certificate that is not recognized by the client.
+
+If you are using a certificate signed by a certificate authority (CA), the certificate file that you upload to {% data variables.product.prodname_ghe_server %} must include a certificate chain with that CA's root certificate. To create such a file, concatenate your entire certificate chain (or "certificate bundle") onto the end of your certificate, ensuring that the principal certificate with your hostname comes first. On most systems you can do this with a command similar to:
+
+```shell
+$ cat yourdomain.com.crt bundle-certificates.crt > yourdomain.combined.crt
+```
+
+You should be able to download a certificate bundle (for example, `bundle-certificates.crt`) from your certificate authority or SSL vendor.
+
+### Installing self-signed or untrusted certificate authority (CA) root certificates
+
+If your {% data variables.product.prodname_ghe_server %} appliance interacts with other machines on your network that use a self-signed or untrusted certificate, you will need to import the signing CA's root certificate into the system-wide certificate store in order to access those systems over HTTPS.
+
+1. Obtain the CA's root certificate from your local certificate authority and ensure it is in PEM format.
+2. Copy the file to your {% data variables.product.prodname_ghe_server %} appliance over SSH as the "admin" user on port 122.
+  ```shell
+  $ scp -P 122 rootCA.crt admin@HOSTNAME:/home/admin
+  ```
+3. Connect to the {% data variables.product.prodname_ghe_server %} administrative shell over SSH as the "admin" user on port 122.
+  ```shell
+  $ ssh -p 122 admin@HOSTNAME
+  ```
+4. Import the certificate into the system-wide certificate store.
+  ```shell
+  $ ghe-ssl-ca-certificate-install -c rootCA.crt
+  ```

content/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise.md

@@ -0,0 +1,35 @@
+---
+title: Verifying or approving a domain for your enterprise
+intro: 'You can verify your ownership of domains with {% data variables.product.company_short %} to confirm the identity of organizations owned by your enterprise account. You can also approve domains where organization members can receive email notifications.'
+product: '{% data reusables.gated-features.enterprise-accounts %}'
+versions:
+  enterprise-server: '>=3.2'
+permissions: Enterprise owners can verify or approve a domain for an enterprise account.
+type: how_to
+topics:
+  - Enterprise
+  - Notifications
+  - Organizations
+  - Policy
+redirect_from:
+  - /admin/configuration/verifying-or-approving-a-domain-for-your-enterprise
+---
+### About verification of domains
+
+{% data reusables.enterprise-accounts.domains-about-verification %}
+
+### About approval of domains
+
+{% data reusables.enterprise-accounts.domains-about-approval %}
+
+### Verifying a domain for your enterprise account
+
+{% data reusables.enterprise-accounts.domains-verifying %}
+
+### Approving a domain for your enterprise account
+
+{% data reusables.enterprise-accounts.domains-approving %}
+
+### Removing an approved or verified domain
+
+{% data reusables.enterprise-accounts.domains-removing %}

content/admin/configuration/connecting-github-enterprise-server-to-github-enterprise-cloud.md

@@ -1,69 +0,0 @@
----
-title: Connecting GitHub Enterprise Server to GitHub Enterprise Cloud
-intro: 'After you enable {% data variables.product.prodname_github_connect %}, you can share specific features and workflows between {% data variables.product.product_location_enterprise %} and {% data variables.product.prodname_ghe_cloud %}.'
-redirect_from:
-  - /enterprise/admin/guides/developer-workflow/connecting-github-enterprise-to-github-com/
-  - /enterprise/admin/guides/developer-workflow/connecting-github-enterprise-server-to-github-com
-  - /enterprise/admin/developer-workflow/connecting-github-enterprise-server-to-githubcom/
-  - /enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud
-  - /enterprise/admin/configuration/connecting-github-enterprise-server-to-github-enterprise-cloud
-permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of a {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable {% data variables.product.prodname_github_connect %}.'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - GitHub Connect
-  - Infrastructure
-  - Networking
----
-
-### About {% data variables.product.prodname_github_connect %}
-
-To enable {% data variables.product.prodname_github_connect %}, you must configure the connection in both {% data variables.product.product_location_enterprise %} and in your {% data variables.product.prodname_ghe_cloud %} organization or enterprise account.
-
-To configure a connection, your proxy configuration must allow connectivity to `github.com` and `api.github.com`. For more information, see "[Configuring an outbound web proxy server](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-an-outbound-web-proxy-server)."
-
-After enabling {% data variables.product.prodname_github_connect %}, you will be able to enable features such as unified search and unified contributions. For more information about all of the features available, see "[Managing connections between {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/installation/managing-connections-between-github-enterprise-server-and-github-enterprise-cloud)."
-
-When you connect {% data variables.product.product_location_enterprise %} to {% data variables.product.prodname_ghe_cloud %}, a record on {% data variables.product.prodname_dotcom_the_website %} stores information about the connection:
-- The public key portion of your {% data variables.product.prodname_ghe_server %} license
-- A hash of your {% data variables.product.prodname_ghe_server %} license
-- The customer name on your {% data variables.product.prodname_ghe_server %} license
-- The hostname of {% data variables.product.product_location_enterprise %}
-- The version of {% data variables.product.product_location_enterprise %}
-- The organization or enterprise account on {% data variables.product.prodname_dotcom_the_website %} that's connected to {% data variables.product.product_location_enterprise %}
-- The authentication token that's used by {% data variables.product.product_location_enterprise %} to make requests to {% data variables.product.prodname_dotcom_the_website %}
-
-Enabling {% data variables.product.prodname_github_connect %} also creates a {% data variables.product.prodname_github_app %} owned by your {% data variables.product.prodname_ghe_cloud %} organization or enterprise account. {% data variables.product.prodname_ghe_server %} uses the {% data variables.product.prodname_github_app %}'s credentials to make requests to {% data variables.product.prodname_dotcom_the_website %}.
-
-{% data variables.product.prodname_ghe_server %} stores credentials from the {% data variables.product.prodname_github_app %}. These credentials will be replicated to any high availability or clustering environments, and stored in any backups, including snapshots created by {% data variables.product.prodname_enterprise_backup_utilities %}.
-- An authentication token, which is valid for one hour
-- A private key, which is used to generate a new authentication token
-
-Enabling {% data variables.product.prodname_github_connect %} will not allow {% data variables.product.prodname_dotcom_the_website %} users to make changes to {% data variables.product.prodname_ghe_server %}.
-
-For more information about managing enterprise accounts using the GraphQL API, see "[Enterprise accounts](/graphql/guides/managing-enterprise-accounts)."
-### Enabling {% data variables.product.prodname_github_connect %}
-
-1. Sign in to {% data variables.product.product_location_enterprise %} and {% data variables.product.prodname_dotcom_the_website %}.
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.github-connect-tab %}
-5. Under "{% data variables.product.prodname_dotcom_the_website %} is not enabled yet", click **Enable {% data variables.product.prodname_github_connect %}**. By clicking **Enable {% data variables.product.prodname_github_connect %}**, you agree to the  <a href="/articles/github-connect-addendum-to-the-github-enterprise-license-agreement/" class="dotcom-only">{% data variables.product.prodname_github_connect %} Addendum to the {% data variables.product.prodname_enterprise %} License Agreement</a>.
-  ![Enable GitHub Connect button](/assets/images/enterprise/business-accounts/enable-github-connect-button.png)
-6. Next to the enterprise account or organization you'd like to connect, click **Connect**.
-  ![Connect button next to an enterprise account or business](/assets/images/enterprise/business-accounts/choose-enterprise-or-org-connect.png)
-
-### Disconnecting a {% data variables.product.prodname_ghe_cloud %} organization or enterprise account from {% data variables.product.product_location_enterprise %}
-
-When you disconnect from {% data variables.product.prodname_ghe_cloud %}, the {% data variables.product.prodname_github_connect %} {% data variables.product.prodname_github_app %} is deleted from your enterprise account or organization and credentials stored on {% data variables.product.product_location_enterprise %} are deleted.
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.github-connect-tab %}
-5. Next to the enterprise account or organization you'd like to disconnect, click **Disable {% data variables.product.prodname_github_connect %}**.
-  ![Disable GitHub Connect button next to an enterprise account or organization name](/assets/images/enterprise/business-accounts/disable-github-connect-button.png)
-6. Read the information about disconnecting and click **Disable {% data variables.product.prodname_github_connect %}**.
-  ![Modal with warning information about disconnecting and confirmation button](/assets/images/enterprise/business-accounts/confirm-disable-github-connect.png)
-

content/admin/configuration/enabling-and-scheduling-maintenance-mode.md

@@ -1,72 +0,0 @@
----
-title: Enabling and scheduling maintenance mode
-intro: 'Some standard maintenance procedures, such as upgrading {% data variables.product.product_location %} or restoring backups, require the instance to be taken offline for normal use.'
-redirect_from:
-  - /enterprise/admin/maintenance-mode/
-  - /enterprise/admin/categories/maintenance-mode/
-  - /enterprise/admin/articles/maintenance-mode/
-  - /enterprise/admin/articles/enabling-maintenance-mode/
-  - /enterprise/admin/articles/disabling-maintenance-mode/
-  - /enterprise/admin/guides/installation/maintenance-mode/
-  - /enterprise/admin/installation/enabling-and-scheduling-maintenance-mode
-  - /enterprise/admin/configuration/enabling-and-scheduling-maintenance-mode
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Maintenance
-  - Upgrades
----
-
-### About maintenance mode
-
-Some types of operations require that you take {% data variables.product.product_location %} offline and put it into maintenance mode:
-- Upgrading to a new version of {% data variables.product.prodname_ghe_server %}
-- Increasing CPU, memory, or storage resources allocated to the virtual machine
-- Migrating data from one virtual machine to another
-- Restoring data from a {% data variables.product.prodname_enterprise_backup_utilities %} snapshot
-- Troubleshooting certain types of critical application issues
-
-We recommend that you schedule a maintenance window for at least 30 minutes in the future to give users time to prepare. When a maintenance window is scheduled, all users will see a banner when accessing the site.
-
-![End user banner about scheduled maintenance](/assets/images/enterprise/maintenance/maintenance-scheduled.png)
-
-When the instance is in maintenance mode, all normal HTTP and Git access is refused. Git fetch, clone, and push operations are also rejected with an error message indicating that the site is temporarily unavailable. Visiting the site in a browser results in a maintenance page.
-
-![The maintenance mode splash screen](/assets/images/enterprise/maintenance/maintenance-mode-maintenance-page.png)
-
-### Enabling maintenance mode immediately or scheduling a maintenance window for a later time
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-2. At the top of the {% data variables.enterprise.management_console %}, click **Maintenance**.
-  ![Maintenance tab](/assets/images/enterprise/management-console/maintenance-tab.png)
-3. Under "Enable and schedule", decide whether to enable maintenance mode immediately or to schedule a maintenance window for a future time.
-    - To enable maintenance mode immediately, use the drop-down menu and click **now**.
-    ![Drop-down menu with the option to enable maintenance mode now selected](/assets/images/enterprise/maintenance/enable-maintenance-mode-now.png)
-    - To schedule a maintenance window for a future time, use the drop-down menu and click a start time.
-    ![Drop-down menu with the option to schedule a maintenance window in two hours selected](/assets/images/enterprise/maintenance/schedule-maintenance-mode-two-hours.png)
-4. Select **Enable maintenance mode**.
-  ![Checkbox for enabling or scheduling maintenance mode](/assets/images/enterprise/maintenance/enable-maintenance-mode-checkbox.png)
-{% data reusables.enterprise_management_console.save-settings %}
-
-### Scheduling maintenance mode with {% data variables.product.prodname_enterprise_api %}
-
-You can schedule maintenance for different times or dates with {% data variables.product.prodname_enterprise_api %}. For more information, see "[Management Console](/enterprise/{{ currentVersion }}/user/rest/reference/enterprise-admin#enable-or-disable-maintenance-mode)."
-
-### Enabling or disabling maintenance mode for all nodes in a cluster
-
-With the `ghe-cluster-maintenance` utility, you can set or unset maintenance mode for every node in a cluster.
-
-```shell
-$ ghe-cluster-maintenance -h
-# Shows options
-$ ghe-cluster-maintenance -q
-# Queries the current mode
-$ ghe-cluster-maintenance -s
-# Sets maintenance mode
-$ ghe-cluster-maintenance -u
-# Unsets maintenance mode
-```

content/admin/configuration/enabling-automatic-user-license-sync-between-github-enterprise-server-and-github-enterprise-cloud.md

@@ -1,31 +0,0 @@
----
-title: Enabling automatic user license sync between GitHub Enterprise Server and GitHub Enterprise Cloud
-intro: 'You can connect {% data variables.product.product_location_enterprise %} to {% data variables.product.prodname_ghe_cloud %} and allow {% data variables.product.prodname_ghe_server %} to upload user license information to your enterprise account on {% data variables.product.prodname_dotcom_the_website %}.'
-redirect_from:
-  - /enterprise/admin/installation/enabling-automatic-user-license-sync-between-github-enterprise-server-and-github-enterprise-cloud
-  - /enterprise/admin/configuration/enabling-automatic-user-license-sync-between-github-enterprise-server-and-github-enterprise-cloud
-permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable automatic user license synchronization.'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - GitHub Connect
-  - Licensing
----
-
-### About license synchronization
-
-After you enable license synchronization, you'll be able to view license usage for your entire enterprise account, across {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_cloud %}. {% data variables.product.prodname_github_connect %} syncs license between {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_cloud %} weekly. For more information, see "[Managing your {% data variables.product.prodname_enterprise %} license](/enterprise/{{currentVersion}}/admin/installation/managing-your-github-enterprise-license)."
-
-You can also manually upload {% data variables.product.prodname_ghe_server %} user license information to {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
-
-### Enabling license synchronization
-
-Before enabling license synchronization on {% data variables.product.product_location_enterprise %}, you must connect {% data variables.product.product_location_enterprise %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.github-connect-tab %}
-5. Under "Server can sync user license count and usage", use the drop-down menu and select **Enabled**.
-  ![Drop-down menu to enable automatic user license sync](/assets/images/enterprise/site-admin-settings/enable-user-license-drop-down.png)

content/admin/configuration/enabling-private-mode.md

@@ -1,35 +0,0 @@
----
-title: Enabling private mode
-intro: 'In private mode, {% data variables.product.prodname_ghe_server %} requires every user to sign in to access the installation.'
-redirect_from:
-  - /enterprise/admin/articles/private-mode/
-  - /enterprise/admin/guides/installation/security/
-  - /enterprise/admin/guides/installation/securing-your-instance/
-  - /enterprise/admin/installation/enabling-private-mode
-  - /enterprise/admin/configuration/enabling-private-mode
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Access management
-  - Authentication
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Networking
-  - Privacy
-  - Security
----
-
-You must enable private mode if {% data variables.product.product_location %} is publicly accessible over the Internet. In private mode, users cannot anonymously clone repositories over `git://`. If built-in authentication is also enabled, an administrator must invite new users to create an account on the instance. For more information, see "[Using built-in authentication](/enterprise/{{ currentVersion }}/admin/guides/user-management/using-built-in-authentication)."
-
-{% data reusables.enterprise_installation.image-urls-viewable-warning %}
-
-With private mode enabled, you can allow unauthenticated Git operations (and anyone with network access to {% data variables.product.product_location %}) to read a public repository's code on your instance with anonymous Git read access enabled. For more information, see "[Allowing admins to enable anonymous Git read access to public repositories](/enterprise/{{ currentVersion }}/admin/guides/user-management/allowing-admins-to-enable-anonymous-git-read-access-to-public-repositories)."
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.privacy %}
-4. Select **Private mode**.
-  ![Checkbox for enabling private mode](/assets/images/enterprise/management-console/private-mode-checkbox.png)
-{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/enabling-subdomain-isolation.md

@@ -1,72 +0,0 @@
----
-title: Enabling subdomain isolation
-intro: 'You can set up subdomain isolation to securely separate user-supplied content from other portions of your {% data variables.product.prodname_ghe_server %} appliance.'
-redirect_from:
-  - /enterprise/admin/guides/installation/about-subdomain-isolation/
-  - /enterprise/admin/installation/enabling-subdomain-isolation
-  - /enterprise/admin/configuration/enabling-subdomain-isolation
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - Fundamentals
-  - Infrastructure
-  - Networking
-  - Security
----
-
-### About subdomain isolation
-
-Subdomain isolation mitigates cross-site scripting and other related vulnerabilities. For more information, see "[Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting)" on Wikipedia. We highly recommend that you enable subdomain isolation on {% data variables.product.product_location %}.
-
-When subdomain isolation is enabled, {% data variables.product.prodname_ghe_server %} replaces several paths with subdomains.
-
-{% if currentVersion == "enterprise-server@2.22" %}
-To use Docker with {% data variables.product.prodname_registry %}, you must also enable subdomain isolation. For more information, see "[Working with the Docker registry](/enterprise/{{ currentVersion }}/user/packages/working-with-a-github-packages-registry/working-with-the-docker-registry)."
-
-{% data reusables.package_registry.packages-ghes-release-stage %}
-
-{% endif %}
-
-| Path without subdomain isolation  | Path with subdomain isolation   |
-| --- | --- |
-| `http(s)://HOSTNAME/assets/`      | `http(s)://assets.HOSTNAME/`      |
-| `http(s)://HOSTNAME/avatars/`     | `http(s)://avatars.HOSTNAME/`     |
-| `http(s)://HOSTNAME/codeload/`    | `http(s)://codeload.HOSTNAME/`    |
-| `http(s)://HOSTNAME/gist/`        | `http(s)://gist.HOSTNAME/`        |
-| `http(s)://HOSTNAME/media/`       | `http(s)://media.HOSTNAME/`       |
-| `http(s)://HOSTNAME/pages/`       | `http(s)://pages.HOSTNAME/`       |
-| `http(s)://HOSTNAME/raw/`         | `http(s)://raw.HOSTNAME/`         |
-| `http(s)://HOSTNAME/render/`      | `http(s)://render.HOSTNAME/`      |
-| `http(s)://HOSTNAME/reply/`       | `http(s)://reply.HOSTNAME/`       |
-| `http(s)://HOSTNAME/uploads/`     | `http(s)://uploads.HOSTNAME/`     |{% if currentVersion == "enterprise-server@2.22" %}
-|  N/A, Docker with {% data variables.product.prodname_registry %} will not work with subdomain isolation disabled for the {% data variables.product.prodname_registry %} 2.22 beta. | `http(s)://docker.HOSTNAME/` |{% endif %} {% if currentVersion ver_gt "enterprise-server@2.22" %}
-| `https://HOSTNAME/_registry/docker/` | `http(s)://docker.HOSTNAME/`{% endif %}{% if currentVersion ver_gt "enterprise-server@2.22" %}
-| `https://HOSTNAME/_registry/npm/` | `https://npm.HOSTNAME/`
-| `https://HOSTNAME/_registry/rubygems/` | `https://rubygems.HOSTNAME/`
-| `https://HOSTNAME/_registry/maven/` | `https://maven.HOSTNAME/`
-| `https://HOSTNAME/_registry/nuget/` | `https://nuget.HOSTNAME/`{% endif %}
-
-### Prerequisites
-
-{% data reusables.enterprise_installation.disable-github-pages-warning %}
-
-Before you enable subdomain isolation, you must configure your network settings for your new domain.
-
-- Specify a valid domain name as your hostname, instead of an IP address. For more information, see "[Configuring a hostname](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-a-hostname)."
-
-{% data reusables.enterprise_installation.changing-hostname-not-supported %}
-
-- Set up a wildcard Domain Name System (DNS) record or individual DNS records for the subdomains listed above. We recommend creating an A record for `*.HOSTNAME` that points to your server's IP address so you don't have to create multiple records for each subdomain.
-- Get a wildcard Transport Layer Security (TLS) certificate for `*.HOSTNAME` with a Subject Alternative Name (SAN) for both `HOSTNAME` and the wildcard domain `*.HOSTNAME`. For example, if your hostname is `github.octoinc.com`, get a certificate with the Common Name value set to `*.github.octoinc.com` and a SAN value set to both `github.octoinc.com` and `*.github.octoinc.com`.
-- Enable TLS on your appliance. For more information, see "[Configuring TLS](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-tls/)."
-
-### Enabling subdomain isolation
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.hostname-menu-item %}
-4. Select **Subdomain isolation (recommended)**.
-  ![Checkbox to enable subdomain isolation](/assets/images/enterprise/management-console/subdomain-isolation.png)
-{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/enabling-unified-contributions-between-github-enterprise-server-and-githubcom.md

@@ -1,37 +0,0 @@
----
-title: Enabling unified contributions between GitHub Enterprise Server and GitHub.com
-intro: 'After enabling {% data variables.product.prodname_github_connect %}, you can allow {% data variables.product.prodname_ghe_cloud %} members to highlight their work on {% data variables.product.prodname_ghe_server %} by sending the contribution counts to their {% data variables.product.prodname_dotcom_the_website %} profiles.'
-redirect_from:
-  - /enterprise/admin/guides/developer-workflow/enabling-unified-contributions-between-github-enterprise-and-github-com/
-  - /enterprise/admin/guides/developer-workflow/enabling-unified-contributions-between-github-enterprise-server-and-github-com/
-  - /enterprise/admin/developer-workflow/enabling-unified-contributions-between-github-enterprise-server-and-githubcom/
-  - /enterprise/admin/installation/enabling-unified-contributions-between-github-enterprise-server-and-githubcom
-  - /enterprise/admin/configuration/enabling-unified-contributions-between-github-enterprise-server-and-githubcom
-permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable unified contributions between {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_dotcom_the_website %}.'
-versions:
-  enterprise-server: '*'
-type: how_to
-topics:
-  - Enterprise
-  - GitHub Connect
----
-
-As a site administrator, you can allow end users to send anonymized contribution counts for their work from {% data variables.product.prodname_ghe_server %} to their {% data variables.product.prodname_dotcom_the_website %} contribution graph.
-
-After you enable {% data variables.product.prodname_github_connect %} and enable {% data variables.product.prodname_unified_contributions %} in both environments, end users on your instance can connect to their {% data variables.product.prodname_dotcom_the_website %} accounts and send contribution counts from {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.github-connect.sync-frequency %} For more information, see "[Sending your {% data variables.product.prodname_ghe_server %} contributions to your {% data variables.product.prodname_dotcom_the_website %} profile](/articles/sending-your-github-enterprise-server-contributions-to-your-github-com-profile/)."
-
-If the site administrator disables the functionality or developers opt out of the connection, the {% data variables.product.prodname_ghe_server %} contribution counts will be deleted on {% data variables.product.prodname_dotcom_the_website %}. If the developer reconnects their profiles after disabling them, the contribution counts for the past 90 days are restored.
-
-{% data variables.product.prodname_ghe_server %} **only** sends the contribution count and source ({% data variables.product.prodname_ghe_server %}) for connected users. It does not send any information about the contribution or how it was made.
-
-Before enabling {% data variables.product.prodname_unified_contributions %} on {% data variables.product.product_location_enterprise %}, you must connect {% data variables.product.product_location_enterprise %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/{{ currentVersion }}/admin/guides/developer-workflow/connecting-github-enterprise-server-to-github-com)."
-
-{% data reusables.github-connect.access-dotcom-and-enterprise %}
-{% data reusables.enterprise_site_admin_settings.access-settings %}{% data reusables.enterprise_site_admin_settings.business %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.github-connect-tab %}
-4. Under "Users can share contribution counts to {% data variables.product.prodname_dotcom_the_website %}", click **Request access**.
-  ![Request access to unified contributions option](/assets/images/enterprise/site-admin-settings/dotcom-ghe-connection-request-access.png)
-5. [Sign in](https://enterprise.github.com/login) to the {% data variables.product.prodname_ghe_server %} site to receive further instructions.
-
-When you request access, we'll redirect you to the {% data variables.product.prodname_ghe_server %} site to check your current terms of service. If {% data variables.product.product_location_enterprise %} uses the standard terms of service, the request will automatically redirect you to instructions on enabling {% data variables.product.prodname_unified_contributions %}. If you're using a custom terms of service, we'll log your request and contact you to set up access.