Skip to content

Glossary

This page defines every domain term used throughout ntkDeploy and this documentation. Terms appear in alphabetical order. When a term links elsewhere it points to longer explanations in the relevant guide page.

Prerequisites

No prior knowledge required — this is the starting point.

A

ABAC (Attribute-Based Access Control)

The access-control model used by the Policy Manager V2. Access decisions are based on attributes attached to subjects (people) and resources (devices) rather than on fixed role assignments. ntkDeploy enforces ABAC rules through Policies evaluated during the preflight phase. See Managing Policies.

Artifact

The final deployment-ready JSON file produced by the Config Build Service for a specific deployment target. An artifact combines the active Profile Version settings with any resolved Provider credentials and a Snapshot reference. Artifacts are written to UNC Paths during deployment.

Assignment

The record that links a specific Profile Version to a Device Group for deployment. An assignment moves through the states pending → in_progress → succeeded | failed | partial. Each assignment can spawn multiple Rollout Events, one per device target. See Deploying Configurations.

Audit Log

The append-only, searchable history of every administrative action taken in ntkDeploy — profile changes, assignment creation, rollout events, policy operations, and settings updates. Each entry records the actor, action, affected entity, and timestamp. See the Audit Log reference.

B

Bucket

A named storage container within a Provider Instance (for example, an Azure Blob container or an S3 bucket). Buckets are referenced in profile source configuration to tell ntkDrive where to retrieve remote assets.

C

Config Build Service

The internal service that assembles a deployable Artifact from a validated Profile Version. It merges profile settings JSON, inlines resolved Provider credentials, embeds the Snapshot reference, and writes the result to a temporary staging path before the Deployment Service copies it to the target UNC Path.

Connectivity Gate

A mandatory pre-deployment check that verifies the Policy Manager V2 API is reachable and has the required capabilities enabled (/capabilities and /readyz must both succeed). If the connectivity gate fails, the deployment wizard is blocked and no artifacts can be written. The gate status is always visible in the app header badge. See Deployment Preflight.

D

Deployment

The process of writing a built Artifact to one or more Windows device targets via SMB. A deployment is initiated through the Deployment Wizard after all Preflight checks pass. See Deploying Configurations.

Deployment Service

The internal service responsible for copying built Artifacts to UNC Paths via SMB. It backs up any existing configuration before overwriting and records a Rollout Event for each device path.

Deployment Wizard

The multi-step guided flow in ntkDeploy that walks you through validating prerequisites, reviewing the deployment plan, and executing a Deployment. The wizard blocks progression at each step until all required checks pass. See Deploying Configurations.

Destination Rule

A path-level configuration entry on a Device Group that specifies exactly where and how an Artifact is written to a deployment target. Rules can restrict which profiles can be deployed to a given path or apply additional transformation logic.

Device Group

A named collection of Windows deployment targets, each represented by a UNC Path. Device groups are the unit of deployment — a profile is assigned to a device group rather than to individual machines. See Managing Device Groups.

Device Key

A unique string identifier for a device within the Policy Manager system. Device keys must be mapped to an Ownership Mapping (a person Peer ID) before the Connectivity Gate will allow deployment to that device. See Device Enrollment.

Drift

The database access library ntkDeploy uses to read and write its local SQLite database. All profile, assignment, audit, and provider data are stored through Drift.

E

Environment

A free-form label (for example, Development, Staging, Production, Corporate-IT) that you assign to Profiles to group them by lifecycle stage, department, or purpose. Environments are not fixed system values — you define them when you create profiles and manage them via the Environment Sidebar. See Environments.

Environment Sidebar

The collapsible panel on the left side of the Profiles screen that lists every unique environment label currently in use. Clicking an environment filters the profile list to show only profiles in that context. All Environments clears the filter. See Environments.

N

ntkDeploy

This desktop application. ntkDeploy is the administration tool that allows Windows fleet administrators to create and manage Profiles, assign them to Device Groups, run Preflight checks, and deploy Artifacts via UNC/SMB.

ntkDrive

The client-side software installed on managed Windows devices that reads configuration artifacts and applies them. ntkDeploy creates and delivers the configuration files that ntkDrive consumes. ntkDrive itself is not part of this application.

O

Ownership Mapping

A record that associates a Device Key with a specific person's Peer ID. Ownership mappings are required by the Connectivity Gate: every deployment target must have an owner assigned before preflight will pass. You can assign owners one at a time inline in the Device Groups screen or in bulk using CSV import. See Device Enrollment.

P

People

The list of person records managed in the Policy Manager and surfaced in ntkDeploy when assigning device ownership. Each person record links a display name to a Peer ID and optional certificate fingerprints. People are referenced when creating Ownership Mappings for deployment targets. See Device Enrollment.

Peer ID

The policy-system identity string linked to a person record in the Policy Manager. Each person can have multiple certificate fingerprints associated with their Peer ID to support multi-device or credential-rotation scenarios.

Policy

An ABAC rule set managed by the Policy Manager V2 API. Policies determine which devices and people are permitted to participate in a deployment. ntkDeploy evaluates policies during the Preflight phase and embeds a policy Snapshot reference in every deployment artifact.

Preflight

The automated verification sequence that runs before every deployment. Preflight confirms that the Connectivity Gate is open, all Ownership Mappings are present, the Policy Manager returns a clean plan (no missing-plan actions), and a deterministic Snapshot can be retrieved. Deployment is blocked until all preflight checks pass. See Deployment Preflight.

Profile

The core entity in ntkDeploy. A profile is a named, versioned configuration definition that describes the ntkDrive settings for a class of devices. Each profile belongs to an Environment, has an optional department tag, and holds a priority that controls its display order. See Creating a Profile.

Profile Version

An immutable revision of a Profile's settings JSON. Every save that changes the settings creates a new version. Versions carry a validation status (draft, valid, or invalid). Only a valid version can be selected for Assignment.

Provider

A reusable cloud-provider configuration (for example, an Azure Blob Storage account or an AWS S3 configuration) managed in the Providers section of ntkDeploy. Providers are referenced by name in profile sources; the Config Build Service inlines the resolved credentials into deployment Artifacts. See Using Providers.

Provider Instance

A specific configured record of a Provider type. For example, you might have two Azure Blob provider instances representing two different storage accounts. Profile sources reference a provider instance by its name.

R

Rollout Event

A per-device record within an Assignment that captures the outcome (succeeded or failed), an optional message, and the timestamp for a single deployment target. The collection of rollout events for an assignment gives the full success/failure breakdown.

S

Schema

A registered definition that specifies the fields, types, validation rules, and display layout for a Profile Version's settings. The Schema Registry maps schema identifiers to their definitions; when you create or edit a profile, the form UI is generated from the active schema.

Schema Registry

The internal lookup table that maps profile type identifiers to their Schema definitions. It is set up automatically when the app starts. Each supported profile type has a registered schema that drives its form and validation rules.

Service Locator

The internal component that initialises and connects all of ntkDeploy's data, service, and controller layers when the application starts. It runs automatically before the main window appears and requires no configuration from the administrator.

SMB Share

A Windows file share exposed via the Server Message Block (SMB) protocol. ntkDeploy writes deployment Artifacts directly to SMB shares using UNC Paths. No internet connectivity is required — all deployments are intranet-only.

Snapshot

A point-in-time capture of the Policy Manager state requested during Preflight. The snapshot reference and payload are embedded in the deployment Artifact to ensure deterministic, auditable behaviour. Snapshots require the snapshotResolve and snapshotGet capabilities to be enabled on the Policy Manager endpoint.

SQLite

The embedded relational database used by ntkDeploy for all local data storage. There are no external database servers or cloud storage dependencies; the SQLite database file lives on the administrator's workstation. ntkDeploy accesses it through the Drift ORM.

U

UNC Path

A Universal Naming Convention path in the form \\server\share\path that identifies a location on a Windows network share. UNC paths are used as deployment targets in Device Groups. ntkDeploy validates UNC format and can perform connectivity checks before deployment.

Next Steps