Glossary
This page defines every domain term used throughout ntkDeploy and this documentation. Terms appear in alphabetical order. When a term links elsewhere, it points to a longer explanation in the relevant guide page.
Prerequisites
No prior knowledge required — this is the starting point.
.ntkprofile
An encrypted binary file containing a Mobile Profile for import on ntkMobile. .ntkprofile files are produced by ntkDeploy's mobile build pipeline when an administrator selects a Mobile or Both target platform and enters an encryption password. The file uses an AES-256-GCM envelope with PBKDF2 key derivation and cannot be opened without the password. See Mobile Profiles.
A
ABAC (Attribute-Based Access Control)
The access-control model used by the Policy Manager V2. Access decisions are based on attributes attached to subjects (people) and resources (devices) rather than on fixed role assignments. ntkDeploy enforces ABAC rules through Policies evaluated during the preflight phase. See Managing Policies.
ABAC Factor
A typed ABAC selection surface in ntkDeploy that resolves one stored ABAC ID to either an internal attribute, an imported TPA grant, an unresolved ID, or a conflict. Profiles still persist ABAC policy as string-only IDs; imported TPA factors contribute canonical lowercase 32-hex tpaId values.
Artifact
The final deployment-ready configuration produced by the Config Build Service for a specific deployment target. The underlying desktop artifact body is still JSON, but desktop deployment encrypts that body into appconfig.ntkd before writing it to disk. Mobile deployment writes an encrypted .ntkprofile. Deployed desktop output strips the top-level policy key entirely; when ABAC data is present, deviceId remains the sole client-side identity reference.
Assignment
The record that links a specific Profile Version to a Device Group for deployment. An assignment moves through the states pending → in_progress → succeeded | failed | partial. Each assignment can spawn multiple Rollout Events, one per device target. See Deploying Configurations.
Audit Log
The append-only, searchable history of every administrative action taken in ntkDeploy — profile changes, assignment creation, rollout events, policy operations, and settings updates. Each entry records the actor, action, affected entity, and timestamp. See the Audit Log reference.
B
Bucket
A named storage container within a Provider Instance (for example, an Azure Blob container or an S3 bucket). Buckets are referenced in profile source configuration to tell ntkDrive where to retrieve remote assets.
C
Conductor Address Injection
The process of embedding a conductor address into a Mobile Profile at build time. ntkDeploy first uses mobileSettings.conductorAddress from the profile's Mobile Vaults tab. If the profile does not define one, ntkDeploy can fall back to the global Settings conductor address. The embedded value becomes the Profile-tier fallback in ntkMobile's conductor address resolution order (Manual Override > Profile > Default). See Settings and Mobile Profiles.
Config Build Service
The internal service that assembles a deployable Artifact from a validated Profile Version. It merges profile settings JSON, inlines resolved Provider credentials, embeds the Snapshot reference, and writes the result to a temporary staging path before the Deployment Service copies it to the target path.
Connectivity Gate
A mandatory pre-deployment check that verifies the Policy Manager V2 API is reachable and has the required capabilities enabled (/capabilities and /readyz must both succeed). If the connectivity gate fails, the deployment wizard is blocked and no artifacts can be written. The gate status is always visible in the app header badge. See Deployment Preflight.
D
Deployment
The process of writing a built Artifact to one or more Windows device targets via SMB or a local path. A deployment is initiated through the Deployment Wizard after all Preflight checks pass. See Deploying Configurations.
Deployment Path Type
The classification of a device group target path as unc (a Windows network share path in the form \\server\share\path) or local (a local absolute Windows path such as C:\folder or D:\usb\configs). Detection is automatic based on path format. ntkDeploy routes each path through the appropriate validation logic. See Managing Device Groups.
Deployment Service
The internal service responsible for copying built Artifacts to target paths (UNC or local) via the filesystem. It backs up any existing configuration before overwriting and records a Rollout Event for each device path.
Deployment Wizard
The multi-step guided flow in ntkDeploy that walks you through validating prerequisites, reviewing the deployment plan, and executing a Deployment. The wizard blocks progression at each step until all required checks pass. For mobile profiles the wizard includes additional steps for preview, password entry, and delivery method selection. See Deploying Configurations.
Desktop Source
A desktop source entry in the Desktop Sources tab of a Profile. Desktop sources define the Windows appconfig JSON body, including provider assignments, file processing, and sync settings. That body is what you see in previews; managed desktop deployment encrypts it into appconfig.ntkd. Desktop sources are independent from mobile vaults. ABAC attributes for desktop sources are configured on the Policy tab.
Destination Rule
A path-level configuration entry on a Device Group that specifies exactly where and how an Artifact is written to a deployment target. Rules can restrict which profiles can be deployed to a given path or apply additional transformation logic.
Device Group
A named collection of Windows deployment targets, each represented by a target path (UNC network share or local absolute path). Device groups are the unit of deployment — a profile is assigned to a device group rather than to individual machines. See Managing Device Groups.
Device Key
A unique string identifier for a device within the Policy Manager system. Device keys must be mapped to an Ownership Mapping (a person Peer ID) before the Connectivity Gate will allow deployment to that device. See Device Enrollment.
Drift
The database access library ntkDeploy uses to read and write its local SQLite database. All profile, assignment, audit, and provider data are stored through Drift.
E
Environment
A free-form label (for example, Development, Staging, Production, Corporate-IT) that you assign to Profiles to group them by lifecycle stage, department, or purpose. Environments are not fixed system values — you define them when you create profiles and manage them via the Environment Sidebar. See Environments.
Environment Sidebar
The collapsible panel on the left side of the Profiles screen that lists every unique environment label currently in use. Clicking an environment filters the profile list to show only profiles in that context. All Environments clears the filter. See Environments.
M
Mobile Profile
A Profile targeting ntkMobile devices. When a profile's Target Platform is set to Mobile or Both, ntkDeploy builds an encrypted .ntkprofile artifact from the profile's saved mobileSettings data, including its independent mobile vault definitions. Mobile profiles carry a stable profileId UUID that ntkMobile uses to resolve re-imports as updates rather than new profiles. See Mobile Profiles.
Mobile Settings
The mobile-specific profile data stored on a profile under mobileSettings. This structure contains the mobile conductor address and the list of independent mobile vault definitions used to build the encrypted .ntkprofile artifact.
Mobile Vault
An individual vault definition inside mobileSettings.vaults. A mobile vault contains a name, provider type, provider instance assignments (resolved to full configuration at build time), optional settings, and a boolean encryption toggle. ABAC attributes for mobile vaults are configured on the Policy tab rather than in the vault definition itself.
N
ntkDeploy
This desktop application. ntkDeploy is the administration tool that allows Windows fleet administrators to create and manage Profiles, assign them to Device Groups, run Preflight checks, and deploy Artifacts to target paths (UNC/SMB or local).
ntkDrive
The client-side software installed on managed Windows devices that reads configuration artifacts and applies them. ntkDeploy creates and delivers the configuration files that ntkDrive consumes. ntkDrive itself is not part of this application.
O
Ownership Mapping
A record that associates a Device Key with a specific person's Peer ID. Ownership mappings are required by the Connectivity Gate: every deployment target must have an owner assigned before preflight will pass. You can assign owners one at a time inline in the Device Groups screen or in bulk using CSV import. See Device Enrollment.
P
People
The list of person records managed in the Policy Manager and surfaced in ntkDeploy when assigning device ownership. Each person record links a display name to a Peer ID and optional certificate fingerprints. People are referenced when creating Ownership Mappings for deployment targets. See Device Enrollment.
Peer ID
The policy-system identity string linked to a person record in the Policy Manager. Each person can have multiple certificate fingerprints associated with their Peer ID to support multi-device or credential-rotation scenarios.
Policy
An ABAC rule set managed by the Policy Manager V2 API. Policies determine which devices and people are permitted to participate in a deployment. ntkDeploy evaluates policies during the Preflight phase and embeds a policy Snapshot reference in every deployment artifact.
Preflight
The automated verification sequence that runs before every deployment. Preflight confirms that the Connectivity Gate is open, all Ownership Mappings are present, the Policy Manager returns a clean plan (no missing-plan actions), and a deterministic Snapshot can be retrieved. Deployment is blocked until all preflight checks pass. See Deployment Preflight.
Profile
The core entity in ntkDeploy. A profile is a named, versioned configuration definition that describes the ntkDrive settings for a class of devices. Each profile belongs to an Environment, has an optional department tag, and holds a priority that controls its display order. See Creating a Profile.
Profile Password
The transient password an administrator enters when generating an encrypted deployment artifact. The password is used to derive the AES-256-GCM encryption key (via PBKDF2WithHmacSHA256), must be at least 8 characters long, and is never stored by ntkDeploy. Deployments with the Both target reuse the same password for the desktop appconfig.ntkd and the mobile .ntkprofile. If the password is lost, the artifact cannot be decrypted and a new profile must be built with a new password.
Profile Version
An immutable revision of a Profile's settings JSON. Every save that changes the settings creates a new version. Versions carry a validation status (draft, valid, or invalid). Only a valid version can be selected for Assignment.
Provider
A reusable cloud-provider configuration (for example, an Azure Blob Storage account or an AWS S3 configuration) managed in the Providers section of ntkDeploy. Providers are referenced by name in profile sources; the Config Build Service inlines the resolved credentials into deployment Artifacts. See Using Providers.
Provider Compatibility
Whether a desktop cloud provider type has a corresponding ntkMobile vault type. AmazonS3, S3Compatible, MinIO, Wasabi, iDriveE2, OneDrive, DropBox, and GoogleDrive are all mobile-compatible. NetworkShare has no mobile equivalent and is excluded from Mobile Profile builds. See Mobile Provider Compatibility Matrix.
Provider Instance
A specific configured record of a Provider type. For example, you might have two Azure Blob provider instances representing two different storage accounts. Profile sources reference a provider instance by its name.
Provider Instance Linking
The workflow that assigns a Provider Instance to a mobile vault or desktop source. For mobile vaults, assignments are stored as references and the Config Build Service resolves the full provider configuration (credentials, endpoint, bucket, or OAuth extras) from the referenced provider instance at build time.
R
Rollout Event
A per-device record within an Assignment that captures the outcome (succeeded or failed), an optional message, and the timestamp for a single deployment target. The collection of rollout events for an assignment gives the full success/failure breakdown.
S
Schema
A registered definition that specifies the fields, types, validation rules, and display layout for a Profile Version's settings. The Schema Registry maps schema identifiers to their definitions; when you create or edit a profile, the form UI is generated from the active schema.
Schema Registry
The internal lookup table that maps profile type identifiers to their Schema definitions. It is set up automatically when the app starts. Each supported profile type has a registered schema that drives its form and validation rules.
Service Locator
The internal component that initialises and connects all of ntkDeploy's data, service, and controller layers when the application starts. It runs automatically before the main window appears and requires no configuration from the administrator.
SMB Share
A Windows file share exposed via the Server Message Block (SMB) protocol. ntkDeploy writes deployment Artifacts directly to SMB shares using UNC Paths. No internet connectivity is required — all deployments are intranet-only.
Snapshot
A point-in-time capture of the Policy Manager state requested during Preflight. The snapshot reference and payload are embedded in the deployment Artifact to ensure deterministic, auditable behaviour. Snapshots require the snapshotResolve and snapshotGet capabilities to be enabled on the Policy Manager endpoint.
SQLite
The embedded relational database used by ntkDeploy for all local data storage. There are no external database servers or cloud storage dependencies; the SQLite database file lives on the administrator's workstation. ntkDeploy accesses it through the Drift ORM.
T
Target Platform
Indicates whether a Profile is intended for desktop deployment, mobile deployment, or both. The three values are Desktop (default), Mobile, and Both. Desktop-targeted profiles now deploy encrypted appconfig.ntkd artifacts. Profiles with a Mobile or Both target display a provider compatibility panel and can also produce encrypted .ntkprofile files. See Mobile Profiles.
TPA Grant
A Trading Partner Attribute grant. This is a signed, time-bounded, cross-org-only attribute delegation from one organization to another. ntkDeploy consumes imported TPA grants as ABAC factors for inspection, profile selection, verified preflight, and runtime delivery. Internal attributes remain the within-org primitive.
TPA Import
The recipient-local record that onboards an inbound TPA grant for local use. Disabling a TPA import stops local consumption of that cross-org grant without revoking the issuer's grant.
TPA Trust
The local organization's trust record for a remote issuer organization. A TPA trust pins issuer signing keys and constrains which scope types and permissions the local org will accept from imported TPA grants.
U
UNC Path
A Universal Naming Convention path in the form \\server\share\path that identifies a location on a Windows network share. UNC paths are supported as deployment targets in Device Groups. ntkDeploy validates UNC format and can perform connectivity checks before deployment. Local absolute paths (C:\folder, D:\usb\configs) are also accepted — see Deployment Path Type.
Next Steps
- Architecture Overview — see how profiles, artifacts, and deployments fit together.
- Environments — understand how environment labels organise your profile library.
- Creating a Profile — put your knowledge of profiles and schemas into practice.
- Managing Policies — work with ABAC policies, people, and attributes.
- Deployment Preflight Reference — understand every preflight check in detail.
- Getting Started — install ntkDeploy and start using it.