A Device is the Cluster's representation of a User's machine. A logged-in User can optionally register (enroll) or re-register a Device with the command `octelium auth device register`, or simply `octelium auth dev`. Registration by itself does not grant access: it is up to access control to allow or deny a User based on their Device information (read more about Device-based access control here). A Device belongs to the one User that registered it, and one or more of that User's Sessions can belong to the same Device.
State
A Device has one of 3 states at a time, namely ACTIVE, REJECTED and PENDING, as follows:

- ACTIVE indicates an active Device, whose Sessions can access any Service if authorized.
- REJECTED means that the Device is deactivated: no Session created from that Device can access any Service unless the Device is set to ACTIVE again.
- PENDING indicates that the Device is still awaiting a decision, via approval or rejection, to become ACTIVE or REJECTED.
The Cluster by default automatically sets the state for a newly created Device to ACTIVE. You can explicitly set a default Device state for a specific User (read more here) as follows:
```yaml
kind: User
metadata:
  name: john
spec:
  type: HUMAN
  session:
    defaultState: ACTIVE
```
You can also set the default state at the Cluster level via ClusterConfig (read more here), separately for HUMAN and WORKLOAD Users, as follows:
```yaml
kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  device:
    human:
      defaultState: PENDING
    workload:
      defaultState: ACTIVE
```
Approving Devices
You can approve a Device to set its state to ACTIVE simply as follows:
```bash
octeliumctl update device --approve <DEVICE_NAME>
```
Rejecting Devices
You can reject a Device to set its state to REJECTED simply as follows:
```bash
octeliumctl update device --reject <DEVICE_NAME>
```
Per User Limit
You can also set an upper limit on the number of Devices allowed per User, separately for HUMAN and WORKLOAD Users, as follows:

```yaml
kind: ClusterConfig
metadata:
  name: cluster-config
spec:
  device:
    human:
      maxPerUser: 20
    workload:
      maxPerUser: 100
```
As always, you apply the updated ClusterConfig with the command `octeliumctl apply` (read more here).
Listing Devices
You can list the Cluster's Devices (read more about listing resources here) as follows:

```bash
octeliumctl get device
# Or simply
octeliumctl get dev
# Or list by a certain User
octeliumctl get dev --user john
# Show a certain Device
octeliumctl get dev <NAME>
```
Access Control
You can control access to Services in your Policies based on the Device information. Here is an example where you only allow LINUX or MAC Devices:

```yaml
kind: Policy
metadata:
  name: allowed-devices
spec:
  rules:
    - effect: ALLOW
      condition:
        match: ctx.device.status.osType in ["LINUX", "MAC"]
```
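The following is an added, self-contained Python model of the Device rules described on this page (default state from ClusterConfig or the User, the per-User limit, approve/reject, and the osType Policy condition from the Access Control section above). It is not Octelium's own code: the real Cluster keeps Devices in its own store and evaluates Policy conditions with its own engine. Three things are assumptions rather than statements from the page: a User-level `session.defaultState` takes precedence over the ClusterConfig default; a DENY rule wins over ALLOW and no matching rule means deny; and the constructed osType value `WINDOWS` is sample data. The `Cluster`, `User`, `Device`, `authorize` and `matches` names are hypothetical.

```python
"""Model of the Device rules on this page (added example, not Octelium code).

Assumptions, labelled: User-level defaultState overrides the ClusterConfig
default; DENY beats ALLOW and no matching rule denies; only the
`<path> in [<list>]` condition form shown on the page is evaluated.
"""
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIVE, REJECTED, PENDING = "ACTIVE", "REJECTED", "PENDING"

# Constructed ClusterConfig fragment mirroring spec.device.{human,workload}.
CLUSTER_CONFIG = {
    "device": {
        "human": {"defaultState": PENDING, "maxPerUser": 2},
        "workload": {"defaultState": ACTIVE, "maxPerUser": 100},
    }
}

# Constructed Policy mirroring the allowed-devices example above.
POLICY = {"rules": [
    {"effect": "ALLOW",
     "condition": 'ctx.device.status.osType in ["LINUX", "MAC"]'},
]}


@dataclass
class User:
    name: str
    type: str                           # HUMAN or WORKLOAD
    default_state: Optional[str] = None  # spec.session.defaultState, if set


@dataclass
class Device:
    name: str
    user: str
    os_type: str
    state: str


class Cluster:
    """Hypothetical in-memory stand-in for the Cluster's Device store."""

    def __init__(self, config):
        self.config = config
        self.devices: Dict[str, Device] = {}

    def default_state(self, user: User) -> str:
        if user.default_state is not None:     # assumption: User-level wins
            return user.default_state
        return self.config["device"][user.type.lower()]["defaultState"]

    def register(self, user: User, name: str, os_type: str) -> Device:
        """octelium auth device register: enforce maxPerUser, then apply
        the default state (ACTIVE, PENDING or REJECTED) to the new Device."""
        limit = self.config["device"][user.type.lower()]["maxPerUser"]
        owned = [d for d in self.devices.values() if d.user == user.name]
        if len(owned) >= limit:
            raise PermissionError(f"{user.name}: maxPerUser={limit} reached")
        dev = Device(name, user.name, os_type, self.default_state(user))
        self.devices[name] = dev
        return dev

    def approve(self, name: str) -> None:   # octeliumctl update device --approve
        self.devices[name].state = ACTIVE

    def reject(self, name: str) -> None:    # octeliumctl update device --reject
        self.devices[name].state = REJECTED

    def list_devices(self, user: Optional[str] = None) -> List[Device]:
        """octeliumctl get dev [--user <name>]"""
        return [d for d in self.devices.values()
                if user is None or d.user == user]


def lookup(ctx: dict, dotted: str):
    cur = ctx
    for part in dotted.split("."):
        cur = cur[part]
    return cur


def matches(condition: str, ctx: dict) -> bool:
    """Evaluate the `<path> in [<list>]` form used in the Policy above."""
    path, _, rhs = condition.partition(" in ")
    return lookup(ctx, path.strip()) in ast.literal_eval(rhs.strip())


def authorize(policy: dict, device: Device) -> bool:
    """Access decision for a Session on this Device: a non-ACTIVE Device is
    refused before any Policy rule is consulted (REJECTED and PENDING alike);
    otherwise DENY wins over ALLOW and no match means deny (assumption)."""
    if device.state != ACTIVE:
        return False
    ctx = {"ctx": {"device": {"status": {"osType": device.os_type}}}}
    effects = {r["effect"] for r in policy["rules"]
               if matches(r["condition"], ctx)}
    if "DENY" in effects:
        return False
    return "ALLOW" in effects
```

The point to take from the model is the order of the checks: the Device state gate is applied before any Policy rule, so a PENDING Device registered under `human.defaultState: PENDING` stays locked out until an operator runs `octeliumctl update device --approve`, and a rejected Device is locked out even where the osType condition would otherwise match.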