New ia

README.md

@@ -1,57 +1,11 @@
-# Overview
-
-**Security Suite for Engineering Endpoint Devices(SEED)** is the Singapore Government's implementation of Identity and Access Management (IAM) and zero trust framework to protect against unauthorised access to the Government's engineering resources, such as Government on Commercial Cloud (GCC) and the Singapore Tech Stack(SGTS).
-
-Zero Trust replaces traditional Virtual Private Network (VPN) connections and network-based security policies with a standardised central identity provider. It offers enforcement of access policies allowing only authorised users to use devices compliant with device postures.
-
-## Why do we need SEED?
-
-![why-do-we-need-seed](images/why-do-we-need-seed.png)
-
-- Detects and provides remediation steps for known malware.
-- Detects if the endpoint meets the required security hardening baseline according to the corresponding Center of Internet Security (CIS) benchmark for the installed endpoint operating system.
-- Detects if the endpoint’s operating system version and security patches are up-to-date.
-- Prevents accessing the resources of GCC and the SGTS services if the above requirements are not satisfied.
-
-## How does SEED work?
-
-![how-does-seed-work](images/how-does-seed-work.png)
-
-SEED comprises of three components:
-
-- TechPass
-- Cloudflare
-- SEED Dashboard
-
-<!-- tabs:start -->
-
-### **TechPass**
-
-This is the Identity Access Management(IAM) and Single Sign-On(SSO) solution for accessing SGTS and GCC services.
-
-### **Cloudflare**
-
-The security platform that enforces Zero Trust network access allowing faster and safer connections to the Internet and applications. This comprises of the following:<br>- **Cloudflare WARP**: Replaces the traditional VPN clients.<br>- **Cloudflare Gateway**: Blocks and protects from malicious content.<br>- **Cloudflare Access**: Evaluates every request for user identity and device context.
-
-### **SEED Dashboard**
-
-Device management layer of SEED. It establishes a robust security baseline automatically​ and prevents insecure or compromised devices from accessing engineering resources.​ DEEP manages the following:<br>- **Microsoft Intune**: Provides device and application management including remote application deployment and selective device wipe.<br>- **Microsoft Defender Advanced Threat Prevention**: Enterprise class vulnerability management, threat detection and response security solution.<br>- **Tanium**: Works with Cloudflare to ensure posture-based conditional access to the endpoint assets.
-
-<!-- tabs:end -->
-
-## What can SEED do on my device?
-
-
-|SEED can do the following on your device|SEED cannot do the following on your device|
-|---|---|
-|- View the model number, serial number and operating system of the device.<br>- View the names of the applications you have installed.<br>- Identify your device by name.<br>- Reset lost or stolen device to factory setting upon required consent and approval from device owner and manager-in-charge, respectively.|- View the browsing history.<br>-Access your emails, contacts and calendar.<br>- Access your documents.|
-
-
-
-
-
-
-
+# Home
 
+Welcome to the SEED documentation! 
 
+## Popular topics
+|  |  | 
+| --- | --- |
+| [What's new](release-notes)</br></br> Latest features and updates in SEED. | [Onboard to SEED](/onboard-device/seed-prerequisites.md) </br></br> Guide for setting up SEED on your devices. |
+| [Monitor using SEED Dashboard](/seed-dashboard/seed-dashboard-overview.md) </br></br> Learn how to monitor devices using SEED Dashboard. | [View SEED service status](/support/seed-status.md)</br></br> Check current status of SEED services for operational insights.  |
+|  [Raise a service request](/support/raise-service-request.md) </br></br> Instructions for requesting support and managing subscriptions. | 
 

_sidebar.md

@@ -1,24 +1,37 @@
-- **Overview**
-  - [Overview](overview)
-- **What's new**
+- Introduction
+  - [Home](README.md)
+  - [SEED overview](overview)
+- What's new
   - [Release notes](release-notes)
   - [Announcements](announcements)
-- **Getting started**  
-  - [Step 0: Prerequisites](prerequisites-for-onboarding)
-  - [Step 1: Identify persona](identify-seed-onboarding-persona)
-  - [Step 2: Onboard device](onboard-device/onboard-device-to-seed)
-- **After onboarding**    
-  - [Post onboarding instructions](post-onboarding-instructions/post-onboarding-steps-and-verification)
-  - [Device clean-up policy](device-clean-up-policy)
-- **Offboard device**
-  - [Offboard device from SEED](offboard-device/offboard-device-from-seed)
-- **Troubleshoot**
-  - [Known issues and FAQs](faqs/seed-faqs)
-- **Additional resources**  
-  - [SEED additional resources](additional-resources/additional-resources)
-  - [Split tunnel allowlist](additional-resources/split-tunnel-allowlist)
-  - [SEED Dashboard](seed-dashboard/seed-overview.md)
-- **Support**
-  - [Create support request](raise-an-incident-support-request)
-  - [SEED service status](seed-status)
+- Onboard to SEED
+  - [Prerequisites](/onboard-device/seed-prerequisites.md)
+  - [Identify onboarding persona](/onboard-device/identify-onboarding-persona.md)
+  - [Onboard as a public officer](/onboard-device/public-officer)
+  - [Onboard as a vendor](onboard-device/vendor)
+- Post onboarding steps  
+  - [macOS 14 and 13 post onboarding guide](/post-onboarding-instructions/macos-latest.md)
+  - [macOS 12 post onboarding guide](/post-onboarding-instructions/macos.md)
+  - [Windows post onboarding guide](/post-onboarding-instructions/windows.md)
+- Monitor using SEED Dashboard
+  - [SEED Dashboard overview](/seed-dashboard/seed-dashboard-overview.md)
+  - [SEED Dashboard tour](/seed-dashboard/seed-dashboard-tour.md)
+- Offboard from SEED
+  - [macOS offboarding guide](/offboard-device/macos-offboarding-guide.md)
+  - [Windows offboarding guide](/offboard-device/windows-offboarding-guide.md)
+- FAQ
+  - [General FAQ](/faqs/general-faq.md)
+  - [Onboarding FAQ](/faqs/onboarding-faq.md)
+  - [Offboarding FAQ](/faqs/offboarding-faq.md)
+  - [GCC 1.0 connectivity FAQ](/faqs/gcc1-connectivity-faq.md)
+- Support
+  - [Raise a service request](/support/raise-service-request.md)
+  - [Troubleshooting issues](/support/troubleshooting-issues.md)
+  - [Generate diagnostic files](/support/generate-diagnostic-files)
+  - [View SEED service status](/support/seed-status.md)
+- Additional resources 
+  - [Best practices](/additional-resources/best-practices.md)
+  - [Split tunnel allowlisting](additional-resources/split-tunnel-allowlist)
+  - [Terms and policies](additional-resources/terms-and-policies.md)
+  - [Glossary](additional-resources/glossary)
 

additional-resources/best-practices.md

@@ -1,28 +1,27 @@
 # Best practices
-This page summarises and provides a quick reference for most of the general recommendations, best practices and tips covered elsewhere in this document. These come in handy to solve many common problems.
+This section provides a concise summary and quick reference to the general recommendations, best practices, and tips outlined throughout this document. These guidelines are essential for addressing common issues effectively.
 
-### Apple ID and recovery keys
-Make sure that you have linked your Apple ID and have your recovery keys ready before onboarding your macOS device. Based on your device settings, while onboarding, you may be prompted to restart your device a couple of times and reset device password.
+## Apple ID and recovery keys
+Before onboarding your macOS device, ensure that you have associated your Apple ID and have your recovery keys readily available. Depending on your device settings, during onboarding, you may encounter several restarts and may need to reset your device password.
 
-For a smooth onboarding journey, it is important to link your Apple ID to your device. Please have your recovery keys ready in the event of you facing issues with resetting your password or logging in to your device.
+For a seamless onboarding experience, it is crucial to link your Apple ID to your device. Please have your recovery keys at hand in case you encounter any difficulties with password reset or device login.
 
-### Update device OS to the latest version
-SEED uses DEEP monitoring agents to ensure your device is patched to the latest versions to prevent compromise from known operating system vulnerabilities when using our services.
+## Update device OS
+SEED relies on SEED monitoring agents to ensure that your device remains up to date with the latest operating system patches, guarding against known vulnerabilities when using our services.
 
->**Note**
+>**Note**:
 >
->- For more information on the supported OS versions, see [SEED Prerequisites](prerequisites-for-onboarding).
+>- For more information on the supported OS versions, see [SEED Prerequisites](/onboard-device/seed-prerequisites.md).
 >- To turn on software update notifications on your MacBook, see [Apple documentation](https://support.apple.com/en-sg/guide/mac-help/mchlpx1065/mac).
 
-### Keep device free from malware
-SEED uses DEEP monitoring agents to ensure your device is free from malware when using our services. Follow basic cybersecurity hygiene and avoid visiting low-reputation websites that can infect your device with malware. Ensure that Defender is always running and is patched to the latest version.
+### Maintain a malware-free device
+SEED ensures that your device remains free from malware while using our services. Practice fundamental cybersecurity principles, avoid visiting low-reputation websites that may infect your device with malware, and ensure that Defender is always operational and updated to the latest version.
 
 ### Supported browsers
-You can access SEED-protected websites such as CMP or SHIP using the following browsers:
+You can access SEED-protected websites, such as CMP or SHIP using the following browsers:
 
 - Google Chrome
 - Microsoft Edge
 - Mozilla Firefox. If you are using Mozilla Firefox, you need to [configure Firefox to trust the root certificate store of your system](https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox).
 
-> **Important**<br>
-> While you can use Safari to access other websites, you can't access SEED-protected websites using Safari.
+> **Note**: While you can use Safari to access other websites, please note that SEED-protected websites cannot be accessed using Safari.

additional-resources/glossary.md

@@ -1,81 +1,67 @@
 # Glossary
 
-<!--
-Guidelines for anybody adding a new entry to this page.
+This document serves as a glossary guide designed to assist you in navigating our documentation. We have compiled a list of common terms and their definitions, aiming to provide you with clear and concise explanations for the terminology frequently encountered within our documentation.
 
-To add a new word:
- 1. Place it in the alphabetical order.
- 2. Enclose it by
- <a id="word-in-lower-case">
-
- **word**
-
- </a>
-
- 3. Include a line space before and after the word.
- -->
-
-
-**GFE**
+### GFE
 
 Government Furnished Equipment.
 
-**GMD**
+### GMD
 
 Government Managed Device. An Internet Device or a GFE device when enrolled with SEED becomes a Government Managed Device.
 
-**GSIB**
+### GSIB
 
 Government Standard Image Build.
 
 
-**Internet Device**
+### Internet Device
 
 Device which is not a GSIB. This could be your personal device, or a device issued by your vendor or agency.
 
-You must enrol this device with SEED (GovTech's MDM solution) in order to access SGTS resources, products and services that requires SEED.
+You must enrol this device with SEED (GovTech's MDM solution) in order to access SGTS resources, products and services which requires SEED.
+
+### non-SE GSIB
 
-**non-SE GSIB**
+It is a non-Secured Email (SE) GSIB device. This non-SE GSIB device is assigned to public officers and vendors.
 
 If you are using a non-SE GSIB device, every time you log in to your device, you will be prompted to enter your BitLocker PIN. You can access the internet and intranet using this device.
 
-**Note**<br>
-> You can't onboard this device to SEED.
+> **Note**: You cannot onboard this device to SEED.
 
-**SE GSIB**
+### SE GSIB
 
 It is a Secured Email (SE) GSIB device. This GSIB device is assigned to public officers who handle sensitive and secret information.
 
-If you are using a SE GSIB device, you will be using your PS-Card to authenticate. You will not be able to access internet using this SE-GSIB device.
+If you are using a SE GSIB device, you will be using your PS-Card to authenticate. You will not be able to access internet using this SE-SIB device.
 
-**Note**<br>
->- You can't use this device to activate your TechPass account.
->- You can't onboard this device to SEED.
+> **Note**:<br>
+>- You cannot use this device to activate your TechPass account.
+>- You cannot onboard this device to SEED.
 
-**SEED**
+### SEED
 
 Security Suite for Engineering Endpoint Devices. This is the MDM solution offered by GovTech.
 
-**TechPass**
+### TechPass
 
-This is an Identity & Access Management (IAM) and  a single sign-on(SSO) solution to seamlessly access Singapore Government Technology Stack(SGTS) services.
+This is an Identity & Access Management (IAM) and  a single sign-on (SSO) solution to seamlessly access Singapore Government Technology Stack (SGTS) services.
 
 While public officers use their WOG credentials(official email address) to log in to their TechPass, vendors use their TechPass ID.
 
 If you are public officer and want to get a TechPass account, refer to [Create TechPass Account](https://docs.developer.tech.gov.sg/docs/techpass-documentation/#/onboard?id=public-officer)
 
 If you are a vendor, request the engaging agency or ministry to provide you with a TechPass account. For more information, refer to [Vendor onboarding to TechPass](https://docs.developer.tech.gov.sg/docs/techpass-documentation/#/onboard?id=vendor).
 
-**TechPass ID**
+### TechPass ID
 
 This is used to log in to your TechPass account.
 
 - For public officers, it is your WOG ID.
 - For vendors, it is *your_name<span>@</span>techpass.gov.sg*.
 
-**Whole of Government(WOG) ID or account**
+### Whole of Government (WOG) ID or account
 
 WOG ID is the email address belonging to the gov.sg domain. For example, *your_name<span>@</span>tech.gov.sg* or *your_name<span>@</span>mof.gov.sg*.
 
 Public officers who onboard to SEED must have a WOG ID or account. Note WOG ID and official email address are used interchangeably.
-

additional-resources/split-tunnel-allowlist.md

@@ -21,26 +21,21 @@ To evaluate a split tunnel allowlisting request, we need the following from the
 - Acknowledgement from the system’s ACISO or above, that their agency takes the responsibility of allowing concurrent access to the VPN IP and their data stored on GCC 2.0/SGTS applications.
 - Acknowledgement from the system’s ACISO or above that GovTech is not responsible for incidents to the requesting agency’s data or systems on GCC 2.0/SGTS applications that may occur as a result of allowing the split tunnel request.
 
-## Request for split tunnel allowlisting
+### Request for split tunnel allowlisting
 
-> **Important**: To reduce or prevent harmful security attacks, we strongly encourage agencies to avoid requesting for split tunnel allowlisting.
+To reduce or prevent harmful security attacks, we strongly encourage agencies to avoid requesting for split tunnel allowlisting.
 
 
-- [Create a support request to request](https://go.gov.sg/seed-techpass-support) to add the required VPN to the allowlist.
+- [Raise a service request](https://go.gov.sg/seed-techpass-support) to add the required VPN to the allowlist.
 
 - We will assess your split tunnel allowlisting requests on a case-by-case basis to ensure that the request does not compromise the security of GCC 2.0 or any SGTS applications.
 
 - As part of our security review process, we will periodically review the allowed split tunnel entries to check if they are still necessary.
 
-- To know more about, how the WARP client handles your DNS requests, see [Cloudflare Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests).
+- To know more about how the WARP client handles your DNS requests, see [Cloudflare documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests).
 
-> **Note**:<br>
->- We will review the allowed split tunnel entries by **October 2023** to decide whether to retain the allowlisting or not.
->
-> **Pilot projects for tools and applications behind Cloudflare Zero Trust**
->
->- We welcome pilot projects to put their project system management tools and applications behind Cloudflare Zero Trust. For more information, contact *[email protected]*.
 
->
->
->- We strongly encourage GCC 2.0 tenants to use CSP native remote administrative tools to perform remote administration or access their databases instead of using their internet devices to connect directly to workloads or databases through Project VPNs.
+### Pilot projects for tools and applications behind Cloudflare Zero Trust
+We welcome pilot projects to put their project system management tools and applications behind Cloudflare Zero Trust. For more information, contact *[email protected]*.
+
+We strongly encourage GCC 2.0 tenants to use CSP native remote administrative tools to perform remote administration or access their databases instead of using their internet devices to connect directly to workloads or databases through Project VPNs.

additional-resources/terms-and-policies.md

@@ -1,5 +1,5 @@
 # Terms and policies
-Below are links to latest Terms of Use (TOU) and Privacy Policy for SEED users and Acceptable Use Policy(AUP) for mobile device management(MDM).
+Below are links to latest Terms of Use (TOU) and Privacy Policy for SEED users and Acceptable Use Policy(AUP) for mobile device management (MDM).
 
 [Download Terms of Use](additional-resources/terms-of-use.pdf ':target=_blank')