apoctl provides the following main commands:
  • api to interact with the Microsegmentation Console API
  • appcred to manage app credentials
  • auth to deal with authentication tokens
  • configure for quick set up
  • enforcer to obtain enforcer debugging information
  • oam to debug connectivity issues
  • profiles to manage multiple profiles
  • protect to deploy enforcers to hosts
  • reports to generate compliance reports
  • stats to retrieve statistical data
  • unprotect to uninstall enforcers from hosts
Here are the main global flags you can set:
  • --api or -A: defines the URL of the Microsegmentation Console API. You can get the URL of the microsegmentation console API by clicking on the key in the bottom bar of the console. This will open up a new window, and you can see the api URL at the bottom.
  • --namespace or -n: defines the namespace you want to target
  • --token or -t: defines the token to use to authenticate. The token is created based on the namespace you selected, and you can get the token from the microsegmentation console by clicking on the key in the bottom bar of the console, and in the pop up window at the bottom you can see the token.
  • --config: defines the path to a configuration profile to use
  • --log-level: defines the level of logging. The different log levels are info, debug, trace (default "info")
In general, every flag can be also set from an environment variable. You can easily guess the environment variable by
  • upper casing the flag name
  • replace all - by _
  • prefixing it by APOCTL
For instance, the variable used to set the above flags are:
The resolution order is as follows from low to high priority:
  1. built-in default value
  2. value set in a configuration profile
  3. value set the environment variables
  4. value set using the flags.


apoctl supports autocompletion on bash and zsh. It will autocomplete commands, API resources, attributes, and more.
To take advantages of this feature, you must add a command in your shell configuration.
For Bash:
echo "source <(apoctl completion bash)" >> ~/.bashrc
For ZSH:
echo "source <(apoctl completion zsh)" >> ~/.zshrc
On CentOS, you may need to install the bash-completion package which is not installed by default.
sudo yum install bash-completion -y
On macOS, you may need to install the bash-completion package which is not installed by default.
  • If running Bash 3.2 included with macOS:
    brew install bash-completion
  • If running Bash 4.1+:
    brew install bash-completion@2


apoctl supports multiple configuration profiles that can be placed in ~/.apoctl.
A profile is a simple YAML file setting default values for any flags of apoctl. The most useful one is to set up your default namespace as well as an app credential to use.
All values defined in the profile, can be overridden by an environment variable or by setting the flag when you call apoctl.
The default profile is ~/.apoctl/default.yaml. If it doesn’t exists, apoctl will use its built-in default values.
To select a profile, use the flag --config, set the environment variable $APOCTL_CONFIG_NAME, or use apoctl profiles command.
For instance, you can create ~/.apoctl/my-profile.yaml and tell apoctl to use it by running:
export APOCTL_CONFIG_NAME=my-profile
apoctl profile use my-profile
In any case, to verify which profile is used, you can run apoctl profiles.
Note that the value of the variable must omit the extension.
Profile example:
$ cat ~/.apoctl/default.yaml api: namespace: /acme creds: ~/.apoctl/default.creds output: yaml

Recommended For You