
Manage organization settings

In Arculix, the Organization Settings section contains all the administration details for your tenant.


Arculix is, by default, a multi-tenant cloud web application. Each virtual tenant is called an Organization. Organizations do not share anything with each other, and a user can belong to more than one organization.

The most important piece of data that distinguishes organizations is the email domain. Each organization is assigned one or more email domains. There is no limitation to the number of domains, but they cannot be public (like gmail.com) or shared with other organizations.

During enrollment, Arculix automatically assigns users to the corresponding organization based on their email domain.

For example, if the ACME organization is assigned acme1.com and a user with an email address of name@acme1.com enrolls with Arculix, that user account is automatically assigned to the ACME organization.
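The domain rules above (no public domains, no domain shared between organizations, enrollment routed by email domain) can be modeled as follows. This is an added illustration, not Arculix code: the class, function, and list names are hypothetical, and the exact-match behavior for subdomains is an assumption.

```python
# Added illustration; not Arculix code. All names here are hypothetical.
PUBLIC_DOMAINS = frozenset({"gmail.com", "outlook.com", "yahoo.com"})  # constructed sample


class DomainError(ValueError):
    """Raised when a domain cannot be assigned to an organization."""


def normalize_domain(domain: str) -> str:
    # DNS names are case-insensitive, and a trailing dot names the same domain.
    d = domain.strip().rstrip(".").lower()
    if not d or "@" in d or "." not in d:
        raise DomainError(f"not a usable email domain: {domain!r}")
    return d


class TenantDirectory:
    def __init__(self):
        self._owner = {}  # normalized domain -> organization name

    def assign_domain(self, org: str, domain: str) -> None:
        d = normalize_domain(domain)
        if d in PUBLIC_DOMAINS:
            raise DomainError(f"{d} is a public domain")
        owner = self._owner.get(d)
        if owner is not None and owner != org:
            raise DomainError(f"{d} already belongs to {owner}")
        self._owner[d] = org

    def organization_for(self, email: str):
        # Assumption: exact match on the part after the last "@", with no
        # subdomain fallback, so mail.acme1.com is not treated as acme1.com.
        local, sep, domain = email.rpartition("@")
        if not sep or not local:
            return None
        try:
            return self._owner.get(normalize_domain(domain))
        except DomainError:
            return None


def demo():
    directory = TenantDirectory()
    directory.assign_domain("ACME", "acme1.com")
    directory.assign_domain("ACME", "acme2.com")  # several domains per organization
    return directory
```

Normalizing before both assignment and lookup is what keeps a second organization from claiming ACME1.com. as a "different" domain.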

General tab

The General tab contains information about your tenant, domains, and administrators. Add or remove administrators for your tenant.


View or set the following configurations.

Organization Name

Name of your organization for this tenant.

Domains

Domains associated with your organization in this tenant.

Users who enroll with an associated email domain will be automatically assigned to your organization.

Administrators

Administrators for your organization in this tenant.

User accounts must have the appropriate permissions to manage the organization settings for this tenant.

Configuration

Typically, the server sends a push notification to the user's mobile device when an MFA request is automatically approved due to a policy.

To prevent the server from sending that push notification, select the Skip notification for auto-approved transactions check box.

Workstation tab

In the Workstation tab, manage authentication methods for workstations that have Arculix Device Trust installed.


View or set the following configurations.

Enable/Disable information system logging in addition to warnings and errors

To help with troubleshooting, you can select this check box to enable the logs for Event Viewer (Windows) or Syslog (macOS) for a local or remote machine.

Default timeout for workstation Email MFA (in seconds)

For email MFA to Arculix Device Trust, set how long the passcode sent to the end user's email is valid before it expires (in seconds).

For example, 180 means the user has 3 minutes to enter the code from their email on the Device Trust screen before it expires.

Automatic notification type to send when logging into workstation

Define how to send workstation login notifications to end users in your organization.

Selection options:

  • none – End user must click the Push to Mobile button on the Device Trust screen to send a push notification to the Arculix Mobile app. End user then approves the login request in the mobile app. See Push notification.

  • push – Automatically send a push notification in the Arculix Mobile app. End user then approves the login request in the mobile app. See Push notification.

  • symbol_push – Automatically send a symbol push notification on the Device Trust screen. End user must tap the matching symbol in the Arculix Mobile app. See Symbol Push.

Enable/Disable the remote (RDP) use of the password as a factor

Select this check box to require password login for remote (RDP) logins to the workstation.

When enabled, the authorization DB will be monitored

Select this check box to allow Device Trust to listen for any authorization database changes. If any changes occur, then it will reapply the MFA plugin.

The number of minutes before publishing the heartbeat. 0 means disabled

Select this check box to publish data about devices to Arculix.

Enable/Disable the use of smart card authentication for workstation logins

Select this check box to allow the use of a smart card for workstation logins.

When enabled, it displays as "Register Badge" on the Arculix Device Trust screen.

To learn more, see RFID badge in the Arculix Device Trust end user guide.

Enable/Disable use of face authentication

Select this check box to allow end users to authenticate to their workstation using facial recognition.

To learn more, see Biometric - Windows Hello.

When enabled, login will use certificate authentication

Selecting this check box indicates the following:

  • Enables true passwordless authentication in a domain environment using certificates.

  • Device Trust no longer relies on passwords to log in end users after they complete MFA.

  • Does not affect users with expired passwords.

Enable/Disable use of fingerprint key authentication

Select this check box to allow end users to authenticate to their workstation using a fingerprint reader.

To learn more, see Biometric - Windows Hello.

macOS Only - When enabled, MFA will be required on the lock screen. (Default means if you have touch ID it will be Touch ID, else will be MFA)

Set the login method for end users on the lock screen of macOS workstations.

Selection options:

  • default – If Touch ID is set up on the macOS workstation, end user must log in with Touch ID. Otherwise, it defaults to another form of MFA through Arculix.

  • true – Require a form of MFA through Arculix for the macOS workstation login.

  • false – Do not require a form of MFA through Arculix for the macOS workstation login.

Timeout in seconds before locking after loss of internet

Set the time in seconds after losing an internet connection before it locks the workstation. This forces users to log in with an offline method or after they reestablish their internet connection.

When enabled, offline events will be captured and sent

Select this check box to capture and send offline events to the logs.

Enable/Disable system logging

Select this check box to send logs to Event Viewer (Windows) or Syslog (macOS).

Allow user to login into workstation with password.

Select this check box to allow end users to log in to their workstation with a password.

To learn more, see Password.

Enable/Disable file logging

Select this check box to send logs to the log files under /Library/Logs/Arculix.

macOS only- When enabled, MFA will be required after FileVault boot

Select this check box to require login authentication on a macOS workstation with FileVault encryption at boot up.

Show enable passwordless option for workstation login to user

Select this check box to show the Go Passwordless option to end users for passwordless logins to their workstation.

To learn more, see Enabling passwordless.

Allow login to workstation with non-Arculix login providers

Select the check box to allow end users to authenticate their workstation logins through an external third-party credential provider.

Allow passwordless login to workstation

Select this check box to automatically allow end users passwordless logins to their workstation.

Use case: End users can use passwordless logins, depending on policy settings like push to mobile or offline codes (TOTP).

When enabled, QR login will be used instead of push

Select this check box to show a QR code on the Arculix Device Trust screen to end users for workstation logins.

To learn more, see QR code over Bluetooth.

Enable/Disable the use of external TOTP authenticators

Select this check box to allow end users to authenticate their workstation logins with a TOTP code from an external third-party authenticator.

Enable/Disable the use of TOTP as a factor

Select this check box to allow users the ability to use offline codes (TOTP) for workstation logins.

To learn more, see TOTP.

When enabled, QR, biometric and password are required to login

Select this check box to require end users to scan a QR code, enter a password, and provide a biometric factor for workstation logins.

In addition to this check box, you must also select the check box for When enabled, QR login will be used instead of push.

Use case: End users use Arculix Mobile to scan the QR code on the workstation screen, enter their password, and provide a biometric factor (like Windows Hello face or fingerprint).

The number of days after no login activity before requiring step up authentication. 0 to disable

Select this check box to require end users to provide some form of authentication after no login activity on their workstation for x number of days.

Use case: Regardless of continuous authentication or acceptable LOA scores for automatic logins, end users must reauthenticate their workstation login after a set period of time.

The number of minutes before updating settings. Range 1-5

Set the number of minutes after saving your changes to push out these configuration updates to your organization.

Arculix Mobile Application tab

In the Arculix Mobile Application tab, manage certain features of the Arculix Mobile app for your organization.


View or set the following configurations.

Show App Lock (Passcode) Menu on Settings

Select this check box to show the App Lock feature in the Arculix Mobile app under Settings.

Use case: Display the App Lock setting in the Arculix Mobile app. With this setting, end users can set up an app passcode or biometric MFA for login requests.

User should use Passcode or Biometric to approve the MFA request

Select this check box if your end users must provide a passcode or biometric MFA in the Arculix Mobile app to approve the login request.

Use case: This setting requires end users to go to the Settings in the Arculix Mobile app and turn on the App Lock feature to set up a passcode.

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

Force the user to authenticate with Biometric/Passcode before showing the TOTP codes on the mobile app

Select this check box to require end users to use a passcode or biometric MFA to unlock and view offline codes (TOTP) in the Arculix Mobile app.

Use case: Provides an added layer of security for accessing offline codes in the Arculix Mobile app.

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

Force the user to setup 8-digit Passcode, instead of 4-digit

Requires Arculix Mobile app version 5.0.5 or later

Select this check box if your end users must set up an 8-digit PIN in the Arculix Mobile app.

Use case: This setting requires end users to go to the Settings in the Arculix Mobile app and turn on the App Lock feature. Users must then set up an 8-digit passcode.

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

Enable Workstation pairing on Arculix Mobile app

Select this check box to allow end users to pair their workstation with the Arculix Mobile app.

Use case: Setting works in conjunction with Arculix Device Trust for MFA on workstation logins.

Automatically open on the workstation screen

Select this check box to automatically open the Workstations page in the Arculix Mobile app instead of the Dashboard view.

Use case: The Arculix Mobile app automatically opens on the Workstations page.

Requires mobile devices to have a hardware security module to pair and use Arculix Mobile

Select this check box to perform a hardware security module (HSM) check and prevent pairing of rooted and jailbroken devices.

Use case: Prevents pairing of rooted or jailbroken devices with Arculix Mobile.

Show/Hide FIDO Tab on Arculix Mobile App

Select this check box to show the FIDO tab in the Arculix Mobile app under Settings.

Use case: Display the FIDO tab in the Arculix Mobile app. With this setting, end users can use FIDO MFA.

Let's the app know that Dashboard should be refreshed every X seconds

This setting relates to refreshing data for pending transactions on the Dashboard in the Arculix Mobile app. This setting is for organizations who do not want to use push notifications.

The default setting of -1 indicates no polling.

Otherwise, set the number of seconds to refresh the Dashboard in the Arculix Mobile app for pending transactions.

Use case: If you do not use push notifications, this refreshes the Dashboard in the Arculix Mobile app for pending MFA transactions.

User Profile tab

In the User Profile tab, manage the user onboarding experience for your organization.


View or set the following configurations.

Require knowledge based question and answer setup during user onboarding

This relates to the display of the security question field in the user profile in the Arculix Mobile app.

Selection options:

  • mandatory – Require your end users to add a security question and answer during onboarding.

  • optional – End users can optionally add a security question and answer during onboarding. Or, they can add this at any time in their user profile.

  • hidden – Do not display the Security Question field in the user profile in the Arculix Mobile app.

Use case: Show, hide, or require use of the security question field (KBQ/KBA) in the Arculix Mobile app.

Require secondary email setup during user onboarding

This relates to the ability to add another email address in the user profile in the Arculix Mobile app.

Selection options are:

  • mandatory – Require your end users to add another email address to their user profile during onboarding.

  • optional – End users can optionally add another email address to their user profile during onboarding. Or, they can add another email at any time in their user profile.

  • hidden – Do not display the option to add another email address to the user profile in the Arculix Mobile app.

Use case: Show, hide, or require end users to add another email in the Arculix Mobile app.

Require mobile phone number during user onboarding

This relates to the display of the phone number field in the user profile in the Arculix Mobile app.

Selection options:

  • mandatory – Require your end users to enter a mobile phone number during onboarding.

  • optional – End users can optionally add a mobile phone number during onboarding. Or, they can add a phone number at any time in their user profile.

  • hidden – Do not display the Phone number field in the user profile in the Arculix Mobile app.

Use case: Show, hide, or require use of the phone number field in the Arculix Mobile app.

SSO tab

In the SSO tab, manage the SSO experience for end users in your organization.


View or set the following configurations.

Automatic notification type to send during SSO authentication

Define how to send SSO login notifications to end users in your organization.

Selection options:

  • none – Do not send a notification to the Arculix Mobile app. Instead, it will show a list of MFA methods to the end user on a Select your Authenticator page.

  • push – Automatically send a push notification to the end user in the Arculix Mobile app. See Push notification.

  • symbol_push – Automatically send a symbol push notification to the end user. User must tap the symbol in the Arculix Mobile app that matches what they see on the application page. See Symbol Push.

  • sms – Automatically send a passcode by SMS to the end user's mobile device.

  • email – Automatically send a passcode to the end user's email.

Use case: Define how your end users will receive notifications to authenticate their SSO logins to applications.

User verification requirement for WebAuthn

Define how your end users will use FIDO2 WebAuthn-compliant authenticators like security keys or built-in biometrics on devices.

This relates to registered devices in the WebAuthn Credentials section in Arculix Core for any user account.

Selection options:

  • discouraged – Discourage FIDO2 WebAuthn-compliant security keys and devices as authenticators. If users have a registered WebAuthn Credential, other authenticators will take priority for SSO logins.

  • preferred – Allow and encourage the use of registered WebAuthn credentials for authentication in SSO logins.

  • required – Require the use of WebAuthn-compliant security keys or built-in biometrics on devices for authentication in SSO logins.

Use case: If allowed or required, end users must register a FIDO2 WebAuthn authenticator like a security key or a device with built-in biometrics.

Show the WebAuthn button on the waiting for push screen on Cloud Idp

Select this check box to display a WebAuthn button in a push notification for authentication to SSO logins.