Manage organization settings
In Arculix, the Organization Settings section contains all the administration details for your tenant.
By default, Arculix is a multi-tenant cloud web application. Each virtual tenant is called an Organization. Organizations do not share anything with each other, and a user can belong to more than one organization.
The most important piece of data that distinguishes organizations is the email domain. Each organization is assigned one or more email domains. There is no limit on the number of domains, but they cannot be public (like gmail.com) or shared with other organizations.
During enrollment, Arculix automatically assigns users to the corresponding organization based on their email domain.
For example, if the ACME organization is assigned acme1.com and a user with an email address of name@acme1.com enrolls with Arculix, that user account is automatically assigned to the ACME organization.
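The domain rules above can be modeled as follows. This is an added illustration, not Arculix code: the class and function names, the sample public-domain list, and the second ACME domain are hypothetical, and exact (non-suffix) domain matching is an assumption the page does not state.

```python
# Added illustration of the domain rules; not Arculix code. All names are hypothetical.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed sample list


def normalize(domain):
    # Compare domains case-insensitively and ignore a trailing root dot.
    return domain.strip().lower().rstrip(".")


class DomainRegistry:
    def __init__(self):
        self.owner = {}  # email domain -> organization name

    def assign_domain(self, org, domain):
        domain = normalize(domain)
        if domain in PUBLIC_DOMAINS:
            raise ValueError(f"{domain} is a public email domain")
        if self.owner.get(domain, org) != org:
            raise ValueError(f"{domain} already belongs to another organization")
        self.owner[domain] = org

    def organization_for(self, email):
        """Return the organization an enrolling address maps to, or None."""
        local, sep, domain = email.strip().rpartition("@")
        if not (local and sep and domain):
            raise ValueError("not an email address")
        # Exact match only (assumption): look-alike or subdomain addresses do not match.
        return self.owner.get(normalize(domain))


def build_sample_registry():
    reg = DomainRegistry()
    reg.assign_domain("ACME", "acme1.com")
    reg.assign_domain("ACME", "acme2.com")  # constructed second domain
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for addr in ("name@acme1.com", "name@ACME1.com", "name@acme1.com.example.net"):
        print(addr, "->", reg.organization_for(addr))
```

Matching on the full domain rather than a suffix or substring keeps an address such as name@acme1.com.example.net from being enrolled into the ACME tenant.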
General tab
The General tab contains information about your tenant, domains, and administrators. Add or remove administrators for your tenant.
View or set the following configurations.
Organization Name | Name of your organization for this tenant. |
Domains | Domains associated with your organization in this tenant. Users who enroll with an associated email domain will be automatically assigned to your organization. |
Administrators | Administrators for your organization in this tenant. User accounts must have the appropriate permissions to manage the organization settings for this tenant. |
Configuration | Typically, the server sends a push notification to the user's mobile device when an MFA request is automatically approved due to a policy. To prevent the server from sending that push notification, select the Skip notification for auto-approved transactions check box. |
Workstation tab
In the Workstation tab, manage authentication methods for workstations that have Arculix Device Trust installed.
View or set the following configurations.
Enable/Disable information system logging in addition to warnings and errors | To help with troubleshooting, you can select this check box to enable the logs for Event Viewer (Windows) or Syslog (macOS) for a local or remote machine. |
Default timeout for workstation Email MFA (in+seconds) | For email MFA to Arculix Device Trust, set how long the passcode sent to the end user's email is valid before it expires (in seconds). For example, |
Automatic notification type to send when logging into workstation | Define how to send workstation login notifications to end users in your organization. Selection options:
|
Enable/Disable the remote (RDP) use of the password as a factor | Select this check box to require password login for remote (RDP) logins to the workstation. |
When enabled, the authorization DB will be monitored | Select this check box to allow Device Trust to listen for any authorization database changes. If any changes occur, then it will reapply the MFA plugin. |
The number of minutes before publishing the heartbeat. 0 means disabled | Select this check box to publish data about devices to Arculix. |
Enable/Disable the use of smart card authentication for workstation logins | Select this check box to allow the use of a smart card for workstation logins. When enabled, it displays as "Register Badge" on the Arculix Device Trust screen. To learn more, see RFID badge in the Arculix Device Trust end user guide. |
Enable/Disable use of face authentication | Select this check box to allow end users to authenticate to their workstation using facial recognition. To learn more, see Biometric - Windows Hello. |
When enabled, login will use certificate authentication | Selecting this check box indicates the following:
|
Enable/Disable use of fingerprint key authentication | Select this check box to allow end users to authenticate to their workstation using a fingerprint reader. To learn more, see Biometric - Windows Hello. |
macOS Only - When enabled, MFA will be required on the lock screen. (Default means if you have touch ID it will be Touch ID, else will be MFA) | Set the login method for end users on the lock screen of macOS workstations. Selection options:
|
Timeout in seconds before locking after loss of internet | Set the time in seconds after losing an internet connection before it locks the workstation. This forces users to log in with an offline method or after they reestablish their internet connection. |
When enabled, offline events will be captured and sent | Select this check box to capture and send offline events to the logs. |
Enable/Disable system logging | Select this check box to send logs to Event Viewer (Windows) or Syslog (macOS). |
Allow user to login into workstation with password. | Select this check box to allow end users to log in to their workstation with a password. To learn more, see Password. |
Enable/Disable file logging | Select this check box to send logs to the log files under /Library/Logs/Arculix. |
macOS only- When enabled, MFA will be required after FileVault boot | Select this check box to require login authentication on a macOS workstation with FileVault encryption at boot up. |
Show enable passwordless option for workstation login to user | Select this check box to show the Go Passwordless option to end users for passwordless logins to their workstation. To learn more, see Enabling passwordless. |
Allow login to workstation with non-Arculix login providers | Select the check box to allow end users to authenticate their workstation logins through an external third-party credential provider. |
Allow passwordless login to workstation | Select this check box to automatically allow end users passwordless logins to their workstation. Use case: End users can use passwordless logins, depending on policy settings like push to mobile or offline codes (TOTP). |
When enabled, QR login will be used instead of push | Select this check box to show a QR code on the Arculix Device Trust screen to end users for workstation logins. To learn more, see QR code over Bluetooth. |
Enable/Disable the use of external TOTP authenticators | Select this check box to allow end users to authenticate their workstation logins with a TOTP code from an external third-party authenticator. |
Enable/Disable the use of TOTP as a factor | Select this check box to allow users to use offline codes (TOTP) for workstation logins. To learn more, see TOTP. |
When enabled, QR, biometric and password are required to login | Select this check box to require end users to scan a QR code, enter a password, and provide a biometric factor for workstation logins. In addition to this check box, you must also select the check box for When enabled, QR login will be used instead of push. Use case: End users use Arculix Mobile to scan the QR code on the workstation screen, enter their password, and provide a biometric factor (like Windows Hello face or fingerprint). |
The number of days after no login activity before requiring step up authentication. 0 to disable | Select this check box to require end users to provide some form of authentication after no login activity on their workstation for x number of days. Use case: Regardless of continuous authentication or acceptable LOA scores for automatic logins, end users must reauthenticate their workstation login after a set period of time. |
The number of minutes before updating settings. Range 1-5 | Set the number of minutes after saving your changes to push out these configuration updates to your organization. |
Arculix Mobile Application tab
In the Arculix Mobile Application tab, manage certain features of the Arculix Mobile app for your organization.
View or set the following configurations.
Show App Lock (Passcode) Menu on Settings | Select this check box to show the App Lock feature in the Arculix Mobile app under Settings. Use case: Display the App Lock setting in the Arculix Mobile app. With this setting, end users can set up an app passcode or biometric MFA for login requests. |
User should use Passcode or Biometric to approve the MFA request | Select this check box if your end users must provide a passcode or biometric MFA in the Arculix Mobile app to approve the login request. Use case: This setting requires end users to go to the Settings in the Arculix Mobile app and turn on the App Lock feature to set up a passcode. Prerequisite: You must have this setting enabled: |
Force the user to authenticate with Biometric/Passcode before showing the TOTP codes on the mobile app | Select this check box to require end users to use a passcode or biometric MFA to unlock and view offline codes (TOTP) in the Arculix Mobile app. Use case: Provides an added layer of security for accessing offline codes in the Arculix Mobile app. Prerequisite: You must have this setting enabled: |
Force the user to setup 8-digit Passcode, instead of 4-digit | Requires Arculix Mobile app version 5.0.5 or later. Select this check box if your end users must set up an 8-digit PIN in the Arculix Mobile app. Use case: This setting requires end users to go to the Settings in the Arculix Mobile app and turn on the App Lock feature. Users must then set up an 8-digit passcode. Prerequisite: You must have this setting enabled: |
Enable Workstation pairing on Arculix Mobile app | Select this check box to allow end users to pair their workstation with the Arculix Mobile app. Use case: Setting works in conjunction with Arculix Device Trust for MFA on workstation logins. |
Automatically open on the workstation screen | Select this check box to automatically open the Workstations page in the Arculix Mobile app instead of the Dashboard view. Use case: The Arculix Mobile app automatically opens on the Workstations page. |
Requires mobile devices to have a hardware security module to pair and use Arculix Mobile | Select this check box to perform a hardware security module (HSM) check and prevent pairing of rooted and jailbroken devices. Use case: Prevents pairing of rooted or jailbroken devices with Arculix Mobile. |
Show/Hide FIDO Tab on Arculix Mobile App | Select this check box to show the FIDO tab in the Arculix Mobile app under Settings. Use case: Display the FIDO tab in the Arculix Mobile app. With this setting, end users can use FIDO MFA. |
Let's the app know that Dashboard should be refreshed every X seconds | This setting relates to refreshing data for pending transactions on the Dashboard in the Arculix Mobile app. This setting is for organizations who do not want to use push notifications. The default setting of Otherwise, set the number of seconds to refresh the Dashboard in the Arculix Mobile app for pending transactions. Use case: If you do not use push notifications, this refreshes the Dashboard in the Arculix Mobile app for pending MFA transactions. |
User Profile tab
In the User Profile tab, manage the user onboarding experience for your organization.
View or set the following configurations.
Require knowledge based question and answer setup during user onboarding | This relates to the display of the security question field in the user profile in the Arculix Mobile app. Selection options:
Use case: Show, hide, or require use of the security question field (KBQ/KBA) in the Arculix Mobile app. |
Require secondary email setup during user onboarding | This relates to the ability to add another email address in the user profile in the Arculix Mobile app. Selection options:
Use case: Show, hide, or require end users to add another email in the Arculix Mobile app. |
Require mobile phone number during user onboarding | This relates to the display of the phone number field in the user profile in the Arculix Mobile app. Selection options:
Use case: Show, hide, or require use of the phone number field in the Arculix Mobile app. |
SSO tab
In the SSO tab, manage the SSO experience for end users in your organization.
View or set the following configurations.
Automatic notification type to send during SSO authentication | Define how to send SSO login notifications to end users in your organization. Selection options:
Use case: Define how your end users will receive notifications to authenticate their SSO logins to applications. |
User verification requirement for WebAuthn | Define how your end users will use FIDO2 WebAuthn-compliant authenticators like security keys or built-in biometrics on devices. This relates to registered devices in the WebAuthn Credentials section in Arculix Core for any user account. Selection options:
Use case: If allowed or required, end users must register a FIDO2 WebAuthn authenticator like a security key or a device with built-in biometrics. |
Show the WebAuthn button on the waiting for push screen on Cloud Idp | Select this check box to display a WebAuthn button in a push notification for authentication to SSO logins. |