Configure tenant settings

This topic provides a quick reference for available settings to customize your tenant's branding and behavior.

Configure these settings on the Settings page of the Identity Administration portal. Review these settings before deploying CyberArk Identity. Some of them might be necessary to support certain mobile devices (for example, the Apple Push Notification Service certificate for iOS devices).

Modifying a setting requires specific administrative rights. To learn more about the roles and rights required to make these changes see Admin Portal administrative rights.

Setting Description Required role or administrative right

Account Customization

Customize the user portal and the Identity Administration portal login prompts and email messages to incorporate your organizations brand and logos. See Customize portal and login windows.

System Administrator role

ActiveSync Device Quarantining

Configure CyberArk Identity to block email access for devices that are not enrolled .

See How to quarantine email.

Device Management rights or System Administrator role

Android Management

Android Management specific settings, such as domain mapping. See Set up Android Management.

Device Management rights

APNS Certificate

Get or renew an Apple Push Notification Service (APNS) certificate so users can enroll iOS- and OS X-based devices. See How to generate an APNS certificate.


  • You must upload an APNS certificate to the Identity Administration portal before users can enroll these devices.
  • If the certificate expires, users cannot enroll devices and enrolled iOS devices have service restrictions.

Device Management rights or System Administrator role

Apple Configurator

Install a base security policy on iOS devices to pre-configure the mobile device manager and simplify device enrollment.

See Using Apple Configurator to mass deploy iOS devices.

Device Management rights or System Administrator role

Apple DEP Configuration

Add your CyberArk Identity account as an MDM server in the Apple Device Enrollment Program, upload token, and set the initial enrollment profile.

See Linking to the Apple Device Enrollment Program.

System Administrator role

Authentication Profiles

Define the required authentication mechanisms such as password, email confirmation code, mobile authenticator, etc. You use the authentication profile when you create your authentication rule.

See Create authentication profiles.

System Administrator role

Identity Administration portal

Display the list of CyberArk Identity Connectors, configure Integrated Windows Authentication settings, and add or delete a CyberArk Identity Connector.

See Install the CyberArk Identity Connector.

System Administrator role to modify all settings

Register Connectors permission to add a connector

Secure Zones

Specify the public IP addresses you want to include within the corporate intranet. CyberArk Identity uses these addresses for Integrated Windows Authentication and application multifactor authentication.

See Define Secure Zones.

System Administrator role

Corporate-owned Devices

Import serial numbers of enrolled devices to convert the ownership attribute from Personal Owned to Corporate Owned.

See How to tag devices as corporate-owned.

System Administrator role

Endpoint Management Settings

Select either Active Directory group policy or the CyberArk Cloud Directory policy service as the source for mobile device policies.

If you use the CyberArk Cloud Directory policy service you also use this tab to select the default Active Directory certificate service or CyberArk Identity CA to generate user certificates.

See How to select the policy service for device management.

System Administrator role

Directory Services

Add LDAP or Google as your directory service and view existing configured directory services.

See Add users from an external directory service.

System Administrator role

External Users

Allow your customers to use their social media credentials for single sign-on access to applications.

See Manage social login users.

System Administrator role

Idle User Session Timeout

Enable a timeout and set the time period to log out inactive users from the Identity Administration portal and CyberArk Identity user portal.

See Configure idle session timeout .

System Administrator role

Login suffix

Create a list of the login suffixes (the name that follows @ in the full user name) that users enter to log in to the Identity Administration portal and CyberArk Identity user portal and enroll devices. Users that do not have a login suffix in this list cannot log in to the portals or enroll a device.

See Manage login suffixes.

System Administrator role

OATH Tokens

You can authenticate CyberArk Identity using your existing third-party OATH tokens (for example, those generated by a YubiKey) by bulk uploading those tokens. CyberArk Identity uses those tokens to generate one-time passcodes (OTP) that users with enrolled devices can immediately use to log in to the Identity User Portal.

See Enable OATH OTP.

System Administrator role

External Identity Providers

Allows you to add business partners so that you can share your CyberArk Identity with your partners. Partner federation is achieved through SAML, where your tenant serves as the host (the Service Provider in SAML terms), and your business partners access the tenant and its associated resources by passing a SAML token obtained from their Identity Provider (IDP).

See Set up external identity providers.

System Administrator role


Run application user provisioning synchronization, configure the provisioning report options, and specify daily synchronizations.

See Outbound provisioning for more details.

System Administrator role

RADIUS Connections

Allows you to configure your RADIUS clients/servers. You can use the CyberArk Identity Connector as a RADIUS server for clients that support RADIUS authentication, such as VPNs. Additionally, you can configure RADIUS server settings to allow third-party RADIUS authentication.

See Configure CyberArk Identity for RADIUS.

System Administrator role

Security Settings

Define security related settings such as securely capture users' passwords at login or enabling forgotten username self-service.

See Authentication security options for more information.


System Configuration

To configure a custom SMTP server to for outgoing mail service such as MFA challenges and self-service features. You can also choose to connect to the custom SMTP server using the CyberArk Identity Connector.


Tenant URLs

Create a URL or custom domain that is specific to your company so your users can easily remember CyberArk Identity URL. Newly created URLs may take a few minutes to propagate.

If you have users using FIDO2 authenticator(s), those users will need to log in with the new URL and re-activate their keys. See FIDO2 authenticators and new tenant URLs for more information.

URL requirements:

  • Always begin with an alphabet
  • Maximum of 63 characters
  • Can only contain alphabets, numbers, and dashes (-)

For information on creating a custom domain to access CyberArk Identity and set it as the preferred tenant URL, see Customize tenant URLs.

System Administrator role

In this section: