Configure tenant settings
This topic provides a quick reference for available settings to customize your tenant's branding and behavior.
Configure these settings on the Settings page of the Identity Administration portal. Review these settings before deploying CyberArk Identity. Some of them might be necessary to support certain mobile devices (for example, the Apple Push Notification Service certificate for iOS devices).
Modifying a setting requires specific administrative rights. To learn more about the roles and rights required to make these changes, see Admin Portal administrative rights.
Setting | Description | Required role or administrative right |
Account Customization |
Customize the user portal and the Identity Administration portal login prompts and email messages to incorporate your organization's brand and logos. See Customize portal and login windows. |
System Administrator role |
ActiveSync Device Quarantining |
Configure CyberArk Identity to block email access for devices that are not enrolled. |
Device Management rights or System Administrator role |
Android Management |
Android Management specific settings, such as domain mapping. |
Device Management rights |
APNS Certificate |
Get or renew an Apple Push Notification Service (APNS) certificate so users can enroll iOS- and OS X-based devices. See How to generate an APNS certificate. Notes:
|
Device Management rights or System Administrator role |
Apple Configurator |
Install a base security policy on iOS devices to pre-configure the mobile device manager and simplify device enrollment. |
Device Management rights or System Administrator role |
Apple DEP Configuration |
Add your CyberArk Identity account as an MDM server in the Apple Device Enrollment Program, upload the token, and set the initial enrollment profile. |
System Administrator role |
Authentication Profiles |
Define the required authentication mechanisms such as password, email confirmation code, mobile authenticator, etc. You use the authentication profile when you create your authentication rule. |
System Administrator role |
Identity Administration portal |
Display the list of CyberArk Identity Connectors, configure Integrated Windows Authentication settings, and add or delete a CyberArk Identity Connector. |
System Administrator role to modify all settings; Register Connectors permission to add a connector |
Secure Zones |
Specify the public IP addresses you want to include within the corporate intranet. CyberArk Identity uses these addresses for Integrated Windows Authentication and application multifactor authentication. See Define Secure Zones. |
System Administrator role |
Corporate-owned Devices |
Import serial numbers of enrolled devices to convert the ownership attribute from Personal Owned to Corporate Owned. |
System Administrator role |
Endpoint Management Settings |
Select either Active Directory group policy or the CyberArk Cloud Directory policy service as the source for mobile device policies. If you use the CyberArk Cloud Directory policy service you also use this tab to select the default Active Directory certificate service or CyberArk Identity CA to generate user certificates. |
System Administrator role |
Directory Services |
Add LDAP or Google as your directory service and view existing configured directory services. |
System Administrator role |
External Users |
Allow your customers to use their social media credentials for single sign-on access to applications. |
System Administrator role |
Idle User Session Timeout |
Enable a timeout and set the time period to log out inactive users from the Identity Administration portal and CyberArk Identity user portal. |
System Administrator role |
Login suffix |
Create a list of the login suffixes (the name that follows @ in the full user name) that users enter to log in to the Identity Administration portal and CyberArk Identity user portal and enroll devices. Users that do not have a login suffix in this list cannot log in to the portals or enroll a device. |
System Administrator role |
OATH Tokens |
You can authenticate to CyberArk Identity using your existing third-party OATH tokens (for example, those generated by a YubiKey) by bulk uploading those tokens. CyberArk Identity uses those tokens to generate one-time passcodes (OTP) that users with enrolled devices can immediately use to log in to the Identity User Portal. See Enable OATH OTP. |
System Administrator role |
External Identity Providers |
Allows you to add business partners so that you can share your CyberArk Identity with your partners. Partner federation is achieved through SAML, where your tenant serves as the host (the Service Provider in SAML terms), and your business partners access the tenant and its associated resources by passing a SAML token obtained from their Identity Provider (IDP). |
System Administrator role |
Provisioning |
Run application user provisioning synchronization, configure the provisioning report options, and specify daily synchronizations. See Outbound provisioning for more details. |
System Administrator role |
RADIUS Connections |
Allows you to configure your RADIUS clients/servers. You can use the CyberArk Identity Connector as a RADIUS server for clients that support RADIUS authentication, such as VPNs. Additionally, you can configure RADIUS server settings to allow third-party RADIUS authentication. |
System Administrator role |
Security Settings |
Define security-related settings such as securely capturing users' passwords at login or enabling forgotten username self-service. See Authentication security options for more information. |
Sysadmin role |
System Configuration |
Configure a custom SMTP server for outgoing mail services such as MFA challenges and self-service features. You can also choose to connect to the custom SMTP server using the CyberArk Identity Connector. |
|
Tenant URLs |
Create a URL or custom domain that is specific to your company so your users can easily remember the CyberArk Identity URL. Newly created URLs may take a few minutes to propagate. If you have users using FIDO2 authenticator(s), those users will need to log in with the new URL and re-activate their keys. See FIDO2 authenticators and new tenant URLs for more information. URL requirements:
For information on creating a custom domain to access CyberArk Identity and set it as the preferred tenant URL, see Customize tenant URLs. |
System Administrator role |