Tenant Settings
The Settings hub (Dashboard > Settings) is the central place to configure Surface Security for your organization: how the browser extension behaves, which threats are detected, how data is protected and retained, how alerts are delivered, and how the platform itself is licensed and updated. Every page described here applies tenant-wide — changes affect all enrolled endpoints, not a single device or user.
Most settings changes are privileged operations. When you save, Surface Security asks you to re-enter your password in a confirmation dialog before the change is applied, and the change is recorded in the Audit Log.
[SCREENSHOT PLACEHOLDER: The Settings index page showing the Current Configuration panel, the featured General Settings card, and the grouped cards under Account, Threats, Data Protection, Alerts, and Platform]
How the Settings hub is organized
The Settings index opens with a Current Configuration panel — a read-only snapshot of your most important tenant-wide values: Extension Mode, HIBP Check, Email Alerts, Webhook Alerts, Allowed Domains, and Denied Domains. Use it to confirm at a glance what is currently in force before drilling into any page.
Below the snapshot, a featured General Settings card leads to the core extension configuration, followed by cards grouped into five areas:
| Group | Pages |
|---|---|
| Account | Account Settings, Admin Users, Single Sign-On (SSO), Directory Sync |
| Threats | Phishing Signatures, ClickFix Signatures, OAuth Threat Detection, Phishing Domain Whitelist, Threat Intelligence, Active Countermeasures |
| Data Protection | Data Loss Prevention, GenAI Protection, Browser Privacy, Device Identity Tag |
| Alerts | Alert Severity, Alert Notifications, Recommended Actions |
| Platform | Log Forwarding & SIEM, Updates, License, API Documentation |
The index also includes a Platform Tour card that lets you replay any section of the guided product tour.
This guide covers the core tenant-wide pages. Pages with their own dedicated guides are summarized briefly with a link to the full documentation.
General Settings
Settings > General Settings controls extension behavior, learning mode, and domain policies. It is the page you will visit most often during rollout.
Deployment Identifiers
A read-only panel showing your Tenant ID, API Endpoint, and SSO Enrollment Redirect URI, each with a copy button. You need these values when pushing managed configuration to browsers through your management tooling (Intune, Group Policy, Jamf) and when registering the extension enrollment callback with your identity provider.
Extension Mode
Controls how the extension handles credential submissions across every enrolled endpoint:
- Learning Mode — collect data and learn user behavior patterns without blocking any actions.
- Monitoring Mode — alert on suspicious activity but allow all actions to proceed.
- Enforcement Mode — block suspicious credential submissions and enforce policies.
In Learning Mode, an additional Learning Threshold field appears: the number of times a credential must be used on a site before it is considered a normal login for that site.
[SCREENSHOT PLACEHOLDER: The General Settings page showing the Extension Mode radio options (Learning, Monitoring, Enforcement) and the Security Features checklist below]
Security Features
A set of tenant-wide toggles:
- Have I Been Pwned Check — check password fingerprints against the HIBP breach database. Unavailable (and shown disabled) on air-gapped deployments.
- ClickFix/FileFix/ConsentFix Detection — detect and block clipboard-based attacks such as pastejacking.
- Search Ad Blocking — hide sponsored results on Google and Bing search pages to protect against malvertising.
- Portal Alert Forwarding — automatically forward critical and high severity alerts to the Surface Security portal for centralized monitoring.
- Phishing Screenshot Capture — capture screenshots of suspected phishing pages for analyst review. Turn this off to prevent any screenshot data from being collected.
- AI Alert Analysis — automatically generate AI-powered summaries on security alerts. Turn off to disable all AI analysis features.
- Disable Stale Device Alerts — suppress alerts for devices that have not checked in for 7 or more days. Devices are still tracked; only the inactivity alerts stop.
SSO Extension Enrollment
By default, any user who successfully authenticates through your identity provider can self-enroll the extension. Enable Restrict enrollment to specific email domains and add domains (for example, example.com) to limit auto-provisioning to users from those domains. Existing users are never blocked. The Save button stays disabled while the restriction is switched on but the domain list is empty, so you cannot accidentally save an unrestricted state.
Threat Intelligence
Two related toggles:
- Threat Clustering — locally group phishing alerts by visual similarity to surface campaigns targeting your tenant.
- Contribute to Portal Threat Intel Pool — share anonymized page-structure fingerprints of confirmed phishing pages with the cross-organization pool. Requires Threat Clustering. No URLs, screenshots, or personal data leave your deployment.
These toggles save immediately (no Save button needed) and govern the cross-organization features described in Campaign Intelligence. On trial deployments both are locked on.
E2E Certificate Configuration
Upload the CA certificate and private key used to sign client certificates during extension enrollment, and toggle Require End-to-End Encryption so extensions must present a valid client certificate. The private key is encrypted before storage and never exposed again. The panel shows the current certificate's subject, issuer, expiry, and fingerprint, with a Remove Certificate action. A warning appears if E2E is required but no CA is configured — extensions cannot enroll in that state.
Super admins also see an Envoy TLS certificate panel for replacing the gateway's serving certificate (subject, expiry, and self-signed status are shown; the new certificate takes effect after a brief gateway restart).
Data Retention
Two independent windows, each requiring password re-entry to change:
- Event Retention Period — how long telemetry events are kept in the analytics database (7–730 days).
- Stream Buffer Retention — how long events sit in the transient streaming buffer (1–30 days).
An expandable Retention Matrix lists exactly which data stores each window governs — useful for compliance audits and data-residency reviews — and a Current Data Usage panel shows per-table row counts and disk usage. For deployment-level guidance see Data Retention.
Note that the Audit Log is not governed by these windows — see Audit Log.
Domain Policies
Three newline-separated domain lists:
- Allowed Domains — only monitor credentials submitted to these domains (leave empty to monitor all).
- Denied Domains — never monitor credentials submitted to these domains (for example, personal sites).
- Trusted Domains (AITM Bypass) — domains that skip adversary-in-the-middle detection. Pre-populated with common defaults; add your internal domains. Subdomains are automatically included.
Click Save Changes to apply everything on the page; you will be prompted to re-enter your password.
Account Settings
Settings > Account Settings manages your own admin account, not the tenant:
- Profile — edit your Display Name; your Email, Role, and Account Created date are shown read-only.
- Multi-Factor Authentication (MFA) — click Enable MFA, scan the QR code with an authenticator app (or enter the manual key), verify a 6-digit code, then save the one-time backup codes (download or copy — they are shown only once). Disable MFA requires your password. If you sign in through SSO, the card shows your SSO provider instead and MFA is handled by your identity provider.
For managing other administrators, roles, and the tenant-wide MFA requirement, see Admin Users & Roles.
Browser Privacy
Settings > Browser Privacy (page title: Browser Privacy Enforcement) enforces browser privacy settings across all endpoints running Chrome or Edge. A master Enable Privacy Enforcement toggle activates the individual controls, which sync to endpoints during hourly policy updates:
- Disable browser password saving — recommended when using an enterprise password manager.
- Disable credit card autofill.
- WebRTC IP handling policy — Default, Public interface only, or Disable non-proxied UDP, to prevent local IP leak attacks.
- Enable Do Not Track.
- Disable hyperlink auditing — blocks the link "ping" tracking attribute.
Saving requires password re-entry.
[SCREENSHOT PLACEHOLDER: The Browser Privacy Enforcement page with the master toggle enabled and the five individual privacy controls beneath it]
License
Settings > License shows your Tier, Status (Valid, Grace Period, or Expired), Expires date, Client Name, Max Users, Max Devices, Entitlements, and the opt-in flags for Metrics Collection, Support Access, and Remote Access. Super admins can paste a new key under Update License. Full details: Licensing.
Log Forwarding & SIEM
Settings > Log Forwarding & SIEM configures destinations that receive security events from your deployment: Splunk HEC, Webhook, Syslog, Elasticsearch, S3/MinIO, Slack, and Microsoft Teams. Each destination can be scoped to specific event types (alerts, credential attempts, phishing detections, and so on), enabled or disabled, tested, and monitored via a per-destination health status. Full setup guide: SIEM Integration.
Updates
Settings > Updates (page title: System Updates) shows your current Platform Version, Extension Version, and License Status, with actions to Check for Updates, apply an available update (zero-downtime rolling deployment), Upload Update Bundle for air-gapped environments, and Rollback to Previous. An Update History table records every attempt with version, status, mode, and operator. Full guide: Update System.
Directory Sync
Settings > Directory Sync connects Entra ID, Okta, Active Directory, or Google Workspace to automatically sync users and groups into Surface Security. See the full guide: Directory Sync. When a SCIM-based source (Entra ID or Okta) is configured, an additional SCIM access token TTL control appears on the General Settings page (300–86400 seconds, default 3600).
Device Identity Tag
Settings > Device Identity Tag tags the browser User-Agent on managed devices so firewalls and SaaS applications can restrict access to devices with Surface installed (a BYOD gating control). See Device Identity Tag.
On-Call & Push Rules
Two settings pages support alert delivery to the Surface Security iOS app:
- On-call schedules — define who is currently the primary responder and optional escalation, used by push rules to page the right person. See On-Call Setup.
- Push notification rules — route alerts to iOS devices; rules are evaluated in priority order and the first match wins. See Push Rules.
For alert severity defaults, email/webhook notification delivery, and response playbooks, see the Alerts group on the Settings index and the Alerts and Credential & Alert Controls guides.
Worked example: rolling out from Learning to Enforcement
A typical staged rollout looks like this:
- Deploy the extension with the tenant in Learning Mode (the default). Open Settings > General Settings and confirm Extension Mode is set to Learning Mode with the default Learning Threshold.
- After two to four weeks, switch to Monitoring Mode. Alerts now fire for suspicious credential activity, but nothing is blocked. Use this period to tune Trusted Domains (AITM Bypass) — add internal portals that trigger false adversary-in-the-middle signals — and add personal-use sites your policy excludes to Denied Domains.
- Review the alert volume on the dashboard. When false positives are under control, return to General Settings, select Enforcement Mode, and click Save Changes. Re-enter your password in the confirmation dialog.
- Verify the change on the Settings index: the Current Configuration panel should now show Extension Mode as "enforcement". The change is also recorded in the Audit Log with your account, timestamp, and IP address.
[VIDEO PLACEHOLDER: A short walkthrough changing Extension Mode from Monitoring to Enforcement, completing the password re-authentication dialog, and confirming the new mode in the Current Configuration panel]
Troubleshooting
My save button is disabled on General Settings. If you enabled "Restrict enrollment to specific email domains" but added no domains, saving is blocked because an empty list would leave enrollment unrestricted. Add at least one domain or turn the restriction off.
The HIBP toggle is grayed out. Your license includes the air-gapped entitlement; breach checks require external connectivity and are not available.
The Threat Intelligence toggles are locked on. Trial deployments always contribute to the shared pool. On a full license both toggles are editable, and sharing requires clustering to be enabled first.
Privacy settings are not taking effect on endpoints. Privacy controls sync during hourly policy updates — allow up to an hour after saving, and confirm the master Enable Privacy Enforcement toggle is on. They apply to Chrome and Edge.
I changed a setting but a colleague says they did not. Check the Audit Log: every settings change records who made it, from which IP address, and when.