Deployment
This section is the operational guide for connecting your fleet to Arrakis. The right setup depends on three independent choices — how telemetry reaches Arrakis, how Arrakis reads your group structure, and which AI tools you need to govern. Pick the answers, then follow the linked pages.
Decision tree
1. Where does telemetry land first — Arrakis, or your SIEM?
- Arrakis first (Mode A). Every endpoint is configured with a single OTLP destination, Arrakis, and Arrakis fans a copy out to your SIEM. Simplest setup and fastest correlation. Choose this if you don’t already run a perimeter OTel collector. → Multi-sending OTel — Mode A
- Your SIEM first (Mode B). Your existing OTel collector receives from endpoints and forwards a copy to Arrakis. You keep control of the data plane and reuse existing infrastructure. Choose this if your security team requires the data to land in your SIEM before any third party receives it. → Multi-sending OTel — Mode B
2. How does Arrakis know who is in which group?
- SCIM 2.0 from your IdP (recommended). Your IdP pushes user + group membership; Arrakis maps groups to per-group policies (Skills, MCPs, plugins). Required for group-based policy. → IdP Integration
- Flat policy (no group separation). All users get the same policy. Simplest day-1 onboarding, but you lose per-group differentiation. Skip the IdP integration and configure a single default policy in Settings → Policies.
3. Which AI tools do you need to govern?
- Claude Code (Anthropic Enterprise or over Bedrock) — managed via MDM-pushed Claude Code config. → Claude Code
- Claude Cowork (Anthropic Enterprise) — admin-console + Admin API; managed-config where the desktop footprint applies. → Claude Cowork
- OpenAI Codex — admin console + MDM-deployed wrapper for OTel-aware env injection. → OpenAI Codex
- Cursor — MDM-deployed Arrakis hook + egress verification. → Cursor
Pick the tools you use; you can add more later.
Setup checklist
- Sign in to the Arrakis platform. Generate the per-tenant integration credentials under Settings → Integrations: OTel ingest token, MDM policy-push API credential, vendor admin API keys (Anthropic / OpenAI / Cursor).
- Connect your IdP (recommended). Configure SCIM 2.0 against the Arrakis SCIM endpoint so groups appear in Settings → Identity → Groups. Bind groups to policies. → IdP Integration
- Connect your MDM. Issue a least-privilege API token in your MDM (Jamf, Intune, Iru, or other) and paste it into Arrakis. Choose live policy push behavior (default) and optionally enable force-sync for instant enforcement. → MDM Sync — Live policy push
- Configure the OTel collector for the AI tools you govern. Either Arrakis-primary (Mode A — set the OTLP endpoint via MDM-managed config) or your-collector-primary (Mode B — paste the Arrakis exporter snippet into your collector config). → Multi-sending OTel and the per-tool deployment pages.
- Verify end-to-end. Confirm endpoints are sending OTel events, Arrakis sees the right groups, and policy changes propagate to MDM correctly.
- Document the offboarding plan before going to production. Confirm the customer-side cleanup script and the MDM withdrawal path. → Offboarding
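The Mode B topology from the decision tree (your collector first, a copy forwarded to Arrakis) and the "paste the Arrakis exporter snippet into your collector config" step above, written out as an added example of a customer-owned OpenTelemetry Collector configuration. This is not Arrakis's own snippet; the Arrakis OTLP endpoint URL and ingest bearer token are placeholders taken from Settings → Integrations via environment variables, Splunk HEC stands in for whichever SIEM you run, and the host and port values are constructed for illustration.

```yaml
# Added example: customer-controlled collector in Mode B.
# Endpoints send OTLP to this collector; it fans out to the SIEM first
# and to Arrakis second. Nothing reaches Arrakis that your SIEM has not
# also received.
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317   # constructed listen address
      http:
        endpoint: 0.0.0.0:4318

processors:
  # memory_limiter must be the first processor in every pipeline
  memory_limiter:
    check_interval: 1s
    limit_mib: 512
  batch:
    timeout: 5s

exporters:
  # Primary destination: your SIEM (Splunk HEC shown; Datadog, Sentinel
  # and Elastic each have their own exporter and settings)
  splunk_hec:
    token: ${env:SPLUNK_HEC_TOKEN}
    endpoint: https://splunk.example.internal:8088/services/collector   # constructed

  # Secondary copy to Arrakis over OTLP/HTTP, authenticated with the
  # per-tenant ingest bearer token. Both values are placeholders from
  # Settings -> Integrations, not real URLs or tokens.
  otlphttp/arrakis:
    endpoint: ${env:ARRAKIS_OTLP_ENDPOINT}
    headers:
      Authorization: "Bearer ${env:ARRAKIS_INGEST_TOKEN}"
    tls:
      insecure: false   # keep server certificate verification on

service:
  pipelines:
    logs:
      receivers: [otlp]
      processors: [memory_limiter, batch]
      exporters: [splunk_hec, otlphttp/arrakis]
    traces:
      receivers: [otlp]
      processors: [memory_limiter, batch]
      exporters: [splunk_hec, otlphttp/arrakis]
```

Both exporters appear in each pipeline, so a failure to deliver to one does not suppress delivery to the other. If your tenant requires mTLS to the Arrakis endpoint (see the OTel Collector & Arrakis Endpoint page), the client certificate and key go under the `tls` block of the `otlphttp/arrakis` exporter; and the Arrakis endpoint host must be on the collector host's egress allowlist, not on the individual endpoints'.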
Sections in this guide
- OTel Collector & Arrakis Endpoint — endpoint shape, auth, mTLS, egress allowlist, connectivity probes, and the Arrakis namespace convention.
- Multi-sending OTel — Mode A vs Mode B with sample collector configs for Splunk, Datadog, Sentinel, and Elastic.
- IdP Integration — SCIM 2.0 ingestion of users and groups so policy can be applied per group.
- Claude Code — Anthropic Console (Enterprise) walkthrough, Bedrock variant, MDM payloads.
- Claude Cowork — Anthropic Console (Enterprise) for Cowork; Admin API issuance and rotation.
- OpenAI Codex — OpenAI Admin Console; Compliance API; MDM-deployed wrapper.
- Cursor — MDM-deployed Arrakis hook; egress verification.
- MDM Sync & Change Management — per-MDM sync cadence, live policy push, and credential rotation.
- Quarantine — vendor admin API actions to disable a user across Anthropic, Cursor, and OpenAI, plus the MDM block.
- Offboarding — Arrakis-initiated profile withdrawal, per-tool cleanup, and OTel egress shutoff verification.
Where to get tenant-specific values
Sign in to the Arrakis platform → Settings → Integrations. The OTel endpoint URL, ingest bearer token, MDM payload templates, vendor admin keys, and SCIM endpoint URL all live there. Docs use placeholders so they stay generic.