# Deploy Surface This guide explains how to deploy the **Surface Scanner** across your organization's endpoints. The Surface Scanner is a lightweight endpoint agent that runs in the background to detect AI assets, collect device posture metadata, and securely transmit results to the **Surface Console**. Deployment typically involves the following stages: 1. Preparing your environment 2. Installing the Scanner on endpoints 3. Verifying device connectivity and reporting 4. Maintaining the agent lifecycle *** ## Before you install Before deploying the Surface Scanner, ensure your environment meets the system requirements and determine the appropriate deployment method for your organization. ### System requirements The Surface Scanner supports common enterprise operating systems and runs as a background service with minimal resource usage. **Windows** Supported versions: * Windows 10 (64-bit) * Windows 11 (64-bit) Installation requires administrator privileges. **macOS** Supported versions: * macOS 12 (Monterey) or later * Compatible with both Intel and Apple Silicon **Linux** Supported distributions: * Ubuntu 20.04 or later * Red Hat Enterprise Linux (RHEL) 8+ * Debian 11+ Supported package formats: `.deb`, `.rpm` ### Network Requirements Surface Scanner communicates securely with the Surface Console using outbound HTTPS. | Requirement | Value | | ------------- | ------------- | | Protocol | HTTPS | | Port | 443 | | Direction | Outbound only | | Inbound Ports | Not required | If your environment uses a firewall or proxy, ensure that traffic to the below domain is not blocked. Your network must allow outbound access to: ``` *.superalign.ai ``` *** ## Choosing your deployment method Surface supports both automated enterprise deployment and manual installation. ### MDM Deployment (Recommended) For most organizations, deployment is performed using an endpoint management platform such as Microsoft Intune, Jamf Pro, Kandji, Mosyle, or other MDM platforms capable of deploying signed packages or scripts. Benefits of MDM deployment include: * Centralized rollout across devices * Silent installation * Automated lifecycle management * Controlled rollout to pilot device groups ### Manual Deployment Manual installation may be used for: * Small pilot environments * Testing or proof-of-concept deployments * Organizations without an MDM platform This approach requires running the installer directly on each device. *** ## MDM-based Enterprise Deployment (Recommended) Login to the Surface Console as an Admin and go to the Downloads section. Deploy via your MDM platform using a signed script for macOS, Linux, or Windows. * **macOS & Linux** — Upload `install.sh` to your MDM platform and configure it to run with root privileges on target devices. * **Windows** — Upload `install.ps1` to your MDM and run it silently via Group Policy or your MDM's script deployment feature. Installation steps: 1. Download the script and upload it to your MDM platform's script library. 2. In your MDM console, create a new deployment policy and assign the script to the target device group. 3. The script installs Surface, registers it with your MDM, and starts the service. *** ## Install Script Run the command for your platform directly in a terminal. The script downloads, verifies the checksum, and starts Surface automatically. **macOS, Linux, WSL** ```bash curl -fsSL https://console.superalign.ai/surface/releases/install.sh | sudo bash ``` **Windows PowerShell (Run as Administrator)** ```powershell irm https://console.superalign.ai/surface/releases/install.ps1 | iex ``` This command: * Verifies checksum integrity before install * Registers Surface as a system service * Connects to your SuperAlign workspace automatically *** ## Manual Install Login to the Surface Console as Admin and go to the Downloads page. Download the package for your platform and architecture, then follow the installation steps. | Platform | Architecture | Package | | -------- | ---------------------- | -------------------------------------------- | | macOS | Apple Silicon | `SuperAlign-surface-0.1.8-darwin-arm64.pkg` | | macOS | Intel | `SuperAlign-surface-0.1.8-darwin-amd64.pkg` | | Linux | ARM64 | `SuperAlign-surface-0.1.8-linux-arm64.deb` | | Linux | AMD64 | `SuperAlign-surface-0.1.8-linux-amd64.deb` | | Windows | AMD64 (x64, Win 10/11) | `SuperAlign-surface-0.1.8-windows-amd64.msi` | *** ## After installation * **Appears in Endpoints** — Your endpoint shows up in the Endpoints page within minutes of install. * **Appears in Inventory** — Surface discovers AI assets and they appear in Inventory automatically. * **Insights generated** — Risk assessments are produced once the first asset scan completes. ### Verify agent is active and reporting After installation, confirm that the Scanner is reporting to the Surface Console. **Verification Steps** 1. Log in to the **Surface Console**. 2. Navigate to the **Device Inventory** page. 3. Locate the newly installed endpoint. A successfully deployed device will display: * Device hostname * Operating system * Last scan timestamp * Agent status New devices typically appear in the Console shortly after installation once the first scan completes. If the device does not appear in the Console, refer to the troubleshooting section below. *** ## Maintenance After deployment, administrators may need to manage updates, uninstall the Scanner, or troubleshoot connectivity issues. ### Update the agent The Surface Scanner may receive periodic updates that include: * Security improvements * Performance enhancements * Expanded detection capabilities Updates can be silently deployed through: * Your existing MDM deployment policy * Updated installer packages For managed environments, updating the deployment package within your MDM policy will automatically distribute updates to targeted devices. ### Uninstall the agent The Surface Scanner can be removed at any time. **Uninstall via MDM** Administrators can remove the Scanner by: 1. Creating an uninstall policy in the MDM platform 2. Targeting devices where the agent should be removed This is the recommended method for large environments. **Manual Uninstallation** On individual devices: 1. Open the system's application or package management interface. 2. Locate **Surface Scanner**. 3. Run the uninstall process. After removal, the device will stop reporting scan data to the Surface Console. *** ## Troubleshooting If an endpoint is not reporting scan data, the following steps may help identify the issue. ### Agent Not Reporting Possible causes include: * Installation failure * Scanner service not running * Device not registered with the Console tenant Recommended actions: * Verify the Scanner service is active * Confirm installation completed successfully * Ensure the device appears in the Console inventory ### Connectivity Failure Connectivity issues are typically caused by network restrictions. Verify that: * Outbound HTTPS traffic (port 443) is allowed * The required domain is allowlisted: ``` *.superalign.ai ``` If a proxy or firewall is present, confirm that outbound connections to the Surface Console are permitted. ### Permission Issues Installation requires administrative privileges. If installation fails: * Confirm the installer was executed with elevated privileges * Verify that endpoint protection tools did not block installation * Check system security policies that may prevent background services from running ### Log Collection Logs can help diagnose installation or connectivity issues. To collect logs: 1. Locate the Surface Scanner log directory on the device. 2. Export the log files. 3. Share the logs with your SuperAlign support contact. Logs typically include information about: * Installation status * Agent startup events * Network connectivity * Communication with the Surface Console