Deploy Surface
Step-by-step guide for deploying the Surface Scanner across your organization's endpoints.
This guide explains how to deploy the Surface Scanner across your organization's endpoints.
The Surface Scanner is a lightweight endpoint agent that runs in the background to detect AI assets, collect device posture metadata, and securely transmit results to the Surface Console.
Deployment typically involves the following stages:
- Preparing your environment
- Installing the Scanner on endpoints
- Verifying device connectivity and reporting
- Maintaining the agent lifecycle
Before you install
Before deploying the Surface Scanner, ensure your environment meets the system requirements and determine the appropriate deployment method for your organization.
System requirements
The Surface Scanner supports common enterprise operating systems and runs as a background service with minimal resource usage.
Windows
Supported versions:
- Windows 10 (64-bit)
- Windows 11 (64-bit)
Installation requires administrator privileges.
macOS
Supported versions:
- macOS 12 (Monterey) or later
- Compatible with both Intel and Apple Silicon
Linux
Supported distributions:
- Ubuntu 20.04 or later
- Red Hat Enterprise Linux (RHEL) 8+
- Debian 11+
Supported package formats: .deb, .rpm
Network Requirements
Surface Scanner communicates securely with the Surface Console using outbound HTTPS.
| Requirement | Value |
|---|---|
| Protocol | HTTPS |
| Port | 443 |
| Direction | Outbound only |
| Inbound Ports | Not required |
If your environment uses a firewall or proxy, ensure that traffic to the below domain is not blocked. Your network must allow outbound access to:
*.superalign.aiChoosing your deployment method
Surface supports both automated enterprise deployment and manual installation.
MDM Deployment (Recommended)
For most organizations, deployment is performed using an endpoint management platform such as Microsoft Intune, Jamf Pro, Kandji, Mosyle, or other MDM platforms capable of deploying signed packages or scripts.
Benefits of MDM deployment include:
- Centralized rollout across devices
- Silent installation
- Automated lifecycle management
- Controlled rollout to pilot device groups
Manual Deployment
Manual installation may be used for:
- Small pilot environments
- Testing or proof-of-concept deployments
- Organizations without an MDM platform
This approach requires running the installer directly on each device.
MDM-based Enterprise Deployment (Recommended)
Login to the Surface Console as an Admin and go to the Downloads section.
Deploy via your MDM platform using a signed script for macOS, Linux, or Windows.
- macOS & Linux — Upload
install.shto your MDM platform and configure it to run with root privileges on target devices. - Windows — Upload
install.ps1to your MDM and run it silently via Group Policy or your MDM's script deployment feature.
Installation steps:
- Download the script and upload it to your MDM platform's script library.
- In your MDM console, create a new deployment policy and assign the script to the target device group.
- The script installs Surface, registers it with your MDM, and starts the service.
Install Script
Run the command for your platform directly in a terminal. The script downloads, verifies the checksum, and starts Surface automatically.
macOS, Linux, WSL
curl -fsSL https://console.superalign.ai/surface/releases/install.sh | sudo bashWindows PowerShell (Run as Administrator)
irm https://console.superalign.ai/surface/releases/install.ps1 | iexThis command:
- Verifies checksum integrity before install
- Registers Surface as a system service
- Connects to your SuperAlign workspace automatically
Manual Install
Login to the Surface Console as Admin and go to the Downloads page. Download the package for your platform and architecture, then follow the installation steps.
| Platform | Architecture | Package |
|---|---|---|
| macOS | Apple Silicon | SuperAlign-surface-0.1.8-darwin-arm64.pkg |
| macOS | Intel | SuperAlign-surface-0.1.8-darwin-amd64.pkg |
| Linux | ARM64 | SuperAlign-surface-0.1.8-linux-arm64.deb |
| Linux | AMD64 | SuperAlign-surface-0.1.8-linux-amd64.deb |
| Windows | AMD64 (x64, Win 10/11) | SuperAlign-surface-0.1.8-windows-amd64.msi |
After installation
- Appears in Endpoints — Your endpoint shows up in the Endpoints page within minutes of install.
- Appears in Inventory — Surface discovers AI assets and they appear in Inventory automatically.
- Insights generated — Risk assessments are produced once the first asset scan completes.
Verify agent is active and reporting
After installation, confirm that the Scanner is reporting to the Surface Console.
Verification Steps
- Log in to the Surface Console.
- Navigate to the Device Inventory page.
- Locate the newly installed endpoint.
A successfully deployed device will display:
- Device hostname
- Operating system
- Last scan timestamp
- Agent status
New devices typically appear in the Console shortly after installation once the first scan completes.
If the device does not appear in the Console, refer to the troubleshooting section below.
Maintenance
After deployment, administrators may need to manage updates, uninstall the Scanner, or troubleshoot connectivity issues.
Update the agent
The Surface Scanner may receive periodic updates that include:
- Security improvements
- Performance enhancements
- Expanded detection capabilities
Updates can be silently deployed through:
- Your existing MDM deployment policy
- Updated installer packages
For managed environments, updating the deployment package within your MDM policy will automatically distribute updates to targeted devices.
Uninstall the agent
The Surface Scanner can be removed at any time.
Uninstall via MDM
Administrators can remove the Scanner by:
- Creating an uninstall policy in the MDM platform
- Targeting devices where the agent should be removed
This is the recommended method for large environments.
Manual Uninstallation
On individual devices:
- Open the system's application or package management interface.
- Locate Surface Scanner.
- Run the uninstall process.
After removal, the device will stop reporting scan data to the Surface Console.
Troubleshooting
If an endpoint is not reporting scan data, the following steps may help identify the issue.
Agent Not Reporting
Possible causes include:
- Installation failure
- Scanner service not running
- Device not registered with the Console tenant
Recommended actions:
- Verify the Scanner service is active
- Confirm installation completed successfully
- Ensure the device appears in the Console inventory
Connectivity Failure
Connectivity issues are typically caused by network restrictions.
Verify that:
- Outbound HTTPS traffic (port 443) is allowed
- The required domain is allowlisted:
*.superalign.aiIf a proxy or firewall is present, confirm that outbound connections to the Surface Console are permitted.
Permission Issues
Installation requires administrative privileges.
If installation fails:
- Confirm the installer was executed with elevated privileges
- Verify that endpoint protection tools did not block installation
- Check system security policies that may prevent background services from running
Log Collection
Logs can help diagnose installation or connectivity issues.
To collect logs:
- Locate the Surface Scanner log directory on the device.
- Export the log files.
- Share the logs with your SuperAlign support contact.
Logs typically include information about:
- Installation status
- Agent startup events
- Network connectivity
- Communication with the Surface Console