General Provider Responsibilities

Recommended Secure Configuration (SCG-CSO-RSC)

SCG-CSO-RSC-01: Multi-Factor Authentication (MFA / 2FA / 2SV)

Admins can enforce multi-factor authentication for admins and agents (and optionally end users) to add a second verification step at sign-in and reduce the risk of credential compromise. It applies to Zendesk email/password credentials; users who sign in through single sign-on must rely on MFA enforced by the identity provider. Admins can also run a 2FA status report to confirm adoption.

Setup Instructions:

  • Setup 2FA
  • Manage 2FA
  • About 2SV

SCG-CSO-RSC-02: Single Sign-On (SSO)

Zendesk supports enterprise SSO access to accounts via Security Assertion Markup Language (SAML), JSON Web Token (JWT), and OpenID Connect (OIDC). Customers should use enterprise SSO for staff (administrators and agents) whenever possible. SSO lets the organization centralize identity proofing, MFA, conditional access, and de-provisioning in its identity provider (IdP).

Setup Instructions:

  • SSO Options
  • Manage SSO Configurations
  • Enable SSO (SAML)
  • Enable SSO (JWT)
  • Enable SSO (OIDC)
  • Enable Social and Business SSO

SCG-CSO-RSC-03: Password Security Level

Admins can set password security levels separately for agents, admins, and end users. Zendesk recommends the Recommended level, which enforces strong passwords and blocks known-breached passwords. Raising the security level can force users to update their passwords, so admins should plan and document the change as part of secure configuration management.

Setup Instructions:

  • Setting the Password Security Level

SCG-CSO-RSC-04: Zendesk Account Assumption

Admins can grant Zendesk Support agents temporary "account assumption" access to troubleshoot complex issues; this lets Zendesk staff assume an agent role in the account. The setting is OFF by default. For FedRAMP alignment, enable it only when required and for the shortest duration possible, and document and track when it is enabled and disabled.

Setup Instructions:

  • Enable Zendesk Account Assumption

SCG-CSO-RSC-05: Audit Log

Admins can use the Zendesk Audit Log (Enterprise and Enterprise+ plans) to track configuration and account changes performed by admins and agents. This supports general security monitoring and investigations; the log can be filtered and exported to CSV.

Setup Instructions:

  • Using the Audit Log
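The account assumption control above asks admins to track when the feature is enabled and disabled, and the Audit Log is where that evidence lives. The following script, added here as an illustration and not part of Zendesk's documentation or code, shows one way to review a CSV export: it flags every change to an item that maps to a control in this guide and pairs each "enabled" account assumption event with the following "disabled" one so the duration can be recorded. The column names, the item names and the sample rows are all constructed assumptions; map the real export's header onto them before use.

```python
"""Flag security-relevant changes in a Zendesk Audit Log CSV export.

Added example for this guide; not Zendesk code. The column layout
(timestamp, actor, ip, item, action, detail) and the item names are
ASSUMED for illustration. Adjust them to the real export.
"""
import csv
import io

# Constructed sample export (not real data); the layout is assumed.
SAMPLE_EXPORT = """timestamp,actor,ip,item,action,detail
2026-03-11T09:00:12Z,alice@example.com,203.0.113.10,Session timeout,update,Agent timeout changed from 60 to 480 minutes
2026-03-11T09:05:44Z,alice@example.com,203.0.113.10,Zendesk account assumption,update,Account assumption enabled
2026-03-11T10:17:03Z,bob@example.com,198.51.100.7,Trigger,create,Notify requester of new ticket
2026-03-11T11:02:51Z,carol@example.com,192.0.2.44,Two-factor authentication,update,Two-factor authentication required for agents set to Off
2026-03-12T08:30:00Z,alice@example.com,203.0.113.10,Zendesk account assumption,update,Account assumption disabled
"""

# Audit Log item names (assumed) mapped to the control IDs in this guide.
# Matching is on the lower-cased item name, so adding a control is one line.
WATCHED_ITEMS = {
    "zendesk account assumption": "SCG-CSO-RSC-04",
    "two-factor authentication": "SCG-CSO-RSC-01",
    "session timeout": "SCG-CSO-SDF-01",
    "password security level": "SCG-CSO-RSC-03",
    "email authentication": "SCG-CSO-RSC-06",
}


def parse_export(text):
    """Parse the CSV text into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_events(rows):
    """Return (control_id, row) pairs for every change to a watched item."""
    hits = []
    for row in rows:
        control = WATCHED_ITEMS.get(row["item"].strip().lower())
        if control:
            hits.append((control, row))
    return hits


def assumption_windows(rows):
    """Pair account assumption 'enabled' events with the next 'disabled'
    event. Returns (enabled_at, disabled_at, actor) tuples; a window that
    is still open (enabled but never disabled) has disabled_at=None so it
    stands out in review."""
    windows = []
    start = None
    for row in rows:
        if row["item"].strip().lower() != "zendesk account assumption":
            continue
        detail = row["detail"].lower()
        # Test "disabled" first: it must not be mistaken for "enabled".
        if "disabled" in detail:
            if start is not None:
                windows.append((start["timestamp"], row["timestamp"], start["actor"]))
                start = None
        elif "enabled" in detail and start is None:
            start = row
    if start is not None:
        windows.append((start["timestamp"], None, start["actor"]))
    return windows


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for control, row in flag_events(rows):
        print(f"{row['timestamp']} {control} {row['actor']}: {row['detail']}")
    for enabled_at, disabled_at, actor in assumption_windows(rows):
        print(f"account assumption by {actor}: {enabled_at} -> {disabled_at or 'STILL OPEN'}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; an open window in the output is exactly the condition the account assumption control says should not persist.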

SCG-CSO-RSC-06: Email Authentication (SPF/DKIM/DMARC/ARC)

Admins can enable inbound email authentication to reduce spoofed email and unauthorized ticket creation. Emails that fail authentication are suspended for review and can be monitored in the Suspended tickets view. Zendesk recommends enabling authentication first for native email traffic, then validating forwarded mail flows: forwarding commonly breaks SPF checks, so those flows need separate verification before enforcement.

Setup Instructions:

  • Enable Email Authentication

SCG-CSO-RSC-07: Private Attachments / Secure Downloads

Admins can control ticket attachments across channels and optionally require authenticated access via secure downloads / private attachments, reducing exposure from forwarded or misdirected links. Attachment expiration and file-type restrictions are also supported.

Setup Instructions:

  • Enable Private Attachments

SCG-CSO-RSC-08: Security Contact

By default, Zendesk sends security-related notifications to the designated account owner. However, most organizations have a person, group, or department dedicated to security. Admins can designate an additional security contact email so that notifications reach the appropriate parties.

Setup Instructions:

  • Designate a Security Contact

Use Instructions (SCG-CSO-AUP)

This Secure Configuration Guide is implemented by using the linked Zendesk Help Center configuration articles throughout. For configuration needs beyond these articles, or to validate a FedRAMP-aligned posture for your specific environment, contact us at fedramp@zendesk.com.

Public Guidance (SCG-CSO-PUB)

This Guide is a public-facing document and references articles on the Zendesk Help Center.

Secure Defaults (SCG-CSO-SDF)

SCG-CSO-SDF-01: Session Timeout

Admins can configure inactivity-based session timeouts to reduce the risk of unauthorized access from unattended sessions. By default, Zendesk signs out agents after 60 minutes of inactivity and end users after 8 hours; admins can set different values for each user type. Zendesk recommends using the shortest session timeout that supports operational needs and documenting the chosen values.

Setup Instructions:

  • Adding a Session Timeout

Enhanced Capabilities

Comparison Capability (SCG-ENH-CMP)

Zendesk provides a Security Posture Dashboard in the Admin Center that shows a side-by-side comparison of the account's current privileged-account security settings against Zendesk-recommended values.

Setup Instructions:

  • Using the Security Posture Dashboard

Export Capability (SCG-ENH-EXP)

Zendesk does not currently have a capability to export security settings.

API Capability (SCG-ENH-API)

Zendesk provides a Security Settings API endpoint that supports programmatic retrieval (and for some settings, administrative update) of select account-level security configuration values. This API can be used to support repeatable evidence collection, baseline validation, and configuration drift detection as part of ongoing continuous monitoring.

Setup Instructions:

  • Security Settings
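The baseline validation and drift detection described above reduce to a small, repeatable script. The one below is added here as an illustration and is not Zendesk's own tooling; the endpoint path, the JSON field names and the sample response are constructed assumptions that must be replaced with the names from the linked Security Settings API reference. Only the "{email}/token:{api_token}" Basic-auth form is Zendesk's documented API token scheme. The script checks the live payload against a baseline derived from the controls in this guide, reports a missing field as drift rather than silently passing it, and produces a record suitable for filing as continuous monitoring evidence.

```python
"""Baseline validation of Zendesk account security settings.

Added example for this guide; not Zendesk code. The endpoint path and
the field names in BASELINE / SAMPLE_LIVE are ASSUMED for illustration.
"""
import base64
import json
import urllib.request

# Baseline derived from this guide's controls. Key names are assumed.
BASELINE = {
    "two_factor_enforce_agents": True,           # SCG-CSO-RSC-01
    "two_factor_enforce_admins": True,           # SCG-CSO-RSC-01
    "assumption_enabled": False,                 # SCG-CSO-RSC-04 (off unless needed)
    "agent_session_timeout_minutes": 60,         # SCG-CSO-SDF-01
    "end_user_session_timeout_minutes": 480,     # SCG-CSO-SDF-01
    "password_security_level_agents": "recommended",  # SCG-CSO-RSC-03
    "email_authentication_enabled": True,        # SCG-CSO-RSC-06
}

# Constructed response (not captured from a real account).
SAMPLE_LIVE = {
    "two_factor_enforce_agents": True,
    "two_factor_enforce_admins": True,
    "assumption_enabled": True,
    "agent_session_timeout_minutes": 480,
    "end_user_session_timeout_minutes": 480,
    "password_security_level_agents": "recommended",
    # email_authentication_enabled deliberately absent
}


def fetch_security_settings(subdomain, email, api_token):
    """Fetch live settings over HTTPS. The path is an assumption; the
    Basic-auth credential form is Zendesk's documented API token scheme."""
    url = f"https://{subdomain}.zendesk.com/api/v2/account/security_settings"
    cred = base64.b64encode(f"{email}/token:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detect_drift(live, baseline):
    """Return {key: (expected, actual)} for every baseline key whose live
    value differs. A key missing from the payload shows actual=None, so a
    renamed or removed field is surfaced instead of passing unnoticed."""
    drift = {}
    for key, expected in baseline.items():
        actual = live.get(key)
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


def evidence_record(live, baseline, collected_at):
    """Build the dict to file as evidence: collection time, pass/fail,
    the drift list and the full snapshot it was judged on."""
    drift = detect_drift(live, baseline)
    return {
        "collected_at": collected_at,
        "compliant": not drift,
        "drift": {k: {"expected": e, "actual": a} for k, (e, a) in drift.items()},
        "snapshot": live,
    }


if __name__ == "__main__":
    # Offline demonstration against the constructed response; for a real
    # run, swap in fetch_security_settings(subdomain, email, token).
    record = evidence_record(SAMPLE_LIVE, BASELINE, "2026-03-11T12:00:00Z")
    print(json.dumps(record, indent=2, sort_keys=True))
```

Schedule the script and retain its output alongside the Security Posture Dashboard comparison; the two together give point-in-time evidence, while the Audit Log explains who changed a drifted value and when.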

Machine-Readable Guidance (SCG-ENH-MRG)

This Secure Configuration Guide is published as web-based documentation (HTML) in the Zendesk Help Center. The page can be exported by saving the web page content (as HTML or PDF) for offline access, controlled distribution, and records retention.

Versioning and Release History (SCG-ENH-VRH)

Version   Date         Summary of Changes
1.0       2026-03-11   Initial release of SCG and control references