Enable endpoint data collection for the legacy agent
Overview
This tutorial explains how to confirm endpoint data collection is enabled to capture user file activity so you can use Incydr to detect and respond to insider risks.
Considerations for the legacy agent
To enable endpoint data collection:
- The Code42 agent must be installed for all users. Per-user installations are not supported.
- Organizations must use Standard archive encryption for backup data. Archive key password and Custom key encryption are not supported.
- Organizations using Compliance Settings cannot enable endpoint data collection.
Steps
Step 1: Lock archive encryption key settings
Endpoint data collection requires Standard archive encryption. Before enabling endpoint data collection, lock the Archive Encryption Key setting to prevent users or administrators from changing it later.
- Sign in to the Code42 console.
- Go to Administration > Environment > Organizations.
- Select an organization.
- Select Actions > Device backup defaults.
- In the General section, deselect Use device defaults from parent.
- Select the Security tab.
- In the Archive Encryption Key section:
  - Deselect Use default archive encryption key setting.
  - Verify that Standard is selected.
  - Click the Lock icon to prevent users from changing this setting.
- Review the confirmation message and click OK.
- Click Save.
Step 2: Enable endpoint data collection
Enable these settings in a small test organization first. This helps ensure that user devices, activity monitoring, and reporting are performing as expected. Once you see the desired results with a small number of users, enable endpoint data collection for additional organizations.
If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.
- Sign in to the Code42 console as a user with either the Cross Org Admin or Org Admin role.
- Select Administration > Environment > Organizations.
- Select an organization.
- Select the Insider Risk tab.
- Click the Edit icon.
- Disable Inherit settings from parent, if necessary.
- Select all detection types. For more details, see Organizations - Endpoint Data Collection reference.
  - Removable media: Monitors file activity on removable media, such as USB drives or SD cards.
  - Cloud Sync Applications: Monitors file activity in folders on the device used for syncing with cloud services.
  - Browser and other application activity: Identifies files opened in apps commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
  - Printers: Identifies files sent to printers. Mac and Linux only.
  - All file activity: Provides visibility into all file activity by collecting detailed metadata for all files on user devices, and in supported cloud services and email providers.
- Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.
Next steps
Review file activity
Code42 Incydr provides a variety of tools to review file activity, including dashboards, user profiles, alerts, detection lists, and advanced ad-hoc search capabilities. For more details about these tools, see our guides for capturing and reviewing suspicious activity.
Add cloud and email data connections (optional)
If your product plan includes additional cloud or email data sources (for example, Google Drive, Microsoft OneDrive, Gmail, or Microsoft Office 365 email), you must authorize Code42 to access this data. For instructions, see Introduction to adding data connections.
Advanced configuration steps
The steps below are required to capture file activity on removable drives. If you want to configure any of these items to override the Code42 defaults, click the + icon next to each step for detailed instructions.