Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, no.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Enable endpoint monitoring and file metadata collection


This tutorial explains how to enable endpoint monitoring and file metadata collection to capture user file activity so you can start using Incydr to detect and respond to insider risks.

  • Endpoint monitoring captures file activity anywhere on a user's device, not just within the user's backup file selection, including activity on removable media, in cloud sync folders, and uploads via web browsers and other applications.
  • File metadata collection captures all file activity on a device, which enables you to search file metadata to gain a clearer understanding of file activity throughout the organization.

This article does not apply to the Incydr Professional, Enterprise, Horizon, and Gov F2 product plans. For these plans, see the Endpoint data collection reference guide.


To enable endpoint monitoring and file metadata collection:


Step 1: Lock archive encryption key settings

Endpoint monitoring and file metadata collection require standard archive encryption. Before enabling these settings, lock the Archive Encryption Key setting to prevent users or administrators from changing it later.

Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.
  1. Sign in to the Code42 console.
  2. Go to Administration > Environment > Organizations.
  3. Select an organization.
  4. From the action menu, select Device Backup Defaults.
  5. In the General section, deselect Use device defaults from parent.
  6. Select the Security tab.
  7. In the Archive Encryption Key section:
    1. Deselect Use default archive encryption key setting.
    2. Verify that Standard is selected.
    3. Click the Lock icon to prevent users from changing this setting.
    4. Review the confirmation message and click OK.
  8. Click Save.

Step 2: Enable endpoint monitoring and file metadata collection

Start with a test organization
Enable these settings in a small, test organization first. This helps ensure that user devices and activity monitoring and reporting are performing as expected. Once you see the desired results with a small number of users, then enable endpoint monitoring and file metadata collection for additional organizations.

If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.
  1. Sign in to the Code42 console as a user with either the Cross Org Admin or Org Admin role.
  2. Select Administration > Environment > Organizations.
  3. Select an organization.
  4. From the action menu, select Edit.
  5. Select Endpoint Monitoring.
  6. Deselect Inherit settings from parent, if necessary.
  7. Select Enable endpoint monitoring.
  8. Select all detection types. For more details, see Endpoint Monitoring settings reference.
    • Removable media: Monitors file activity on removable media, such as USB drives or SD cards.
    • Cloud Sync Applications: Monitors file activity in folders on the device used for syncing with cloud services.
    • Browser and other Application Activity: Identifies files opened in apps commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
      Code42 requires macOS permissions to detect file upload destinations 
      If you enable Browser and other Application Activity detection, you must take action to grant Code42 permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in macOS permissions for the insider risk agent.
    • Printers: Identifies files sent to printers. Mac and Linux only.
    • File Metadata Collection: Provides visibility into all file activity by collecting detailed metadata for all files on user devices, and in supported cloud services and email providers.
  9. Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.
Incydr displays data for users in all organizations
Visibility of activity captured by Incydr is not limited by your Code42 organization hierarchy.

Code42 organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as the Risk Exposure dashboard, Alerts, and Forensic Search) can view insider risk data for users in all organizations.

Organization Settings Endpoint Monitoring

Next steps

Review file activity

Code42 Incydr provides a variety of tools to review file activity, including dashboards, user profiles, alerts, detection lists, and advanced ad-hoc search capabilities. For more details about these tools, see our guides for capturing and reviewing suspicious activity.

Add cloud and email data connections (optional)

If your product plan includes additional cloud or email data sources (for example, Google Drive, Microsoft OneDrive, Gmail, or Microsoft Office 365 email), you must authorize Code42 to access this data. For instructions, see Introduction to adding data connections.

Advanced configuration steps

Advanced settings
The steps below are required to capture file active on removable drives. If you want to configure any of these items to override the Code42 defaults, click the + icon next to each step for detailed instructions.

Enable automatic file scan for removable media

Exclude paths from monitoring

Enable automatic file scanning of all cloud folder contents

Related topics

  • Was this article helpful?