Applies to: Incydr Basic, Advanced, and Gov F1.
Does not apply to: Instructor; Incydr Professional, Enterprise, Horizon, and Gov F2.

Identify and resolve device issues in the Code42 console

Overview

A healthy Code42 environment is one that actively collects file activity from active endpoints or data connectors and reports it in the Code42 console for review and investigation in Forensic Search, on dashboards, and in Alerts. There are several tools available to help you identify devices that may need attention. This article describes how you can use these tools to identify and resolve issues to maintain and improve your Code42 environment health.

For information on monitoring and resolving issues for Incydr Professional, Enterprise, Horizon, and Gov F2, see Monitor and improve Incydr environment health.

Environment health monitoring tools

Risk Exposure dashboard

After you log in to the Code42 console, Code42 immediately opens the Risk Exposure dashboard. The Risk Exposure dashboard shows you file activity that Code42 has detected occurring outside of your trusted domains, and gives you a "one-stop shop" to identify unusual activity that may need further investigation. From the Risk Exposure dashboard, you can drill down into more details about the users, devices, and destinations involved in this activity.

Users and Devices

Both the Users list and Devices list allow you to quickly view either active or deactivated users and devices: just click the appropriate tab. You can use this information to determine whether a user or device should be deactivated because that user is no longer with your organization or that device has been replaced.

Users and devices involved in legal holds cannot be deactivated
Users that are custodians of a legal hold (and their associated devices) cannot be deactivated in the Code42 console. These users and devices are included in active totals, even if those users are no longer with your organization.

Work with your Legal department to identify users that are involved in a legal hold, and remember to account for these users and their devices when reviewing the totals in active users and devices lists.

The User details screen lists all devices associated with a user. Click a device name to open the Device details screen for that device. The device details and user details Preservation tab display a progress bar that indicates the health of that device:

  • Green: The device has sent data to the Code42 cloud within the past three days.
  • Yellow: Indicates a warning state: the device hasn't sent any new data to the Code42 cloud for three days or more (but fewer than seven).
  • Red: Indicates a critical state: the device hasn't sent any new data to the Code42 cloud for seven days or longer.

In addition, statistics displayed throughout the Code42 console can help you identify devices that may need attention:

  • In the Devices list, the Last Backup Activity column displays the amount of time that has elapsed since the device last sent data to Code42.
  • On the Device details screen, Authority Connection indicates whether the device is Online (and authenticated with the Code42 cloud) or Offline. Offline does not necessarily indicate a problem with that device as users may be on vacation or extended leave and not actively using it.
  • On the Device details screen, Last Activity displays the time elapsed since the device last sent backup data to Code42. If there hasn't been activity for multiple days:
    • Verify that the computer has been turned on and connected to the Internet.
    • Access the client device to verify that it’s connected to the Code42 cloud and is operational.
    • Run a network connection test over port 4287 to the destination's IP address to verify connectivity.
  • On the Device details screen, Completed represents the time elapsed since the device last reached 100% backed up. If the last 100% backup happened many days or weeks ago, the device is likely still sending new files, but a small number of files may be locked and preventing the backup from completing. To troubleshoot these situations, follow these articles:

Devices with multiple backup sets
If a device has multiple backup sets backing up to the same destination, the backup progress and statistics indicate the combined status of all backup sets. (Devices using Code42 agent 10.x and earlier only report the status of the backup set with the most recent activity.)

Endpoint dashboard

The Endpoint dashboard (available for Incydr Advanced only) helps you identify device issues by showing endpoint activity throughout your entire Code42 environment, including endpoints that aren't reporting security events.

Device Status report

Use the Device Status report to gather information about the devices in your Code42 environment. You can use this report to:

  • Identify devices with abnormally small archives (such as 10 MB or less), which may indicate installation or deployment errors that prevent those devices from sending data to the Code42 cloud.
  • Verify the version of the Code42 agent installed on devices to determine which may need to be upgraded.
  • List devices by the date and time they last sent data to the Code42 cloud. This can help you identify those that have not connected in some time.
  • List devices by the date and time they last completed a backup. This can help you identify devices with locked files or other issues that are preventing backup.

For more information, see Device status report use cases.
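The device health states, the Last Activity and Completed checks, and the Device Status report criteria above (small archives, outdated agents) are easy to apply mechanically to an exported device list. The following is an added example, not Code42's own code or API: the 3-day and 7-day thresholds, the 10 MB archive floor and port 4287 come from this article, while the record field names, the "current agent version" value and the sample export are assumptions constructed for illustration.

```python
"""Triage Code42 device records against the thresholds this article describes.

Added example, not Code42's own code or API. The thresholds (3-day warning,
7-day critical, ~10 MB archive floor, port 4287) come from the article; the
record field names, the current-agent value and SAMPLE_EXPORT are assumptions.
"""
from __future__ import annotations

import json
import socket
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

WARNING_DAYS = 3                        # yellow: no new data for 3+ days
CRITICAL_DAYS = 7                       # red: no new data for 7+ days
MIN_ARCHIVE_BYTES = 10 * 1024 * 1024    # archives under ~10 MB suggest a failed deployment
CLIENT_PORT = 4287                      # port the agent uses to reach the Code42 cloud

# Constructed sample export (field names are assumptions for this example).
SAMPLE_EXPORT = """[
 {"name": "LAPTOP-A", "lastActivity": "2024-05-10T08:00:00Z", "lastCompleted": "2024-04-01T00:00:00Z",
  "archiveBytes": 52428800000, "agentVersion": "11.2.0"},
 {"name": "LAPTOP-B", "lastActivity": "2024-05-06T12:00:00Z", "lastCompleted": "2024-05-06T11:00:00Z",
  "archiveBytes": 7516192768, "agentVersion": "11.2.0"},
 {"name": "LAPTOP-C", "lastActivity": "2024-04-20T00:00:00Z", "lastCompleted": null,
  "archiveBytes": 1048576, "agentVersion": "10.4.1"},
 {"name": "LAPTOP-D", "lastActivity": null, "lastCompleted": null,
  "archiveBytes": 0, "agentVersion": "11.2.0"}
]"""
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)   # fixed clock so the run is reproducible


def load_export(text: str) -> list[dict]:
    """Load a JSON device export (for example, one saved from a CLI or API query)."""
    return json.loads(text)


def parse_ts(value: str | None) -> datetime | None:
    """Parse an ISO-8601 UTC timestamp; None/empty means the device never reported."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def health(last_activity: datetime | None, now: datetime) -> str:
    """Map the age of the last activity to the console's green/yellow/red state."""
    if last_activity is None:
        return "red"
    age = now - last_activity
    if age >= timedelta(days=CRITICAL_DAYS):
        return "red"
    if age >= timedelta(days=WARNING_DAYS):
        return "yellow"
    return "green"


@dataclass
class Finding:
    name: str
    health: str
    issues: list[str] = field(default_factory=list)


def triage(records: list[dict], now: datetime, current_agent: str) -> list[Finding]:
    """Apply each check the article describes and collect the reasons a device needs attention."""
    findings = []
    for rec in records:
        last = parse_ts(rec.get("lastActivity"))
        completed = parse_ts(rec.get("lastCompleted"))
        f = Finding(rec["name"], health(last, now))
        if f.health != "green":
            f.issues.append(f"no new data for {(now - last).days} days" if last else "never sent data")
        if rec.get("archiveBytes", 0) < MIN_ARCHIVE_BYTES:
            f.issues.append("archive under 10 MB: check installation/deployment")
        if rec.get("agentVersion") != current_agent:
            f.issues.append(f"agent {rec.get('agentVersion')} is not current ({current_agent})")
        # Still sending data, but the last 100% backup is old: a few locked files are the usual cause.
        if last and completed and last > completed and now - completed >= timedelta(days=CRITICAL_DAYS):
            f.issues.append(f"last 100% backup {(now - completed).days} days ago: check for locked files")
        findings.append(f)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count devices per health state, the view the dashboards give you."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for f in findings:
        counts[f.health] += 1
    return counts


def tcp_reachable(host: str, port: int = CLIENT_PORT, timeout: float = 3.0) -> bool:
    """The article's 'network connection test over port 4287', run from the device being checked.
    Needs network access, so the offline run below does not call it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    results = triage(load_export(SAMPLE_EXPORT), NOW, current_agent="11.2.0")
    print(summarize(results))
    for f in results:
        if f.issues:
            print(f"{f.name:10} {f.health:6} " + "; ".join(f.issues))
```

Run against the constructed export, LAPTOP-A is green but flagged for a stale 100% backup (locked files), LAPTOP-B is yellow after exactly four days, and LAPTOP-C and LAPTOP-D are red with the small-archive and old-agent findings layered on top. Feed the red list to `tcp_reachable` from the affected endpoint to separate "device is off" from "port 4287 is blocked".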

Email warnings

The Code42 cloud sends warning emails if a device hasn't sent data to any backup destination for a set number of days. By default, a warning message is sent after three days and a critical message after five days. Either email indicates that further investigation is needed.

You can configure the number of days that trigger either warning or critical emails in the organization Reporting settings.

Data Connections status

Data Connections allow you to monitor file movement and sharing in your corporate cloud storage environments (like Box, Google Drive, or Microsoft OneDrive) as well as monitor files emailed as attachments in your corporate email service (such as Gmail or Microsoft Office 365 email). 

If you have authorized a Code42 data connection, you can quickly view its status in the Data Connections table. A connection in an Error state indicates that the connection may not be collecting file activity, which means you might have a blind spot. See one of these articles for more information on troubleshooting data connection errors:

Code42 API

The APIs available in the Code42 Developer Portal give you comprehensive access to information about your environment. You can use them to query for details about users and devices, to integrate with other systems and monitoring tools you use, or to automate tasks or responses. Pay special attention to the following APIs:

  • Device: List all devices in your environment sorted by the date and time they last connected to the Code42 cloud.

  • User: Identify the users in your environment who are active, inactive, or blocked, and list all of the devices owned by specific users.

  • File Events: Determine whether devices are reporting file activity to Code42 and when that activity was recorded.

  • Legal Hold and Cases: Identify the users who are associated with active investigations and gather information about the file events involved. From this information, you can identify devices that may need to be preserved until the investigation completes. 

Code42 CLI

The Code42 command-line interface tool gives the same access to data as the Code42 API, but lets you interact with your Code42 environment without using the Code42 console or making API calls directly. For example, you can use it to extract data for use in a security information and event management (SIEM) tool to visualize and automate environment monitoring. Lists generated from CLI commands can also be saved to CSV or JSON formats for use with other applications.

These Code42 CLI commands are the most useful for identifying environment health issues:

  • Legal Hold and Cases: Identify the users who are associated with active investigations and gather information about the file events involved. From this information, you can identify devices that may need to be preserved until the investigation completes.

Code42 Insider Threat app for Splunk

If you use Splunk, the Code42 Insider Threat app for Splunk adds Code42-specific dashboards to Splunk Enterprise or Splunk Cloud that show activity happening across your Code42 environment. You can also ingest audit log and device health data from Code42 to determine when devices last connected to the Code42 cloud or reported file activity. You can then use this information to diagnose connection issues or clean up your environment by deactivating unneeded users or devices.

Actions to improve environment health

Ensure devices are up-to-date

When a device is running an outdated version of the Code42 agent, it may not be reporting all file activity efficiently (or may not be reporting activity for new exfiltration vectors and destinations at all), which may represent a weakness in your insider risk strategy. Use the tools in the Code42 console, Code42 API, or Code42 CLI to identify devices that aren't running the current version of the Code42 agent.

To troubleshoot device updates:

  • Verify that those devices are still in use and can connect to the Code42 cloud. Deactivate devices that are no longer used to connect to Code42.
  • Verify that devices are using current deployment policy properties, scripts, and tokens. If the Code42 agent is deployed to a device with incorrect properties, initial installation may not have completed successfully (and thus, subsequent upgrades cannot complete either). Ensure that the scripts used to associate a username with a device are correct and use the appropriate commands and arguments for the operating system. Generate a new token as needed. 
  • If needed, uninstall and reinstall the Code42 agent to resolve issues with upgrading.

Troubleshoot connection issues

If a user's device is unable to connect to the Code42 cloud, Code42 cannot accurately report security events, file activity, or statistics regarding backup completions occurring on that endpoint.

Causes

The most common reasons that a device cannot connect to the Code42 cloud include:

  • The user is on extended leave, and their endpoint is powered off or not actively in use.
  • The user has left the organization but has not been deactivated.
  • The user has received a new device and no longer needs to use the previous endpoint.
  • Other applications installed on the device are interfering with connectivity.
  • Communication between the Code42 agent installed on the device and the Code42 cloud is blocked.
  • The user has uninstalled the Code42 agent or has stopped the Code42 service.
  • An administrator is using deep packet inspection to examine traffic from devices to the Code42 cloud.
  • Mac devices don't have full disk access, or the .mobileconfig file deployed to the device isn't set up correctly.

Solutions

To resolve device connectivity issues, take the following actions:

Troubleshoot backup issues

Even though an endpoint may be able to connect to the Code42 cloud, it may not be able to successfully complete a backup.

Causes

The most common reasons that a device cannot complete a backup include the following:

  • The file selection is incorrect.
    • The file selection may include files that are constantly changing (such as log files).
    • The file selection may include temporary files that no longer exist at the next backup session.
  • Files are locked, or the Code42 agent doesn't have the correct permissions to back up those files.
  • Users may have paused backups.
  • If CPU throttling is restricted, the Code42 agent may not have the CPU resources required to complete a backup.
  • If network throttling is restricted (either in the Code42 agent or by your organization's network settings), the Code42 agent may not have enough bandwidth to send the backup data.
  • The frequency between backup sessions is too short when compared to the size of the backup set, making the Code42 agent unable to complete a backup before the next backup begins.

Solutions

To resolve device backup issues, take these actions:

Resolve devices with invalid archives

Generally, a device demonstrates that it can successfully connect to and send data to the Code42 cloud when it has an archive that is larger than 10 MB. Devices with archives smaller than 10 MB likely have issues that need attention.

Use the Device Status report to list devices with archives smaller than 10 MB for investigation.

Deactivate unneeded users and unused devices

An unmanaged environment can include any number of users who are no longer with the organization or devices that are no longer used to connect to Code42. These unneeded users and unused devices pose risks to your organization's insider risk strategy:

  • Unnecessary data may violate your organization's data retention policies.
  • They delay investigations by making it difficult to understand which questions need to be answered.
  • It's difficult to diagnose which users or devices are involved in risky activity, resulting in unfocused investigations and unclear outcomes.
  • They cause processing delays and inefficiencies.

An accurate user and device inventory allows you to act with intention and clarity to secure your valuable business data. To identify users and devices that are no longer needed in Code42:

  • Work with your Human Resources department to list users that are no longer with your organization. You can also use the Code42 API to develop a list of users who do not have any associated devices, but keep in mind that some of these users may be administrators, security analysts, or other valid users of Code42 that may not have an associated device that's being monitored.
  • Work with your Legal department to identify users or devices that are currently under investigation and should not be deactivated in Code42. You can also use the Code42 API or Code42 CLI to list legal holds or cases under investigation in your organization that are associated with users and devices. Remember that users and devices involved in legal holds cannot be deactivated and still contribute to active user and device totals.
  • Secure your environment by deactivating unneeded users and devices in Code42.
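The three review steps above are a join of four lists: your user export, your device export, the HR leavers list and the Legal department's custodian list. The following is an added example, not Code42's own code or API, that performs that join offline and separates what you can deactivate from what you cannot: the record shapes, the 90-day "replaced device" threshold, the admin-role heuristic and all sample data are assumptions constructed for illustration.

```python
"""Build a deactivation worklist from user, device, HR-leaver and legal-hold data.

Added example, not Code42's own code or API. It implements the article's review
steps (HR leavers, legal-hold custodians who cannot be deactivated, users with no
devices, replaced devices). Record shapes, REPLACED_AFTER, ADMIN_ROLE_HINT and the
sample data are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
REPLACED_AFTER = timedelta(days=90)   # assumption: an idle device whose owner has a newer one was replaced
ADMIN_ROLE_HINT = "Admin"             # assumption: console-only users carry a role containing this word

# Constructed sample data. Field names are assumptions for this example.
USERS = [
    {"username": "alice@example.com", "active": True,  "roles": ["User"]},
    {"username": "bob@example.com",   "active": True,  "roles": ["User"]},
    {"username": "carol@example.com", "active": True,  "roles": ["User"]},
    {"username": "dave@example.com",  "active": True,  "roles": ["Customer Cloud Admin"]},
    {"username": "erin@example.com",  "active": True,  "roles": ["User"]},
    {"username": "frank@example.com", "active": False, "roles": ["User"]},
]
DEVICES = [
    {"name": "ALICE-OLD",    "username": "alice@example.com", "active": True,  "lastConnected": "2024-01-05T09:00:00Z"},
    {"name": "ALICE-NEW",    "username": "alice@example.com", "active": True,  "lastConnected": "2024-05-09T17:30:00Z"},
    {"name": "BOB-LAPTOP",   "username": "bob@example.com",   "active": True,  "lastConnected": "2024-03-28T08:00:00Z"},
    {"name": "CAROL-LAPTOP", "username": "carol@example.com", "active": True,  "lastConnected": "2024-02-14T08:00:00Z"},
    {"name": "FRANK-OLD",    "username": "frank@example.com", "active": False, "lastConnected": None},
]
HR_LEAVERS = {"bob@example.com", "carol@example.com", "frank@example.com"}   # from Human Resources
LEGAL_HOLD_CUSTODIANS = {"carol@example.com"}                               # from Legal / legal-hold listing


def parse_ts(value: str | None) -> datetime:
    """ISO-8601 UTC timestamp; a device that never connected sorts as oldest."""
    if not value:
        return datetime(1970, 1, 1, tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_inventory(users, devices, hr_leavers, custodians, now=NOW) -> dict[str, set[str]]:
    """Return the users and devices to deactivate, plus the ones that need a human decision."""
    active_users = {u["username"] for u in users if u["active"]}
    devices_by_user: dict[str, list[dict]] = {}
    for d in devices:
        if d["active"]:
            devices_by_user.setdefault(d["username"], []).append(d)

    leavers = active_users & set(hr_leavers)
    # Custodians of a legal hold cannot be deactivated and stay in the active totals.
    legal_hold_blocked = leavers & set(custodians)
    deactivate_users = leavers - legal_hold_blocked

    # Active users with no monitored device are worth a look, but admins and analysts
    # legitimately have none, so they are excluded rather than queued for deactivation.
    no_device_review = {
        u["username"] for u in users
        if u["active"] and u["username"] not in devices_by_user
        and u["username"] not in leavers
        and not any(ADMIN_ROLE_HINT in role for role in u["roles"])
    }

    deactivate_devices: set[str] = set()
    for user, devs in devices_by_user.items():
        if user in deactivate_users:
            deactivate_devices.update(d["name"] for d in devs)   # leaver's endpoints go with the user
            continue
        if user in legal_hold_blocked:
            continue                                             # held: leave devices alone too
        newest = max(parse_ts(d["lastConnected"]) for d in devs)
        for d in devs:
            seen = parse_ts(d["lastConnected"])
            if seen < newest and now - seen >= REPLACED_AFTER:
                deactivate_devices.add(d["name"])                # older endpoint superseded by a newer one

    return {
        "deactivate_users": deactivate_users,
        "legal_hold_blocked": legal_hold_blocked,
        "no_device_review": no_device_review,
        "deactivate_devices": deactivate_devices,
    }


if __name__ == "__main__":
    for bucket, names in review_inventory(USERS, DEVICES, HR_LEAVERS, LEGAL_HOLD_CUSTODIANS).items():
        print(f"{bucket}: {sorted(names)}")
```

On the sample data, bob and his laptop are queued for deactivation, carol is reported as blocked by the legal hold (she still counts toward the active totals), erin is listed for review because she has no device, dave is skipped as an administrator, and alice's old endpoint is flagged as replaced because a newer one of hers has connected since. Re-run with the custodian set emptied once Legal releases the hold and carol moves into the deactivation list.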

Additional resources

Code42 has a number of additional resources available to help you get the most value from your Code42 environment while securing your organization's vital data.

  • Use the tools in our customer toolkit to get up and running quickly and discover how to optimize Code42 to elevate your security and insider risk programs.
  • Consult with our Professional Services team for help with deploying Code42 across your organization and integrating with tools you already use.
  • Engage one of our Technical Account Managers (TAMs) to gain extensive insights about the health of your environment and fully leverage all Code42 features, customized for your organization. (TAM services may already be included in your support plan.)
  • Visit the Code42 University to access on-demand and instructor training to learn how to get the most value from your Code42 security monitoring. Classes are available to help you develop an insider risk program; practice configuration, administration, and workflow tasks; and workshop Code42 CLI skills to integrate with other security tools you already use. 

Contact your Customer Success Manager (CSM) for more information about how to access these resources. If you do not know your CSM, please contact our Technical Support Engineers.
