Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, no.

Code42 Support

Monitor and improve Incydr environment health


A healthy Code42 environment is one that actively collects file activity from active endpoints or data connectors and reports it in the Code42 console for review and investigation in Forensic Search, on dashboards, and in Alerts. This article helps you identify and resolve issues to maintain and improve your Incydr Professional, Enterprise, Horizon, and Gov F2 environment health.

For information on monitoring and resolving issues for Incydr Basic, Advanced, and Gov F1, see Identify and resolve device issues in the Code42 console.

Environment monitoring tools

Risk Exposure dashboard

After you log in to the Code42 console, Code42 immediately opens the Risk Exposure dashboard. The Risk Exposure dashboard shows you file activity that Code42 has detected occurring outside of your trusted domains, and gives you a "one-stop shop" to identify unusual activity that may need further investigation. From the Risk Exposure dashboard, you can drill down into more details about the users, devices, and destinations involved in this activity.

Insider Risk Trends dashboard

The Insider Risk Trends dashboard shows how risk in your organization changes over time. The dashboard shows fluctuations in the number of users causing risky file events, the departments that cause the most untrusted events, the types of files involved in exfiltration events, and the vectors by which that untrusted activity occurs.

You can use these trends to identify where to focus controls, training, and engagement to improve your organization's risk profile. For more information, see View Insider Risk Trends for your organization.

User data sources

The Data Sources tab on the user details screen shows the devices associated with a user along with the date and time those devices last reported any activity to the Code42 cloud. Use this information to identify specific devices that may not have reported any activity within a given timeframe or that may need to be upgraded.

Device details

Clicking a device listed in the Devices table or on the user details Data Sources tab opens the details for that device. Two fields on the device details screen can help you identify devices that may have issues:

  • Agent version lists the version of the Code42 app installed on the device to help you identify devices that may need to be upgraded.
  • Last check-in shows the date and time the device last connected to the Code42 cloud. This can help you identify devices that haven't connected in some time and thus may not be reporting file activity or may need to be upgraded.

Data Connections status

Data Connections allow you to monitor file movement and sharing in your corporate cloud storage environments (like Box, Google Drive, or Microsoft OneDrive) as well as monitor files emailed as attachments in your corporate email service (such as Gmail or Microsoft Office 365 email). 

If you have authorized a Code42 data connection, you can quickly view its status in the Data Connections table. A connection in an Error state indicates that the connection may not be collecting file activity, which means you might have a blind spot. See one of these articles for more information on troubleshooting data connection errors:

Code42 API

The APIs available in the Code42 Developer Portal give you comprehensive access to information about your environment. You can use them to query for details about users and devices, to integrate with other systems and monitoring tools you use, or to automate tasks or responses. Pay special attention to the following APIs:

  • Device: List all devices in your environment sorted by the date and time they last connected to the Code42 cloud.

  • User: Identify the users in your environment who are active, inactive, or blocked, and can list all of the devices owned by specific users.

  • File Events: Determine whether devices are reporting file activity to Code42 and when that activity was recorded.

  • Cases: Identify the users who are associated with active investigations and gather information about the file events involved in the case. From this information, you can identify devices that may need to be preserved until the investigation completes. 

Code42 CLI

The Code42 command-line interface tool gives the same access to data as the Code42 API, but lets you interact with your Code42 environment without using the Code42 console or making API calls directly. For example, you can use it to extract data for use in a security information and event management (SIEM) tool to visualize and automate environment monitoring. Lists generated from CLI commands can also be saved to CSV or JSON formats for use with other applications.

These APIs in the Code42 CLI are the most useful for identifying environment health issues:

  • Cases: Identify the users who are associated with active investigations and gather information about the file events involved in the case. From this information, you can identify devices that may need to be preserved until the investigation completes.

Code42 Insider Threat app for Splunk

If you use Splunk, the Code42 Insider Threat app for Splunk adds Code42-specific dashboards to Splunk Enterprise or Splunk Cloud that show activity happening across your Code42 environment. You can also ingest audit log and device health data from Code42 to determine when devices last connected to the Code42 cloud or reported file activity. You can then use this information to diagnose connection issues or clean up your environment by deactivating unneeded users or devices.

Actions to improve environment health

Ensure devices are up-to-date

When a device is running an outdated version of the Code42 app, it may not be reporting all file activity efficiently (or may not be reporting activity for new exfiltration vectors and destinations at all), which may represent a weakness in your insider risk management strategy. Use the tools in the Code42 console, Code42 API, or Code42 CLI to identify devices that aren't running the current version of the Code42 app.

To troubleshoot device updates:

  • Verify that those devices are still in use and can connect to the Code42 cloud. Deactivate devices that are no longer used to connect to Code42.
  • Verify that devices are using current deployment policy properties, scripts, and secrets. If the Code42 app is deployed to a device with incorrect properties, initial installation may not have completed successfully (and thus, subsequent upgrades cannot complete either). Reactivate expired secrets or extend those that are about to expire as needed. 
  • If needed, uninstall and reinstall the Code42 app to resolve issues with upgrading.

Troubleshoot connection issues

If a device is unable to connect to the Code42 cloud, Code42 cannot accurately report security events or file activity occurring on that endpoint. Devices that are not connecting properly are also at risk of missing upgrades and may thus be running outdated versions of the Code42 app.


The most common reasons that a device cannot connect to the Code42 cloud include:

  • The user is on extended leave, and his or her endpoint is powered off or is not actively in use.
  • The user has left the organization but has not been deactivated.
  • The user has received a new device and no longer needs to use the previous endpoint.
  • Other applications installed on the device are interfering with connectivity.
  • Communication between the Code42 app installed on the device and the Code42 cloud is blocked.
  • An administrator is using deep packet inspection to examine traffic from devices to the Code42 cloud.
  • Mac devices don't have full disk access, or the .mobileconfig file deployed to the device isn't set up correctly.

To resolve device connectivity issues, take the following actions:

  • Use the Code42 console, Code42 API, or Code42 CLI to verify that endpoints are connecting to the Code42 cloud and reporting file events as they should.
  • Verify employee status with managers or your organization's Human Resources department.
  • Deactivate users that are no longer with your organization.
  • Deactivate devices that are no longer used to connect to Code42.
  • Verify that you have created exceptions for Code42 in any antivirus, security, or endpoint detection and response (EDR) applications your organization uses, and that those exception are valid and working correctly.
  • Verify that the IP addresses and ports used by Code42 are open and that there is no deep packet inspection on Code42 traffic on port 4287. Verify that network traffic settings are optimized for where your employees work.
  • Use Jamf's Privacy Preferences Policy Control (PPPC) Utility to create and deploy a .mobileconfig file to the Mac devices in your environment to grant these devices full disk access. When creating this file, verify that the settings are correct for your organization:
    • In Properties, all areas you want to monitor are selected.
    • In Apple Events, all web browsers you want to monitor for uploads are selected.
    • In System Extensions, the Code42 app team identifier and system extension are correct.

Deactivate unneeded users and unused devices

An unmanaged environment can include any number of users who are no longer with the organization or devices that are no longer used to connect to Code42. These unneeded users and unused devices pose risks to your organization's insider risk strategy:

  • Unnecessary data may violate your organization's data retention policies.
  • They delay investigations by making it difficult to understand which questions need to be answered.
  • It's difficult to diagnose which users or devices are involved in risky activity, resulting in unfocused investigations and unclear outcomes.
  • They cause processing delays and inefficiencies.

An accurate user and device inventory allows you to act with intention and clarity to secure your valuable business data. To identify users and devices that are no longer needed in Code42:

  • Work with your Human Resources department to list users that are no longer with your organization. You can also use the Code42 API to develop a list of users who do not have any associated devices, but keep in mind that some of these users may be administrators, security analysts, or other valid users of Code42 that may not have an associated device that's being monitored.
  • Work with your Legal department to identify users or devices that are currently under investigation and should not be deactivated in Code42. You can also use the Code42 API or Code42 CLI to list legal holds or cases under investigation in your organization that are associated with users and devices. Remember that users and devices involved in legal holds cannot be deactivated and still contribute to active user and device totals.
  • Secure your environment by deactivating unneeded users and devices in Code42.

Additional resources

Code42 has a number of additional resources available to help you get the most value from your Code42 environment while securing your organization's vital data.

  • Use the tools in our customer toolkit to get up and running quickly and discover how to optimize Code42 to elevate your security and insider risk programs.
  • Consult with our Professional Services team for help with deploying Code42 across your organization and integrating with tools you already use.
  • Engage one of our Technical Account Managers (TAMs) to gain extensive insights about the health of your environment and fully leverage all Code42 features, customized for your organization. (TAM services may already be included in your support plan.)
  • Visit the Code42 University to access on-demand and instructor training to learn how to get the most value from your Code42 security monitoring. Classes are available to help you develop an insider risk program; practice configuration, administration, and workflow tasks; and workshop Code42 CLI skills to integrate with other security tools you already use. 

Contact your Customer Success Manager (CSM) for more information about how to access these resources. If you do not know your CSM, please contact our Technical Support Engineers.

  • Was this article helpful?