Overview
Configure deployment packages that install Code42 agents on your users' devices according to your specifications. Integrate your apps with SSO, for example, and install silently, without user intervention. This article describes each element of the Deployment Policies interface.
Considerations
This article assumes you understand the introduction to deployment provided by the article Deploy Code42 agents.
- To use these deployment tools, you need to sign in to your Code42 console as a user with the Security Administrator role.
- In the Code42 federal environment, app installations must be deployed with a deployment policy to ensure the use of FIPS encryption in the Code42 agent. Users cannot download the installation package from the Code42 console or an email message.
- Do not restore Code42 application files backed up from one device as a means to install the insider risk agent on a different device. Application files are unique to each device and cannot be transferred to a new device.
Insider risk agent
Deployment policies
To view and manage deployment policies:
- Sign in to the Code42 console.
- Select Administration > Agent Management > Deployment.
If your Code42 environment does not yet have any deployment policies, you see the option to Create deployment policy. If your environment already has one or more policies, you see the deployment policies list.
| Item | Description | |
|---|---|---|
| a | Create deployment policy | Open the interface for defining a new insider risk agent deployment policy. |
| b | Name | The name of the policy. |
| c | Created | The date the policy was created and the username of the administrator who created the policy. |
| d | Registration organization |
Insider risk agents deployed with this policy register with this organization. The organization determines the authentication method and optional proxy address for the policy. If you deactivate an organization, the associated policy will not work. |
| e | Organization Status | The status of the registration organization. |
| f |
View details |
Allows you to view and change details of the policy. |
Policy details
In the deployment policies list, click View details to see details about the policy.
| Item | Description | |
|---|---|---|
| a | Policy name | The name of the policy. |
| b | Delete | Removes the policy from your Code42 environment. Insider risk agents deployed to use that policy, but not yet run and installed, will fail to install. |
| c | Edit |
Change details of the policy. |
| d | Details | The details of the policy. |
| e | Scripts | The user detection scripts for the policy. |
| f | Registration organization |
Insider risk agents deployed with this policy register with this organization. If your custom script specifies a value for The organization determines the authentication method and optional proxy address for the policy. |
| g | Created and Last modified dates | The dates the policy was created and last saved. |
| h | Configured operating systems | The operating systems the policy is configured for (Windows, Mac, or Linux). |
| i | Use organization's proxy URL | Specifies whether agents should use a proxy URL to connect to the Code42 cloud. |
| j | Deployment properties |
Use these strings as arguments to a command that installs an insider risk agent:
Click the links to download or copy the properties. For more information about the DEPLOYMENT_URL and DEPLOYMENT_POLICY_TOKEN, see Deployment script and command reference for the insider risk agent. |
| k | Command-line arguments | These strings provide arguments for a command that installs an insider risk agent. Use them in your device management tool or installation scripts. See Deployment script and command reference for the insider risk agent for more details. |
Scripts
In the policy details view, click the Scripts tab. To update the scripts, click Edit.
For information about user detection scripts, see Deployment script and command reference for the insider risk agent.
Deploying both the insider risk and backup agents to a single device requires:
- Two code42.deployment.properties files (the deployment policy contains separate properties for each agent type).
- A single user detection script. Only use the user detection script for the backup agent; it also detects the user for the insider risk agent. If you use the detection script for the insider risk agent, the backup agent will not be able to register.
Create or edit deployment policy
In the Deployment policies view, select Create deployment policy, or in the policy details click Edit.
| Item | Description | |
|---|---|---|
| a | Deployment policy name | Enter a name to describe and identify this policy. |
| b | Registration organization |
Select the organization to use this deployment policy. Users register according to the authentication method and directory services configured for their organization. If an organization already has another deployment policy, it is excluded from the dropdown list. Choose a different organization, or edit the existing policy for that organization. If your custom script specifies a value for |
| c | User detection scripts |
Select all operating systems you want to use in your deployment policy, and then enter the custom user detection scripts you want to use for each. Your custom script defines how the username and the user's organization are determined. A summary of script requirements is listed below, but for complete details about customizing scripts, see Deployment script and command reference for the insider risk agent. All custom scripts must end by writing the echo C42_USERNAME=<value> echo C42_ORG_REG_KEY=<value>
|
| d | Do your clients need a proxy URL to connect to the Code42 cloud? |
|
Deployment secrets
In the deployment policies view, click Deployment secrets to see available secrets.
Deployment Secrets are used in the policy details to authorize the agent and limit the time in which an agent can register. Every deployment policy must have a deployment secret. A deployment secret can be used by any deployment policy for any organization in the tenant.
Deployment secrets expire after a set amount of time to ensure ongoing security. By default, deployment secrets expire after one year. If a secret expires, you can extend it to reactivate it.
Before the end of the one-year period, extend the secret to authorize its use for another year. If a deployment secret expires, deployments using that secret fail until the secret is extended.
You can disable a deployment policy at any time by revoking the deployment secret. The policy definition remains intact, but insider risk agents actively making requests for this policy can no longer use the policy. To re-enable the policy, extend the secret.
| Item | Description | |
|---|---|---|
| a | Active | Select to show active secrets that can be used in deployment policies. |
| b | Expired |
Select to view secrets that have passed their expiration date or have been revoked. When viewing expired secrets, click Reactivate to reinstate the secret. |
| c | Create deployment secret | Create a new secret that can be used in deployment policies. By default, newly-created secrets do not expire for one year. |
| d | Secret |
The secret's unique string. Secrets appear in the policy's details. A deployment token must always be presented with a secret in the deployment policy. |
| e | Expiration date (UTC) | The date the secret is no longer valid to authorize an agent installation. The time is based on the device’s system clock and reported in Coordinated Universal Time (UTC). |
| f | Extend | Lengthen the amount of time that the secret is active by a year. |
| g | Revoke | Nullify the secret. Revoking the secret prevents registration for clients deployed with the secret that have not yet connected to the Code42 cloud. Clients already registered with the secret are not affected. To re-enable the policy, extend the secret. |
Uninstall secrets
Requires insider risk agent version 1.10.0 or later. Windows and Mac devices only.
Uninstall secrets prevent unauthorized users from removing the insider risk agent by requiring a code to uninstall. Maintaining better control over who can uninstall the agent helps keep your data more secure by ensuring the insider risk agent continues running on user devices.
To view and manage uninstall secrets:
- Sign in to the Code42 console as a user with the Custom Cloud Admin or Security Administrator role.
- Select Administration > Agent Management > Deployment.
- Select the Uninstall secrets tab.
Considerations
- Active secrets are valid for all devices in your organization.
- To facilitate secret rotation, you can create multiple secrets with varying expiration dates.
- Agents requiring an uninstall secret can only be uninstalled via the command line. The secret must be included as a parameter in the uninstall command.
- To uninstall the agent with a secret listed on the Deployment > Uninstall secrets tab, the device must be online and able to connect to the Code42 cloud. To uninstall the agent from an offline device, use a temporary Agent secret instead.
- To help an end user uninstall the agent from a single device (while troubleshooting, for example), use a device-specific Agent secret. Unlike the organization-wide secrets listed on this screen, agent secrets are only valid for 6 hours and are unique to each device.
- Uninstall secrets prevent local admin users from uninstalling the agent. The insider risk agent runs as a system process, so users without local admin permissions cannot uninstall the agent even if uninstall secrets are disabled.
| Item | Description | |
|---|---|---|
| a | Active | Shows active secrets available to uninstall the insider risk agent. Any active secrect can be used to uninstall any agent from any device. |
| b | Expired |
Shows secrets that:
Click Reactivate to reinstate the secret. |
| c | Settings |
Provides options to:
|
| d | Create uninstall secret | Create a new secret that can be used to uninstall the agent. |
| e | Secret |
The secret's unique string. Click Show to view the entire string. Click the copy icon |
| f | Expiration date (UTC) | After this date, the secret cannot be used to uninstall an agent. The time is reported in Coordinated Universal Time (UTC). |
| g | Extend | Extend the secret's expiration date. By default, secrets are extended for 6 months. If you set a custom Uninstall secret lifespan, the secret is extended by your chosen custom value. |
| h | Revoke | Deactivate the secret. Revoking the secret prevents it from being used to authorize uninstallation of the agent. To re-enable the secret, click Extend. |
Code42 backup and legacy agent
Legacy agent end-of-life
On April 10, 2024, the Code42 legacy agent reached end-of-life. Devices with the legacy agent are no longer backing up, and Incydr monitoring has stopped. See our FAQ for steps to upgrade to a supported agent.
Deployment policies
To view and manage deployment policies:
- Sign in to the Code42 console.
- Select Administration > Agent Management > Deployment.
If your Code42 environment does not yet have any deployment policies, you see the option to Create New Deployment Policy. If your environment already has one or more policies, you see the Deployment Policies list.
| Item | Description | |
|---|---|---|
| a | Create deployment policy | Define a new Code42 agent deployment policy. |
| b | Name | The name of the policy. Click to see policy details. |
| c | Created | The date the policy was created and the username of the administrator who created the policy. |
| d | Registration organization |
Code42 agents deployed with this policy register with this organization. The organization determines the authentication method and optional proxy address for the policy. If you deactivate an organization, the associated policy will not work. |
| e | Organization Status | The status of the registration organization. |
| f |
View details |
Allows you to view and change details of the policy. |
Policy details
In the Deployment Policies list, click a policy name to see details about the policy, then select the Backup agent or Legacy agent tab. For details about the Insider risk agent tab, see Insider risk agent above.
| Item | Description | |
|---|---|---|
| a | Policy name | The name of the policy. |
| b | Delete | Deletes the policy. Any Code42 agents deployed with this policy that have not yet completed installation will fail to install. |
| c | Edit Policy |
Change details of the policy. |
| d | Details | The details of the deployment policy. |
| e | Scripts | The user detection scripts for the policy. |
| f | Registration organization |
Code42 agents deployed with this policy register with this organization. If your custom script specifies a value for The organization determines the authentication method and optional proxy address for the policy. |
| g | Authentication |
The method the registration organization uses to validate the usernames and passwords entered by users in the Code42 agent.
|
| h | Auto Register Users |
|
| i |
Created and Last modified dates |
The dates the policy was created and last saved. |
| j | Configured operating systems | The operating systems the policy is configured for (Windows, Mac, or Linux). |
| k | Launch desktop app after install |
|
| l | Use organization's proxy URL |
|
| m | Installation properties | These strings provide arguments for a command that installs a Code42 agent. Use them in your device management tool or installation scripts. See Deployment script and command reference for the backup and legacy agents for more details. |
| n | Generate new token |
Give the policy a new identifier string.
|
Create or edit deployment policy
In the Deployment Policy view, select Create New Policy or Edit Policy.
| Item | Description | |
|---|---|---|
| a | Deployment policy name | Enter a name to describe and identify this policy. |
| b | Registration organization |
Determines the user's organization. If your custom script specifies a value for Users register according to the authentication method and directory services configured for their organization. If an organization already has another deployment policy, it is dimmed in the dropdown and cannot be selected. Choose a different organization, or edit the existing policy for that organization. |
| c | Do you want to automatically register users? |
|
|
d |
User detection scripts |
Select all operating systems you want to use in your deployment policy, then enter the custom user detection scripts you want to use for each. Your custom script defines how the username, user home directory, and the user's organization are determined. A summary of script requirements is listed below, but for complete details about customizing scripts, see Deployment script and command reference for the backup and legacy agents. All custom scripts must end by writing the echo C42_USERNAME=<value> echo C42_USER_HOME=<value> echo C42_ORG_REG_KEY=<value>
Require users to manually enter their usernames
The main purpose of selecting operating systems in this section is to generate the appropriate scripts to automatically detect the username during Code42 agent installation. To require users to manually enter their usernames, do not select any operating systems. By leaving all operating systems blank, a deployment policy is still created, but there is no user detection script. As a result, users must enter their usernames to complete the installation process on their device. The server address is still automatically populated for users by the deployment policy. |
| e | Do your clients need a proxy URL to connect to the Code42 cloud? |
|
| h | Launch desktop app after initial install? |
|
Authentication mismatch
Mismatches occur when you:
- Define an organization to use SSO authentication.
- Assign that organization a deployment policy with auto-registration.
- Edit the organization to use local authentication.
The policy becomes invalid because the organization can no longer support auto-registration.
The solution is to reconfigure the organization or edit the policy.