The Monitoring Settings screen lets you create/edit monitoring profiles for users, computers, departments, and Active Directory groups and precisely control how much information will be collected for each monitored system (such as Websites, Apps, Emails, etc.). You can track as much or as little as you want based on your organization's needs and alleviate any privacy concerns.

Some use cases of using Monitoring Settings are:

1. Click the Gear icon near the top-right corner of the Teramind Dashboard.

2. Click Monitoring settings from the pop-up menu.

1. Click the NEW PROFILE button near the top-right corner of the main Monitoring Settings screen. A pop-up window will be displayed.

2. Give the profile a name.

3. Optionally, give it a description.

4. Click APPLY CHANGES. You will be taken to a different screen with a list of all monitoring features.

Note that, Teramind comes with some default settings for each of the monitored systems. You can change them according to your needs.

5. Click the EDIT PROFILE INFO button at the top-right corner to edit the profile's name and description.

6. Click the EDIT OBJECTS TO TRACK button at the top-right corner to add objects that will be tracked. This will open a pop-up window:

You can add Users, Computers, Departments, and Active Directory Groups to the profile. Note that a user can be a member of multiple profiles. In such cases, profile conflicts can arise. Please see the Addressing Profile Conflicts/Prioritization section below for more information.

7. Click the ADVANCED button to access advanced options (see the Advanced Monitoring Settings below for more information on advanced settings).

8. The Clock button allows you to apply a single monitoring schedule (date and time) to multiple monitored objects instead of setting them one by one. See the Monitoring Schedule section to learn more.

9. Click the YES/NO button in front of a monitored system to turn monitoring on or off for it.

10. Click the small Gear icon at the right side of an object to edit its settings. See the Editing the Settings for Monitored Systems section below to continue setting up individual monitoring objects).

A user can be a member of multiple profiles. For example, a user can be a member of the Marketing profile. They can also be a member of an AD group that's part of another profile.

When this happens, you will see an Exclamation button near the top-right corner of the Monitoring Settings screen. Clicking the button will show you the profile conflicts:

You can unassign the conflicting profile(s) to fix the conflicts. If you leave the conflicts, the monitoring will be prioritized as follows (a lower number means higher priority):

1. Click the ADVANCED button to change advanced settings. This will pop up a window:

2. FILE DRIVER: if disabled, the tmfsdrv2 service will be stopped on the users’ computers. As a result, the File Transfer report, Content Sharing Rules, Files-Based Activity, etc. will not work. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.

3. NETWORK DRIVER: if disabled, the tm_filter service will be stopped on the users’ computers and the proxy certificate will not be injected into the browsers. As a result, network-based activities will not be tracked and things like the IM report, Network-Based Rules, File Upload rules, etc. will not work. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.

4. DON'T TRACK DLP FOR PROCESSES: allows you to exclude certain process(es) from the DLP scanning (e.g., data discovery and classification) and DLP rules. For example, svchost.exe, System Idle Process, etc. Note that, this is different from disabling monitoring for an application using the SUSPEND MONITORING WHEN THESE APPLICATIONS ARE USED option on the Applications Monitoring Settings. That option disables all monitoring for a process (activity will not be captured and app will be blacked out on the session recording). On the other hand, DON'T TRACK DLP FOR PROCESSES will only disable DLP scanning for a process.

5. EXCLUDE PROCESSES FROM FILE DRIVER: is similar to the FILE DRIVER option except it allows you to enter specific processes/apps that will be excluded from the file driver instead of all processes/apps. For example, entering winword.exe into this field will exclude Microsoft Word from the file driver, chrome.exe will exclude Google Chrome browser, etc. This could be helpful for troubleshooting purposes. Also, with this option, you can ignore processes you don't want to capture while keeping the file transfers monitoring active. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.

6. EXCLUDE PROCESSES FROM NETWORK DRIVER: is similar to the NETWORK DRIVER option except it allows you to enter specific processes/apps that will be excluded from the network driver instead of all processes/apps. For example, entering slack.exe into this field will exclude Slack from the network driver. This could be helpful for troubleshooting purposes. Also, with this option, you can ignore processes you don't want to capture while keeping the network monitoring active. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.

7. ALLOW APPLICATION RESTARTING: if this setting is turned on, the Teramind Agent will automatically restart any open browsers when the DISABLE BUILT-IN PASSWORD MANAGER OF KNOWN BROWSERS option (see below) has changed so that the setting can take effect automatically. Otherwise, you will have to manually restart the browsers. It also allows you to restart the Mozilla Firefox and Tor browsers to inject the proxy certificate (required to monitor web traffic). Otherwise, you will have to manually restart the browsers.

8. DISABLE BUILT-IN PASSWORD MANAGER OF KNOWN BROWSERS: Most modern browsers have a password manager that prompts you to save passwords from login forms on websites. While this is convenient, it's a security risk. This setting allows you to disable these built-in password managers. The user will not be able to override the option from their browsers. However, independent password managers such as LastPass will still work.

9. Under the RDP and clip blocking section, you will see several toggle options to enable/disable some functions in an RDP (Remote Desktop Protocol) session. For example, sharing of the printers, use of portable (USB) devices, etc. You can also disable screen snapshots and clipboard copy/paste operations for select apps.

10. If you enable the RESTRICTIONS option, you will see more options:

11. If you have many users or a slow network, the MAX UPLOAD BANDWIDTH (KB/S) option will help you prevent overloading your network infrastructure by imposing a throttled bandwidth and the async upload of video/audio recordings. Furthermore, you can use the TIMEFRAME TO UPLOAD COLLECTED DATA option so that the uploads take place during off peak hours only. These options might also be useful if your end users have a slow connection. Here’s how the two settings work:

12. Click the APPLY CHANGES button to save the changes or the Cancel button to cancel them.

Each Monitoring feature (except for Offline Recording, OS State, and OCR) has a simple scheduler under the TRACKING DAYS AND TIME section at the bottom of its settings panel. Using this scheduler, you can quickly specify when the tracking and recording of the Monitoring feature will take place.

The ALLOW REMOTE CONTROL option determines if Remote Control and Freeze Input features will be available on the Session Player’s Live Mode Controls.

If the user is using a Hidden Agent, ASYNC SCREEN UPLOAD will force Teramind to use a queue for screen recordings instead of uploading them in real-time. It’s suitable for a slower network or a busy OCR server. However, you might experience some delay between the user activity and the recording appearing on the dashboard when ASYNC is enabled.

The RECORD LOCKED SESSIONS option allows you to continue recording even when the user locked their computer. A locked session can mean the user choosing the “Lock” (“Lock Screen” on Mac) command, a screen saver getting activated, or an RDP (remote desktop session) window minimized (see notes below)*.

By enabling RECORD ONLY WHEN BEHAVIOR RULE WAS VIOLATED in combination with the RECORD VIDEO rule action, you can capture the screen only when a rule is violated. This will help reduce the storage needed for the screen recordings or alleviate privacy concerns.

If UPDATE SCREEN ON EVENTS ONLY option is enabled, the screen on the Live Mode on the Session Player will only update the screen if any activity on the keyboard or mouse is detected or any behavior rule is triggered. Otherwise, the screen will remain still.

You can also control the FPS (frame per second) by the MAXIMUM FRAMES PER SECOND option. The range is 1-4 and the default frame rate is 2 frames per second.

You should only enable the USE MODERN SCREEN GRABBING option on Windows 8 or above. If you are experiencing issues with screen captures, try toggling this option. Modern screen grabbing can often help with visual artifacts seen in the recordings such as black spots when transparency effects are enabled in Windows 11).

The GRAYSCALE / COLOR / HIGHCOLOR option controls the color of the recordings. Note that HIGHCOLOR mode is only available in On-Premise deployments and enables recording in 16-bit color compared to the default 8-bit color. It also uses the most space and the recordings will be close to double the size of recordings without HIGHCOLOR enabled.

The LIVE SCREEN SCALING controls the size of the recording.

On-Premise customers can specify when the recordings will be automatically deleted under the DELETE HISTORY AFTER setting. This will further reduce your storage requirements and help you comply with data retention policies. Note that, currently Teramind on AWS doesn't support the removal of screen recordings from AWS S3 buckets. If you have such a deployment, you will see a message, "Retention settings for cloud storage are not supported yet. Please setup retention policy manually in the cloud" under this setting and you won’t be able to edit the value in the field:

You can still use the Amazon S3 Lifecycle to manage your storage.

You can specify the MESSAGE DURING REMOTE CONTROL / MESSAGE DURING INPUT FREEZE when using those features in the Session Player’s Live Mode Controls.

AUTOMATIC LEVEL ADJUSTMENT will automatically adjust the sound levels for higher/lower tones.

If the user is using a Hidden Agent, ASYNC AUDIO UPLOAD will force Teramind Agent to use a queue for audio recordings instead of uploading them in real-time. It’s suitable for a slower network or a busy server. However, you might experience some delay between the user activity and the recording appearing on the dashboard when ASYNC is enabled.

You can adjust the BITRATE to increase/decrease audio quality. Lower bitrate will require less CPU processing and storage.

You can toggle the MONITOR ALL INPUT DEVICES / OUTPUT DEVICES options to enable/disable recording for all microphones, speakers and line-in/out. By default, Teramind will capture the audio streams from the devices assigned as the default playback and recording device in Windows. If you enable this option, then audio streams from all recording/playback devices will be captured.

The MONITOR WHEN THESE APPLICATIONS USE MICROPHONE field will let you capture audio only when the microphone is used by select applications. You can use the following in the field:

Note that, this option doesn't affect the output playback/output audio.

You can turn monitoring on/off for the WINDOW TITLES. This gives you the ability to not track the title for apps which includes document name in their title. If you do not want Teramind to capture the document name, turning this option off can be helpful.

You can also turn monitoring on/off for CONSOLE COMMANDS (commands executed on the Windows Command Prompt or Terminal).

The MONITOR ONLY THESE APPLICATIONS field lets you select applications you want to monitor. If you enter an app in the field, all other apps will be blacked out on the Session Player/screen recordings. This option doesn’t impact worked time being tracked. It doesn't affect activities log either. Activities and keystrokes WILL be captured for non-monitored apps.

You can configure Applications settings to monitor only select applications; SUSPEND MONITORING* or SUSPEND KEYSTROKE monitoring when certain applications are used.

You can conditionally suspend monitoring*/keystrokes logging using the two …WITH CONDITION options. For example, you can suspend monitoring Firefox while it’s used from an IP approved by an access control list. Same way, you can suspend keystrokes logging of the Windows Installer when it’s launched from an IP range. For the CONDITION, you can select from a list of Any, a single IP, an IP range, list (Network Shared Lists), and cidr (Classless Inter-Domain Routing).

Finally, you can define the IDLE TIME* (used in the Productivity report, Agent Schedule-based rules and other places by Teramind).

MONITOR ONLY THESE WEBSITES field allows you to define websites or a list of websites, for which you want to record the screen and keystrokes. If you use this field, all other websites will be blacked-out in the Live Mode and recordings of the Session Player. Activities on other websites are tracked as the browser process (e.g., chrome.exe).

DON'T MONITOR WEB TRAFFIC FOR THESE WEBSITES* defines the websites for which you want to suspend recording. Screen and keystroke recording for all other sites will be enabled. Please see the notes below.

SUSPEND MONITORING WHEN THESE WEBSITES ARE VISITED* does not capture any activity, and keystrokes when the specified websites are visited. The browser window is blacked-out in the video recording or during the live view mode of the session player. Please see the notes below.

SUSPEND MONITORING WHEN WEBSITE CONTAINS CONTENT* – will suspend monitoring of a website if certain text/content is detected inside the loaded webpage. Keystrokes will not be recorded, and the screen will be blacked out. For example, by entering "password" in the field, you can dynamically suspend login pages of most websites. Note that, the text isn't case-sensitive.

The DON'T MONITOR WEB TRAFFIC FOR THESE IPS* prevents the Teramind Agent from injecting the Quick Proxy SSL certificate. See the notes below for more information.

The MONITOR WEB TRAFFIC FOR THESE IPS is the exact opposite of the ‘DON'T MONITOR WEB TRAFFIC FOR THESE IPS’ option.

The next three settings are the same as above, the only difference is, you use IP addresses instead of URLs. Please see the notes below.

SUSPEND MONITORING WHEN BROWSING TO IPS/DOMAINS NOT IN LIST* allows you to enter either IPs or domains you want to monitor (and suspend monitor of all other websites/IPs). Other suspension rules apply. Please see the notes below.

You can also SUSPEND KEYSTROKE … setting to suspend just the keystroke recordings.

You can suspend monitoring for all PRIVATE BROWSING (incognito) sessions. The browser window will be blacked out and the keystrokes will not be captured from that window. However, the full URL is still captured in the activity log. For this reason, keystrokes might still be captured as part of the URL. For example, when you use a search engine like Google.

You can turn off the MONITOR KEYSTROKES FOR PASSWORD FIELDS option to suspend capturing of keystrokes in password fields. For example, a login page containing a HTML input field such as <input type="password">*. See the notes below for more information.

MONITOR CONNECTION TO HOSTS WITH INVALID CERTIFICATES allows you to monitor websites that have an invalid certificate. In some situation this might be necessary. Because, by default, Teramind doesn't track connections to a website with a bad SSL certificate. So, for example, if your On-Premise server has a self-signed certificate, downloads from the Teramind Dashboard will not be recognized as web downloads. Adding the IP address of the server in the MONITOR CONNECTION TO HOSTS WITH IVALID CERTIFICATE* field will activate SSL traffic decrypting so that Teramind will be able to properly parse and present the information on the Dashboard. However, this is not a recommended method and this option should only be used as a last resort. Please see the notes below.

WSS PORT field lets you specify the port for web traffic redirection (Web Security Service). It’s used by the Teramind Agent's network filter driver to monitor web traffic. Generally, you don’t need to change the default port. However, in rare situations, you might need change it. For example, if an application is using the default/same WSS port, you can assign a different port to the Agent using this field.

You can use the settings to CAPTURE INCOMING / OUTGOING emails, CAPTURE EMAIL CONTENT and SAVE OUTGOING / INCOMING ATTACHMENTS, etc. Note that, the options like the SAVE OUTGOING ATTACHMENTS, SAVE INCOMING ATTACHMENTS, CAPTURE EMAIL CONTENT, etc. are dependent on the CAPTURE INCOMING and CAPTURE OUTGOING options. For example, if you disable the CAPTURE INCOMING option, then enable the SAVE INCOMING ATTACHMENT will not capture the incoming email attachments.

You can specify which email systems will be captured using the CAPTURE EMAIL THROUGH option. Teramind supports the most popular email clients such as Outlook, Gmail, Yahoo, etc. - both desktop and web versions. Check out this article to learn more about supported platforms.

You can use regular expressions to ignore any attachments you do not want captured using the IGNORE ATTACHMENT... option. For example, to ignore music and video files, you can use something like this: /\.(mp3|mp4|avi)/gi. Note that, the emails will still be captured.

If you specify any value in the DELETE ATTACHMENTS AFTER (DAYS) field, then all the attachments will be removed after the specified days. The default value of 0 means the attachments will not be removed.

The IGNORE EVENTS OLDER THAN (DAYS) option allows you to cut off monitoring and capturing of emails older than certain days. This option is sometimes useful for clients like Outlook which may scan older emails if emails are moved, or archival policies are run. In such situations, by default, the Agent will capture any emails being accessed. This setting tells the Agent to ignore scanning older emails. However, behavior policies or rules for these old emails will still get triggered which might create false positives. To avoid that, you can enable the IGNORE EVENTS EVEN IF BEHAVIOR POLICIES MATCH option. This will prevent triggering of unexpected rule violations and false alerts by ignoring older emails. The default value for this option is 0, which means, all emails are captured.

The IGNORE EMAILS IF ALL DOMAINS MATCH (REGEX) option can be used to prevent monitoring of emails if all email addresses to/from/bcc/cc are all in the list of certain domain(s). The aim is to exclude corporate /internal emails from being monitored. For example: .*teramind.co will ignore all emails from teramind.co. These emails will also be excluded from any active policies and rules. Note that, all emails addresses (in to/from/bcc/cc, etc.) fields have to be in same domain(s) for this filter to work. Here are some examples:

1: Outgoing internal email:

From: [email protected]

To: [email protected]

2: Outgoing internal email with one external recipient:

From: [email protected]

To: [email protected], [email protected]

3: Incoming internal email:

From: [email protected]

To: [email protected]

4: Incoming external email with an external recipient in the CC field:

From: [email protected]

To: [email protected]

CC: [email protected]

In the above examples, only emails 1 and 3 will be ignored from monitoring because email 2 and 4 contains other domains (gmail.com and yahoo.com).

BASIC SETTINGS:

On the this tab, you can specify WHAT TO TRACK such as: LOCAL FILES, NETWORK FILES, LOCAL DOCUMENTS, NETWORK DOCUMENTS, EXTERNAL DOCUMENTS, CD/DVD BURNING, EXTERNAL DRIVES (i.e. USB / pen drives), etc.

You can select which file types to track under the FILE TYPES TO TRACK section. For example, TXT, DOC, XLS, PPT, etc.

If the files you want to track aren’t available under the FILE TYPES TO TRACK section, you can use the FILE EXTENSIONS LIST TO TRACK field to manually enter file extensions. For example, “.odm”, “pkg”, etc.

You can specify which applications should be monitored for upload/download activities in the TRACK DOWNLOADS AND UPLOADS FROM THESE APPLICATIONS field.

If you don’t want certain locations (i.e. folders) to track, you can specify them in the DO NOT MONITOR THESE LOCATIONS field..

You can also use the DO NOT MONITOR THESE LOCATIONS (REGEX) field to exclude multiple locations matching the regex pattern. For example: .*upload.*. You can also use local folders (e.g., Documents), network folders (e.g., \\corplan\Shared Drives), environmental/system variables, (e.g., %APPDATA%) and wildcards (e.g., c:\user\*\appdata) in the fields.

ADDITIONAL SETTINGS:

On the this tab, you can specify which file operations to track such as COPY (see notes below), RENAME, UPLOAD, DOWNLOAD, DELETE, etc.

If you use a printer that requires login permissions, use the PRINTER TRACKING ACCOUNT USER and the TRACKING ACCOUNT PASSWORD fields to specify the credentials. Otherwise, Teramind will not be able to monitor it.

You can turn CAPTURE ACTUAL DOCUMENT on/off to enable/disable capturing of the actual document. If you disable this option, the document name will still be captured and displayed on reports like the BI Reports > Printing but not the document itself.

The MAXIMUM CAPTURE DOCUMENT SIZE (no. of pages) field works a bit differently on Windows and Mac. On Windows, this option will determine the maximum number of pages that will be captured. For example, if you set the value to 50 pages, and the user prints a document containing 55 pages, the Agent will capture only the first 50 pages of the document and ignore the rest. On Mac, the Agent will NOT capture the document at all if it exceeds the specified maximum size. The Document name will be captured though.

With the MONITORING_SETTINGS_EXCLUDED… option , you can add regular expressions to exclude any printers matching the name. For example, .*epson.

If you specify any value in the DELETE PRINTED DOCS AFTER (DAYS) field, then all the captured documents will be removed after the specified days. The default value of 0 means the documents will not be removed.

You can turn CLIPBOARD tracking on/off from the Keystrokes settings panel.

You can specify which messaging APPLICATIONS to track. Teramind supports the popular IMs such as Facebook, Skype, Slack, etc.

You can TRACK INCOMING MESSAGES only or TRACK OUTGOING MESSAGES only or both.

IGNORE EVENTS OLDER THAN (DAYS) option allows you to cut off capturing IM conversations older than certain days. Users might browse older messages on the IM client. With this option, you can instruct the Agent not to capture those messages reducing noise in your monitoring reports.

IGNORE EVENTS EVEN IF BEHAVIOR POLICIES MATCH option allows you to determine if the rule engine should also ignore older messages. This will prevent the triggering of unexpected rule violations and false alerts by ignoring older messages.

You can specify which messaging APPLICATIONS to track. Teramind supports the popular social media platforms such as Facebook, Twitter, LinkedIn, etc. You can track NEW COMMENT, EDIT COMMENT, NEW POST, and EDIT POST activities in those applications.

You can turn SSL off to disable monitoring secure connections (i.e. HTTPS / port: 443)*.

TRACK NETWORK CONNECTIONS option allows you turn network monitoring on/off*.

DON'T DISABLE TEREDO is applicable to Windows only. If enabled, this option will prevent Teramind from disabling Teredo. It’s used for secure communication over IPv6. If you encounter any problem with IP tracking, try toggling this setting.

TRACK ONLY THESE IPS allows you to monitor specific IP(s) only. You can enter IP addresses (e.g., 192.168.1.22) or use Network-based Shared Lists.

DO NOT TRACK THESE IPS does the opposite of TRACK ONLY THESE IPS.

TRACK ONLY THESE PORTS allows you to track only certain ports. For example, 25, 443, etc.

DO NOT TRACK THESE PORTS: does the opposite of TRACK ONLY THESE PORTS.

TRACK PROCESSES - allows you to specify which network processes to track. You can use process names (e.g., chrome.exe, com.apple.safari, etc.), Text-based Shared Lists or Regular Expressions (Regex)-based Shared Lists.

The first option, OFFLINE RECORDING BUFFER LENGTH (HRS) allows you to specify how long the Teramind Agent will continue to record user actions while the user is disconnected from the internet or Teramind server. By default, the buffer is set to 24 hours, but you can increase or decrease the time as needed. Note that, you cannot enter a 0 value in the field. If you want to disable offline recording completely, turn off the OFFLINE RECORDING option from a monitoring profile (Monitoring Settings > Monitoring profile).

The OFFLINE RECORDING BUFFER SIZE (MB) setting is optional and can be used to limit the storage utilization by offline recordings (in megabytes). The Default value of 0 means, there will be no limit.

Note that, if you use both the OFFLINE RECORDING'S BUFFER LENGTH (HRS) and the OFFLINE RECORDING BUFFER SIZE (MB) options, the lowest value will be prioritized. For example, if you specify a 24-hour buffer length but a 10-MB buffer size, the Agent will only capture a few minutes of screen recordings (depending on the screen resolution, number of desktops/monitors, user activity, etc.). Same way, if you specified a 999999-MB buffer size but only a 1-hour buffer length, only 1 hour's worth of screen recordings will be captured even though the buffer can possibly hold a much longer duration of recordings.

These settings will enable event notifications for operating system states such as Lock, Sleep and Screen Saver to any SIEM integration (syslog event) you might have. These settings do not affect the monitoring of these event.

In the TRACK THESE APPLICATIONS field, you can specify which online meeting apps to track. Teramind supports monitoring of AirCall, Microsoft Teams, RingCentral, Zoom, 8x8, Webex, BlueJeans, and Google Meet, etc.

The Registry doesn’t come with any additional settings except for the monitoring schedules.

If the Registry monitoring is turned on, you will be able to detect registry entries such as programs, keys, and values with Activity-based rules. Please see the Rules Guide for more information.

By default, every time a user changes their location it’s reported.

With the TIME THRESHOLD, you can specify a threshold (in seconds) to configure how often the location data will be reported instead. This can be useful in situations where the location changes too often and you don’t want your Geolocation report to be flooded with the information. For example, when you are traveling on a train or in a taxi with a laptop, your location may change every minute and the Geolocation report will show all the updates. With this setting, you can set a wait time before changing a location update.

The default value is 600 (or 10 minutes). A value of 0 will disable this option.

Camera Usage doesn’t come with any additional settings except for the monitoring schedules. If the Camera Usage is turned on, you will be able to detect when employees are using their webcams and the applications that are accessing the webcam from the BI Reports > Camera Usage report.

The OCR LANGUAGES allows you to pick one or more languages to process.

The PROCESS SCREEN RECORDS AFTER allows you to pick a starting date from which the recordings will be processed. Any recordings before this date will not be processed. This option can be useful if you didn't originally have the OCR feature enabled on your instance and activated it later.