The Settings menu allows you to configure different parts of the Teramind Dashboard, Agent, Security, Active Directory Integration etc. Note that, some of the settings on the Settings screen are applicable to the On-Premise / Private Cloud (AWS, Azure etc.) deployments only.

1. Click the Gear icon near the top-right corner of the Teramind Dashboard.

2. Click Settings from the pop-up menu.

Click the About tab on the Settings screen. You will see some details for your Teramind deployment including what versions of server, UI, Agents etc. are included. From here, you can also update your on-premise server image and change the license key.

To update your server, download the latest server image from the Self-Hosted portal at https://www.teramind.co/portal/download. Scroll to Step 2. Download Packages. Download the Teramind Update file (with a TMU extension) by clicking the download button. Then do the following:

1. Click the Update Teramind link to expand it.

2. Click the Select update file button and select the TMU file you downloaded from the Self-Hosted portal.

3. Click the Update button. Depending on your deployment, Teramind will update the server in few minutes. You will see two update progress bars (one under the left-side menu and one on the Settings screen itself):

You can switch to other screens when the update is in progress.

If for any reasons, you wanted to change the license key (i.e. you upgraded from a trial to a paid account), you can do that from the About tab.

On the Setting screen’s About tab, enter your license key in the LICENSE KEY field located under the About the deployment section and then click the Change button. Once done, the system will display the updated entitlements for your license key.

Teramind can be integrated with Active Directory to import your users, computers, groups, attributes and other important meta-data. Teramind's integration with Active Directory is read-only. Remember, you can still monitor users that are not in the domain by simply installing an agent on their computer.

Active Directory/LDAP integration provides the following benefits:

Active Directory synchronization can be set up as follows:

1. You can set up multiple AD integrations from the tabs area above the screen. The Plus + button will let you add a new tab. You can set up each tab to refer to a different server/domain and configure it independently. Each DOMAIN NAME becomes a new tab. The Delete button will let you delete the currently selected tab.

2. Populate the upper set of fields as follows:

3. Click the NEXT: FETCH ATTRIBUTES button to fetch the attributes.

4. As soon as fetching is done, you will be able to specify additional options for attributes according to the table below. Note: If something went wrong during the fetch process, error messages will be displayed on the message area near the bottom of the screen (see item 5 below).

5. Click the SAVE SETTINGS button to save the settings. Click the IMPORT button to initiate the import process. You might have to wait for a couple of minutes depending on AD object count and hierarchy. Once the import is done, refresh the page to view the changes. Note: If something went wrong during the import process, error messages will be displayed on the message area near the bottom of the screen (see item 5 below).

6. The messages area below the screen shows the task progress and any error the system might encounter.

This tab allows you to change the default settings for the Teramind Agent.

1. You can change the CURRENCY used. Most of the international currencies are supported. The currency you choose will be used to display the wage/salary in the BI Reports > Productivity report, TIME TRACKING > Employee Cost, TIME TRACKING > Task Cost, Payroll Widgets, Employee Profile, etc. - anywhere the currency is used.

2. You can assign a DEFAULT TASK for employees when they start their shift (this is applicable if the employee is using the Hidden Agent). Restart the user machine(s) after changing the default task for it to take affect. Note that you can change/override the default task for an employee from their profile under the ACCOUNT INFO tab.

3. If the CREATE NEW USERS ON FIRST AGENT CONNECTION option is enabled, and if the corresponding user does not exit, a new user will be created when the agent first connects. This is helpful, for example, when you have hundreds of accounts that you don't want to monitor and don’t want them to be in the system. For example, service accounts.

4. If the ENABLE MONITORING FOR NEW AGENT BY DEFAULT option is turned on and your license allows it, new agent installations will have monitoring enabled by default. If disabled, new agent installations will not be monitored until you activate them from the dashboard (you can toggle monitoring for users from the EMPLOYEES > Action menu).

5. If the ENABLE MONITORING FOR NEW COMPUTER BY DEFAULT option is turned on and your license allows it, new computer installations will have monitoring enabled by default. If disabled, new computer installations will not be monitored until you activate them from the dashboard (you can toggle monitoring for users from the COMPUTERS > Action menu).

6. Enable the WEB LOGIN… option if you want your users to be able to log into the dashboard to see their own work stats, enable this option. Note that you can change/override this setting by toggling the User can clock in and out using Web interface from an employee's profile under the ACCOUNT INFO tab.

7. The DEFAULT ACTION FOR SCREEN RECORDS DELETION option allows you to set the default option for screen record deletion dialogue box.

A confirmation dialogue box is shown when you try to delete time and screen records from the Time Records, Time Card (Day or Week view), Screen Snapshots report, etc. The dialogue box presents you with several option on how you want to remove the records:

This tab allows you to change automatic update setting.

1. If you enable the ENABLE AUTOMATIC UPDATES settings, all computers will be automatically updated to the latest version of the Agent.

2. An UPDATE AVAILABLE! CLICK TO APPLY NOW button is shown if there's a new version of the Agent available. Click the button to manually update the Agent without waiting for auto update (or if auto update is disabled). When you press the button, it will show a note at the top of the screen and change the button to display a message like, "AUTOMATIC UPDATE IS SET FOR VERSION xx.xx.xxxx":

Alerts tab allows you to define how rule violation messages will be displayed to the users. It’s a good idea to customize your alert messages so that they are visually distinctive and match with you company’s branding.

1. Some rule Actions such as Warn, Block, etc. allows you to use a HTML template to display the message:

By default, the USE HTML TEMPLATE option is disabled. If you enable the USE HTML USER ALERTS BY DEFAULT option, then the USE HTML TEMPLATE option will be enabled for all new rules (existing rules will not be affected). By default, the option is disabled.

2. You can customize the look and feel of your message box by editing the HTML in the CUSTOM USER ALERT HTML field. There are a few dynamic variables such as ALERT, DETAIL you can use in your message. In addition, the alert can have buttons like: OK, CANCEL. You can also include base64-encoded images in your HTML. This is great for displaying icons or logos. Please check out this article to learn how to use the customization feature.

3. You can preview how the alert will look by clicking the PREVIEW button.

4. SCREEN LOCATION defines where the alert will be displayed and positioned (i.e. Screen center, Top right, Bottom left, etc.). The default value is Screen center.

5. WIDTH changes the width of the alert box. The default value is 200 pixels.

6. HEIGHT changes the height of the alert box. The default value is 100 pixels.

7. ALERT EMAIL LIMIT defines the threshold where the system will group the alerts into a single email. The system will send this many identical alert emails, and then it will group them together into an email digest. If set to 0, it will send each alert individually. The default value is 16 emails.

8. USER ALERT THRESH HOLD applies to rules with a Warn or Block action. The threshold sets the minimum time, in seconds, to wait between alerts that the user sees. If set to 0, users will see all alerts they violate, regardless of the frequency. The default value is 120 seconds (2 minutes).

9. LOG ALERT THRESH HOLD sets the minimum time, in seconds, to wait between logging alerts to the Teramind system. If set to 0, it will not limit the number of alerts that are logged. The default value is 120 seconds (2 minutes).

10. MAXIMUM DAILY ALERTS COUNT limits the total number of alerts which get logged by Teramind on a daily basis per alert type. You can also set the alert limit at the rule level from the rule's Advanced Mode action panel (Choose maximum number of saved alerts per day). The default value is 5 alerts.

11. You can build rules in Teramind to set a user's task based on their activity by using the SET USER'S ACTIVE TASK action. The RULE TASK SELECTION ACTION TIMEOUT (SECONDS) defines the time out when switching tasks. If the user switches activity and remains in the new activity for the defined seconds, the rule will be re-evaluated. If user starts some activity and there are no rules for the new task, the task will be switched to default task (see DEFAULT TASK option under Agent Defaults settings) after the specified seconds. The default value is 300 seconds (5 minutes).

12. The AGENT ATTRIBUTES TO USE FOR NOTIFICATIONS option will allow you to choose LDAP attributes that will be added to the rule alert notification emails. The rule alert notification email is sent when a rule is violated that uses a Notify action. With this option, the email will include the selected LDAP attributes in addition to the usual alert details:

Note that the rule alert notification email will include the LDAP attributes if you have an Active Directory integration set up and for only the users who have the LDAP attributes set in their employee profile:

You can customize the appearance of the dashboard login screen to match with your company’s branding or user preference.

Use a LOGO IMAGE for uploading a logo image. Suggested resolution is 190×54 pixels.

Use a BACKGROUND IMAGE for uploading background image. Suggested resolution is 1400×933 pixels.

You can also change the LOGIN BUTTON COLOR by specifying a color in HTML/Hex format.

It’s best practice to give your Teramind server a DNS entry. This way you can click on links in the email alerts, use your own SSL certificates, and enjoy other benefits as well.

1. Enter a hostname such as acme.teramind.co.

Teramind strongly recommends proper configuration of SSL in order to avoid browser warnings and restrictions. Some browsers will not allow WebSocket communications if the certificates are invalid. This may prevent you from watching live screens or record them.

For convenience, Teramind comes pre-shipped with an SSL certificate that’s valid for the hostname onsite.teramind.io.

If you wish to proceed without implementing your own certificates, you should add a line to your local hosts file and then access Teramind by browsing to https://onsite.teramind.io. You can do this by editing C:\Windows\System32\Drivers\Etc\hosts as Administrator and appending the following line to the file:

Where xxx.xxx.xxx.xxx is the IP you assigned to your Teramind Virtual Machine.

In the long run, you should deploy your organization’s SSL certificates within Teramind, and add a DNS entry in your corporate name server for your Teramind implementation.

Here’s how you should setup the SSL:

1. Upload your server’s Private Key (usually a .key file), Public Key (usually a .crt file), Intermedia Key (a concatenated list of CA certificates that validates your server certificate) and the Root CA Key.

2. Click the VALIDATE KEYS button. After you’re done, please access Teramind via the new hostname. You’ll be asked to log-in again.

Teramind processes large volumes of confidential and private data, so it’s a best practice to lock down access to the dashboard as much as possible.

1. If you enable the FORCE USERS TO LOG IN USING 2-FACTOR AUTHENTICATION option, next time administrators log in they will be forced to enable 2FA before being given access to their dashboard. Teramind supports 2FA apps like Google Authenticator or Authy. Check out this Knowledge Base article to learn how to set up 2FA for a user.

2. Enabling the BASIC USER/PASSWORD AUTHENTICATION option will allow you to authenticate to the dashboard using the user-password credentials you created in Teramind. Check out this Knowledge Base article to learn how to create/change password for a user.

3. If you have successfully set up Active Directory integration, you may want to use your domain credentials to login. In such a case, you can turn on the LDAP AUTHENTICATION option. Check out the Active Directory section to learn more about AD setup.

4. If you enable the SINGLE-SIGN-ON AUTHENTICATION option, it will reveal the Single Sign On Authentication section. Please see below for details on this section.

5. Changes to some settings on the Teramind Dashboard (e.g., changing an employee’s access level) require you to confirm the changes before they are applied. In such a case, a confirmation dialogue box is shown. By default, the dialogue box asks you to confirm the changes with your password:

The CONFIRMATION METHOD FOR DASHBOARD CHANGES option lets you choose the preferred authentication option for confirming these changes. Depending on the availability, you can choose from Password, 2FA Code and LDAP Password. If you choose the Disabled option, the Dashboard will no longer ask to confirm any changes.

6. The ALLOWED IP TO LOGIN option lets you specify which IP addresses are allowed to login to the dashboard.

The settings under the Password Policy section will help you enforce password rules to increase the security of your user accounts. These rules will be enforced whenever a user password is created or changed. Here's an explanation of each option:

1. MINIMUM PASSWORD LENGTH: is the minimum number of characters the password can have. The default value is 6.

2. MAXIMUM PASSWORD LENGTH: is the maximum number of characters allowed for the password. The default value is 64.

3. PASSWORD EXPIRY TIME (DAYS): lets you specify how long the password will stay valid. After this period, the user will be asked to change their password. The default value of 0 means it’s disabled.

4. REQUIRE AT LEAST 1 NUMBER: if enabled, the user will be asked to enter a password that contains at least one number, e.g., 1, 2, 3.

5. REQUIRE AT LEAST 1 SPECIAL SYMBOL: if checked, the user will be asked to enter a password that contains at least one special character, e.g., #, $, !, etc.

6. REQUIRE MIXED CASE LETTERS: if checked, the password must contain at least one uppercase and one lowercase letter, e.g., A, a, B, b, etc. By default, it's unchecked.

7. REQUIRE USERS TO RESET THEIR PASSWORDS: if checked, the users will be asked to change their passwords to comply with the updated policy. By default, it's unchecked and only shown if you make any changes to the other options.

SINGLE-SIGN-ON AUTHENTICATION option allows you to authenticate to the dashboard using a Single Sign On (SSO) service such as Okta, One Login etc. via SAML2 protocol. Newly generated users will still need to set password in order to make further changes to account or login using Teramind revealed agent.

Enabling the SSO option will reveal several options which you can use to configure the SSO integration. You will also see an AUTO REGISTER NEW AGENT option. If enabled, this will let you specify default options for newly registered users/agents on SSO.

Check out this article for details on these options and step by step instructions on setting up a SSO integration.

With these settings, you can control exactly how you want to mange your dashboard sessions such as cookie lifetime, session storage type and idle timeout.

You can now control exactly how you want to mange your dashboard sessions including:

1. COOKIE LIFETIME defines how long an authorization cookie will be valid (in minutes). An authorization cookie is a temporary secret used to authenticate the browser. It will be automatically updated in the background while the user is active. The update process takes a few seconds before it is going to expire. If the user closes the browser before the secret was updated, the session will be closed, and the user will need to authorize again.

2. STORAGE TYPE defines whether it will be Persistent storage or Session storage. A Persistent cookie is kept for the duration/lifetime of the Cookie lifetime. A Session cookie gets flushed when you close your browser (different per browser settings) or until Cookie lifetime expire.

3. IDLE TIMEOUT defines how long a session will remain active when the user is idle (in minutes). If the user is not active for the number of minutes defined, a pop-up window will ask the user if they want to resume the session:

If there is no response, the session will be closed automatically, even if the COOKIE LIFETIME is still valid.

You can optionally install the Teramind Hidden Agent in protected mode to make it more difficult for unauthorized users and administrators to remove it. If you do this, you should set the uninstall password so that you can remove the agent when you wish.

1. Enter a password to protect the Agent uninstallation.

By default, Teramind allows you to export reports and video recordings to any email address. But you can use the ALLOW DATA & VIDEO EXPORT EMAILS TO THIS DOMAIN option to restrict export to certain domain only.

1. Enter the last part of an email address (the domain address including the ‘@’ symbol) to restrict export emails to that domain only. For example, @teramind.co. Note that this field is checking for an end of email, not strict match. Additionally, you can specify something like .teramind.co. In that case any sub-domain of teramind.co will be included in the check. For example, [email protected], [email protected] – both will be allowed as valid email addresses.

These settings control who can view exported data (e.g., exported reports, scheduled reports, daily digest/snapshot reports, etc.) and how.

1. The ONLY AUTHORIZED USERS CAN DOWNLOAD EXPORTED FILES option allows you to limit access to exported reports to valid Teramind users only.

If you send a report (using the BI Reports > Export > Schedule Export option or the Daily Export option under the Monitoring Reports' Settings) to an email recipient who is not on the Teramind Dashboard, the email recipient will still get the automated email, but the report download link in the email will not work:

This option would enable you to better control the privacy and security of your data. For example, if a recipient of the automated report accidentally or intentionally forwards the email to someone else, the other person will not be able to access this report unless they are authorized.

2. The DISALLOW MANAGERS TO SEE AND EXECUTE EXPORTS option allows you to show/hide the EXPORT button on the BI Reports and the PDF and CSV export buttons on the Monitoring Reports, effectively disabling the export of any reports by the department managers.

3. By default, only admins get the daily digest/snapshot report via email. The SEND DAILY SNAPSHOT EMAILS TO DEPARTMENT MANAGERS option lets you enable the emails for department managers too. The email looks exactly the same as the one received by the admins except that the data is shown only for the users the department manager is assigned to:

4. The MAXIMUM EMAIL BODY LENGTH option allows you to set the maximum character size for the 'Body' column of an exported emails report (e.g., BI Reports > Emails). For example, here's a CSV report from the BI Reports > Emails with the MAXIMUM EMAIL BODY LENGTH option set to 2000:

And, here's the same CSV report but this time the MAXIMUM EMAIL BODY LENGTH is set to 50:

Notice, how the text in the "Body" column is stripped to 50 characters and a "…" is added at the end of the text.

This feature is useful when you have many emails with large body text. Limiting the body text will make the report to process faster and reduce file size.

The default value for this field is 2000.

Teramind can be deployed as a cluster of servers to handle a large number of users. If you can see this setting on your dashboard, then it means you are on a Master node. Additional nodes (such as the OCR database and screen mining nodes) may connect and want to join this cluster. Here you can configure which nodes you want to accept into the cluster, and what their function should be.

1. You can enable/disable multi-node deployments with the ENABLE MULTINODE DEPLOYMENT toggle button. It is necessary to keep it turned on if you have more than one Teramind servers.

2. Turn SSH access on or off with the ENABLE SSH ACCESS toggle button. SSH is needed for remote login and configuration of Teramind servers, especially, during the deployment phase.

3. ALLOW NEW NODES will allow connection of new nodes to the system. For security reasons, we recommend you turn it off after you have configured all your nodes.

4. Managers and administrators will be able to access the Teramind dashboard on the MANAGEMENT INTERFACE PORT. Make sure the port is available before using it*. If you change this port, you will need to specify it on the Teramind Agent download links. For example:

5. Teramind Agent will query this LOAD BALANCER PORT instead of the default 443 when looking for a Teramind server to connect to. If you change it something other than 443, you will need to use the TMROUTER parameter when installing the Teramind Agent. For example*:

. If you have setup other nodes, you will see them under the Nodes section:

Please consult the relevant deployment guide to learn how to setup the OCR nodes. You can find the deployment guides on https://www.teramind.co/company/resources under the Product Guides category.

Teramind uses the SMTP email standard to send notifications, deliver scheduled reports and other communications purposes. You can specify your SMTP server configuration here so that Teramind can access it properly.

1. Provide details for the server, encryption, port, and username. Consult your email server’s settings for the SMTP configuration or contact your email provider.

2. SEND INSTANCE HOSTNAME option is disabled by default but could be enabled to send the hostname of the client to identify it to the server. It might be useful in fixing email relay related issues on clients like Gmail.

3. If you disable the VERIFY SERVER CERTIFICATE option, it will force the system to ignore any invalid certificates. This is useful when you want to use your own self-signed certificate which isn't trusted. Enabling this option will make the TRUSTED CERTIFICATE option available and you will be able to add a trusted CA certificate. To do so, click the Select file button and select a .pem or a .crt file to upload the certificate.

4. Enter an email address from where the email will be sent. Teramind's outgoing emails will appear to have been sent from this address. Then, enter a password for the email address.

5. Enable the IMAGES FROM INSTANCE option if you want to load images (for example, icons used on the daily email digest) from your instance instead of teramind.co.

6. Click the SAVE button to save any changes.

7. Use the email under Test your SMTP settings to test your settings. Click the SEND TEST MAIL WITH CURRENT SETTINGS button to test current settings (without the changes). Use the TEST EMAIL CHANGED SETTINGS to test the changes you just made.

The Storage tab shows the usage statistics of various internal volumes and lets you configure thresholds and alerts when they reach certain levels.

1. The first three sets of data show the size and usage statistics for the three types of storage volumes used by Teramind:

2. The second three sets of fields allow you to configure threshold for the recording volume:

3. The NOTIFICATION EMAILS field lets you specify who will receive the notification email for the EMAIL MIN SPACE THRESHOLD alert. You can disable the notifications temporarily by clicking the FOR NEXT 12 HOURS You can turn off email notifications completely by leaving the NOTIFICATION EMAILS field empty or by specifying a value of ‘0’ in the EMAIL MIN SPACE THRESHOLD field.

The OCR tab shows the usage statistics of the OCR session mining node and lets you configure thresholds and alerts when its usage reaches certain level.

The first two data sets show the OCR processing status. LATEST MINED PIECE OF DATA IS FOR shows the date and time when the OCR engine last processed a screen image, and the OCR DELAY shows the time it took for the OCR engine to analyze the last screenshot and detect text inside that image.

The second three sets of fields allow you to configure threshold and email alerts for the recording volume. With the MINING DELAY THRESHOLD, HOURS you can set up a threshold (in hours) and specify email address(es) in the NOTIFICATION EMAILS field. If the mining delay crosses the defined threshold, the recipients in the emails will get a notification like the below example:

You can disable the notifications temporarily by clicking the FOR NEXT 12 HOURS button. You can turn off email notifications completely by leaving the NOTIFICATION EMAILS field empty or by specifying a value of ‘0’ in the MINING DELAY THRESHOLD, HOURS field.

System Health tab gives you a quick snapshot of the current status of the server load, session mining (OCR process) status and the BI status.

1. The System load section shows the TOTAL NUMBER OF CORES the CPU has, 5-MINUTE LOAD AVERAGE (%), MEMORY USAGE, STORAGE and SERVER TIME. Clicking the Click to see more link will take you to the Storage tab where you can view more information about the storage usage and set up threshold alerts.

2. The Session mining stats shows the OCR processing status. LATEST MINED PIECE OF DATA IS FOR shows the date and time when the OCR engine last processed a screen image, and the OCR DELAY shows the time it took for the OCR engine to analyze the last screenshot and detect text inside that image. Clicking the Click to see more link will take you to the OCR tab where you can view more information about the OCR usage and set up threshold alerts.

3. The BI Status shows three pieces of information:

4. Click the Refresh button to refresh the screen.

Localization tab allows you to change the time and language settings.

1. You can change the TIMEZONE you want to use.

2. Use the NTP SERVER to specify a time server. Teramind will automatically sync the clock with the server. You can select a generic server like clock.isc.org if your deployment has internet connectivity. Note that the NTP Server option is not available on Cloud deployments. Also, for the best result, make sure all your monitored endpoints and the Teramind server are on the same NTP server. Otherwise, you may see discrepancies between the time an activity happened vs. the time it is recorded in Teramind. An accurate NTP time source is also important if 2FA is enabled because any difference in time between the Teramind server's time and the 2FA authenticator's device time will reduce the 30-second window that a 2FA code is valid for.

3. You can change the TIME FORMAT to 12-hour or 24-hour format.

4. You can change the DEFAULT LANUGE used by the system. Teramind supports English, Spanish, Chinese, Portuguese, Russian and Turkish. Note that, you can change the language for an employee/user from their Profile (ACCOUNT INFO tab).

5. You can change the WEEK START DAY.

The License Alerts tab lets you toggle alerts for license overruns.

1. If the SEND LICENSE OVERUTILIZATION REPORT DAILY option is enabled, Teramind will send daily email alerts to the selected email addresses (see #2 below) if the monitored users/computers exceed the allotted number of licenses.

2. Enter the email address(es) in the NOTIFICATION EMAILS where the alerts will be sent. You will receive slightly different emails based on your license type. If you are under an endpoint-based licensing option (e.g., On-Premise deployments), then the email will list the endpoints (computers) that exceeded the license count. While a user-based licensing option (e.g., Cloud deployments) will list the users (agents). Both emails will show which logins were unsuccessful due to insufficient licenses: