Introduction to Settings
The Settings menu allows you to configure different parts of the Teramind Dashboard, Agent, Security, Active Directory Integration etc. Note that, some of the settings on the Settings screen are applicable to the On-Premise / Private Cloud (AWS, Azure etc.) deployments only.
Accessing the Settings Menu
1. Click the Gear icon near the top-right corner of the Teramind Dashboard.
2. Click Settings from the pop-up menu.
About
Click the About tab on the Settings screen. You will see some details for your Teramind deployment including what versions of server, UI, Agents etc. are included. From here, you can also update your on-premise server image and change the license key.
Updating Your Teramind On-Premise Server
To update your server, download the latest server image from the Self-Hosted portal at https://www.teramind.co/portal/download. Scroll to Step 2. Download Packages. Download the Teramind Update file (with a TMU extension) by clicking the download button. Then do the following:
1. Click the Update Teramind link to expand it.
2. Click the Select update file button and select the TMU file you downloaded from the Self-Hosted portal.
3. Click the Update button. Depending on your deployment, Teramind will update the server in few minutes. You will see two update progress bars (one under the left-side menu and one on the Settings screen itself):
You can switch to other screens when the update is in progress.
Updating a Custom On-Premise Deployment
If you have a custom deployment (e.g., custom features/scripts/integrations/syncs/etc.) you will see a warning message. The warning is added because upgrading these types of deployments with the wrong TMU image might break something or cause other unexcepted behaviors.
The warning contains an email link to consult the Teramind Support Team. If an admin still tries to upload a TMU file, they will see another confirmation dialogue to continue or cancel the deployment:
Changing the License Key
If for any reasons, you wanted to change the license key (i.e. you upgraded from a trial to a paid account), you can do that from the About tab.
On the Setting screen’s About tab, enter your license key in the LICENSE KEY field located under the About the deployment section and then click the Change button. Once done, the system will display the updated entitlements for your license key.
Active Directory
This option is available on both Cloud and On-Premise/Private Cloud deployments. However, for Cloud deployments, this is a feature on request. Please reach out to your Customer Support/Account Representative to activate the feature on your instance.
Teramind can be integrated with Active Directory to import your users, computers, groups, attributes and other important meta-data. Teramind's integration with Active Directory is read-only. Remember, you can still monitor users that are not in the domain by simply installing an agent on their computer.
Active Directory/LDAP integration provides the following benefits:
The ability to report based on OU’s
The ability to filter reports with attributes
The ability to apply rules to OU’s and/or groups
The ability to remote install to computers based on name, or AD group membership
The ability to use Teramind only on a specific group
The ability to exclude a group from being monitored
The ability to log into dashboard via domain authentication
Note that Teramind treats Active Directory Organization Units (OUs) as Departments. You can set up special AD Groups and OUs to import and monitor users, PCs or disable monitoring. If you select all groups and OUs, Teramind will monitor all users and PCs present in AD.
Teramind can also import attributes. To import attributes, you will need to configure the Fetch objects (see below for more information). Teramind can also import custom attributes.
You can use the LDAP groups and attributes to filter the BI Reports.
Active Directory synchronization can be set up as follows:
1. You can set up multiple AD integrations from the tabs area above the screen. The Plus + button will let you add a new tab. You can set up each tab to refer to a different server/domain and configure it independently. Each DOMAIN NAME becomes a new tab. The Delete button will let you delete the currently selected tab.
2. Populate the upper set of fields as follows:
LDAP SERVER | Hostname or IP address of your domain controller, e.g. |
LDAP PORT | In most cases the default port 389 should work. |
ENCRYPTION | You can use tls, ldaps or none. Note that you might need to change the LDAP PORT if you change the encryption method.
If you choose the tls or the ldaps option, another option, LDAP CERTIFICATE VALIDATION TYPE will be displayed. See below: |
| This will allow you to choose how you want to validate the LDAP certificate and if wanted to upload your self-signed certificate:
|
| If you choose the Accept specified or valid option from the LDAP CERTIFICATE VERIFICATION TYPE menu, a new option, LDAP CERTIFICATE will be displayed. By clicking the Select file button, you will be able to upload your own CA certificate. |
LDAP LOGIN | Enter an account, e.g., |
UPDATE LDAP PASSWORD | Password for the above mentioned account |
DOMAIN NAME | Your Active Directory domain name, e.g. |
USE DOMAIN NAME REMAPPING | If enabled, allows remapping of a domain name in accordance with the rules, e.g. |
LIMIT FETCHING | If enabled, Teramind will show additional options where you can specify OUs and groups. See below: |
| If enabled, will fetch child OUs and groups only (respect hierarchy) |
| Limit fetching by entered OUs (comma separated names). If left empty, Teramind will fetch all OUs. |
| Limit fetching by entered groups (comma separated names). If left empty, Teramind will fetch all groups. |
REPLICATE COMPUTERS’ STATE | ON: replicate AD computer state with Teramind. AD-enabled computers will be imported as auto-monitored. AD-disabled computers will be imported as non-monitored. OFF: ignore AD computer state (old behavior, default) |
3. Click the NEXT: FETCH ATTRIBUTES button to fetch the attributes.
4. As soon as fetching is done, you will be able to specify additional options for attributes according to the table below. Note: If something went wrong during the fetch process, error messages will be displayed on the message area near the bottom of the screen (see item 5 below).
Please note that msDS-ManagedPassword
attribute is not readable from AD and attempting to import it will throw an error message during the import process, Error: Trying to pass ‘msDS-ManagedPassword’ attribute over insecure connection. Please change connection settings or uncheck the attribute
. As a workaround, uncheck the msDS-ManagedPassword
attribute in the IMPORT ATTRIBUTES field and repeat the import process.
UPDATE INTERVAL (DAYS) | Enter how often (in days) to perform active directory syncs. |
IMPORT ATTRIBUTES | Attributes can be sync'd to allow more detailed reporting and user grouping. Select the attributes you want to sync into Teramind. Default is |
IMPORT OBJECTS FROM THESE ORGANIZATIONAL UNITS (OUS) | Import users and computes from the selected organizational units into Teramind. Default is |
GROUP TO OU ATTRIBUTE* | Groups with this attribute set to |
MONITOR USERS IN THESE GROUPS* | Enable monitoring for users in these groups and disable monitoring for users not in these groups. |
DON'T MONITOR USERS IN THESE GROUPS | Disable monitoring for users in these groups. |
STOP MONITOR USERS THAT NO LONGER EXIST IN AD | If enabled, Teramind will automatically disable monitoring of all computers that is not in the AD or out of the synced OU. |
5. Click the SAVE SETTINGS button to save the settings. Click the IMPORT button to initiate the import process. You might have to wait for a couple of minutes depending on AD object count and hierarchy. Once the import is done, refresh the page to view the changes. Note: If something went wrong during the import process, error messages will be displayed on the message area near the bottom of the screen (see item 5 below).
6. The messages area below the screen shows the task progress and any error the system might encounter.
*Note that the DON’T MONITOR USERS IN THESE GROUPS option has higher priority over the MONITOR USERS IN THESE GROUPS option. For example, if you have a user in two groups and one of the groups has monitoring enabled and the other disabled, then the user will not be monitored.
After you have set up Active Directory, go to the Settings > Security tab to enable domain authentication for the Teramind Dashboard.
*How to avoid duplicate users when Active Directory domain changes?
if the user is the same and the domain changes, then you can use the TMDOMAINOVERRIDE Agent Installation/Configuration Parameter to keep the old domain. This won't fix the duplicate users already present on the Dashboard, but it will help you avoid new duplicate users. Note that, Teramind doesn't allow two users with the same user@domain.
Agent Defaults
This tab allows you to change the default settings for the Teramind Agent.
1. You can change the CURRENCY used. Most of the international currencies are supported. The currency you choose will be used to display the wage/salary in the BI Reports > Productivity report, TIME TRACKING > Employee Cost, TIME TRACKING > Task Cost, Payroll Widgets, Employee Profile, etc. - anywhere the currency is used.
2. You can assign a DEFAULT TASK for employees when they start their shift (this is applicable if the employee is using the Hidden Agent). Restart the user machine(s) after changing the default task for it to take affect. Note that you can change/override the default task for an employee from their profile under the ACCOUNT INFO tab.
3. If the CREATE NEW USERS ON FIRST AGENT CONNECTION option is enabled, and if the corresponding user does not exit, a new user will be created when the agent first connects. This is helpful, for example, when you have hundreds of accounts that you don't want to monitor and don’t want them to be in the system. For example, service accounts.
4. If the ENABLE MONITORING FOR NEW AGENT BY DEFAULT option is turned on and your license allows it, new agent installations will have monitoring enabled by default. If disabled, new agent installations will not be monitored until you activate them from the dashboard (you can toggle monitoring for users from the EMPLOYEES > Action menu).
5. If the ENABLE MONITORING FOR NEW COMPUTER BY DEFAULT option is turned on and your license allows it, new computer installations will have monitoring enabled by default. If disabled, new computer installations will not be monitored until you activate them from the dashboard (you can toggle monitoring for users from the COMPUTERS > Action menu).
6. Enable the WEB LOGIN… option if you want your users to be able to log into the dashboard to see their own work stats, enable this option. Note that you can change/override this setting by toggling the User can clock in and out using Web interface from an employee's profile under the ACCOUNT INFO tab.
7. The DEFAULT ACTION FOR SCREEN RECORDS DELETION option allows you to set the default option for screen record deletion dialogue box.
A confirmation dialogue box is shown when you try to delete time and screen records from the Time Records, Time Card (Day or Week view), Screen Snapshots report, etc. The dialogue box presents you with several option on how you want to remove the records:
Autoupdate
This tab allows you to change automatic update setting.
1. If you enable the ENABLE AUTOMATIC UPDATES settings, all computers will be automatically updated to the latest version of the Agent.
2. An UPDATE AVAILABLE! CLICK TO APPLY NOW button is shown if there's a new version of the Agent available. Click the button to manually update the Agent without waiting for auto update (or if auto update is disabled). When you press the button, it will show a note at the top of the screen and change the button to display a message like, "AUTOMATIC UPDATE IS SET FOR VERSION xx.xx.xxxx":
Alerts
Alerts tab allows you to define how rule violation messages will be displayed to the users. It’s a good idea to customize your alert messages so that they are visually distinctive and match with you company’s branding.
1. Some rule Actions such as Warn, Block, etc. allows you to use a HTML template to display the message:
By default, the USE HTML TEMPLATE option is disabled. If you enable the USE HTML USER ALERTS BY DEFAULT option, then the USE HTML TEMPLATE option will be enabled for all new rules (existing rules will not be affected). By default, the option is disabled.
2. You can customize the look and feel of your message box by editing the HTML in the CUSTOM USER ALERT HTML field. There are a few dynamic variables such as ALERT, DETAIL you can use in your message. In addition, the alert can have buttons like: OK, CANCEL. You can also include base64-encoded images in your HTML. This is great for displaying icons or logos. Please check out this article to learn how to use the customization feature.
3. You can preview how the alert will look by clicking the PREVIEW button.
4. SCREEN LOCATION defines where the alert will be displayed and positioned (i.e. Screen center, Top right, Bottom left, etc.). The default value is Screen center.
5. WIDTH changes the width of the alert box. The default value is 200 pixels.
6. HEIGHT changes the height of the alert box. The default value is 100 pixels.
7. ALERT EMAIL LIMIT defines the threshold where the system will group the alerts into a single email. The system will send this many identical alert emails, and then it will group them together into an email digest. For Cloud deployments, the range is 1-100 and for On-Premise deployments the range is 0-1000. If set to 0, it will send each alert individually. The default value is 16 emails.
8. USER ALERT THRESH HOLD applies to rules with a Warn or Block action. The threshold sets the minimum time, in seconds, to wait between alerts that the user sees. If set to 0, users will see all alerts they violate, regardless of the frequency. The default value is 120 seconds (2 minutes).
9. LOG ALERT THRESH HOLD sets the minimum time, in seconds, to wait between logging alerts to the Teramind system. If set to 0, it will not limit the number of alerts that are logged. The default value is 120 seconds (2 minutes).
10. MAXIMUM DAILY ALERTS COUNT limits the total number of alerts which get logged by Teramind on a daily basis per alert type. You can also set the alert limit at the rule level from the rule's Advanced Mode action panel (Choose maximum number of saved alerts per day). The default value is 5 alerts.
11. You can build rules in Teramind to set a user's task based on their activity by using the SET USER'S ACTIVE TASK action. The RULE TASK SELECTION ACTION TIMEOUT (SECONDS) defines the time out when switching tasks. If the user switches activity and remains in the new activity for the defined seconds, the rule will be re-evaluated. If user starts some activity and there are no rules for the new task, the task will be switched to default task (see DEFAULT TASK option under Agent Defaults settings) after the specified seconds. The default value is 300 seconds (5 minutes).
12. The AGENT ATTRIBUTES TO USE FOR NOTIFICATIONS option will allow you to choose LDAP attributes that will be added to the rule alert notification emails. The rule alert notification email is sent when a rule is violated that uses a Notify action. With this option, the email will include the selected LDAP attributes in addition to the usual alert details:
Note that the rule alert notification email will include the LDAP attributes if you have an Active Directory integration set up and for only the users who have the LDAP attributes set in their employee profile:
Login Screen
You can customize the appearance of the dashboard login screen to match with your company’s branding or user preference.
1. Use a LOGO IMAGE for uploading a logo image. Suggested resolution is 190×54 pixels.
2. Use a BACKGROUND IMAGE for uploading background image. Suggested resolution is 1400×933 pixels.
3. You can also change the LOGIN BUTTON COLOR by specifying a color in HTML/Hex format.
4. The USER CONSENT AGREEMENT TEXT field can be used to show a user a consent agreement/access consent (or any other information) during login. You can use different font and styling option to format the text. The text will then be displayed on the login screen:
The user will have to accept the agreement before they are allowed to log into the Dashboard.
The USER CONSENT AGREEMENT TEXT option is available on request. Please contact your customer service representative to activate this feature on your instance.
Security
Host
It’s best practice to give your Teramind server a DNS entry. This way you can click on links in the email alerts, use your own SSL certificates, and enjoy other benefits as well.
1. Enter a hostname such as acme.teramind.co
.
If you are using SSO and configured it before changing the hostname, it might not work properly. E.g., users might still get redirected to the old host/IP address. To fix that, login from your new host address, the SSO settings will be automatically updated. Click the SAVE button to save the new SSO settings. For more information, check out this troubleshooting article.
SSL
Teramind strongly recommends proper configuration of SSL in order to avoid browser warnings and restrictions. Some browsers will not allow WebSocket communications if the certificates are invalid. This may prevent you from watching live screens or record them.
For this reason, you should deploy your organization’s SSL certificates within Teramind, and add a DNS entry in your corporate name server for your Teramind implementation.
For an example of how to use a third-party certificate with your instance, please check out this article on the Teramind Knowledge Base. To learn how to generate your own self-signed certificates, check out this article.
Note that all certificates should be in the PEM format.
Here’s how you should setup the SSL:
1. Upload your server’s Private Key (usually a .key file), Public Key (usually a .crt file), Intermedia Key (a concatenated list of CA certificates that validates your server certificate) and the Root CA Key.
2. Click the VALIDATE KEYS button. After you’re done, please access Teramind via the new hostname. You’ll be asked to log-in again.
Using a Third-Party Signed, Encrypted Certificate
If you try to upload a protected certificate, you will be asked to enter the PASSPHARASE. If the passphrase is incorrect or not provided, you will see an error message, "Certificates upload failed: Private certificate is encrypted, please provide passphrase and try again.":
If the passphrase is correct, the server will decode the certificate (once you press the VALIDATE KEYS button), convert it to a regular RSA private key and you will be able to see the keys and values:
Dashboard Authentication
Teramind processes large volumes of confidential and private data, so it’s a best practice to lock down access to the dashboard as much as possible.
1. If you enable the FORCE USERS TO LOG IN USING 2-FACTOR AUTHENTICATION option, next time administrators log in they will be forced to enable 2FA before being given access to their dashboard. Teramind supports 2FA apps like Google Authenticator or Authy. Check out this Knowledge Base article to learn how to set up 2FA for a user.
2FA is always enforced on Cloud deployments unless the SINGLE-SIGN-ON AUTHENTICATION option is enabled.
2. Enabling the BASIC USER/PASSWORD AUTHENTICATION option will allow you to authenticate to the dashboard using the user-password credentials you created in Teramind. Check out this Knowledge Base article to learn how to create/change password for a user.
3. Enabling the ENABLE MFA VIA EMAIL option will let you receive 2FA codes via the email. Check out this article to learn how to set up email-based 2FA for a user.
4. If you have successfully set up Active Directory integration, you may want to use your domain credentials to login. In such a case, you can turn on the LDAP AUTHENTICATION option. Check out the Active Directory section to learn more about AD setup.
5. If you enable the SINGLE-SIGN-ON AUTHENTICATION option, it will reveal the Single Sign On Authentication section. Please see below for details on this section.
6. Changes to some settings on the Teramind Dashboard (e.g., changing an employee’s access level) require you to confirm the changes before they are applied. In such a case, a confirmation dialogue box is shown. By default, the dialogue box asks you to confirm the changes with your password:
The CONFIRMATION METHOD FOR DASHBOARD CHANGES option lets you choose the preferred authentication option for confirming these changes. Depending on the availability, you can choose from Password, 2FA Code and LDAP Password. If you choose the Disabled option, the Dashboard will no longer ask to confirm any changes.
Notes About Confirmation Methods
If you change the confirmation method from one type to another, make sure the new method is set up/available. For example, if you change the confirmation method from LDAP Password to Password, each admin/privileged user will have to set a password on their Teramind account (they can do so from their profile's Account Info tab). If they don't have a password set, they will be asked to do so before they can make any changes to the Dashboard.
A similar situation can happen if you change from LDAP Password to 2FA Code. In that case, the user will be asked to set up their 2FA. However, they will be able to do so, only if the 2FA FORCE USERS TO LOG IN USING 2-FACTOR AUTHENTICATION option is enabled. Otherwise, they might have trouble logging in or making any changes to the Dashboard.
For these reasons, you should make sure that all your admins/privileged users have the selected confirmation method set up before you change this setting.
Here are a few more things to note:
For the 2FA Code option to work, the user needs to have the 2FA method set and activated on their profile.
For the LDAP Password option to work, the user has to log in with their LDAP credential and admin rights. Also, make sure the user is configured as an External user (you can do so from a user's profile, under the Account Info tab). Note that, if you selected this option and you are using a self-signed certificate, you might see an error, "Invalid confirmation password" when confirming the Dashboard changes. To mitigate that, you can upload your self-signed certificate from the Activity Directory settings (ENCRYPTION section).
If a selected authentication option isn't available for a user, the Password option will be shown when confirming changes
7. The ALLOWED IP TO LOGIN option lets you specify which IP addresses are allowed to login to the dashboard.
Password Policy
The settings under the Password Policy section will help you enforce password rules to increase the security of your user accounts. These rules will be enforced whenever a user password is created, modified or during the user login process. Here's an explanation of each option:
1. MINIMUM PASSWORD LENGTH: is the minimum number of characters the password can have. The default value is 6.
2. MAXIMUM PASSWORD LENGTH: is the maximum number of characters allowed for the password. The default value is 64.
3. PASSWORD EXPIRY TIME (DAYS): lets you specify how long the password will stay valid. After this period, the user will be asked to change their password. The default value of 0 means it’s disabled.
4. REQUIRE AT LEAST 1 NUMBER: if enabled, the user will be asked to enter a password that contains at least one number, e.g., 1, 2, 3.
5. REQUIRE AT LEAST 1 SPECIAL SYMBOL: if checked, the user will be asked to enter a password that contains at least one special character, e.g., #, $, !, etc.
6. REQUIRE MIXED CASE LETTERS: if checked, the password must contain at least one uppercase and one lowercase letter, e.g., A, a, B, b, etc. By default, it's unchecked.
7. REQUIRE USERS TO RESET THEIR PASSWORDS: if checked, the users will be asked to change their passwords to comply with the updated policy. By default, it's unchecked and only shown if you make any changes to the other options.
8. USERS MAY NOT REUSE THE PAST N PASSWORDS: will let you specify and enforce how many of the most recent passwords cannot be reused. For example, if the value is 3, users cannot reuse the previous three passwords when changing their password. If set to 0, the user will not be able to reuse any of the previous passwords. The default value is 10.
9. LOCK ACCOUNT DUE TO INVALID PASSWORD ATTEMPTS option will let you toggle the account lockout feature. When enabled, this will show two options:
LOCK ACCOUNT AFTER: will let you specify how many attempts will be allowed after the account is locked out. For example, if you specify 3, the account will be locked out at the third invalid attempt
LOCKOUT DURATION: will let you specify how long (in minutes) the account will remain locked.
Single Sign On Authentication
SINGLE-SIGN-ON AUTHENTICATION option allows you to authenticate to the dashboard using a Single Sign On (SSO) service such as Okta, One Login etc. via SAML2 protocol. Newly generated users will still need to set password in order to make further changes to account or login using Teramind revealed agent.
Enabling the SSO option will reveal several options which you can use to configure the SSO integration. You will also see an AUTO REGISTER NEW AGENT option. If enabled, this will let you specify default options for newly registered users/agents on SSO.
Check out this article for details on these options and step by step instructions on setting up a SSO integration.
Dashboard Sessions
With these settings, you can control exactly how you want to mange your dashboard sessions such as cookie lifetime, session storage type and idle timeout.
You can now control exactly how you want to mange your dashboard sessions including:
1. COOKIE LIFETIME defines how long an authorization cookie will be valid (in minutes). An authorization cookie is a temporary secret used to authenticate the browser. It will be automatically updated in the background while the user is active. The update process takes a few seconds before it is going to expire. If the user closes the browser before the secret was updated, the session will be closed, and the user will need to authorize again.
2. STORAGE TYPE defines whether it will be Persistent storage or Session storage. A Persistent cookie is kept for the duration/lifetime of the Cookie lifetime. A Session cookie gets flushed when you close your browser (different per browser settings) or until Cookie lifetime expire.
3. IDLE TIMEOUT defines how long a session will remain active when the user is idle (in minutes). If the user is not active for the number of minutes defined, a pop-up window will ask the user if they want to resume the session:
If there is no response, the session will be closed automatically, even if the COOKIE LIFETIME is still valid.
Agent Removal Protection
You can optionally install the Teramind Hidden Agent in protected mode to make it more difficult for unauthorized users and administrators to remove it. If you do this, you should set the uninstall password so that you can remove the agent when you wish.
1. Enter a password to protect the Agent uninstallation.
You can protect an Agent from unauthorized uninstallation by using the DO_PROTECTION=yes parameter during the Agent installation. For more information, please check out the Agent Installation/Configuration Parameters (Windows) section in the Agent installation article.
Make sure to set the password before installing the Agent. If you set the password afterwards, there might be problems with managing the Agent and uninstalling it..
Outgoing Exported Data
By default, Teramind allows you to export reports and video recordings to any email address. But you can use the ALLOW DATA & VIDEO EXPORT EMAILS TO THIS DOMAIN option to restrict export to certain domain only.
1. Enter the last part of an email address (the domain address including the ‘@’ symbol) to restrict export emails to that domain only. For example, @teramind.co
. Note that this field is checking for an end of email, not strict match. Additionally, you can specify something like .teramind.co
. In that case any sub-domain of teramind.co will be included in the check. For example, [email protected]
, [email protected]
– both will be allowed as valid email addresses.
You can only specify a single domain. Multiple domain restrictions aren’t supported at the moment.
Note that this option does not affect scheduled reports (see Schedule export option under the Exporting a BI Report section to learn more about scheduled reports). You can still send scheduled reports to email recipients who are not on the Teramind Dashboard (i.e. they are not on the List of employees screen). To prevent access to such exported reports, enable the ONLY AUTHORIZED USERS CAN DOWNLOAD EXPORTED FILES option under the Access to exported data section.
Access to Exported Data
These settings control who can view exported data (e.g., exported reports, scheduled reports, daily digest/snapshot reports, etc.) and how.
1. The ONLY AUTHORIZED USERS CAN DOWNLOAD EXPORTED FILES option allows you to limit access to exported reports to valid Teramind users only.
If you send a report (using the BI Reports > Export > Schedule Export option or the Daily Export option under the Monitoring Reports' Settings) to an email recipient who is not on the Teramind Dashboard, the email recipient will still get the automated email, but the report download link in the email will not work:
This option would enable you to better control the privacy and security of your data. For example, if a recipient of the automated report accidentally or intentionally forwards the email to someone else, the other person will not be able to access this report unless they are authorized.
This option applies to scheduled export reports only. It does not apply to the reports available on the SYSTEMS > Video Export and SYSTEM > Report Export screens. It also does not affect the Session Player’s Video Download/Export option.
2. The DISALLOW MANAGERS TO SEE AND EXECUTE EXPORTS option allows you to show/hide the EXPORT button on the BI Reports and the PDF and CSV export buttons on the Monitoring Reports, effectively disabling the export of any reports by the department managers.
If you enable this option, all previously scheduled email delivery of Monitoring Reports/BI Reports will no longer work for the department managers either.
3. By default, only admins get the daily digest/snapshot report via email. The SEND DAILY SNAPSHOT EMAILS TO DEPARTMENT MANAGERS option lets you enable the emails for department managers too. The email looks exactly the same as the one received by the admins except that the data is shown only for the users the department manager is assigned to:
You can enable/disable the delivery of the daily digest/snapshot report for an admin by toggling the Disable daily digest report option from their employee profile, under the ACCOUNT INFO tab.
4. The MAXIMUM EMAIL BODY LENGTH option allows you to set the maximum character size for the 'Body' column of an exported emails report (e.g., BI Reports > Emails). For example, here's a CSV report from the BI Reports > Emails with the MAXIMUM EMAIL BODY LENGTH option set to 2000:
And, here's the same CSV report but this time the MAXIMUM EMAIL BODY LENGTH is set to 50:
Notice, how the text in the "Body" column is stripped to 50 characters and a "…" is added at the end of the text.
This feature is useful when you have many emails with large body text. Limiting the body text will make the report to process faster and reduce file size.
The default value for this field is 2000.
Server Management
Teramind can be deployed as a cluster of servers to handle a large number of users. If you can see this setting on your dashboard, then it means you are on a Master node. Additional nodes (such as the OCR database and screen mining nodes) may connect and want to join this cluster. Here you can configure which nodes you want to accept into the cluster, and what their function should be.
1. You can enable/disable multi-node deployments with the ENABLE MULTINODE DEPLOYMENT toggle button. It is necessary to keep it turned on if you have more than one Teramind servers.
2. Turn SSH access on or off with the ENABLE SSH ACCESS toggle button. SSH is needed for remote login and configuration of Teramind servers, especially, during the deployment phase.
3. ALLOW NEW NODES will allow connection of new nodes to the system. For security reasons, we recommend you turn it off after you have configured all your nodes.
4. Managers and administrators will be able to access the Teramind dashboard on the MANAGEMENT INTERFACE PORT. Make sure the port is available before using it*. If you change this port, you will need to specify it on the Teramind Agent download links. For example:
msiexec /i https://acme.teramind.co:480/d/teramind_agent_v8.0.msi /qn
5. Teramind Agent will query this LOAD BALANCER PORT instead of the default 443 when looking for a Teramind server to connect to. If you change it something other than 443, you will need to use the TMROUTER parameter when installing the Teramind Agent. For example*:
msiexec /i teramind_agent_x64_s.msi TMROUTER=101.12.1.2:1580 /qn
* Reserved Ports:
The following ports are reserved and cannot be used for the Management Interface or Load Balancing: 22, 111, 5432, 4730, 8000, 8001, 8002, 9000, 6379, 10000, 10001.
. If you have setup other nodes, you will see them under the Nodes section:
Click the REMOVE button to cancel approval (un-approve) for a previously approved node.
Click the FORGET button to completely delete a node. For example, if you deleted a Virtual Machine used by an OCR node, you can delete the node from here.
Click the APPROVE button to approve any pending node connection requests.
Please consult the relevant deployment guide to learn how to setup the OCR nodes. You can find the deployment guides on https://www.teramind.co/company/resources under the Product Guides category.
SMTP
Teramind uses the SMTP email standard to send notifications, deliver scheduled reports and for other communications purposes. You can specify your SMTP server configuration here so that Teramind can access it properly.
1. Provide details for the server, encryption, port, and username. Consult your email server’s settings for the SMTP configuration or contact your email provider.
2. SEND INSTANCE HOSTNAME option is disabled by default but could be enabled to send the hostname of the client to identify it to the server. It might be useful in fixing email relay related issues on clients like Gmail.
3. If you disable the VERIFY SERVER CERTIFICATE option, it will force the system to ignore any invalid certificates. This is useful when you want to use your own self-signed certificate which isn't trusted. Enabling this option will make the TRUSTED CERTIFICATE option available and you will be able to add a trusted CA certificate. To do so, click the Select file button and select a .pem
or a .crt
file to upload the certificate.
4. Enter an email address from where the email will be sent. Teramind's outgoing emails will appear to have been sent from this address. Then, enter a password for the email address.
5. Enable the IMAGES FROM INSTANCE option if you want to load images (for example, icons used on the daily email digest) from your instance instead of teramind.co.
6. Click the SAVE button to save any changes.
7. Use the email under Test your SMTP settings to test your settings. Click the SEND TEST MAIL WITH CURRENT SETTINGS button to test current settings (without the changes). Use the TEST EMAIL CHANGED SETTINGS to test the changes you just made.
Storage
The Storage tab shows the usage statistics of various internal volumes and lets you configure thresholds and alerts when they reach certain levels.
1. The first three sets of data show the size and usage statistics for the three types of storage volumes used by Teramind:
The PRIMARY VOLUME USAGE indicates the size and usage of the main system volume. This volume typically contains the Teramind database.
The RECORDING VOLUME USAGE shows the status of the screen recording volume. You can always adjust the volume usage by tweaking your screen recording settings and retention policies. Check out the How to reduce storage requirements? article to learn more.
The TOTAL NODES USAGE shows information about the OCR/TeraServer nodes.
2. The second three sets of fields allow you to configure threshold for the recording volume:
The MIN SPACE THRESHOLD tells Teramind to stop recording when it reaches this minimum space threshold. You can specify a value in MB or % (see THRESHOLD UNIT below). Please note that Teramind will automatically disable recordings at 500MB.
The EMAIL MIN SPACE THRESHOLD determines at what point an email alert will be sent. This value must be equal to or greater than minimum space threshold. You can specify a value in MB or % (see THRESHOLD UNIT below). A value of 0 will disable the email alert.
The THRESHOLD UNIT lets you specify what unit is used for the above two thresholds. You can select MB or %.
3. The NOTIFICATION EMAILS field lets you specify who will receive the notification email for the EMAIL MIN SPACE THRESHOLD alert. You can disable the notifications temporarily by clicking the FOR NEXT 12 HOURS You can turn off email notifications completely by leaving the NOTIFICATION EMAILS field empty or by specifying a value of ‘0’ in the EMAIL MIN SPACE THRESHOLD field.
OCR
The OCR tab shows the usage statistics of the OCR session mining node and lets you configure thresholds and alerts when its usage reaches certain level.
The first two data sets show the OCR processing status. LATEST MINED PIECE OF DATA IS FOR shows the date and time when the OCR engine last processed a screen image, and the OCR DELAY shows the time it took for the OCR engine to analyze the last screenshot and detect text inside that image.
The second three sets of fields allow you to configure threshold and email alerts for the recording volume. With the MINING DELAY THRESHOLD, HOURS you can set up a threshold (in hours) and specify email address(es) in the NOTIFICATION EMAILS field. If the mining delay crosses the defined threshold, the recipients in the emails will get a notification like the below example:
You can disable the notifications temporarily by clicking the FOR NEXT 12 HOURS button. You can turn off email notifications completely by leaving the NOTIFICATION EMAILS field empty or by specifying a value of ‘0’ in the MINING DELAY THRESHOLD, HOURS field.
System Health
System Health tab gives you a quick snapshot of the current status of the server load, session mining (OCR process) status and the BI status.
1. The System load section shows the TOTAL NUMBER OF CORES the CPU has, 5-MINUTE LOAD AVERAGE (%), MEMORY USAGE, STORAGE and SERVER TIME. Clicking the Click to see more link will take you to the Storage tab where you can view more information about the storage usage and set up threshold alerts.
2. The Session mining stats shows the OCR processing status. LATEST MINED PIECE OF DATA IS FOR shows the date and time when the OCR engine last processed a screen image, and the OCR DELAY shows the time it took for the OCR engine to analyze the last screenshot and detect text inside that image. Clicking the Click to see more link will take you to the OCR tab where you can view more information about the OCR usage and set up threshold alerts.
3. The BI Status shows three pieces of information:
The first field shows the current CLASSIFICATION VERSION used by the BI engine. Check out this article to learn how to update your BI Classifications.
The second field shows if the CATEGORIZATION of apps/websites is enabled. When enabled, Teramind will use the inCompass® NetSTAR, a comprehensive web categorization and filtering technology to automatically classify websites and their reputations. The update package contains these classification definitions.
The data displayed on the BI reports is not real-time. It can take up to 4 hours for it to refresh. The third field under BI Status shows the LAST SYNC TIME when BI the engine processed the reports.
4. Click the Refresh button to refresh the screen.
Localization
Localization tab allows you to change the time and language settings.
1. You can change the TIMEZONE you want to use.
2. Use the NTP SERVER to specify a time server. Teramind will automatically sync the clock with the server. You can select a generic server like clock.isc.org if your deployment has internet connectivity. Note that the NTP Server option is not available on Cloud deployments. Also, for the best result, make sure all your monitored endpoints and the Teramind server are on the same NTP server. Otherwise, you may see discrepancies between the time an activity happened vs. the time it is recorded in Teramind. An accurate NTP time source is also important if 2FA is enabled because any difference in time between the Teramind server's time and the 2FA authenticator's device time will reduce the 30-second window that a 2FA code is valid for.
3. You can change the TIME FORMAT to 12-hour or 24-hour format.
4. You can change the DEFAULT LANUGE used by the system. Teramind supports English, Spanish, Chinese, Portuguese, Russian and Turkish. Note that, you can change the language for an employee/user from their Profile (ACCOUNT INFO tab).
5. You can change the WEEK START DAY.
License Alerts
The License Alerts tab lets you toggle alerts for license overruns.
1. If the SEND LICENSE OVERUTILIZATION REPORT DAILY option is enabled, Teramind will send daily email alerts to the selected email addresses (see #2 below) if the monitored users/computers exceed the allotted number of licenses.
2. Enter the email address(es) in the NOTIFICATION EMAILS where the alerts will be sent. You will receive slightly different emails based on your license type. If you are under an endpoint-based licensing option (e.g., On-Premise deployments), then the email will list the endpoints (computers) that exceeded the license count. While a user-based licensing option (e.g., Cloud deployments) will list the users (agents). Both emails will show which logins were unsuccessful due to insufficient licenses:
You can see which users are currently “Unlicensed” from the Employees report under the Monitored column.
Daily Digest Alerts
By default, the Daily Digest/Snapshot email comes with several sections such as Alerts, Emails, Instant Messaging, Printing, Websites, etc.
You can configure which of these sections will be included from this screen:
Note that if no section is enabled the Daily Digest/Snapshot email will not be sent.