Introduction to Monitoring Profiles
The Monitoring Profiles screen lets you create/edit monitoring profiles for users, computers, departments, and Active Directory groups and precisely control how much information will be collected for each monitored system (such as Websites, Apps, Emails, etc.). You can track as much or as little as you want based on your organization's needs and alleviate any privacy concerns.
1. Click the New Profile button to create a new profile.
2. Click the Three Dots 
in front of a profile to access its context menu:
Select Preview Profile to see what settings the profile contains. See the Previewing a Profile section to learn more.
Select Edit Profile in a New Tab to view and edit the profile in a new browser tab. Editing a profile is similar to creating a new profile.
Select Clone Profile to create a duplicate copy of the profile.
Select Archive Profile to archive (delete) it.
3. Click the Custom Profile button to view employees who are assigned a Custom Profile:
Clicking on an employee's name will take you to the employee's details page.
Teramind comes with a Default settings profile. This profile is used by default for all users and cannot be deleted.
Creating a New Monitoring Profile
Click the Create Profile button near the top-right corner of the Monitoring settings screen. A pop-up window will be displayed.
1. Select users, departments, computers, etc., as the tracking targets for the profile. You can click on an empty space in the field or click the + button to add a target and press the X button to remove a target.
2. Give the profile a name.
3. Optionally, give it a description.
4. Click the Submit button. You will be taken to the Edit monitoring profile screen:
1. Click the Toggle 
buttons under the What to monitor column to turn monitoring on/off for a monitored system (e.g., Screen Recording, Applications, etc.).
2. Click the Edit 
button under the Actions column to access additional settings for a monitored system (see the Editing the Settings of Monitored Systems below)
3. Click the Assigned button to view/change the assigned targets (users, computers, departments, etc.) for the profile.
4. Click the Gear 
button near the top-right corner to open the profile’s settings panel. See the Profile Settings section below to learn more.
Profile Settings
The Profile Settings panel comes with two tabs. The Basic tab allows you to change the profile names, targets, monitoring schedule, etc. The Advanced tab gives you access to some advanced options.
Basic
Name:
You can change the profile’s name.
Description:
Optionally, change the profile's description.
Assign To:
Optionally, assign employees, departments, and computers to the profile. If you don’t assign anything, “Nobody” will be used.
Advanced
Be careful when making changes to the Advanced monitoring settings, as it might disrupt Teramind’s tracking capabilities, make the system unstable, prevent users from accessing their network, etc.
Click the Advanced tab from the Profile settings screen to access the advanced settings panel:
DLP for processes:
Allows you to exclude certain processes from the DLP scanning (e.g., data discovery and classification) and DLP rules. For example, svchost.exe, System Idle Process, etc. Note that this is different from disabling monitoring for applications using the Monitor only selected apps and keystrokes option on the Applications monitoring settings. That option disables all monitoring for a process (activity will not be captured, and the app will be blacked out on the session recording). On the other hand, Don’t track DLP will only disable DLP scanning for a process.
File driver:
If you leave the Don't track processes below field empty, Teramind File Driver (tmfsdrv2 service) will be stopped on the users’ computers. As a result, File Transfer reports, Content Sharing Rules, Files-Based Activity, etc., will not work. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.
If you enter specific processes/apps, the driver will remain active, but only those processes/apps will be excluded from the driver. For example, entering explorer.exe into this field will exclude Windows File Explorer. This could be helpful for troubleshooting purposes. Also, with this option, you can ignore processes you don't want to capture while keeping the file transfers monitoring active. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.
Network driver:
If you leave the Don't track processes below field empty, Teramind Network Driver (tm_filter service) will be stopped on the users’ computers, and the ‘Quick web proxy’ certificate will not be injected into the browsers. As a result, network-based activities will not be tracked, and things like the IM report, Network-Based Rules, File Upload rules, etc., will not work. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.
If you enter specific processes/apps, the driver will remain active, but only those processes/apps will be excluded from the driver. For example, entering msedge.exe into this field will exclude Microsoft Edge from the network driver. This could be helpful for troubleshooting purposes. Also, with this option, you can ignore processes you don't want to capture while keeping the network monitoring active. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.
RDP (Remote Desktop Protocol) options:
The setting under these sections applies to RDP (Remote Desktop Protocol) sessions:
Track printer: will enable/disable RDP printer sharing.
Track local drives: will enable/disable RDP drive blocking.
Track print screen: will enable/disable RDP print screen blocking.
Track portable device: will enable/disable RDP USB blocking.
Block clipboard sharing through RDP: will enable/disable RDP clipboard tracking. If you enable this option, another option, Exclude processes below from clipboard tracking will be shown. You can exclude certain apps/processes from the blocking by entering them in this field.
Please note that the RDP settings aren’t available by default. Please reach out to your Customer Service Representative or Account Executive to activate these features on your instance.
Also note that these settings apply to an RDP session only and not the user's computer. For example, if you enable the Track portable devices option, Teramind will block devices such as USB drives, external webcams, etc., on the remote host computer, not the user's computer.
Restrictions:
Disable all local admin accounts, except built-in: If you turn on this option, you can specify a new admin user and password. Then, when an admin logs in as a current Windows user, a new admin will be created, and all existing admin accounts will be disabled.
Disable Bluetooth: You can enable/disable the Bluetooth network.
Disable Wi-Fi: This option lets you enable/disable Wi-Fi. Make sure the computer has an alternate method to connect to the internet (e.g., Ethernet) before disabling the Wi-Fi. Otherwise, the Agent will not be able to connect.
Disable USB devices (except keyboard & mouse): If you turn on this option, then all the USB devices will be blocked except for the keyboard and mouse.
Disable built-in password manager of known browsers: Most modern browsers have a password manager that prompts you to save passwords from login forms on websites. While this is convenient, it's a security risk. This setting allows you to disable these built-in password managers. The user will not be able to override the option from their browsers. However, independent password managers such as LastPass will still work. If you enable the Disable built-in password manager for known browsers option, another option, Allow application restarting will be shown. If this setting is turned on, the Teramind Agent will automatically restart any open browsers when the Disable built-in password manager of known browsers option (see below) has changed, so that the setting can take effect automatically. Otherwise, you will have to manually restart the browsers. It also allows you to restart the Mozilla Firefox and Tor browsers to inject the proxy certificate (required to monitor web traffic). Otherwise, you will have to manually restart the browsers.
Please note that if the Allow application restarting option is enabled, Teramind will automatically restart any open browsers so that the Disable built-in password manager of known browsers setting can take effect automatically. Otherwise, you will have to manually restart the browsers.
Data upload:
If you have many users or a slow network, the Max upload bandwidth option will help you prevent overloading your network infrastructure by imposing a throttled bandwidth and the asynchronous upload of video/audio recordings. Furthermore, you can use the time slider option so that the uploads take place during off-peak hours only. These options might also be useful if your end users have a slow connection. Here’s how the two settings work:
The time slider lets you specify a time range for the upload activity. You can drag the two orange slider dots
to adjust the time. If no timeframe is configured, the Agent will be able to upload data anytime.The Max upload bandwidth (KB/s) field allows you to set the maximum upload bandwidth (in kilobytes per second). If no value or a 0 value is set in the field, the bandwidth will be unlimited.
Please note that restricting the Agent upload bandwidth/timeframe might delay the data availability on the Dashboard and impact some features. For example, playback of video recordings, OCR search, etc.
*FILE DRIVER vs NETWORK DRIVER
FILE DRIVER
App/Web Activities: Will be tracked.
Online Meetings: Some apps might be tracked, others not. For example, Skype and Google Chat calls will not be tracked. However, Zoom calls will be tracked.
Instant Messaging: Will not be tracked.
Emails: Emails including attachments from both desktop apps (e.g., Outlook desktop client) and web emails (e.g., Gmail web) will be tracked.
File Transfer: Web Upload/Web Download will be tracked. No other local file activities, such as Access, Read, Write, Rename, etc., will be tracked. File transfers through apps such as Zoom, Teams, etc., will not be tracked. RDP transfers will not be tracked.
Behavior Rules: Any Content rules involving local files and the app will be ignored.
NETWORK DRIVER
App/Web Activities: will be tracked.
Online Meetings: incoming meetings will be tracked on desktop meeting apps. However, meetings from the web (e.g., Zoom Web) will not be tracked.
Instant Messaging: Will not be tracked.
Emails: Emails and attachments from a desktop app (e.g., Outlook desktop client) will be tracked. But web emails (e.g., Gmail web) will not be tracked.
File Transfer: Web Upload/Web Download will not be tracked. But Upload/Download will be tracked. For example, if you uploaded a file through the Google Drive desktop version, it will be tracked as an upload activity. However, if you uploaded a file through the web version of Google Drive, it will be considered a Web Upload and will NOT be tracked. However, uploads/downloads from some desktop applications, such as Microsoft Teams, are considered web uploads/ downloads activities and will not be tracked.
Note that there might be several file activities tracked by Teramind for a single web upload/web download event. This is because the OS might undertake several separate file actions when it’s uploading and downloading a file. For example, it might take the data from the web server, write a temporary file to the local disk, rename the temporary file, and then complete the download with another write operation. In that case, if you disable the NETWORK DRIVER, only the Web Download activity will not be tracked. However, the other local file activities (Write, Rename, etc.) will still be tracked. If you don’t want to track these activities, you will need to disable the FILE DRIVER, which deals with local file transfers.
RDP Transfers: If you copy from the remote client to the remote host, the copy operation will be tracked as a “Write” action. However, copying from the remote host to the remote client will not be tracked.
Network Monitoring: Network activities will not be captured on dashboards.
Behavior Rules: Network rules and File rules for upload/download will not be tracked.
Previewing a Profile
Click the Three Dots in front of a profile to access its context menu and then select the Preview Profile option to view what settings the profile contains:
You can click the Down/Up Arrows 
to expand/collapse a row.
Custom Profile
A Custom Profile is created automatically when you change the monitoring settings on an employee’s profile.
Click the Custom Profile name or the Custom Profile button on the Monitoring profiles screen to see which employees are using a custom profile:
Clicking on an employee's name will take you to the employee's details page.
Editing the Settings of Monitored Systems
Monitoring Schedule
Each Monitoring system (except for Offline Recording, OS State, and OCR) has a simple scheduler at the bottom of its settings panel. Using this scheduler, you can quickly specify when the tracking will take place.
Click on a day to enable/disable it. Drag the two slider ends 
to adjust the time. Click the Reverse 
icon to reverse the time.
You can press the Apply to all button to apply the schedule to all monitored systems. A warning will appear:
If you click the Apply to all button, it will override the monitoring schedule of all monitored systems.
Screen Recording
Remote control:
Allow remote control: this option determines if the Remote Control and Freeze Input features will be available on the Session Player’s Live View Controls.
Messages to display:
During remote control: lets you specify messages to be shown when the Remote control feature is activated on the Session Player.
During input freeze: lets you specify messages to be shown when the Freezing input feature is activated on the Session Player.
If you keep these fields blank, then no messages will be shown to the user. See the Session Player’s Live Mode Controls section to learn more.
Video settings:
Async screen upload: If the user is using a Stealth Agent, this option will force Teramind to use a queue for screen recordings instead of uploading them in real time. It’s suitable for a slower network or a busy OCR server. However, you might experience some delay between the user activity and the recording appearing on the dashboard when this option is enabled.
Async screen upload only works on the Stealth Agents; the setting is ignored on Revealed Agents.
Record locked sessions: option allows you to continue recording even when the user locks their computer. A locked session can mean the user choosing the “Lock” (“Lock Screen” on Mac) command, a screen saver getting activated, or an RDP (remote desktop session) window minimized (see notes below)*.
Use modern screen grabbing: you should only enable the option on Windows 8 or above. If you are experiencing issues with screen captures, try toggling this option. Modern screen grabbing can often help with visual artifacts seen in the recordings, such as black spots when transparency effects are enabled in Windows 11.
Record only when behavior rule was violated: by enabling this option in combination with the Record Video rule action, you can capture the screen only when a rule is violated. This will help reduce the storage needed for the screen recordings or alleviate privacy concerns.
If you enable the Record only when behavior rule was violated option, you will have to use the Record Video rule action if you want to capture a user’s screen.
Update screen on events only: if this option is enabled, the screen in the Live Mode on the Session Player will only update the screen if any activity on the keyboard or mouse is detected or any behavior rule is triggered. Otherwise, the screen will remain still.
Retention period:
Delete history after: this option is applicable to On-Premises customers only. If you specify any days in this field, the video recordings will be automatically deleted after those days. This will reduce your storage requirements and help you comply with data retention policies. Note that currently, Teramind on AWS doesn't support the removal of screen recordings from AWS S3 buckets. You can still use the Amazon S3 Lifecycle (! external link) to manage your storage.
Video quality:
Maximum frames per second (FPS): lets you specify how many frames per second will be captured. The range is 1-4, and the default frame rate is 2 frames per second.
Color and color quality of recodings: the three options, GrayScale / Color / HighColor, let you control the color of the recordings. Note that the HighColor mode is only available in On-Premises deployments and enables recording in 16-bit color compared to the default 8-bit color. It also uses the most space, and the recordings will be close to double the size of recordings without HighColor enabled.
Live screen scaling: lets you control the screen size of the recording.
Adjusting the Live screen scaling option might affect the OCR accuracy and performance or make it inoperable.
*How Locked Session Monitoring Works
If Record locked sessions is turned ON:
The Agent will continue to track work time when the desktop is locked.
The Live Player, Snapshots dashboard, Session Player, etc., will display the OS lock screen or any active screensaver.
The Current Task column of the Live Users dashboard will show the currently active task, and the Current Activity column will show nothing/blank. The dot icon next to the employee’s profile picture will show green.
The Online column on the Employees report will show “Online”.
The time the user spends in lock mode will be counted towards Work Time: Time, Work Time: Idle Time, and Login Sessions: Time.
On a Mac, the user will see a “Your screen is being observed” message near the top-right corner of the screen. If you want to hide from the user that their computer is being monitored, you should not enable this option on the Mac.
If Record locked sessions is turned OFF:
The Agent will not track the time and will stop any active task.
The Live Player, Snapshots dashboards, Session Player, etc., will display a blank/black screen (if it’s a normal desktop) or the “SESSION LOCKED” message (if it’s a remote/RDP desktop and the RDP window is minimized).
The Current Task column of the Live Users dashboard will show “No task,” and the Current Activity column will show nothing/blank. The dot icon next to the employee’s profile picture will show orange.
The Online column on the Employees report will show “Session locked”.
The time the user spends in lock mode will only be counted towards the Login Sessions: Time.
Applications
Monitor keystrokes for password fields in desktop apps:
If this option is enabled, then keystrokes in the password fields will be captured for all desktop apps.
Track window titles:
This gives you the ability to toggle tracking of application titles, including document names in the titles. If you disable this option, the “Title” column on dashboards and reports like Applications & Websites will not show any data. Note that if you turn off this option, the “Applications caption” criterion in the Applications rules might not work properly for all apps.
Track console commands:
You can turn monitoring on/off for console/terminal commands using this option.
Idle time threshold (minutes)*:
You can define the to set the application idle time. It’s used in the productivity reports, Agent Schedule-based rules, and other places by Teramind.
Applications and keystrokes to monitor:
Monitor all apps and keystrokes: if this option is enabled, all apps will be tracked. But you can specify exceptions by clicking the Exception button. You can also add extra conditions such as:
IP: allows you to monitor the app only if it’s launched from a computer using a certain IP address. For example, 192.168.1.1.
Range: allows you to specify an IP range. For example, 192.168.1.1 - 192.168.1.10.
CIDR: allows you to specify a Classless Inter-Domain Routing format. 192.168.1.1/32, 192.0.2.0/24, etc.
List: allows you to select a Network-based Shared List.
Monitor only selected apps and keystrokes: this option works the opposite of the Monitor all apps and keystrokes option. With this option selected, you can add apps to monitor by using the Add button.
An unmonitored app window will be blacked out on the Session Player/screen recordings and will not be captured in the Keystrokes dashboard. However, it doesn’t affect the work time being tracked. It doesn't affect the activities log either. Activities and keystrokes WILL be captured for unmonitored apps.
*Idle Time in Reports vs Rules
Note that the Idle time threshold (minutes) is used to measure Idle Time, Productive Idle Time, Unproductive Idle Time, etc., on the Productivity, Applications & Websites dashboards, etc. It doesn’t affect idle times in rules (for example, the Idle criterion in Agent Schedule rules, the Time Idle and Total Time Idle criteria in Applications/Websites-based rules, etc.). The rule will be triggered independently of the Idle time threshold value. For example, you can set your Idle time threshold to 30 minutes and create an Applications rule with the Time Idle criterion and set it to 10 minutes. In this case, the rule will trigger every 10 minutes if the employee remains idle. However, on the various productivity reports, the idle time will only be recorded if the employee remains idle for more than 30 minutes.
Websites
Don’t monitor private browsing:
Turn on this option to suspend monitoring for all private browsing (incognito) sessions. The browser window will be blacked out, and the keystrokes will not be captured from that window. However, the full URL is still captured in the activity log. For this reason, keystrokes might still be captured as part of the URL. For example, when you use a search engine like Google.
Monitor keystrokes for password fields in browser:
You can toggle monitoring of keystrokes in password fields. For example, a login page containing an HTML input field such as <input type="password">*. See the notes below for more information.
Websites to monitor:
Monitor all websites and keystrokes: if this option is enabled, all websites will be monitored, and keystrokes will be captured on those sites. You can add exceptions by clicking the Exception button.
Monitor only selected websites: this option works the opposite of the Monitor all apps and keystrokes option. With this option selected, you can add websites to monitor by using the Add button. You can also use the sub-option, Don’t monitor keystrokes for these websites for a site included in the exception field to disable keystroke tracking for it. This way, the website will then be monitored (e.g., included in the Applications & Websites dashboard/report, screen recordings, etc.), but the keystrokes typed in it will not be shown on the Keystrokes dashboard/report.
Unmonitored websites will be blacked out in the Live View and recordings on the Session Player. Activities on these websites are tracked as the browser process (e.g., chrome.exe).
Website content:
Don’t monitor websites that contain these words or terms: websites specified in this field will not be monitored if certain text/content is detected inside the loaded webpage. Keystrokes will not be recorded, and the screen will be blacked out. For example, by entering "password" in the field, you can dynamically suspend the login pages of most websites. Note that the text isn't case-sensitive.
IPs to monitor:
Monitor all IPs: This option lets you monitor all IPs. You can add exceptions by clicking the Exception button.
Monitor only selected IPs: this option works the opposite of Monitor all IPs. Click the Add button to add a list of IPs to monitor.
Please be careful when filtering monitoring by IPs. You may accidentally turn monitoring on/off for other sites, as there may be several sites with the same IP.
Invalid certificates:
Monitor these hosts with invalid certificates: click the Add button to add websites that have an invalid certificate. In some situations, this might be necessary. Because, by default, Teramind doesn't track connections to a website with a bad SSL certificate. So, for example, if your On-Premises server has a self-signed certificate, downloads from the Teramind Dashboard will not be recognized as web downloads. Adding the IP address of the server in this field will activate SSL traffic decryption so that Teramind will be able to properly parse and present the information on the Dashboard. However, this is not a recommended method, and this option should only be used as a last resort. Please see the notes below.
WSS Port:
This field lets you specify the port for web traffic redirection (Web Security Service). It’s used by the Teramind Agent's network filter driver to monitor web traffic. Generally, you don’t need to change the default port. However, in rare situations, you might need to change it. For example, if an application is using the default/same WSS port, you can assign a different port to the Agent using this field.
*Notes about password fields
Password field detection might not work on websites that use Java-based widgets.
Password field detection will only work if it's masked (e.g., the text field doesn't show the typed password, instead it shows special symbols like * or •) or if the name property of the field contains 'pass'. Otherwise, the Agent will capture all the keystrokes entered in the password field, even if the Monitor keystrokes for password fields option is disabled.
Excluding websites/IPs from monitoring
You can add websites/IPs to the Exception list (under the Websites to monitor and IPs to monitor sections) if you want to prevent Teramind Agent from injecting the Quick Proxy SSL certificate. Use them if it looks like the Agent's certificate is causing an issue with a website.
Excluding websites from monitoring
If you include a hostname in the exception list, then Teramind will not intercept traffic from these sites. But in the case of HTTPS, we still inject HTTPS certificates and recode encrypted data. This may lead to network issues.
Quick Proxy certificate IS injected.
Does NOT appear in the activity log.
Keystrokes ARE captured.
If, for example, you enter microsoft.com in the Don't monitor web traffic for these websites field, then the agent will not monitor activity for microsoft.com or other pages/subdomains like www.microsoft.com, support.microsoft.com, or accounts.microsoft.com.
Excluding IPs from monitoring
Filtering by IP may contain IPs, IPs with a mask, or the domain name of the site (excluding
http://orhttps://prefix). For domains, it works by requesting a list of IPs that correspond to this domain. Please be careful that, when using this field, you may accidentally turn off monitoring for other sites, as there may be several sites with the same IP. If the IP is in this list, then Teramind will not recode encrypted data, and there will be no influence on the HTTPS traffic.Quick Proxy certificate is NOT injected.
Behavior rules are NOT enforced.
Appears in the activity log.
Keystrokes ARE captured.
Any web pages entered in this field will appear in the activity reports (e.g., Applications & Websites reports). This field will accept IPs, an IP with a mask, or a domain name (excluding the http:// or https:// prefix). If you enter a domain instead of an IP address (e.g., microsoft.com), a domain lookup will be performed to query a list of IPs that correspond to the domain. Also, adding a primary domain such as microsoft.com will NOT prevent the certificate from being injected for sub-domains (e.g., support.microsoft.com, accounts.microsoft.com, etc.). This field also doesn't work with a wildcard, so, entering *.microsoft.com is not a valid entry. However, regular expressions are supported. Here are some examples:
To match only subdomains, excluding www:
^(?!www.)(?:.*\.)google\.comTo match only the root domain with or without www:
^(www.)?google\.com.*microsoft.com(.*is different than*.which is not a valid entry) will prevent the proxy certificate from being injected for:microsoft.comsupport.microsoft.comaccounts.microsoft.com, etc.
What sites should be excluded from monitoring?
Sites that reside on some domain name sometimes use resources from other domains. To exclude all sources of the problem, you need to exclude all used resources. You can get a list of the domain names by turning off the Teramind Agent, run Chrome, Open “Developer Tools”, select “Network” tab, set “Disable cache” = true, “Preserve log” = true, right click on the header of the table with the network requests, select “Domain”, then reproduce the situation that leads to an issue, and capture all domain names (from the Domain column) that were involved in the loading process.
Monitor these hosts with invalid certificates
This option will allow all hosts to work with invalid certificates. This is not a recommended thing to do as it may help disguise invalid certificates and allow phishing attacks. As an alternative, you can also use a Match Regular Expression condition matches regex/.*/ on any rules that require a URL/website address, such as below:
Dynamic Blackout
Also known as screenshot redaction, blurring, censoring, abridging, etc.
When you exclude a website or application from monitoring, Teramind will automatically blackout the relevant application window in the video recording or during the live view mode of the session player (check out the Session Player section to learn more about the session recording and live view).
The blackout feature works on both single-monitor and multi-monitor setups.
Social Media
Track these applications:
You can select which social media applications will be tracked.
Track these actions on selected applications:
You can select which social media activities will be tracked. Such as Create comment, Edit comment, Create post, Edit post, etc.
Emails
Email content:
Monitor email content (body copy): turn on this option to capture email content.
Capturing options: allows you to select if incoming, outgoing, or both types of emails will be captured. You can specify which email clients will be captured in the Monitor emails apps field. Teramind supports the most popular email clients, such as Outlook, Gmail, Yahoo, etc. - both desktop and web versions.
Don’t monitor these domains: this option can be used to prevent monitoring of emails if all email addresses to/from/bcc/cc fields are within the list of certain domains. The aim is to exclude corporate /internal emails from being monitored. For example: .*teramind.co will ignore all emails from teramind.co. These emails will also be excluded from any active policies and rules. Note that all email addresses in the to/from/bcc/cc fields have to be in the same domain(s) for this filter to work. Here are some examples:
a. Outgoing internal email:
From: [email protected]
b. Outgoing internal email with one external recipient:
From: [email protected]
c. Incoming internal email:
From: [email protected]
d. Incoming external email with an external recipient in the CC field:
From: [email protected]
In the above examples, only emails (a) and (c) will be ignored from monitoring because emails (b) and (d) contain other domains (gmail.com and yahoo.com).
Email attachments:
Capture email attachments: you can toggle incoming/outgoing attachments capture under this section.
Ignore attachments matching these file names: option to ignore any attachments you do not want captured. You can use comma-separated values such as “.teramind.co”, “.*teramind.co”, etc. You can also use regular expressions. For example, to ignore music and video files, you can use something like this: /\.(mp3|mp4|avi)/gi. Note that the emails will still be captured.
Delete attachments after (days): if you specify any value in this field, then all the attachments will be removed after the specified days. The default value of 0 means the attachments will not be removed.
Emails retention period:
Don’t monitor emails older than: the default value for this field is 0. Allowing you to monitor all emails. However, you can enter a day value in this field to cut off monitoring and capturing of emails older than the specified days. This option is sometimes useful for clients like Outlook, which may scan older emails if emails are moved or archival policies are run. In such situations, by default, the Agent will capture any emails being accessed. This setting tells the Agent to ignore scanning older emails.
Ignore alerts for older emails even if behaviors' rules are triggered: this sub-option will cause the rule engine to ignore emails older than the value specified in Don’t monitor emails older than field, preventing unexpected rule violations and false alerts.
Online Meetings
Monitor applications:
In this field, you can specify which online meeting apps to track. Teramind supports monitoring of Zoom, RingCentral, Microsoft Teams, AirCall, Webex, etc.
Instant Messaging
Monitor these applications:
You can specify which messaging applications to track in this field.
Capture content:
You can track incoming, outgoing, or both types of messages by selecting the options under this section.
Monitoring period:
Don’t monitor messages older than: this option allows you to cut off capturing IM conversations older than a certain days. Users might browse older messages on the IM client. With this option, you can instruct the Agent not to capture those messages by reducing noise in your monitoring reports.
Ignore events even if behavior policies match: this sub-option will cause the rule engine to ignore rules older than the value specified in Don’t monitor messages older than field, preventing unexpected rule violations and false alerts.
Keystrokes
Monitor clipboard:
Click this option to turn clipboard (copy/paste operation) tracking on/off.
Files
File types:
You can select which file extensions to track under this section, such as .txt, .docx, etc.
Custom file types:
If the files you want to track aren’t available under the File types section, you can use this field to manually enter file extensions. For example, .odm, pkg, etc.
File operations:
You can select which file operation (e.g., Copy, Rename, etc.) to track under this section.
File locations to skip:
If you don’t want certain locations (i.e., folders) to be tracked, you can specify them in this field. For example, Windows, ~/Downloads (to exclude the Download folder in Mac), etc.
File locations to skip (regex):
This field is similar to the above but lets you exclude multiple locations matching the regex pattern. For example: .*upload.*. You can also use local folders (e.g., Documents), network folders (e.g., \\corplan\Shared Drives), environmental/system variables (e.g., %APPDATA%), and wildcards (e.g., c:\user\*\appdata) in the field.
File origin:
This section lets you select which file origin (sources) to track, such as Local files, Network files, External drives, etc.
Cloud files:
This section lets you select which cloud drives to track for file uploads/downloads, such as Google Drive, OneDrive, Box, etc.
Note that Teramind cannot track the copy operation for a file from one network server to the same network server (e.g., source and destination are the same). For example, copying a file from \\103.247.55.101\source to \\103.247.55.101\destination cannot be tracked. Copy to and from the same local drives is detected as usual.
Also, copying of an empty file cannot be tracked since it will be impossible for the system to distinguish between the file create and copy operations due to the zero size of the file.
Printing
Print account credentials:
If you use a printer that requires login permissions, use the User and Password fields to specify the credentials. Otherwise, Teramind will not be able to monitor it.
Exclude printers:
In this field, you can add regular expressions to exclude any printers matching the name. For example, .*epson.
Printing capturing settings:
Content capturing: You can select whether to capture the Actual document or the Document’s name only.
Maximum document size: this field works a bit differently on Windows and Mac. On Windows, this option will determine the maximum number of pages that will be captured. For example, if you set the value to
50pages, and the user prints a document containing55pages, the Agent will capture only the first50pages of the document and ignore the rest. On Mac, the Agent will NOT capture the document at all if it exceeds the specified maximum size. The Document name will be captured, though.
Retention period:
Delete history after: applicable to On-Premises customers only. If you specify any days in this field, the video recordings will be automatically deleted after those days. This will reduce your storage requirements and help you comply with data retention policies. Note that currently, Teramind on AWS doesn't support the removal of screen recordings from AWS S3 buckets. You can still use the Amazon S3 Lifecycle (! external link) to manage your storage.
Geolocation
Time Threshold:
By default, every time a user changes their location, it’s reported. You can specify a threshold (in seconds) to configure how often the location data will be reported instead. This can be useful in situations where the location changes too often and you don’t want your Geolocation report to be flooded with information. For example, when you are traveling on a train or in a taxi with a laptop, your location may change every minute, and the Geolocation report will show all the updates. With this setting, you can set a wait time before changing a location update.
The default value is 600 (or 10 minutes). A value of 0 will disable this option.
Audio
Monitor all input / Monitor all output:
Allows you to enable/disable recording for all input (e.g., microphones, line-in) and all output devices (e.g., speaker, line-out).
By default, Teramind will capture the audio streams from the devices assigned as the default playback and recording device in Windows. If you enable the above options, then audio streams from all recording/playback devices will be captured.
Monitor when these apps use the microphone:
This field lets you capture audio only when the microphone is used by select applications. You can use the following in the field:
Empty/No Value: audio will be recorded continuously, in all applications, even if the input/output (I/O) device is not actually in use.
All: will record the audio in all applications, but only if the I/O device is currently in use.
Executable File Names/Apps: will record the audio in the specified applications, and only if the I/O device is currently in use. For example, zoom.exe will only record audio when the microphone is activated in Zoom.
Text List/Regexp List: similar to the third option, except that it will match the applications in the shared list.
Note that this option doesn't affect audio output.
Audio settings:
Automatic level adjustment: if this option is enabled, it will automatically adjust the sound levels for higher/lower tones.
Async audio upload: If the user is using a Stealth Agent, this option will force Teramind Agent to use a queue for audio recordings instead of uploading them in real time. It’s suitable for a slower network or a busy server. However, you might experience some delay between the user activity and the recording appearing on the dashboard when Async audio upload is enabled.
Async audio upload only works on the Stealth Agent; the setting is ignored on the Revealed Agent.
Bitrate: You can adjust the audio quality by choosing a bit rate. A higher value will give crisper audio but will use more CPU processing and storage.
OCR
OCR languages to process:
This option allows you to pick one or more languages to process.
Process screen start date:
Process screen records after: this option allows you to pick a starting date from which the recordings will be processed. Recordings before this date won’t be processed. This option can be useful if you didn't originally have the OCR feature enabled on your instance and activated it later.
Camera Usage
Camera Usage doesn’t come with any additional settings except for the monitoring schedules. If the Camera Usage is turned on, you will be able to detect when employees are using their webcams and the applications that are accessing the webcam from the Camera Usage dashboard.
Offline Recording
Offline recording’s buffer length:
This option allows you to specify how long the Teramind Agent will continue to record the screen while the user is disconnected from the internet or the Teramind server. By default, the buffer is set to 24 hours, but you can increase or decrease the time as needed. Note that you cannot enter a 0 value in the field. If you want to disable offline recording completely, turn off the Offline Recording option from a monitoring profile (Monitoring Profiles > Edit monitoring profile screen).
Offline recording’s buffer size limit:
This field is optional and can be used to limit the storage utilization by offline recordings (in megabytes). The default value of 0 means there will be no limit.
Note that if you use both the Offline recording’s buffer length and the Offline recording’s buffer size limit options, the lowest value will be prioritized. For example, if you specify a 24-hour buffer length but a 10-MB buffer size, the Agent will only capture a few minutes of screen recordings (depending on the screen resolution, number of desktops/monitors, user activity, etc.). Same way, if you specified a 999999-MB buffer size but only a 1-hour buffer length, only 1 hour’s worth of screen recordings will be captured, even though the buffer can possibly hold a much longer duration of recordings.
Currently, only the Stealth Agent supports offline recording.
The settings only apply to screen recordings. Other activities are recorded for up to 24 hours and cannot be changed.
OS State
Track these events:
The option allows you to specify which OS states will be tracked. For example, Lock, Sleep, and Screen Saver, etc. These states are sent to any SIEM integration (syslog event) you might have. These settings do not affect the monitoring of these events.
Registry
The Registry doesn’t come with any additional settings except for the monitoring schedules.
If the Registry monitoring is turned on, you will be able to detect registry entries such as programs, keys, and values with Activity-based rules.
Network
IP tracking:
Monitor all IPs: if this option is enabled, all IP addresses will be monitored. You can add exceptions by clicking the Exception button.
Monitor only selected IPs: this option works the opposite of the Monitor all IPs option. With this option selected, you can add IPs to monitor by using the Add button.
You can enter IP addresses (e.g., 10.2.33.1) or use Network-based Shared Lists for the above two options.
Ports tracking:
Similar to the IP tracking options above, but allows you to specify ports. For example, 443, 25, etc.
Note that Monitor all IPs and Monitor all ports have higher priority than the Monitor only selected IPs and Monitor only selected ports settings. For example, suppose you specified the IP 162.11.23.1 in the Monitor all IPs field but then used a Shared List in the Monitor only selected IPs, which also had these IPs: 162.11.23.0, 162.11.23.1, 162.11.23.2, etc., then 162.11.23.1 will be monitored (and the rest of the IPs in the Shared List will not be monitored).
Network processes:
Network processes to track: this field allows you to specify which network processes to track. You can use process names (e.g., chrome.exe, com.apple.safari, etc.), Text-based Shared Lists, or Regular Expressions (Regex)-based Shared Lists.
Network options:
SSL: you can turn this option off to disable monitoring secure connections (i.e., HTTPS / port: 443)*.
Track network connections: this option allows you to turn network monitoring on/off*.
Keep Teredo enabled: this option applies to Windows only. If enabled, this option will prevent Teramind from disabling Teredo. It’s used for secure communication over IPv6. If you encounter any problem with IP tracking, try toggling this setting.
*Difference Between SSL and Overall Network Monitoring Setting
If you turn off the SSL option, then packets will be intercepted back and forth, but the Teramind proxy certificate will not be injected. This means you might lose the ability to track web-based emails such as Gmail, file uploads/downloads to/from the web, instant messaging, social media, etc.
If you turn off the entire Network monitoring, no certificate will be injected, no network tracking will take place, and Network-based behavior rules will not work. You will still be able to track web activities in the activity logs, such as the Applications & Websites report. However, the Agent’s ability to intercept traffic without a proxy cert will be affected.