Introduction to Monitoring Profiles
The Monitoring Profiles screen gives you granular control over your monitoring settings.
You can create tailored profiles for users, computers, departments, and Active Directory groups to dictate exactly what data is captured. Use these profiles to specify the level of collection for every channel (Screen Recording, Applications, Websites, Emails, etc.). This flexibility ensures you only track what's necessary, allowing you to easily balance your organizational needs with user privacy.
1. Click the New Profile button to create a new profile.
2. Click the Three Dots 
in front of a profile to access its context menu:
Select Preview Profile to see what settings the profile contains. See the Previewing a Profile section to learn more.
Select Edit Profile in a New Tab to view and edit the profile in a new browser tab. Editing a profile is similar to creating a new profile.
Select Clone Profile to create a duplicate copy of the profile.
Select Archive Profile to archive (delete) it.
3. Click the Custom Profile button to view employees who are assigned a Custom Profile:
Clicking on an employee's name will take you to the employee's details page.
Teramind comes with a Default settings profile. This profile is used by default for all users and cannot be deleted.
Creating a New Monitoring Profile
Click the Create Profile button near the top-right corner of the Monitoring settings screen. A pop-up window will be displayed.
1. Select users, departments, computers, etc., as the tracking targets for the profile. You can click on an empty space in the field or click the + button to add a target and press the X button to remove a target.
2. Give the profile a name.
3. Optionally, give it a description.
4. Click the Submit button. You will be taken to the Edit monitoring profile screen:
5. Click the Toggle 
buttons under the What to monitor column to enable or disable monitoring for a specific monitoring channel, such as Screen Recording, Applications, Websites, etc.
6. Click the Edit 
button under the Actions column to configure granular settings for each monitoring channel. See the Editing the Settings of Monitored Channels below for more information.
7. Click the Assigned button to view and modify which users, computers, or departments will be monitored.
8. Click the Gear 
button at the top-right to open the profile's settings panel. See the Profile Settings section below to learn more.
9. Click the Clock 
button to apply a single monitoring schedule to multiple monitoring channels at once, rather than setting each one individually. See the Monitoring Schedule section to learn more about monitoring schedule.
Profile Settings
The Profile Settings panel comes with two tabs. The Basic tab allows you to change the profile names, targets, monitoring schedule, etc. The Advanced tab gives you access to some advanced options.
Basic
Name:
You can change the profile’s name.
Description:
Optionally, change the profile's description.
Advanced
Modifying advanced monitoring settings can disrupt Teramind's tracking, cause system instability, or prevent network access. Proceed with caution.
Click the Advanced tab from the Profile settings screen to access the advanced settings panel:
DLP for processes:
The DLP for processes setting allows for the exclusion of specific processes from DLP scanning (i.e., Content Sharing rules). For example, you might exclude system processes like svchost.exe or System Idle Process. It is important to note that this is different from the Monitor only selected apps and keystrokes option in Applications monitoring settings. While that option disables all monitoring for a process (no activity capture, blacked out session recordings), the DLP for processes option only disables DLP scanning for the specified processes.
File driver:
The File driver setting controls the Teramind File Driver service (tmfsdrv2). If you disable the toggle button, the service will stop on user computers, resulting in the failure of features such as File Transfer reports, Content Sharing Rules, and Files-Based Activity. Please see the notes under Impact of Disabling the File / Network Driver below.
If the File driver toggle is enabled, a Don't track processes below field will appear. By entering specific processes or applications, you can exclude only those processes from the driver's tracking. For example, entering explorer.exe into this field will exclude Windows File Explorer. This is useful for troubleshooting or ignoring processes you do not wish to capture, while keeping general file transfers monitoring active. If this field is left empty, all file processes will be tracked by default.
Network driver:
The Network driver setting manages the Teramind Network Driver service (tm_filter). Disabling this toggle stops the service and prevents Teramind's 'Quick Web Proxy' certificate from being injected into browsers. Consequently, network-based activities will not be tracked, which disables features like the IM report, Network-Based Rules, and File Upload rules. Please see the notes under Impact of Disabling the File / Network Driver below.
Similar to the File driver, enabling the Network driver toggle reveals a Don't track processes below field. Entering processes here, will exclude only those specific processes from the network driver. For example, entering msedge.exe into this field will exclude Microsoft Edge from the network driver. This is helpful for troubleshooting or allowing certain apps to bypass network capture while keeping general network monitoring active. If the field remains empty, all network processes will be tracked.
RDP (Remote Desktop Protocol) options:
These settings control various RDP sharing and tracking capabilities:
Track printer: will enable/disable RDP printer sharing.
Track local drives: will enable/disable RDP drive blocking.
Track print screen: will enable/disable RDP print screen blocking.
Track portable device: will enable/disable RDP USB blocking.
Block clipboard sharing through RDP: will enable/disable RDP clipboard tracking. If this option is enabled, an additional field, Exclude processes below from clipboard tracking, is shown. This allows you to exempt specific applications or processes from the clipboard blocking rule by entering them into the field.
The settings under the RDP (Remote Desktop Protocol) options section are not available by default. To activate these features on your instance, please contact your Customer Service Representative or Account Executive.
It is critical to note that these configurations apply only to the RDP session host itself, not to the user's local computer. For example, if the Track portable device option is enabled, Teramind will block devices like USB drives and external webcams on the remote ‘host’ computer, not the ‘client’ computer the user is connecting from.
Restrictions:
Disable all local admin accounts, except built-in: Enabling this option requires you to specify a Built-in admin new username and Built-in admin new password. Upon an administrator's next login, a new Windows administrator account will be created, and all other existing local administrator accounts will be disabled.
Disable Bluetooth: This setting allows you to easily enable or disable the Bluetooth network functionality on the endpoint.
Disable Wi-Fi: Use this option to enable or disable Wi-Fi connectivity. Before you disable Wi-Fi, we recommend you ensure that the computer has an alternate method for internet connection, such as an Ethernet cable, before disabling Wi-Fi. Otherwise, the Agent will be unable to communicate with the server.
Disable USB devices (except keyboard & mouse): When enabled, this option will block all USB devices connected to the computer, with the sole exceptions being the keyboard and the mouse.
Disable built-in password manager of known browsers: Modern browsers often include a built-in password manager. While convenient for the user, it also presents a security risk by prompting users to save login credentials. Enabling this setting disables these built-in password managers, and users will be prevented from overriding the setting within their browser. Note that independent password managers, such as LastPass, will remain functional.
If you enable the Disable built-in password manager of known browsers option, another option, Allow application restarting becomes visible. Turning on this option enables the Teramind Agent to automatically restart any open browsers when the password manager setting changes, ensuring the new configuration takes effect immediately. This option also allows the Agent to automatically restart Mozilla Firefox and Tor browsers to inject the necessary proxy certificate for web traffic monitoring, preventing the need for a manual restart.
Data upload:
These settings are designed to manage network traffic when transferring user data from the endpoint to the server. They are especially useful for organizations with many users or a slow network connection. These controls help prevent network overload by throttling bandwidth and scheduling the upload time.
If you have many users or a slow network, the Max upload bandwidth option will help you prevent overloading your network infrastructure by imposing a throttled bandwidth and the asynchronous upload of video/audio recordings. Furthermore, you can use the time slider option so that the uploads take place during off-peak hours only. These options might also be useful if your end users have a slow connection. Here’s how the two settings work:
The time slider allows you to specify a time range during which the data upload activity can occur, often configured for off-peak hours. You can set the range by dragging the two orange slider dots
. If no timeframe is configured, the Agent will be allowed to upload data at any time.The Max upload bandwidth (KB/s) helps you prevent overloading the network connection by imposing a throttled bandwidth and the asynchronous upload of video/audio recordings. You can set a maximum upload bandwidth limit, measured in kilobytes per second (KB/s). If the field is left empty or set to
0, the upload bandwidth will be unlimited.
Restricting the Agent's upload bandwidth or timeframe can delay data availability on the Dashboard. This delay may impact the functionality of some features, such as the playback of video recordings and OCR capabilities.
Impact of Disabling the File / Network Driver
Disabling either the File Driver or the Network Driver significantly alters which activities Teramind can monitor and capture. The following sections detail the specific impact of disabling each driver on various activity types.
File Driver
Disabling the File Driver primarily impacts local file operations and certain app-based communications, though general application and web activities remain tracked:
App/Web Activities | Application and website usage is captured. |
Online Meetings | Some apps are tracked (e.g., Zoom calls), but others are not (e.g., Skype, Google Chat calls). |
Instant Messages | Will not be monitored. |
Emails | Emails and attachments from both desktop applications (e.g., Outlook client) and webmail (e.g., Gmail web) are monitored. |
File Transfers* | Web upload/Web download activities are tracked. However, local file activities (Access, Read, Write, Rename) are not tracked. File transfers through apps like Teams and Zoom are not tracked. |
RDP Transfers | RDP file transfers are not tracked. |
Behavior Rules | Any Content Sharing rules involving local files and the originating application will be ignored. |
Network Monitoring | Unaffected. |
Network Driver
Disabling the Network Driver primarily affects network-based activities, especially web uploads, web emails, and instant messaging:
App/Web Activities | General application and website usage is captured. |
Online Meetings | Incoming meetings on desktop meeting apps are tracked, but meetings conducted via the web (e.g., Zoom Web) are not tracked. |
Instant Messages | Will not be monitored. |
Emails | Emails and attachments from desktop applications (e.g., Outlook client) are tracked, but webmail (e.g., Gmail web) is not tracked. |
File Transfers* | Web Upload/Web Download activities are not tracked. However, general Upload/Download activities are tracked (e.g., uploading a file via the Google Drive desktop app is tracked as an Upload). Note: Uploads/downloads from certain desktop apps like Microsoft Teams are treated as web activities and will not be tracked. |
RDP Transfers | Copying files from the client to the remote host is tracked as a "Write" action. However, copying files from the host to the client is not tracked. |
Behavior Rules | Network rules and File rules for Upload/Download operations will not be triggered. |
Network Monitoring | General network activities will not be captured. |
*Additional Note on File Transfers Tracking:
A single web upload or web download can generate multiple separate file activities tracked by Teramind. This happens because the operating system often performs several actions behind the scenes during the process. For instance, a download might involve accessing data from the web server, writing a temporary file to the local disk, renaming the temporary file, and then completing the operation with another write operation.
If you disable the Network Driver, only the high-level Web Download activity will be ignored from tracking. However, the underlying local file activities (such as Write, Rename, etc.) will still be captured by the system. To prevent these local file activities from being tracked, you must disable the File Driver, as it is responsible for monitoring local file transfers.
Previewing a Profile
Click the Three Dots in front of a profile to access its context menu and then select the Preview Profile option to view what settings the profile contains:
You can click the Down/Up Arrows 
to expand/collapse a row.
Custom Profile
A Custom Profile is created automatically when you change the monitoring settings on an employee’s profile.
Click the Custom Profile name or the Custom Profile button on the Monitoring profiles screen to see which employees are using a custom profile:
Clicking on an employee's name will take you to the employee's details page.
Editing the Settings of Monitoring Channels
Monitoring Schedule
Each monitoring channel (except for Offline Recording, OS State, and OCR) has a simple scheduler at the bottom of its settings panel. Using this scheduler, you can quickly specify when the tracking will take place.
Click on a day to enable/disable it. Drag the two slider ends 
to adjust the time. Click the Reverse 
icon to reverse the time.
You can press the Apply to all button to apply the schedule to all monitoring channels. A warning will appear:
If you click the Apply to all button, it will override the monitoring schedule of all monitoring channel.
Screen Recording
Remote control:
Allow remote control: this option determines if the Remote Control and Freeze Input features will be available on the Session Player’s Live View Controls.
Messages to display:
During remote control: lets you specify messages to be shown when the Remote control feature is activated on the Session Player.
During input freeze: lets you specify messages to be shown when the Freezing input feature is activated on the Session Player.
If you keep these fields blank, then no messages will be shown to the user. See the Session Player’s Live Mode Controls section to learn more.
Video settings:
Async screen upload: If the user is using a Stealth Agent, this option will force Teramind to use a queue for screen recordings instead of uploading them in real time. It’s suitable for a slower network or a busy OCR server. However, you might experience some delay between the user activity and the recording appearing on the dashboard when this option is enabled.
Async screen upload only works on the Stealth Agents; the setting is ignored on Revealed Agents.
Record locked sessions: option allows you to continue recording even when the user locks their computer. A locked session can mean the user choosing the “Lock” (“Lock Screen” on Mac) command, a screen saver getting activated, or an RDP (remote desktop session) window minimized (see notes below)*.
Use modern screen grabbing: you should only enable the option on Windows 8 or above. If you are experiencing issues with screen captures, try toggling this option. Modern screen grabbing can often help with visual artifacts seen in the recordings, such as black spots when transparency effects are enabled in Windows 11.
Record only when behavior rule was violated: by enabling this option in combination with the Record Video rule action, you can capture the screen only when a rule is violated. This will help reduce the storage needed for the screen recordings or alleviate privacy concerns.
If you enable the Record only when behavior rule was violated option, you will have to use the Record Video rule action if you want to capture a user’s screen.
Update screen on events only: When enabled, Teramind will only capture the screen when mouse or keyboard activity is detected, or when a behavior rule is triggered. Otherwise, the recording remains paused on the last captured frame. In other areas, such as the Snapshots widget (which updates every 10 minutes), the system displays a random frame captured within that standard timeframe. If no activity triggered a frame capture during that period, the message “No record available” will appear.
Retention period:
Delete history after: this option is applicable to On-Premises customers only. If you specify any days in this field, the video recordings will be automatically deleted after those days. This will reduce your storage requirements and help you comply with data retention policies. Note that currently, Teramind on AWS doesn't support the removal of screen recordings from AWS S3 buckets. You can still use the Amazon S3 Lifecycle (! external link) to manage your storage.
Video quality:
Maximum frames per second (FPS): lets you specify how many frames per second will be captured. The range is 1-4, and the default frame rate is 2 frames per second.
Color and color quality of recodings: the three options, GrayScale / Color / HighColor, let you control the color of the recordings. Note that the HighColor mode is only available in On-Premises deployments and enables recording in 16-bit color compared to the default 8-bit color. It also uses the most space, and the recordings will be close to double the size of recordings without HighColor enabled.
Live screen scaling: lets you control the screen size of the recording.
Adjusting the Live screen scaling option might affect the OCR accuracy and performance or make it inoperable.
*How Locked Session Monitoring Works
If Record locked sessions is turned ON:
The Agent will continue to track work time when the desktop is locked.
The Live Player, Snapshots dashboard, Session Player, etc., will display the OS lock screen or any active screensaver.
The Current Task column of the Live Users dashboard will show the currently active task, and the Current Activity column will show nothing/blank. The dot icon next to the employee’s profile picture will show green.
The Online column on the Employees report will show “Online”.
The time the user spends in lock mode will be counted towards Work Time: Time, Work Time: Idle Time, and Login Sessions: Time.
On a Mac, the user will see a “Your screen is being observed” message near the top-right corner of the screen. If you want to hide from the user that their computer is being monitored, you should not enable this option on the Mac.
If Record locked sessions is turned OFF:
The Agent will not track the time and will stop any active task.
The Live Player, Snapshots dashboards, Session Player, etc., will display a blank/black screen (if it’s a normal desktop) or the “SESSION LOCKED” message (if it’s a remote/RDP desktop and the RDP window is minimized).
The Current Task column of the Live Users dashboard will show “No task,” and the Current Activity column will show nothing/blank. The dot icon next to the employee’s profile picture will show orange.
The Online column on the Employees report will show “Session locked”.
The time the user spends in lock mode will only be counted towards the Login Sessions: Time.
Applications
Monitor keystrokes for password fields in desktop apps:
If this option is enabled, then keystrokes in the password fields will be captured for all desktop apps.
Track window titles:
This gives you the ability to toggle tracking of application titles, including document names in the titles. If you disable this option, the “Title” column on dashboards and reports like Applications & Websites will not show any data. Note that if you turn off this option, the “Applications caption” criterion in the Applications rules might not work properly for all apps.
Track console commands:
You can turn monitoring on/off for console/terminal commands using this option.
Idle time threshold (minutes)*:
You can define the to set the application idle time. It’s used in the productivity reports, Agent Schedule-based rules, and other places by Teramind.
Applications and keystrokes to monitor:
Monitor all apps and keystrokes: if this option is enabled, all apps will be tracked. But you can specify exceptions by clicking the Exception button. You can also add extra conditions such as:
IP: allows you to monitor the app only if it’s launched from a computer using a certain IP address. For example, 192.168.1.1.
Range: allows you to specify an IP range. For example, 192.168.1.1 - 192.168.1.10.
CIDR: allows you to specify a Classless Inter-Domain Routing format. 192.168.1.1/32, 192.0.2.0/24, etc.
List: allows you to select a Network-based Shared List.
Monitor only selected apps and keystrokes: this option works the opposite of the Monitor all apps and keystrokes option. With this option selected, you can add apps to monitor by using the Add button.
Unmonitored Apps:
Unmonitored app windows will be blacked out in all screen recordings/video playback (see the Dynamic Blackout section below).
Keystrokes will not be captured.
It does not affect work time tracking or the activities log.
*Idle Time in Reports vs Rules
Note that the Idle time threshold (minutes) is used to measure Idle Time, Productive Idle Time, Unproductive Idle Time, etc., on the Productivity, Applications & Websites dashboards, etc. It doesn’t affect idle times in rules (for example, the Idle criterion in Agent Schedule rules, the Time Idle and Total Time Idle criteria in Applications/Websites-based rules, etc.). The rule will be triggered independently of the Idle time threshold value. For example, you can set your Idle time threshold to 30 minutes and create an Applications rule with the Time Idle criterion and set it to 10 minutes. In this case, the rule will trigger every 10 minutes if the employee remains idle. However, on the various productivity reports, the idle time will only be recorded if the employee remains idle for more than 30 minutes.
Websites
Don’t monitor private browsing:
Turn on this option to suspend monitoring for all private browsing (incognito) sessions. The browser window will be blacked out, and the keystrokes will not be captured from that window. However, the full URL is still captured in the activity log. For this reason, keystrokes might still be captured as part of the URL. For example, when you use a search engine like Google.
Monitor keystrokes for password fields in browser:
You can toggle monitoring of keystrokes in password fields. For example, a login page containing an HTML input field such as <input type="password">*. See the notes below for more information.
Websites to monitor:
Monitor all websites and keystrokes: if this option is enabled, all websites will be monitored, and keystrokes will be captured on those sites. You can add exceptions by clicking the Exception button.
Monitor only selected websites: this option works the opposite of the Monitor all apps and keystrokes option. With this option selected, you can add websites to monitor by using the Add button. You can also use the sub-option, Don’t monitor keystrokes for these websites for a site included in the exception field to disable keystroke tracking for it. This way, the website will then be monitored (e.g., included in the Applications & Websites dashboard/report, screen recordings, etc.), but the keystrokes typed in it will not be shown on the Keystrokes dashboard/report.
Unmonitored Apps:
Unmonitored app windows will be blacked out in all screen recordings/video playback (see the Dynamic Blackout section below).
Activities on these websites are tracked as the browser process (e.g.,
chrome.exe).Keystrokes will not be captured.
It does not affect work time tracking or the activities log.
Website content:
Don’t monitor websites that contain these words or terms: websites specified in this field will not be monitored if certain text/content is detected inside the loaded webpage. Keystrokes will not be recorded, and the screen will be blacked out. For example, by entering "password" in the field, you can dynamically suspend the login pages of most websites. Note that the text isn't case-sensitive.
IPs to monitor:
Monitor all IPs: This option lets you monitor all IPs. You can add exceptions by clicking the Exception button.
Monitor only selected IPs: this option works the opposite of Monitor all IPs. Click the Add button to add a list of IPs to monitor.
Please be careful when filtering monitoring by IPs. You may accidentally turn monitoring on/off for other sites, as there may be several sites with the same IP.
Invalid certificates:
Monitor these hosts with invalid certificates: click the Add button to add websites that have an invalid certificate. In some situations, this might be necessary. Because, by default, Teramind doesn't track connections to a website with a bad SSL certificate. So, for example, if your On-Premises server has a self-signed certificate, downloads from the Teramind Dashboard will not be recognized as web downloads. Adding the IP address of the server in this field will activate SSL traffic decryption so that Teramind will be able to properly parse and present the information on the Dashboard. However, this is not a recommended method, and this option should only be used as a last resort. Please see the notes below.
WSS Port:
This field lets you specify the port for web traffic redirection (Web Security Service). It’s used by the Teramind Agent's network filter driver to monitor web traffic. Generally, you don’t need to change the default port. However, in rare situations, you might need to change it. For example, if an application is using the default/same WSS port, you can assign a different port to the Agent using this field.
*Notes about password fields
Password field detection might not work on websites that use Java-based widgets.
Password field detection will only work if it's masked (e.g., the text field doesn't show the typed password, instead it shows special symbols like * or •) or if the name property of the field contains 'pass'. Otherwise, the Agent will capture all the keystrokes entered in the password field, even if the Monitor keystrokes for password fields option is disabled.
Excluding websites/IPs from monitoring
You can add websites/IPs to the Exception list (under the Websites to monitor and IPs to monitor sections) if you want to prevent Teramind Agent from injecting the Quick Proxy SSL certificate. Use them if it looks like the Agent's certificate is causing an issue with a website.
Excluding websites from monitoring
If you include a hostname in the exception list, then Teramind will not intercept traffic from these sites. But in the case of HTTPS, we still inject HTTPS certificates and recode encrypted data. This may lead to network issues.
Quick Proxy certificate IS injected.
Does NOT appear in the activity log.
Keystrokes ARE captured.
If, for example, you enter microsoft.com in the Don't monitor web traffic for these websites field, then the agent will not monitor activity for microsoft.com or other pages/subdomains like www.microsoft.com, support.microsoft.com, or accounts.microsoft.com.
Excluding IPs from monitoring
Filtering by IP may contain IPs, IPs with a mask, or the domain name of the site (excluding
http://orhttps://prefix). For domains, it works by requesting a list of IPs that correspond to this domain. Please be careful that, when using this field, you may accidentally turn off monitoring for other sites, as there may be several sites with the same IP. If the IP is in this list, then Teramind will not recode encrypted data, and there will be no influence on the HTTPS traffic.Quick Proxy certificate is NOT injected.
Behavior rules are NOT enforced.
Appears in the activity log.
Keystrokes ARE captured.
Any web pages entered in this field will appear in the activity reports (e.g., Applications & Websites reports). This field will accept IPs, an IP with a mask, or a domain name (excluding the http:// or https:// prefix). If you enter a domain instead of an IP address (e.g., microsoft.com), a domain lookup will be performed to query a list of IPs that correspond to the domain. Also, adding a primary domain such as microsoft.com will NOT prevent the certificate from being injected for sub-domains (e.g., support.microsoft.com, accounts.microsoft.com, etc.). This field also doesn't work with a wildcard, so, entering *.microsoft.com is not a valid entry. However, regular expressions are supported. Here are some examples:
To match only subdomains, excluding www:
^(?!www.)(?:.*\.)google\.comTo match only the root domain with or without www:
^(www.)?google\.com.*microsoft.com(.*is different than*.which is not a valid entry) will prevent the proxy certificate from being injected for:microsoft.comsupport.microsoft.comaccounts.microsoft.com, etc.
What sites should be excluded from monitoring?
Sites that reside on some domain name sometimes use resources from other domains. To exclude all sources of the problem, you need to exclude all used resources. You can get a list of the domain names by turning off the Teramind Agent, run Chrome, Open “Developer Tools”, select “Network” tab, set “Disable cache” = true, “Preserve log” = true, right click on the header of the table with the network requests, select “Domain”, then reproduce the situation that leads to an issue, and capture all domain names (from the Domain column) that were involved in the loading process.
Monitor these hosts with invalid certificates
This option will allow all hosts to work with invalid certificates. This is not a recommended thing to do as it may help disguise invalid certificates and allow phishing attacks. As an alternative, you can also use a Match Regular Expression condition matches regex/.*/ on any rules that require a URL/website address, such as below:
Dynamic Blackout
Also known as screenshot redaction, blurring, censoring, abridging, etc.
When you exclude a website or application from monitoring, Teramind will automatically blackout the relevant application window in the video recording or during the live view mode of the session player (check out the Session Player section to learn more about the session recording and live view).
The blackout feature works on both single-monitor and multi-monitor setups.
Social Media
Track these applications:
You can select which social media applications will be tracked.
Track these actions on selected applications:
You can select which social media activities will be tracked. Such as Create comment, Edit comment, Create post, Edit post, etc.
Emails
Email content:
Monitor email content (body copy): turn on this option to capture email content.
Capturing options: allows you to select if incoming, outgoing, or both types of emails will be captured. You can specify which email clients will be captured in the Monitor emails apps field. Teramind supports the most popular email clients, such as Outlook, Gmail, Yahoo, etc. - both desktop and web versions.
Don’t monitor these domains: this option can be used to prevent monitoring of emails if all email addresses to/from/bcc/cc fields are within the list of certain domains. The aim is to exclude corporate /internal emails from being monitored. For example: .*teramind.co will ignore all emails from teramind.co. These emails will also be excluded from any active policies and rules. Note that all email addresses in the to/from/bcc/cc fields have to be in the same domain(s) for this filter to work. Here are some examples:
a. Outgoing internal email:
From: [email protected]
b. Outgoing internal email with one external recipient:
From: [email protected]
c. Incoming internal email:
From: [email protected]
d. Incoming external email with an external recipient in the CC field:
From: [email protected]
In the above examples, only emails (a) and (c) will be ignored from monitoring because emails (b) and (d) contain other domains (gmail.com and yahoo.com).
Email attachments:
Capture email attachments: you can toggle incoming/outgoing attachments capture under this section.
Ignore attachments matching these file names: option to ignore any attachments you do not want captured. You can use comma-separated values such as “.teramind.co”, “.*teramind.co”, etc. You can also use regular expressions. For example, to ignore music and video files, you can use something like this: /\.(mp3|mp4|avi)/gi. Note that the emails will still be captured.
Delete attachments after (days): if you specify any value in this field, then all the attachments will be removed after the specified days. The default value of 0 means the attachments will not be removed.
Emails retention period:
Don’t monitor emails older than: the default value for this field is 0. Allowing you to monitor all emails. However, you can enter a day value in this field to cut off monitoring and capturing of emails older than the specified days. This option is sometimes useful for clients like Outlook, which may scan older emails if emails are moved or archival policies are run. In such situations, by default, the Agent will capture any emails being accessed. This setting tells the Agent to ignore scanning older emails.
Ignore alerts for older emails even if behaviors' rules are triggered: this sub-option will cause the rule engine to ignore emails older than the value specified in Don’t monitor emails older than field, preventing unexpected rule violations and false alerts.
Online Meetings
Monitor applications:
In this field, you can specify which online meeting apps to track. Teramind supports monitoring of Zoom, RingCentral, Microsoft Teams, AirCall, Webex, etc.
Instant Messaging
Monitor these applications:
You can specify which messaging applications to track in this field.
Capture content:
You can track incoming, outgoing, or both types of messages by selecting the options under this section.
Monitoring period:
Don’t monitor messages older than: this option allows you to cut off capturing IM conversations older than a certain days. Users might browse older messages on the IM client. With this option, you can instruct the Agent not to capture those messages by reducing noise in your monitoring reports.
Ignore events even if behavior policies match: this sub-option will cause the rule engine to ignore rules older than the value specified in Don’t monitor messages older than field, preventing unexpected rule violations and false alerts.
Keystrokes
Monitor clipboard:
Click this option to turn clipboard (copy/paste operation) tracking on/off.
Files
File types:
You can select which file extensions to track under this section, such as .txt, .docx, etc.
Custom file types:
If the files you want to track aren’t available under the File types section, you can use this field to manually enter file extensions. For example, .odm, pkg, etc.
File operations:
You can select which file operation (e.g., Copy, Rename, etc.) to track under this section.
File locations to skip:
If you don’t want certain locations (i.e., folders) to be tracked, you can specify them in this field. For example, Windows, ~/Downloads (to exclude the Download folder in Mac), etc.
File locations to skip (regex):
This field is similar to the above but lets you exclude multiple locations matching the regex pattern. For example: .*upload.*. You can also use local folders (e.g., Documents), network folders (e.g., \\corplan\Shared Drives), environmental/system variables (e.g., %APPDATA%), and wildcards (e.g., c:\user\*\appdata) in the field.
File origin:
This section lets you select which file origin (sources) to track, such as Local files, Network files, External drives, etc.
Cloud files:
This section lets you select which cloud drives to track for file uploads/downloads, such as Google Drive, OneDrive, Box, etc.
Note that Teramind cannot track the copy operation for a file from one network server to the same network server (e.g., source and destination are the same). For example, copying a file from \\103.247.55.101\source to \\103.247.55.101\destination cannot be tracked. Copy to and from the same local drives is detected as usual.
Also, copying of an empty file cannot be tracked since it will be impossible for the system to distinguish between the file create and copy operations due to the zero size of the file.
Printing
Print account credentials:
If you use a printer that requires login permissions, use the User and Password fields to specify the credentials. Otherwise, Teramind will not be able to monitor it.
Exclude printers:
In this field, you can add regular expressions to exclude any printers matching the name. For example, .*epson.
Printing capturing settings:
Content capturing: You can select whether to capture the Actual document or the Document’s name only.
Maximum document size: this field works a bit differently on Windows and Mac. On Windows, this option will determine the maximum number of pages that will be captured. For example, if you set the value to
50pages, and the user prints a document containing55pages, the Agent will capture only the first50pages of the document and ignore the rest. On Mac, the Agent will NOT capture the document at all if it exceeds the specified maximum size. The Document name will be captured, though.
Retention period:
Delete history after: applicable to On-Premises customers only. If you specify any days in this field, the video recordings will be automatically deleted after those days. This will reduce your storage requirements and help you comply with data retention policies. Note that currently, Teramind on AWS doesn't support the removal of screen recordings from AWS S3 buckets. You can still use the Amazon S3 Lifecycle (! external link) to manage your storage.
Geolocation
Time Threshold:
By default, every time a user changes their location, it’s reported. You can specify a threshold (in seconds) to configure how often the location data will be reported instead. This can be useful in situations where the location changes too often and you don’t want your Geolocation report to be flooded with information. For example, when you are traveling on a train or in a taxi with a laptop, your location may change every minute, and the Geolocation report will show all the updates. With this setting, you can set a wait time before changing a location update.
The default value is 600 (or 10 minutes). A value of 0 will disable this option.
Audio
Monitor all input / Monitor all output:
Allows you to enable/disable recording for all input (e.g., microphones, line-in) and all output devices (e.g., speaker, line-out).
By default, Teramind will capture the audio streams from the devices assigned as the default playback and recording device in Windows. If you enable the above options, then audio streams from all recording/playback devices will be captured.
Monitor when these apps use the microphone:
This field lets you capture audio only when the microphone is used by select applications. You can use the following in the field:
Empty/No Value: audio will be recorded continuously, in all applications, even if the input/output (I/O) device is not actually in use.
All: will record the audio in all applications, but only if the I/O device is currently in use.
Executable File Names/Apps: will record the audio in the specified applications, and only if the I/O device is currently in use. For example, zoom.exe will only record audio when the microphone is activated in Zoom.
Text List/Regexp List: similar to the third option, except that it will match the applications in the shared list.
Note that this option doesn't affect audio output.
Audio settings:
Automatic level adjustment: if this option is enabled, it will automatically adjust the sound levels for higher/lower tones.
Async audio upload: If the user is using a Stealth Agent, this option will force Teramind Agent to use a queue for audio recordings instead of uploading them in real time. It’s suitable for a slower network or a busy server. However, you might experience some delay between the user activity and the recording appearing on the dashboard when Async audio upload is enabled.
Async audio upload only works on the Stealth Agent; the setting is ignored on the Revealed Agent.
Bitrate: You can adjust the audio quality by choosing a bit rate. A higher value will give crisper audio but will use more CPU processing and storage.
OCR
OCR languages to process:
This option allows you to pick one or more languages to process.
Process screen start date:
Process screen records after: this option allows you to pick a starting date from which the recordings will be processed. Recordings before this date won’t be processed. This option can be useful if you didn't originally have the OCR feature enabled on your instance and activated it later.
Camera Usage
Camera Usage doesn’t come with any additional settings except for the monitoring schedules. If the Camera Usage is turned on, you will be able to detect when employees are using their webcams and the applications that are accessing the webcam from the Camera Usage dashboard.
Offline Recording
Offline recording’s buffer length:
This option allows you to specify how long the Teramind Agent will continue to record the screen while the user is disconnected from the internet or the Teramind server. By default, the buffer is set to 24 hours, but you can increase or decrease the time as needed. Note that you cannot enter a 0 value in the field. If you want to disable offline recording completely, turn off the Offline Recording option from a monitoring profile (Monitoring Profiles > Edit monitoring profile screen).
Offline recording’s buffer size limit:
This field is optional and can be used to limit the storage utilization by offline recordings (in megabytes). The default value of 0 means there will be no limit.
Note that if you use both the Offline recording’s buffer length and the Offline recording’s buffer size limit options, the lowest value will be prioritized. For example, if you specify a 24-hour buffer length but a 10-MB buffer size, the Agent will only capture a few minutes of screen recordings (depending on the screen resolution, number of desktops/monitors, user activity, etc.). Same way, if you specified a 999999-MB buffer size but only a 1-hour buffer length, only 1 hour’s worth of screen recordings will be captured, even though the buffer can possibly hold a much longer duration of recordings.
Currently, only the Stealth Agent supports offline recording.
The settings only apply to screen recordings. Other activities are recorded for up to 24 hours and cannot be changed.
OS State
Track these events:
The option allows you to specify which OS states will be tracked. For example, Lock, Sleep, and Screen Saver, etc. These states are sent to any SIEM integration (syslog event) you might have. These settings do not affect the monitoring of these events.
Registry
The Registry doesn’t come with any additional settings except for the monitoring schedules.
If the Registry monitoring is turned on, you will be able to detect registry entries such as programs, keys, and values with Activity-based rules.
Network
IP tracking:
Monitor all IPs: if this option is enabled, all IP addresses will be monitored. You can add exceptions by clicking the Exception button.
Monitor only selected IPs: this option works the opposite of the Monitor all IPs option. With this option selected, you can add IPs to monitor by using the Add button.
You can enter IP addresses (e.g., 10.2.33.1) or use Network-based Shared Lists for the above two options.
Ports tracking:
Similar to the IP tracking options above, but allows you to specify ports. For example, 443, 25, etc.
Note that Monitor all IPs and Monitor all ports have higher priority than the Monitor only selected IPs and Monitor only selected ports settings. For example, suppose you specified the IP 162.11.23.1 in the Monitor all IPs field but then used a Shared List in the Monitor only selected IPs, which also had these IPs: 162.11.23.0, 162.11.23.1, 162.11.23.2, etc., then 162.11.23.1 will be monitored (and the rest of the IPs in the Shared List will not be monitored).
Network processes:
Network processes to track: this field allows you to specify which network processes to track. You can use process names (e.g., chrome.exe, com.apple.safari, etc.), Text-based Shared Lists, or Regular Expressions (Regex)-based Shared Lists.
Network options:
SSL: you can turn this option off to disable monitoring secure connections (i.e., HTTPS / port: 443)*.
Track network connections: this option allows you to turn network monitoring on/off*.
Keep Teredo enabled: this option applies to Windows only. If enabled, this option will prevent Teramind from disabling Teredo. It’s used for secure communication over IPv6. If you encounter any problem with IP tracking, try toggling this setting.
*Difference Between SSL and Overall Network Monitoring Setting
If you turn off the SSL option, then packets will be intercepted back and forth, but the Teramind proxy certificate will not be injected. This means you might lose the ability to track web-based emails such as Gmail, file uploads/downloads to/from the web, instant messaging, social media, etc.
If you turn off the entire Network monitoring, no certificate will be injected, no network tracking will take place, and Network-based behavior rules will not work. You will still be able to track web activities in the activity logs, such as the Applications & Websites report. However, the Agent’s ability to intercept traffic without a proxy cert will be affected.
LLM
Monitor applications:
In this field, you can specify which LLM services you want to track. Currently, only “ChatGPT Web” is supported.