The Actions tab is where you define the system's response to a rule violation. This can include warning or blocking a user, sending a notification email to an admin, or recording a video of the desktop.
Keep in mind that not all actions are available for every rule type. For example, most Agent Schedule rules only support the Notify action. Similarly, certain rule types have unique actions. For instance, Webpages has a Redirect action that isn't available for other rule types.
On Mac, only the following actions are supported: Notify, Block, Warn, Lock User. Some actions might not be supported for all the rule criteria. Actions may also behave slightly differently from Windows.
Please see this article on our Knowledge Base to learn more about what rules and features are supported on Mac.
In some cases, you can use multiple actions as long as they don't conflict. For example, you can use the Notify and Block actions together because they serve different purposes. However, you can't use Block and Lock User simultaneously, as both prevent the user from performing an action. The Rule Editor will automatically disable any actions that conflict with your current selections.
There are two ways you can set up actions:
Basic Actions
The Basic mode is the easiest way to configure actions and is recommended for beginners. With this mode, you can set up simple actions, but you cannot configure any advanced options like the alert frequency, risk thresholds, etc.
Notify (Windows & Mac)
The Notify action sends an email notification to the specified users or email addresses whenever a rule is violated. You can select recipients from your existing user list or manually add email addresses.
The email will look like this:
You can configure how the emails will be sent from the Settings > Alerts > Alert emails limit field.
General Notes:
You can send notifications to a maximum of 15 email addresses.
Notes About Mac:
On a Mac, the Notify action is available for all supported rules except for the Keystrokes rule.
Notes About OCR Rules:
By default, OCR notify alerts are limited to one per rule, app, user, and computer within a four-minute window. However, on-premises customers can change this by adding the following line to their teramind.config file:
web_instances_disable_ocr_alert_throttling=onsite
After editing the configuration file, you must restart your teraweb container for the changes to take effect.
Block (Windows & Mac)
The Block action stops a user activity from completing. For example, it can block a web upload before any data is sent to a site.
You can choose to display a message to the user when this action is triggered. To format the message and improve its appearance, you can use the Use HTML Template option. To learn more about this, see the Settings > Alerts > Custom Alert Template section.
You can use the Settings > Alerts > User notification alert threshold option to specify the duration Teramind should wait before showing multiple alert messages.
General Notes:
In most cases, if you use this action with a Webpages rule, the browser tab for that webpage or URL will close immediately after the message is shown. However, if the rule is triggered after a delay (e.g., by an Idle Time criterion), the tab won't close. Instead, the webpage will be replaced by a blank page with your message, and the same message will also appear in a pop-up window.
If you use this action with an Emails rule to block a user from sending an email, the email will not be sent, and the draft will be deleted.
Lock User (Windows & Mac)
The Lock User action displays a standard message box to the user if you have set a message. When they click the "OK" button, they will be taken to the lock screen and locked out of the system:
If you don't specify a message, no message box will be shown, and the user will be locked out immediately.
If the user tries to log back in, they will be logged out automatically. An administrator must unlock the user for them to be able to log in again. You can find more information on unlocking a user in the Employee Actions Menu section.
General Notes:
This action is designed to work only with the Stealth Agent and will not be enforced on the Revealed Agent. Please note that the lockout feature is not a complete protection against user tampering and has the following limitations:
While this action does not have the Use HTML Template option like the Warn or Block actions, you can still show an HTML-formatted message if you enable the Alerts > Custom alert template option as the default.
Only the selected user account will be locked out. If other user accounts exist on the computer, those users will still be able to log in.
A user may still be able to log in using Windows Recovery mode.
A user could potentially remove the computer's hard drive and connect it to another machine to access data.
Notes About Mac:
On Mac systems, when this action is triggered, the user is locked out only once and taken to the login screen, and they can log back in.
If the action is configured with an Applications condition, the last active application specified in the condition will be terminated, and the user will be locked out.
If the action is used with a Networking rule, the network connection that triggered the rule will be closed.
The Lock action for Webpages rules is supported only by the Webpage Title criterion.
Redirect (Windows)
The Redirect action sends a user to a different website when they try to access a specific URL. For example, if a user attempts to visit a gambling site, you can redirect them to your company's policy page instead.
General Notes:
This action is available for Webpages rules only.
Warn (Windows & Mac)
The Warn action displays a warning message to the user. To format the message and improve its appearance, you can use the Use HTML Template option. To learn more about this, see the Settings > Alerts > Custom Alert Template section.
You can use the Settings > Alerts > User notification alert threshold option to specify how long Teramind should wait before showing multiple alert messages.
Switch Task (Windows)
With the Switch Task action, you can automatically assign a new task to a user when a rule is violated. For instance, if you detect a user is idle (by using the "Time idle" criterion in an Applications or Webpages rule), you can automatically switch their task to "Break" or a similar designation.
You can use the Settings > Alerts > Rule task selection action timeout option to specify how long Teramind should wait before assigning the new task to the user.
General Notes:
This action is only applicable to the Teramind Stealth Agent.
Record (Windows)
The Record action automatically captures a video clip of a rule violation incident. You can specify how many minutes before and after the incident the recording should be.
This action is useful if you don't want to record the screen continuously, but only during and around a specific rule violation.
General Notes:
To use this action, you must enable the Screen Recording > Record only when behavior rule was violated option.
Even if video recording is disabled in your Screen Recording monitoring settings, you can still record a video clip of the rule violation incident with this action.
Command (Windows)
The Command action allows you to automatically execute a Windows command or script when a rule is violated.
This is a powerful feature because it lets you run any application or script on a user's computer. For example, you could force a PC to shut down with shutdown /s /f /t 0, kill a specific task using taskkill -im, and much more.
Advanced Actions
In Advanced mode, you can set up risk thresholds and severity levels for a rule. This allows you to add multiple thresholds, assign different risk levels, and trigger various actions based on how often a rule is violated.
For example, you could create a Files rule that:
Sets a Low-risk severity and triggers a Warn action if a user uploads more than 5 files in a day.
Escalates to a High-risk severity and triggers both Block and Notify actions if the user uploads more than 50 files in a day.
The risk levels you define in this mode are used to calculate the overall risk score, which is reflected in places like the Risk column on the Behavior Alerts dashboard.
1. From the Choose time period for threshold list, select the desired time period for your thresholds (e.g., Hourly, Daily, Monthly).
2. In the Choose maximum numbers of saved alerts per day field, enter the maximum number of alerts that can be triggered for this rule in a single day. If the number of alerts exceeds this limit, Teramind will not save any further alerts, and they will not appear on the Behavior Alerts dashboard. Leaving the field empty means there is no daily limit. Setting it to 0 will prevent any alerts from being generated for the rule, though the rule will still trigger. Note that you can also set a global daily maximum for alerts in the Settings > Alerts screen.
3. Click the New Threshold button to add a new threshold. For each threshold you add, you can set the following:
a. Enter a number in the Frequency field to define how many times the rule can be violated before an action is triggered.
b. Select a risk severity from the Severity drop-down list. Your options are None, Low, Moderate, High, or Critical.
c. Click the Add button to add one or more actions. These actions (e.g., Notify, Warn) are the same as those available in the Basic mode.
Customizing Action Messages/Alerts
You can display a customized alert message to an employee or user in case of a policy/rule violation incident. Warn, Block, and Lock Out User rule actions support displaying custom user messages.
By default, alerts appear on the top-right corner of the user's desktop in a small white box. You can format the alert message using HTML codes. You can also change the default alert template to change the look and feel of the alert box. For example, to match the brand of your company, or to link to your company policy.
To learn how to customize the alert message, HTML template, and other settings, check out the How to customize Teramind to suit your preferences and brand article in the Knowledge Base.