Configuring Collector level anonymization
Anonymization capabilities
Nexthink offers various ways to anonymize data along with granular controls for user privacy. The approach described in this article complements similar features offered by the data storage layer, ensuring that data leaving the Microsoft Windows or macOS devices is anonymized.
If data anonymization is enabled for the user name and user activity at the Collector level, there is no need to enable the server-side equivalents.
Data | Description | Available privacy options | Default privacy options |
---|---|---|---|
User name | User logon name reported from the device. |
Note: The integration with Microsoft Active Directory using the Data Enricher (classic) or Microsoft Entra ID using the Connector for Microsoft Entra ID are independent from this Collector configuration. Ensure that the list of AD fields retrieved by the Data Enricher (classic) and Connector for Microsoft Entra ID is properly configured. |
|
User Principal Name (UPN) | Standardized user identifier that usually takes the form of an email address. The UPN allows the system to identify a user across systems uniquely. Nexthink also uses the UPN to enrich user objects with data from third-party services. |
|
|
Focus time | Reports the application focus duration while the application’s windows were in focus. |
|
|
User activity | Controls the reporting of the time the user was interacting with the mouse, touchpad or keyboard. |
|
|
Wi-Fi network | Manages the reporting of the identification details for both the SSID and the BSSID together with Wi-Fi performance metrics. |
|
|
Network connections | Manages the reporting of network connection data. |
|
|
Domain name | Manages the reporting of the destination’s domain name for network connections. |
|
|
Data privacy filter for network connections | Report network connections according to a user-defined | Refer to data privacy filter section for more information. | Collector reports all network connections |
Changing the default privacy options
There are various configuration options to change the default privacy setting for each data type. Review the different options to find the right method for your environment and situation.
Configuration via | Used for | User name | UPN | Focus time | User activity | Wi-Fi network | Network connections | Domain name | Data privacy filter |
---|---|---|---|---|---|---|---|---|---|
Remote Actions | Existing installations | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Windows Collector installer | New installations | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Windows registry | Existing installations | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
macOS Collector installer | New installations | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
macOS Collector configuration | Existing installations | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Remote Actions
Change the Collector configuration parameter for the User name, Wi-Fi Network, and UPN on Windows and macOS operating systems with the Set anonymization features remote action.
Configure Focus time and User activity on Windows and macOS operating systems with the Set Collector configuration remote action.
Configure Network connections, Domain name and Data privacy filter on Microsoft Windows and macOS operating systems with the Set application connectivity configuration remote action.
The remote actions set the appropriate registry keys and configuration fields for you.
Windows Collector installer
Use the following optional parameters to change the default values for each data type:
User name | Parameter name: Parameter values:
Example: |
User Principal Name (UPN) | Parameter name: Parameter values:
Example: |
Focus time | Parameter name: Parameter values:
Example: |
User activity | Parameter name: Parameter values:
Example: |
Wi-Fi network | Parameter name: Parameter values:
Example: |
Network connections | Parameter name: Parameter values:
Example: |
Domain name | Parameter name: Parameter values:
Example: |
Data privacy filter | Parameter name: Parameter values: Example: Refer to data privacy filter section for more information. |
Windows registry
Use the Windows registry to adjust the default value of the relevant key.
User name | Adjust the UserName value of AnonymizedData key. Key name: Data type: Value name: Value data:
|
User Principal Name (UPN) | Adjust the UpnPrivacy value of the AnonymizedData key. Key name: Data type: Value name: Value data:
|
Focus time | Adjust the Enabled value of the WindowFocusTimeMonitoring key. Key name: Data type: Value name: Value data:
|
User activity | Adjust the Disabled value of the UserInteractionTimeMonitoring key. Key name: Data type: Value name: Value data:
|
Wi-Fi network | Adjust the WifiNetwork value of the AnonymizedData key. Key name: Data type: Value name: Value data:
|
Network connections | Adjust the ConnectionsReporting value of the AppConnectivity key. Key name: Data type: Value name: Value data:
|
Domain name | Adjust the DomainNameReporting value of the AnonymizedData key. Key name: Data type: Value name: Value data:
|
Data privacy filter | Adjust the DataPrivacyFilter value of the AppConnectivity key. Key name: Data type: Value name: Value data example: |
For the changes to take effect, follow this sequence:
Stop Collector.
Modify the registry.
Start Collector.
macOS Collector installer
Use the following optional parameters to change the default values for each data type:
User name | Parameter name: Parameter values:
Example: |
User Principal Name (UPN) | Parameter name: Parameter values:
Example: |
Focus time | Parameter name: Parameter values:
Example: |
User activity | Parameter name: Parameter values:
Example: |
Wi-Fi network | Parameter name: Parameter values:
Example: |
Network connections | Parameter name: Parameter values:
Example: |
Domain name | Parameter name: Parameter values:
Example: |
Data privacy filter | Parameter name: Parameter values: Example: Refer to data privacy filter section for more information. |
macOS Collector configuration
Use the macOS Collector configuration file config.json located in the folder /Library/Application Support/Nexthink to add the following parameters on a new line at the end of the file, before the closing curly bracket:
User name | Parameter name: Parameter values:
Example of the end of a configuration file: |
User Principal Name (UPN) | Parameter name: Parameter values:
Example of the end of a configuration file: |
Focus time | Parameter name: Parameter values:
Example of the end of a configuration file: |
User activity | Parameter name: Parameter values:
Example of the end of a configuration file: |
Wi-Fi network | Parameter name: Parameter values:
Example of the end of a configuration file: |
Network connections | Parameter name: Parameter values:
Example of the end of a configuration file: |
Domain name | Parameter name: Parameter values:
Example of the end of a configuration file: |
Data privacy filter | Parameter name: Parameter values: Example of the end of a configuration file: Refer to data privacy filter section for more information. |
For the changes to take effect, follow this sequence:
Stop Collector.
Modify the configuration file.
Start Collector.
Data privacy filter
Configure Collector to report only connections to specific destinations. Refer to the Windows registry and macOS Collector configuration sections for more information.
The DataPrivacyFilter configuration parameter takes a comma-separated list of ALLOW and BLOCK filter rules. Each filter rule takes the following form: ALLOW | BLOCK [PATTERN]
There are four options for the [PATTERN]:
A domain name with an optional port number, for example:
abc.intra.nexthink.com:443
A domain name with a leading wildcard (“*”) and an optional port number, for example:
*.nexthink.com:443
An IP address (IPv4 or IPv6) with optional port number, for example:
192.0.2.123:443
A subnet mask, for example:
192.0.2.0/24
Users must put IPv6 addresses in square brackets to combine them with a port number, for example: ALLOW [fe80::1ff:fe23:4567:890a]:8080
The brackets are optional for IPv6-based rules without a port number.
Domain Name with Wildcard
In domain name based patterns, use a “*” wildcard to match zero, one, or multiple sub-domains.
For example, ALLOW *.nexthink.com
matches all these domain names:
nexthink.com
intra.nexthink.com
abc.intra.nexthink.com
Domain name based patterns with a “*” wildcard must start with the “*” wildcard in place of a sub-domain; the wildcard is not valid anywhere else in the name:
ALLOW *.nexthink.com -> OK
ALLOW intra.*.nexthink.com -> not OK
ALLOW nexthink.* -> not OK
ALLOW *nexthink.com -> not OK
Default Rules
There are two default rules:
System default rule: BLOCK * ("block everything else"). The system automatically adds this rule if there is at least one user-defined rule.
User-defined default rule: ALLOW * ("allow everything else").
The user-defined default rule overrides the system default rule.
These defaults apply to the following cases:
Case | Default |
---|---|
The DataPrivacyFilter is not configured or parameter value is empty. | The Collector reports all connections. |
The DataPrivacyFilter is configured and there is at least one user-defined rule. | The Collector |
The Collector reports no connections if you only define BLOCK rules.
Filter Rule Evaluation
Collector evaluates rules in order from more specific to less specific:
IP address with port number.
IP address without port number.
Domain name with many sub-domains before domain names with fewer sub-domains.
Domain name with port before domain name without port.
Domain name without wildcard (*) before domain name with a wildcard.
Subnet mask.
User-defined default rule (ALLOW *) before system default rule (BLOCK *).
Considerations
You can configure up to 1,000 filter rules. The system only evaluates the first 1,000 if there are more filter rules.
Rules based on domain names do not apply to connections without a domain name.
In case of a connection with multiple domain names and conflicting matching rules (ALLOW/BLOCK), the ALLOW rule overrules the BLOCK rule.
Collector does not support IPv4 addresses in IPv6 format. An IPv4 filter rule in IPv6 format does not match connections with the corresponding IPv4 address.
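The rule syntax, default rules, evaluation order and considerations above, modelled as an added Python example (this is not Nexthink's Collector code): it parses a DataPrivacyFilter string, applies the 1,000-rule cap and the default rules, orders the rules by the documented specificity, and decides whether a given connection would be reported. Assumptions not stated on the page: domain matching is case-insensitive, the "*" of a wildcard pattern is not counted as a sub-domain label when ordering, and the Connection type (destination IP, port, zero or more domain names) is a stand-in for what the Collector observes.

```python
"""Offline model of the Collector DataPrivacyFilter syntax and evaluation order.
Added example, not Nexthink's code. Assumptions: matching is case-insensitive and
the "*" of a wildcard pattern does not count as a sub-domain label when ordering."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Sequence

MAX_RULES = 1000  # only the first 1,000 rules are evaluated

@dataclass(frozen=True)
class Rule:
    action: str                 # "ALLOW" or "BLOCK"
    kind: str                   # "ip", "domain", "subnet" or "default" (pattern "*")
    value: object               # ip_address / lower-case domain / ip_network / None
    port: Optional[int] = None
    wildcard: bool = False      # domain rule written as "*.domain"

_BRACKETED_V6 = re.compile(r"^\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?$")

def parse_rule(text: str) -> Rule:
    """Parse one 'ALLOW|BLOCK [PATTERN]' rule; raises ValueError on invalid syntax."""
    action, _, pattern = text.strip().partition(" ")
    action, pattern = action.upper(), pattern.strip()
    if action not in ("ALLOW", "BLOCK") or not pattern:
        raise ValueError(f"malformed rule: {text!r}")
    if pattern == "*":
        return Rule(action, "default", None)
    if "/" in pattern:                            # subnet mask (no port)
        return Rule(action, "subnet", ipaddress.ip_network(pattern, strict=False))
    m = _BRACKETED_V6.match(pattern)              # [ipv6]:port or [ipv6]
    if m:
        port = int(m.group("port")) if m.group("port") else None
        return Rule(action, "ip", ipaddress.ip_address(m.group("ip")), port)
    host, port = pattern, None
    if pattern.count(":") == 1:                   # host:port for IPv4 or domain names
        host, _, port_s = pattern.partition(":")
        port = int(port_s)
    try:                                          # bare IPv4/IPv6, or IPv4:port
        return Rule(action, "ip", ipaddress.ip_address(host), port)
    except ValueError:
        pass
    wildcard = host.startswith("*.")
    name = host[2:] if wildcard else host
    if "*" in name:                               # "*" is only valid as the leading label
        raise ValueError(f"wildcard must lead the pattern: {text!r}")
    return Rule(action, "domain", name.lower(), port, wildcard)

def _specificity(rule: Rule) -> tuple:
    """Sort key for the documented most-specific-first evaluation order."""
    no_port = 0 if rule.port is not None else 1
    if rule.kind == "ip":
        return (0, no_port)
    if rule.kind == "domain":                     # more labels, then port, then no wildcard
        return (1, -(rule.value.count(".") + 1), no_port, int(rule.wildcard))
    if rule.kind == "subnet":
        return (2,)
    return (3, 0 if rule.action == "ALLOW" else 1)  # user ALLOW * before system BLOCK *

def compile_filter(filter_value: str) -> list:
    """Parse a DataPrivacyFilter string, apply the rule cap and add the system default."""
    rules = [parse_rule(r) for r in filter_value.split(",") if r.strip()][:MAX_RULES]
    if rules and not any(r.kind == "default" for r in rules):
        rules.append(Rule("BLOCK", "default", None))  # "block everything else"
    return sorted(rules, key=_specificity)        # stable sort keeps user order on ties

@dataclass(frozen=True)
class Connection:
    ip: str
    port: int
    domains: Sequence[str] = ()                   # zero or more names for the destination

def _matches(rule: Rule, ip, port: int, domain: Optional[str]) -> bool:
    if rule.port is not None and rule.port != port:
        return False
    if rule.kind == "ip":
        return rule.value == ip                   # IPv4-mapped IPv6 never equals an IPv4 address
    if rule.kind == "subnet":
        return ip in rule.value                   # False when the IP versions differ
    if rule.kind == "domain":
        return domain is not None and (domain == rule.value or
               (rule.wildcard and domain.endswith("." + rule.value)))
    return True                                   # default rule

def _first_verdict(rules, kinds, ip, port, domain=None) -> Optional[str]:
    for r in rules:                               # rules are already in specificity order
        if r.kind in kinds and _matches(r, ip, port, domain):
            return r.action
    return None

def is_reported(rules: Sequence[Rule], conn: Connection) -> bool:
    """True if the Collector would report this connection under the compiled rules."""
    ip = ipaddress.ip_address(conn.ip)
    verdict = _first_verdict(rules, ("ip",), ip, conn.port)
    if verdict is None:                           # one verdict per domain name; ALLOW wins
        found = {_first_verdict(rules, ("domain",), ip, conn.port, d.lower()) for d in conn.domains}
        found.discard(None)
        verdict = ("ALLOW" if "ALLOW" in found else "BLOCK") if found else None
    if verdict is None:
        verdict = _first_verdict(rules, ("subnet", "default"), ip, conn.port)
    return verdict != "BLOCK"                     # no rule at all (empty filter): report
```

Run compile_filter on the exact string you intend to put into the DataPrivacyFilter registry value or config.json parameter and feed it representative connections with is_reported: an IP rule with a port outranks a domain rule for the same destination, a BLOCK-only filter reports nothing because of the implicit BLOCK *, and an IPv4-mapped IPv6 rule such as ALLOW ::ffff:192.0.2.1 silently matches nothing.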