Configuring Collector level anonymization

Anonymization capabilities

Nexthink offers various ways to anonymize data along with granular controls for user privacy. The approach described in this article complements similar features offered by the data storage layer, ensuring that data leaving the Microsoft Windows or macOS devices is anonymized.

If the data anonymization is enabled for the user name and activity at the Collector level, there is no need to enable the server-side equivalents.

DataDescriptionAvailable privacy optionsDefault privacy options

User name

User logon name reported from the device.

cleartext The collector reports the username in cleartext.

hashed The collector hashes the username before sending it to the backend.

no_import Collector does not collect the username at all.

Note: The integration with Microsoft Active Directory using the Data Enricher (classic) or Microsoft Entra ID using the Connector for Microsoft Entra ID are independent from this Collector configuration. Ensure that the list of AD fields retrieved by the Data Enricher (classic) and Connector for Microsoft Entra ID is properly configured.

cleartext

User Principal Name (UPN)

Standardized user identifier that usually takes the form of an email address. The UPN allows the system to identify a user across systems uniquely. Nexthink also uses the UPN to enrich user objects with data from third-party services.

cleartext The collector reports the UPN in cleartext.

hashed The collector hashes the UPN before sending it to the backend.

no_import Collector does not collect the UPN at all.

no_import

Focus time

Reports the application focus duration while the application’s windows were in focus.

enable Execution events contain information about how long the application was in focus.

disable Execution events do not contain information about how long the application was in focus.

disable

User activity

Controls the reporting of the time the user was interacting with the mouse, touchpad or keyboard.

enable Collector reports time periods when the user is actively using a device.

disable Collector does not report time periods when the user is actively using a device.

enable

Wi-Fi network

Manages the reporting of the identification details for both the SSID and the BSSID with Wi-FI performance metrics.

enable Collector reports only performance metrics and connection attributes.

disable Collector reports the SSID and BSSID of the connected hotspots in addition to the performance metrics and connection attributes.

enable

Network connections

Manages the reporting of network connection data.

enable Collector reports network connections for all binaries including destination attributes and connection metrics.

disable Collector reports no network connection data.

enable

Domain name

Manages the reporting of the destination’s domain name for network connections.

enable Collector reports the domain name of the destination.

disable Collector reports no domain name for network connections.

disable

Data privacy filter for network connections

Report network connections according to a user-defined ALLOW / BLOCK rules.

Refer to data privacy filter section for more information.

Collector reports all network connections

Changing the default privacy options

There are various configuration options to change the default privacy setting for each data type. Review the different options to find the right method for your environment and situation.

Configuration viaUsed forUser nameUPNFocus timeUser activityWi-Fi networkNetwork connectionsDomain nameData privacy filter

Remote Actions

Existing installations

Windows Collector installer

New installations

Windows registry

Existing installations

macOS Collector installer

New installations

macOS Collector configuration

Existing installations

Remote Actions

Change the Collector configuration parameter for the User name, Wi-Fi Network, and UPN on Windows and macOS operating systems with the Set anonymization features remote action.

Configure Focus time and User activity on Windows and macOS operating systems with the Set Collector configuration remote action.

Configure Network connections, Domain name and Data privacy filter on Microsoft Windows and macOS operating systems with the Set application connectivity configuration remote action.

The remote actions set the appropriate registry keys and configuration fields for you.

Windows Collector installer

Use the following optional parameters to change the default values for each data type:

User name

Parameter name: ANONYMIZE_USERNAME

Parameter values:

  • cleartext

  • hashed

  • no_import

Example: ANONYMIZE_USERNAME=no_import

User Principal Name (UPN)

Parameter name: UPN_PRIVACY

Parameter values:

  • cleartext

  • hashed

  • no_import

Example: UPN_PRIVACY=hashed

Focus time

Parameter name: WINDOW_FOCUS_TIME_MONITORING

Parameter values:

  • enable

  • disable

Example: WINDOW_FOCUS_TIME_MONITORING=enable

User activity

Parameter name: USER_INTERACTION_TIME_MONITORING

Parameter values:

  • enable

  • disable

Example: USER_INTERACTION_TIME_MONITORING=disable

Wi-Fi network

Parameter name: ANONYMIZE_WIFI_NETWORK

Parameter values:

  • enable

  • disable

Example: ANONYMIZE_WIFI_NETWORK=disable

Network connections

Parameter name: CONNECTIONS_REPORTING

Parameter values:

  • enable

  • disable

Example: CONNECTIONS_REPORTING=disable

Domain name

Parameter name: DOMAIN_NAME_REPORTING

Parameter values:

  • enable

  • disable

Example: DOMAIN_NAME_REPORTING=enable

Data privacy filter

Parameter name: DATA_PRIVACY_FILTER

Parameter values: [a comma separated list of ALLOW / BLOCK rules]

Example: DATA_PRIVACY_FILTER="ALLOW *.nexthink.com, ALLOW nexthink.eu.nexthink.cloud, ALLOW 100.64.0.0/16, ALLOW [fe80::1ff:fe23:4567:890a]:8080"

Refer to data privacy filter section for more information.

Windows registry

Use the Windows registry to adjust the default value of the relevant key.

User name

Adjust the UserName value of AnonymizedData key.

Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\AnonymizedData

Data type: DWORD (32-bit)

Value name: UserName

Value data:

  • 0 → cleartext

  • 1 → hashed

  • 2 → no_import

User Principal Name (UPN)

Adjust the UpnPrivacy value of the AnonymizedData key.

Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\AnonymizedData

Data type: DWORD (32-bit)

Value name: UpnPrivacy

Value data:

  • 0 → no_import

  • 1 → hashed

  • 2 → cleartext

Focus time

Adjust the Enabled value of the WindowFocusTimeMonitoring key.

Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\WindowFocusTimeMonitoring

Data type: DWORD (32-bit)

Value name: Enabled

Value data:

  • 0 → disable

  • 1 → enable

User activity

Adjust the Disabled value of the UserInteractionTimeMonitoring key.

Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\UserInteractionTimeMonitoring

Data type: DWORD (32-bit)

Value name: Disabled

Value data:

  • 0 → disable

  • 1 → enable

Wi-Fi network

Adjust the WifiNetwork value of the AnonymizedData key.

Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\AnonymizedData

Data type: DWORD (32-bit)

Value name: WifiNetwork

Value data:

  • 0 → disable

  • 1 → enable

Network connections

Adjust the ConnectionsReporting value of the AppConnectivity key.

Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\AppConnectivity

Data type: DWORD (32-bit)

Value name: ConnectionsReporting

Value data:

  • 0 → disable

  • 1 → enable

Domain name

Adjust the DomainNameReporting value of the AnonymizedData key.

Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\AnonymizedData

Data type: DWORD (32-bit)

Value name: DomainNameReporting

Value data:

  • 0 → disable

  • 1 → enable

Data privacy filter

Adjust the DataPrivacyFilter value of the AppConnectivity key.

Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Nexthink\Collector\AppConnectivity

Data type: String (REG_SZ)

Value name: DataPrivacyFilter

Value data example: "ALLOW *.nexthink.com, ALLOW nexthink.eu.nexthink.cloud, ALLOW 100.64.0.0/16, ALLOW [fe80::1ff:fe23:4567:890a]:8080" Refer to data privacy filter section for more information.

For the changes to take effect, follow this sequence:

  1. Stop Collector.

  2. Modify the registry.

  3. Start Collector.

macOS Collector installer

Use the following optional parameters to change the default values for each data type:

User name

Parameter name: anonymize_username

Parameter values:

  • cleartext

  • hashed

  • no_import

Example: anonymize_username=hashed

User Principal Name (UPN)

Parameter name: upn_privacy

Parameter values:

  • cleartext

  • hashed

  • no_import

Example: upn_privacy=hashed

Focus time

Parameter name: windows_focus_time_monitoring

Parameter values:

  • enable

  • disable

Example: windows_focus_time_monitoring=enable

User activity

Parameter name: user_interaction_time_monitoring

Parameter values:

  • false

  • true

Example: user_interaction_time_monitoring=false

Wi-Fi network

Parameter name: anonymize_wifi_network

Parameter values:

  • enable

  • disable

Example: anonymize_wifi_network=disable

Network connections

Parameter name: connections_reporting

Parameter values:

  • false

  • true

Example: connections_reporting=false

Domain name

Parameter name: domain_name_reporting

Parameter values:

  • false

  • true

Example: domain_name_reporting=true

Data privacy filter

Parameter name: data_privacy_filter

Parameter values: [a comma separated list of ALLOW / BLOCK rules]

Example: data_privacy_filter="ALLOW *.nexthink.com, ALLOW nexthink.eu.nexthink.cloud, ALLOW 100.64.0.0/16, ALLOW [fe80::1ff:fe23:4567:890a]:8080"

Refer to data privacy filter section for more information.

macOS Collector configuration

Use the macOS Collector configuration file config.json located in the folder /Library/Application Support/Nexthink to add the following parameters on a new line at the end of the file before the closing curly bracket:

User name

Parameter name: AnonymizeUserName

Parameter values:

  • cleartext

  • hashed

  • no_import

Example of the end of a configuration file:

...
"AnonymizeUserName": "no_import"
}

User Principal Name (UPN)

Parameter name: UpnPrivacy

Parameter values:

  • cleartext

  • hashed

  • no_import

Example of the end of a configuration file:

...
"UpnPrivacy": "cleartext"
}

Focus time

Parameter name: EnableWindowFocusTimeMonitoring

Parameter values:

  • false

  • true

Example of the end of a configuration file:

...
"EnableWindowFocusTimeMonitoring": "true"
}

User activity

Parameter name: DisableUserInteractionTimeMonitoring

Parameter values:

  • false

  • true

Example of the end of a configuration file:

...
"DisableUserInteractionTimeMonitoring": "true"
}

Wi-Fi network

Parameter name: AnonymizeWifiNetwork

Parameter values:

  • false

  • true

Example of the end of a configuration file:

...
"AnonymizeWifiNetwork": "false"
}

Network connections

Parameter name: ConnectionsReporting

Parameter values:

  • false

  • true

Example of the end of a configuration file:

...
"ConnectionsReporting": "false"
}

Domain name

Parameter name:DomainNameReporting

Parameter values:

  • false

  • true

Example of the end of a configuration file:

...
"DomainNameReporting": "true"
}

Data privacy filter

Parameter name: DataPrivacyFilter

Parameter values:[a comma separated list of ALLOW / BLOCK rules]

Example of the end of a configuration file:

...
"DataPrivacyFilter": "ALLOW *.nexthink.com, ALLOW nexthink.eu.nexthink.cloud, ALLOW 100.64.0.0/16, ALLOW [fe80::1ff:fe23:4567:890a]:8080"
}

Refer to data privacy filter section for more information.

For the changes to take effect, follow this sequence:

  1. Stop Collector.

  2. Modify the configuration file.

  3. Start Collector.

Data privacy filter

Configure Collector to report only connections to specific destinations. Refer to the Windows registry and macOS Collector configuration sections for more information.

The DataPrivacyFilter configuration parameter takes a comma-separated list of ALLOW and BLOCK filter rules. Each filter rule takes the following form: ALLOW | BLOCK [PATTERN]

There are four options for the [PATTERN]:

  • A domain name with an optional port number, for example: abc.intra.nexthink.com:443

  • A domain name with a leading wildcard (“*”) and an optional port number, for example: *.nexthink.com:443

  • An IP address (IPv4 or IPv6) with optional port number, for example: 192.0.2.123:443

  • A subnet mask, for example: 192.0.2.0/24

Users must put IPv6 IP addresses into brackets to combine them with a port number, for example: ALLOW [fe80::1ff:fe23:4567:890a]:8080 The brackets are optional for IPv6-base rules without port number.

Domain Name with Wildcard

In domain name based patterns, use a “*” wildcard to match zero, one, or multiple sub-domains.

For example, ALLOW *.nexthink.com matches all these domain names:

  • nexthink.com

  • intra.nexthink.com

  • abc.intra.nexthink.com

The domain name based patterns with a “*” wildcard must start with the “*” wildcard instead of a sub-domain.

  • ALLOW *.nexthink.com -> OK

  • ALLOW intra.*.nexthink.com -> not OK

  • ALLOW nexthink.* -> not OK

  • ALLOW *nexthink.com -> not OK

Default Rules

There are two default rules:

  • System default rule: BLOCK * ("block everything else"). The system automatically adds this rule, if there is at least one user-defined rule.

  • User-defined default rule: ALLOW * ("allow everything else").

The user-defined default rule overwrites the system default rule.

These defaults apply to the following cases:

CaseDefault

The DataPrivacyFilter is not configured or parameter value is empty.

The Collector reports all connections.

The DataPrivacyFilter is configured and there is at least one user-defined rule.

The Collector ALLOW / BLOCK connections reporting based on the user defined rules and blocks everything else.

The Collector reports no connections if you only define BLOCK rules.

Filter Rule Evaluation

Collector evaluates rules in the order from more specific to less specific:

  1. IP address with port number.

  2. IP address without port number.

  3. Domain name with many sub-domains before domain names with fewer sub-domains.

  4. Domain name with port before domain name without port.

  5. Domain name without wildcard (*) before domain name with a wildcard.

  6. Subnet mask.

  7. User-defined default rule (ALLOW *) before system default rule (BLOCK *).

Considerations

  1. You can configure up to 1,000 filter rules. The system only evaluates the first 1,000 if there are more filter rules.

  2. Rules based on domain names do not apply to connections without a domain name.

  3. In case of a connection with multiple domain names and conflicting matching rules (ALLOW / BLOCK), the ALLOW rule overrules the BLOCK pattern.

  4. Collector does not support IPv4 addresses in IPv6 format. An IPv4 filter rule in IPv6 format does not match connections with the corresponding IPv4 address.

Last updated

#451: 2024.8-Overview of integration DOC

Change request updated