Scan Outside Profile

In this section:

Scan configuration

Configure Reports

Audits

Scan Monitoring Dashboard

The scan enables you to discover data outside of the user’s profile and so determine whether that data should be synchronized with the File Director server.

Introduced 2020.3, the scan is performed using a configuration which includes parameters that administrators can set. The scan identifies files that match these parameters. Reports are generated to show an administrator which files have been found on a user’s endpoint outside the profile, and the administrator can then decide whether or not these files require managing using File Director.

By default, the scan is restricted to fixed (non-removable) media. However, in some circumstances USB drives may identify themselves to the OS as fixed and so will be included in the scan.

Scan configuration

Parameters are set within the scan configuration to determine the scope of the scan - that is, where the scan searches, and which files to identify of interest. Parameters comprise a set of exclusions that can be modified by administrators. The configuration includes some default exclusions which can also be overridden.

Expressions syntax

The scan parameters use the same expression syntax as other File Director sync rules. This enables you to specify various attributes of exclusions such as path, file size, file type etc. to provide precise control over file discovery. For further information refer to Exclusions and Electives.

Owner Rule

The file owner rule is specific to the scan feature and allows you to match an expression against the file owner. The file owner can be specified using a Regex which may contain environment variables, or a SID:

Regex example: Owner == /LD\\john.smith/ or Owner == /LD\\.*/

SID example: Owner == S-1-5-21-3930722610-2437293652-3849561480-96868

Environment variable example: Owner == /%userdomain%\\%username%/

Note that the rule may require an internal lookup of the account name and an AD query if the account is not known locally.

Default exclusions

By default, the scan is excluded from the following folders (including any child folders and files):

%ProgramFiles%

%ProgramFiles(x86)%

%ProgramData%

%SystemRoot%

%SystemDrive%\Users

Recycle Bin

The configuration of the scan also allows defaults and exclusions to be overridden

Configuration keys

The configuration for the scan is held under the following registry key and sub-keys:

HKLM\Software\AppSense\DataNow\ScanPolicy

<HKEY root>\Software\AppSense\DataNow\ScanPolicy\ScanExclusions

Note, any rule specified in the ScanExclusions sub-key is added to the default excludes (as logical OR).

<HKEY root>\Software\AppSense\DataNow\ScanPolicy\ScanExclusionOverrides

The ScanExclusionOverrides sub-key can be used to override any excludes, either default or specified.

Scan Exclusion Overrides

In addition to overriding default exclusions, overrides can be used to specify folders or sub-folders that already form part of the scan exclusion.

For example, the folders within %PROGRAMFILES%\mysoftware are excluded by default. By specifying an exclusion, the administrator can include a specific subfolder relating to specific software but otherwise keep the default exclude in place.

Examples

Note, the default exclusion expression is highlighted in bold font:

ScanExclusions

ScanExclusionOverrides

Logical results of scan

Beneath == “%ProgramFiles%”   The default exclusion has no override, so the scan excludes all files and folders beneath "%ProgramFiles%”
Beneath == “%ProgramFiles%” Beneath == “%ProgramFiles%” The default exclusion has a corresponding override, so the scan includes all files and folders beneath "%ProgramFiles%”
Beneath == “%ProgramFiles%” OR Beneath == “%ProgramFiles%\mysoftware” Beneath == “%ProgramFiles%”

Default exclusion has been modified to also apply to a specified sub-folder (\mysoftware).

The override has been added to negate the default exclusion, so the scan includes all files and folders beneath "%ProgramFiles%” but it excludes files and folders in "%ProgramFiles%\mysoftware"

Hard Exclusions

Recursive scans of deep and complex folder structures can result in performance issues and to prevent this, by default, certain exclusions cannot be overridden.

The scan will not search the following folders even if override rules are present:-

%SystemRoot%

%SystemDrive%\Users

Enable the scan

By default the scan is disabled. The scan is enabled using the following registry DWORD key:

<HKEY root>\Software\AppSense\DataNow\OutsideCacheScanEnabled

Once enabled, the scan will run immediately after the logon sync has completed.

Configure Reports

When the scan completes it sends a default summary report to the File Director server. The summary includes how long the scan took, how many files were found, and their total size. The summary report enables administrators to review scan results and identify any areas requiring further investigation.

Optionally, the scan can also generate and send a detailed report on files found. This enables administrators to modify the scan configuration parameters and focus on identifying files of interest.

Enable detailed report

To enable detailed report to be sent use the following key:

HKLM\Software\AppSense\DataNow\ScanPolicy\ScanDetailReportEnabled

Audits

The following scan events are audited:

The summary details are audited once the scan completes (9834)

Any failure when parsing the scan rules (9833)

For further information refer to Client-side auditing.

Scan Monitoring Dashboard

Key metrics from the scan data are visualized in a new dashboard available from the Ivanti Marketplace free for your use.

In the example illustrated, the top two graphs present data from the scan summary report:

The number of files discovered outside of profile

The size of files discovered.

The bottom two graphs present data from the scan details report:

The types of files discovered

The top 20 discovered paths per user.

Monitoring of your syslog audit stream enables you to manage your File Director appliances and ensure performance is optimal. Free tools including a number of ready-made dashboards are available for you to download.

Refer to File Director Dashboards for further information.

Related topics

File sync controls

Exclusions and Electives

Sync status