Deployment script and command reference for the insider risk agent

Overview

When you create a deployment policy in the Incydr console, the process generates user-detection scripts and agent install command arguments. This article provides details about the scripts for Windows, Mac, and Linux devices. 

Use the correct scripts!
Use the scripts for the agents in your Incydr environment. If you use the wrong script, agent deployment will fail.

This article applies to devices where only the insider risk agent is being deployed. If you are also deploying the backup agent, see Deployment script and command reference for the backup agent.

Need help?
For assistance, contact your Customer Success Manager (CSM) to engage the Incydr Professional Services team. If you don't know who your CSM is, contact our Technical Support Engineers.

Considerations

This article assumes you understand the introduction to deployment provided by the article Deploy agents.

  • To use these deployment tools, you need to sign in to your Incydr console as a user with the Security Administrator role.
  • In the Incydr federal environment, app installations must be deployed with a deployment policy to ensure the use of FIPS encryption in the agent. Users cannot download the installation package from the Incydr console.

Deployment is a secure process:

  • During installation, device-server communications are encrypted.
  • Devices can use a proxy to reach the Incydr cloud. See the PROXY_URL parameter.
  • Deployment can run silently, with no intervention from users at devices.

The detection scripts below apply to insider risk agent version 1.9.0 and later, which uses the logPath value Code42-AAT/logs. Version 1.8.x and earlier used the path Code42-AAT/Data/logs.

About user detection scripts

Deployment relies on usernames having an email format, for instance, firstname.lastname@example.com. A user detection script detects the usernames in another system, such as a directory service, and transforms them to a username format that Incydr can use. When you create a user detection script, you must customize it for the system where you need to detect usernames.

To make it easier to create a user detection script that's right for your situation, we provide example scripts for Windows and Mac systems. You can use these examples as a starting place when creating your own user detection script.

Requirements for multiple agents
Deploying both the insider risk and backup agents to a single device requires:

  • Two code42.deployment.properties files (the deployment policy contains separate properties for each agent type).
  • A single user detection script. Use only the user detection script for the backup agent; it also detects the user for the insider risk agent. If you use the detection script for the insider risk agent, the backup agent will not be able to register.

Windows

For insider risk agents on Windows devices, a deployment policy provides:

  • A user detection script to provide the insider risk agent with a username for the device. The script can also optionally specify the user's organization.
  • Installation properties to serve as the arguments string for an insider risk agent install command.
  • A code42.deployment.properties file to distribute along with the insider risk agent installer package.

Before insider risk agent installers run
Before insider risk agent installers can run properly, the code42.deployment.properties file must be placed in the management tool or the device's file system.

Windows user detection script

When you create a deployment policy, you must also create a custom user detection script. A user detection script examines the host device and provides the insider risk agent with a username. The script resides in the Incydr cloud. The insider risk agent retrieves it during the install process.

The Incydr cloud requires a custom script
Because user names in the Incydr cloud must be email addresses, deployments for connection to the Incydr cloud always require a customized user detection script. 

You need to create a custom script because usernames must be email addresses. If you need help, contact your Customer Success Manager (CSM) to engage the Professional Services team. 

How the Windows script works

The user detection script for Windows uses the device's operating system to determine the most recently logged-on username. The user detection script then reports this value on standard output.

Tips to create a custom Windows script

Create a custom script and paste your script into your deployment policy. If you need help, contact your Customer Success Manager (CSM) for enterprise support.

When creating your custom script, be aware of the following:

  • Every script must end by echoing the value for the username variable.

    echo C42_USERNAME=<value>
    
  • In the Code42 cloud, usernames must be email addresses.

    echo C42_USERNAME=%current_user%@example.com
  • Optionally, you can also specify the organization for the user. Use the registration key for the organization. If the organization is not defined, the user registers to the organization specified in the deployment policy.

    echo C42_ORG_REG_KEY=<value>
  • You must provide values. Null values and empty strings will not work.
  • The values cannot include either single (') or double (") quotation marks.

Windows command and arguments

Deployment policy command arguments need to be imported into your software management tool. To install an insider risk agent for all users of a device, sign in to an account with administrative rights and issue a command like the following:

<install-exe-name>.exe DEPLOYMENT_URL=<your deployment URL here> DEPLOYMENT_POLICY_TOKEN=<your token here> DEPLOYMENT_SECRET=<your secret here> /quiet /install /norestart

Windows deployment properties file

The code42.deployment.properties file uses values from your deployment policy and typically contains the following properties:

DEPLOYMENT_URL=<your deployment URL here>
DEPLOYMENT_POLICY_TOKEN=<your token here>
DEPLOYMENT_SECRET=<your secret here>

The file can also optionally contain a PROVIDED_USERNAME parameter that bypasses the user detection script altogether and simply registers with the provided username.

To deploy the properties file, see our instructions for deploying to devices.

Example Windows user detection scripts

Following are example user detection scripts for the Windows platform. For help with these scripts, contact your Customer Success Manager (CSM) to engage the Professional Services team. 

General usage:

  • Add the domains your company uses to the "IncludedDomains" list in the format '*@domain.com'; include every domain that appears in your users' email addresses.
  • Add users you want to exclude from processing to the denylist in each script (look for "ExcludedUsers" or "Excluded Users"). This helps IT teams ensure that the Incydr installation is set up for the correct end users, and not for the support staff who set up the Windows computers for the first time.
  • Check whether the script has additional variables that control its output. For example, some scripts need 'UseDomain' set to the standard domain the company uses for appending to usernames.

Domain-joined username detection

Professional Services filename: win_in_domain_joined_device_user_detection_script.bat

This script detects the user running explorer.exe and determines their email address from the directory. It is the default Windows user detection script used by the Incydr Professional Services team. For Azure, the script first looks at the IdentityStore LogonCache Name2Sid registry keys. If no valid email is found there, it tries an ADSI lookup. If no ADSI record is found either, it looks for the Microsoft Enrollments registry key at HKLM:\SOFTWARE\Microsoft\Enrollments\*. This script requires an active connection to a Windows domain and PowerShell 4.0 or later.

#win_in_domain_joined_device_user_detection_script.bat
#for Incydr Agents
#last updated 2025-07-03

#Add Domains to this list that Code42 can register with; must start with *@
$IncludedDomains = @(
	'*@domain.com'
	'*@domain2.com'
)

#Add users and domains to this list that Code42 should not register; using * as wildcard
$ExcludedUsersAndDomains = @(
	'*@domain.com'
	'user1'
	'defaultuser0*'
	'Localadmin'
	'admin'
	'Administrator'
	'admin-*'
	'adm*'
)

function Find-User {
	#################################################
	$global:emailfound=$false
	$excludedusersanddomainscount=$ExcludedUsersAndDomains.count
	Write-Log "---"
	Write-Log "-----------------------------------User Detection Run Start-----------------------------------"
	Write-Log "---"
	Write-Log "Running user detection script: win_in_domain_joined_device_user_detection_script.bat"
	Write-Log "Starting user detection...version 2025-07-03"
	$hostname = $env:computername
	$OsInfo = (Get-CimInstance -ClassName CIM_OperatingSystem | Select-Object Caption, Version, OSArchitecture, BuildNumber)
	Write-Log "Machine hostname: ($hostname)"
	Write-Log "$OsInfo".replace("@{Caption=","{")
	$username = (Get-Process -IncludeUserName -Name explorer | Select-Object -ExpandProperty UserName).Split('\')[1]
	$AgentUUID = (Get-ItemProperty HKLM:\Software\Code42-AAT | Select-Object -ExpandProperty AgentUUID)
	$InstallUUID = (Get-ItemProperty HKLM:\Software\Code42-AAT | Select-Object -ExpandProperty InstallUUID)
	Write-Log "AgentUUID is ($AgentUUID)"
	Write-Log "InstallUUID is ($InstallUUID)"
	Write-Log "Local explorer OS username found ($username)"
	Write-Log "ExcludedUsers List is length ($excludedusersanddomainscount)"
	#Build a comma-separated list of local profile folders for the log
	$userlist = ""
	Get-ChildItem C:\Users | ForEach-Object {
		$userlist = $userlist + ($_ | Select-Object -ExpandProperty Name) + ", "
	}
	Write-Log "UserList: ($userlist)"
	$C42_USERNAME = ""
	$C42_USERNAME = "@ Local User is ($username)"
	
	#Start of Hybrid Azure Reg Key Logic
	Write-Log "~"
	Write-Log "~"
	Write-Log "Trying to find from hybrid Azure/EntraID reg key..."
	$LastLoggedOnUser = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI | Select-Object -ExpandProperty LastLoggedOnUser).Split('\')[-1].Split('@')[0]
	$displayname = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI | Select-Object -ExpandProperty LastLoggedOnDisplayName)
	Write-Log "LastLoggedOnUser name found: ($LastLoggedOnUser)"
	Write-Log "LastLoggedOnDisplayName name found: ($displayname)"
	if (!(Check-Exclusion-List $LastLoggedOnUser)) {
		$azureregkeys = (Get-ItemProperty HKLM:SOFTWARE\Microsoft\IdentityStore\LogonCache\*\Name2Sid\* | Where-Object {$_.DisplayName -eq $displayname} | Select-Object -Unique -ExpandProperty identityName)
		Write-Log "Azure/EntraID Reg Key(s) returned: ($azureregkeys)"
		#Using first email that matches domain
		if (!([string]::IsNullOrEmpty($azureregkeys))) {
			$azurekeyarray = $azureregkeys.split(" ")
			Write-Log "Found Email(s) in Azure Reg Key(s)"
			foreach ($email in $azurekeyarray) {
				Write-Log "Checking ($email)"
				if (Check-Exclusion-List $email) {
					Write-Log "Email in Azure/EntraID Reg Key is on excluded user list : ($email)"
					$C42_USERNAME = "Azure/EntraID Email Exclusion ($email)@"
					continue
				}
				if (Check-Domain-List $email) {
					Write-Log "An Email in Azure/EntraID Reg Key has matched domain list : ($email)"
					if ($global:emailfound) { 
						Write-Log "Could also have used Azure/EntraID Reg Key: ($email)" 
					}
					else {
						$C42_USERNAME = $email
						$global:emailfound=$true
						Write-Log "**********************************"
						Write-Log "**********************************"
						Write-Log "****** Email found via Azure/EntraID Reg Key lookup: ($C42_USERNAME)"
						Write-Log "****** Attempting to register Code42 Agent with this Email"
						Write-Log "**********************************"
						Write-Log "**********************************"
					}
					continue
				}
				else {
					Write-Log "Entra Email address failed validation checks on domain($email)"
					if (!($global:emailfound)) {
						$C42_USERNAME = "Email Domain validation Fail ($email)@"
					}
				}
			}
		}
		else { 
			Write-Log "No Emails found in Azure Regkey ($azureregkeys)"
			$C42_USERNAME = "No Emails found in Azure/EntraID Regkey @"
		}
	}
	else {
		Write-Log "The LastLoggedOnUser is on the Exclusion List ($LastLoggedOnUser)"
		$C42_USERNAME = "Excluded LastLoggedOnUser ($LastLoggedOnUser)@"
	}
	
	#Start of AD ADSI Searcher Logic	
	Write-Log "~"
	Write-Log "~"
	Write-Log "Trying to Query ADSI domain search..."
	$explorerusername = (Get-Process -IncludeUserName -Name explorer | Select-Object -ExpandProperty UserName).Split('\')[1]
	Write-log "Using explorer user: ($explorerusername)"
	if (!(Check-Exclusion-List $explorerusername)) {
		$searcher = [adsisearcher]"(samaccountname=$explorerusername)"
		$userupn = ($searcher.FindOne().Properties.userprincipalname)
		if ([string]::IsNullOrEmpty($userupn)) {
			Write-Log "ADSI domain search returned null for UPN check if domain record exists for user"
			Write-Log "ADSI domain search returned null for UPN check if machine is domain bound"
			if (!($global:emailfound)) { 
				$C42_USERNAME = "Azure/EntraID and ADSI search returned null @ ($explorerusername)"
			}
		}
		else {
			$usermail = ($searcher.FindOne().Properties.mail)
			$userdisplayname = ($searcher.FindOne().Properties.name)
			$usercreate = ($searcher.FindOne().Properties.whencreated)
			Write-Log "User ($explorerusername) has a domain record of mail ($usermail)"
			Write-Log "User ($explorerusername) has a domain record of userprincipalname ($userupn)"
			Write-Log "User ($explorerusername) has a domain record of name ($userdisplayname)"
			Write-Log "User ($explorerusername) has a domain record of whencreated ($usercreate)"
			if (Check-Domain-List $usermail) {
				if ($global:emailfound) { 
					Write-Log "Could also have used ADSI domain search: ($usermail)" 
				}
				else {
					if ([string]::IsNullOrEmpty($usermail)) {
						Write-Log "usermail is empty trying: ($userupn)" 
						if (Check-Domain-List $userupn) {
							$C42_USERNAME = "$userupn"
						}
					}
					else {
						$C42_USERNAME = "$usermail"
					}
					$global:emailfound=$true
					Write-Log "**********************************"
					Write-Log "**********************************"
					Write-Log "****** Email found via ADSI domain search: ($C42_USERNAME)"
					Write-Log "****** Attempting to register Code42 Agent with this Email"
					Write-Log "**********************************"
					Write-Log "**********************************"
				}
			}
			else {
				Write-Log "ADSI Email address failed validation checks on domain($usermail)"
				if (!($global:emailfound)) {
					$C42_USERNAME = "ADSI Email Domain validation Fail ($usermail)@"
				}
			}
		}
	}
	else {
		Write-Log "The explorerusername is on the Exclusion List ($explorerusername)"
		if (!($global:emailfound)) { 
			$C42_USERNAME = "Explorer Exclusion User ($explorerusername) @"
		}
	}
	
	#Start of Microsoft Enrollments RegKey Logic	
	Write-Log "~"
	Write-Log "~"
	Write-Log "Trying to Query Microsoft Enrollments RegKey..."
	$explorerusername = (Get-Process -IncludeUserName -Name explorer | Select-Object -ExpandProperty UserName).Split('\')[1]
	Write-log "Using explorer user: ($explorerusername)"
	if (!(Check-Exclusion-List $explorerusername)) {
		$enrollemntsregkeys = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Enrollments\* | Select-Object -ExpandProperty UPN)
		Write-Log "O365 Enrollment Reg Key(s) returned: ($enrollemntsregkeys)"
		#Using first email that matches domain
		if (!([string]::IsNullOrEmpty($enrollemntsregkeys))) {
			$enrollemntsarray = $enrollemntsregkeys.split(" ")
			Write-Log "Found Email(s) in Enrollment Reg Key(s)"
			foreach ($email in $enrollemntsarray) {
				Write-Log "Checking ($email)"
				if ([string]::IsNullOrEmpty($email)) {
					Write-Log "Microsoft Enrollments RegKey returned null for UPN"
					if (!($global:emailfound)) { 
						$C42_USERNAME = "Microsoft Enrollments RegKey returned null @ ($explorerusername)"
					}
				}
				else {
					if (Check-Exclusion-List $email) {
						Write-Log "Email in Microsoft Enrollments RegKey is on excluded user list : ($email)"
						$C42_USERNAME = "Microsoft Enrollments RegKey Exclusion ($email)@"
						continue
					}
					if (Check-Domain-List $email) {
						Write-Log "Email in Microsoft Enrollments RegKey has matched domain list : ($email)"
						if ($global:emailfound) { 
							Write-Log "Could also have used Microsoft Enrollments RegKey:($email)" 
						}
						else {
							$C42_USERNAME = "$email"
							$global:emailfound=$true
							Write-Log "**********************************"
							Write-Log "**********************************"
							Write-Log "****** Email found via Microsoft Enrollments RegKey: ($C42_USERNAME)"
							Write-Log "****** Attempting to register Code42 Agent with this Email"
							Write-Log "**********************************"
							Write-Log "**********************************"
						}
						continue
					}
					else {
						Write-Log "Email address failed validation checks on domain($email)"
						if (!($global:emailfound)) {
							$C42_USERNAME = "Email Domain validation Fail ($email)@"
						}
					}
				}
			}
		}
	}
	else {
		Write-Log "The explorerusername is on the Exclusion List ($explorerusername)"
		if (!($global:emailfound)) { 
			$C42_USERNAME = "Explorer Exclusion User ($explorerusername) @"
		}
	}
	
	Write-Log "~"
	Write-Log "~"
	$C42_USERNAME = $C42_USERNAME.ToLower()
	Write-Log "Returning C42_USERNAME: $C42_USERNAME"
	if (!($global:emailfound)) {
		Write-log "Will retry user detection again in few minutes, or when next service restart or device reboot occurs."
	}
	Write-Host C42_USERNAME=$C42_USERNAME
}

$Scriptpath = Get-Location
if ("$Scriptpath" -eq "C:\WINDOWS\system32") {
	$PROC_LOG = "$env:HOMEDRIVE\ProgramData\Code42-AAT\logs\incydr_user_detection_result.log"
}
		
function Check-Exclusion-List {
	[CmdletBinding()]
	Param
	(
		[Parameter(Mandatory=$true, Position=0)]
		[AllowNull()]
		[AllowEmptyString()]
		[string]$checkvalue
	)
	#Null or empty values are treated as excluded; the agent cannot register them
	if ([string]::IsNullOrEmpty($checkvalue)) {
		return $true
	}
	$checkvalue=$checkvalue.ToLower()
	#A foreach statement (not ForEach-Object) so that return exits the function with a single value
	foreach ($pattern in $ExcludedUsersAndDomains) {
		if ($checkvalue -like $pattern.ToLower()) {
			return $true
		}
	}
	return $false
}

function Check-Domain-List {
	[CmdletBinding()]
	Param
	(
		[Parameter(Mandatory=$true, Position=0)]
		[AllowNull()]
		[AllowEmptyString()]
		[string]$email
	)
	if ([string]::IsNullOrEmpty($email)) {
		return $false
	}
	$email=$email.ToLower()
	#A foreach statement (not ForEach-Object) so that return exits the function with a single value
	foreach ($pattern in $IncludedDomains) {
		if ($email -like $pattern.ToLower()) {
			return $true
		}
	}
	return $false
}
		
function Write-Log {
	[CmdletBinding()]
	Param
	(
		[Parameter(Mandatory=$true, Position=0)]
		[string]$LogMessage
	)
	Write-Output $LogMessage
	#Only append to the log file when a log path was set (script started from the agent's working directory)
	if (![string]::IsNullOrEmpty($PROC_LOG)) {
		Add-Content -Path $PROC_LOG -Value ("{0} - {1}" -f (Get-Date), $LogMessage)
	}
}

Find-User

Google Credential Provider for Windows script

Professional Services filename: win_in_google_regkey_user_detection_script.bat

The following script reads the Google Credential Provider for Windows (GCPW) registry key at HKLM:SOFTWARE\Google\GCPW\Users\* and uses the email recorded there for the logged-on user. This script requires an active connection to a Windows domain and PowerShell 4.0 or later.

#win_in_google_regkey_user_detection_script.bat
#for Incydr Agents
#last updated 2025-04-02

#Add Domains to this list that Incydr can register with; must start with *@
$IncludedDomains = @(
	'*@domain.com'
	'*@domain2.com'
)

#Add users and domains to this list that Incydr should not register; using * as wildcard
$ExcludedUsersAndDomains = @(
	'*@yahoo.com'
	'*@gmail.com'
	'*@outlook.com'
	'*@domain.com'
	'user1'
	'admin'
	'Administrator'
	'admin-*'
)

#Domain to be used
$companydomain="domain.com"

function Find-User {
	#################################################
	$global:emailfound=$false
	$excludedusersanddomainscount=$ExcludedUsersAndDomains.count
	Write-Log "---"
	Write-Log "-----------------------------------User Detection Run Start-----------------------------------"
	Write-Log "---"
	Write-Log "Running user detection script: win_in_google_regkey_user_detection_script.bat"
	Write-Log "Starting user detection...version 2025-04-02"
	$hostname = $env:computername
	Write-Log "Machine hostname: ($hostname)"
	$username = (Get-Process -IncludeUserName -Name explorer | Select-Object -ExpandProperty UserName).Split('\')[1]
	#Find the Google Credential Provider for Windows (GCPW)
	$googleregkey = (Get-ItemProperty HKLM:SOFTWARE\Google\GCPW\Users\* | Where-Object {$_.user_name -eq $username} | Select-Object -Unique -ExpandProperty email)		
	Write-Log "Local explorer OS username found ($username)"
	Write-Log "Google RegKey found ($googleregkey)"
	Write-Log "ExcludedUsers List is length ($excludedusersanddomainscount)"
	#Build a comma-separated list of local profile folders for the log
	$userlist = ""
	Get-ChildItem C:\Users | ForEach-Object {
		$userlist = $userlist + ($_ | Select-Object -ExpandProperty Name) + ", "
	}
	Write-Log "UserList: ($userlist)"
	$C42_USERNAME = ""
	$C42_USERNAME = "@ Local User is ($username)"

	#Start of Username @ Domain Logic if using make sure to update the domain value
	Write-Log "~"
	Write-Log "~"
	$LastLoggedOnUser = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI | Select-Object -ExpandProperty LastLoggedOnUser).Split('\')[-1].Split('@')[0]
	Write-log "Explorer User: ($username)"
	Write-Log "LastLoggedOnUser Username found ($LastLoggedOnUser)"
	$tempusername = $googleregkey
	#Change attribute to $username from $LastLoggedOnUser if needed
	if ($tempusername -like "*@*") {
		$tempemail= $tempusername
		Write-log "tempusername is ($tempusername)"
	}
	else {
		$tempusername = $tempusername.replace(" ","")
		#Strip single quotes; registered values cannot contain quotation marks
		$tempusername = $tempusername.replace("'","")
		$tempusername = $tempusername.replace("~","")
		Write-log "tempusername is ($tempusername)"
		$tempemail= $tempusername + '@' + $companydomain
	}
	if (Check-Exclusion-List $username) {
		Write-Log "User failed excluded validation checks ($username)"
		$C42_USERNAME = "@ Excluded User is ($username)"
	}
	elseif (Check-Exclusion-List $tempusername) {
		Write-Log "Excluded or Null Regkey validation fail ($tempusername)"
		$C42_USERNAME = "@ Excluded or Null Google Regkey for ($username)"
	}
	elseif (Check-Domain-List $tempemail) {
		if ($global:emailfound) { 
			Write-Log "Could also have used Username+Domain: ($tempemail)" 
		}
		else {
			$C42_USERNAME = $tempemail
			$global:emailfound=$true
			Write-Log "**********************************"
			Write-Log "**********************************"
			Write-Log "****** Email found via Google RegKey: ($C42_USERNAME)"
			Write-Log "****** Attempting to register Code42 Agent with this Email"
			Write-Log "**********************************"
			Write-Log "**********************************"
		}
	}
	else {
		Write-Log "Email address failed validation checks ($tempemail)"
	}
	
	Write-Log "~"
	Write-Log "~"
	$C42_USERNAME = $C42_USERNAME.ToLower()
	Write-Log "Returning C42_USERNAME: $C42_USERNAME"
	if (!($global:emailfound)) {
		Write-log "Will retry user detection again in few minutes, or when next service restart or device reboot occurs."
	}
	Write-Host C42_USERNAME=$C42_USERNAME
}


$Scriptpath = Get-Location
if ("$Scriptpath" -eq "C:\WINDOWS\system32") {
	$PROC_LOG = "$env:HOMEDRIVE\ProgramData\Code42-AAT\logs\incydr_user_detection_result.log"
}
		
function Check-Exclusion-List {
	[CmdletBinding()]
	Param
	(
		[Parameter(Mandatory=$true, Position=0)]
		[AllowNull()]
		[AllowEmptyString()]
		[string]$checkvalue
	)
	#Null or empty values are treated as excluded; the agent cannot register them
	if ([string]::IsNullOrEmpty($checkvalue)) {
		return $true
	}
	$checkvalue=$checkvalue.ToLower()
	#A foreach statement (not ForEach-Object) so that return exits the function with a single value
	foreach ($pattern in $ExcludedUsersAndDomains) {
		if ($checkvalue -like $pattern.ToLower()) {
			return $true
		}
	}
	return $false
}

function Check-Domain-List {
	[CmdletBinding()]
	Param
	(
		[Parameter(Mandatory=$true, Position=0)]
		[AllowNull()]
		[AllowEmptyString()]
		[string]$email
	)
	if ([string]::IsNullOrEmpty($email)) {
		return $false
	}
	$email=$email.ToLower()
	#A foreach statement (not ForEach-Object) so that return exits the function with a single value
	foreach ($pattern in $IncludedDomains) {
		if ($email -like $pattern.ToLower()) {
			return $true
		}
	}
	return $false
}
		
function Write-Log {
	[CmdletBinding()]
	Param
	(
		[Parameter(Mandatory=$true, Position=0)]
		[string]$LogMessage
	)
	Write-Output $LogMessage
	#Only append to the log file when a log path was set (script started from the agent's working directory)
	if (![string]::IsNullOrEmpty($PROC_LOG)) {
		Add-Content -Path $PROC_LOG -Value ("{0} - {1}" -f (Get-Date), $LogMessage)
	}
}

Find-User

Mac

For insider risk agents on Mac devices, a deployment policy provides:

  • A detection script to provide the insider risk agent with a username for the device. The script can also optionally specify the user's organization.
  • A code42.deployment.properties file to distribute along with the insider risk agent installer package.

Before insider risk agent installers run
Before insider risk agent installers can run properly, the code42.deployment.properties file must be placed in the management tool or the device's file system.

Mac user detection script

When you create a deployment policy, you must also create a custom user detection script. A user detection script examines the host device and provides the insider risk agent with a username. The script resides in the Incydr cloud. The insider risk agent retrieves it during the install process.

You need to create a custom script because usernames must be email addresses. If you need help, contact your Customer Success Manager (CSM) for enterprise support.

How the Mac script works

The user detection script for Mac uses the device's operating system to determine the most recently logged-on username. The detection script then reports the value on standard output.

Python scripting language runtime is deprecated in macOS

According to the macOS Catalina 10.15 Release Notes, Apple deprecated bundling scripting language runtimes, including Python, in the Catalina release of macOS. This means that any Mac user detection script using Python may break in a future macOS.

To prevent this problem, if your user detection script uses Python, replace this:

/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'

with this:

echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }'

Removing Python calls from your user detection script in this way ensures proper functioning of the script in future macOS versions.

Tips to create a custom Mac script

Create a custom script and paste your script into your deployment policy. If you need help, contact your Customer Success Manager (CSM) for enterprise support.

When creating your custom script, be aware of the following:

  • Every script must end by echoing the value for the username variable:

    echo "C42_USERNAME=<value>"
    
  • In the Incydr cloud, usernames must be email addresses.

    echo "C42_USERNAME=${user}@example.com"
    
  • Optionally, you can also specify the organization for the user. Use the registration key for the organization. If the organization is not defined, the user registers to the organization specified in the deployment policy.

    echo C42_ORG_REG_KEY=<value>
  • You must provide values. Null values and empty strings will not work.
  • The values cannot include either single (') or double (") quotation marks.
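
The following is an added example, not Code42's own script: a minimal Mac user detection script that uses the scutil/awk replacement for the deprecated Python call, applies an exclusion list, and checks the value against the rules above (non-empty, email format, no quotation marks) before echoing C42_USERNAME. COMPANY_DOMAIN, ORG_REG_KEY, the exclusion pattern and the sample scutil output are assumed placeholders for illustration.

```bash
#!/bin/bash
# Added example (not Code42's script). Set these for your environment:
COMPANY_DOMAIN="example.com"                 # assumed placeholder domain
ORG_REG_KEY=""                               # optional; empty = policy's organization
EXCLUDED_USERS='^(admin1|admin2|admin3|root|_mbsetupuser)$'   # assumed denylist

# Extract the console user's short name from the text scutil prints for
# "show State:/Users/ConsoleUser". Prints nothing at the login window.
console_user_from_scutil() {
    printf '%s\n' "$1" | awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Turn a short name into the email-format username the agent expects.
# Prints the value and returns 0; returns non-zero (printing nothing)
# when the agent would reject it: empty, on the denylist, or containing quotes.
build_c42_username() {
    local name="$1"
    [ -n "$name" ] || return 1
    if printf '%s\n' "$name" | grep -Eq "$EXCLUDED_USERS"; then
        return 2
    fi
    case "$name" in
        *\'*|*\"*) return 3 ;;
    esac
    printf '%s@%s\n' "$name" "$COMPANY_DOMAIN" | tr '[:upper:]' '[:lower:]'
}

# Constructed sample of the scutil output so the script runs anywhere;
# on a real Mac use:  scutil_out=$(echo "show State:/Users/ConsoleUser" | scutil)
SAMPLE_SCUTIL_OUTPUT='<dictionary> {
  GID : 20
  Name : jdoe
  SessionInfo : <array> { ... }
  UID : 501
}'

main() {
    local user value
    user=$(console_user_from_scutil "${1:-$SAMPLE_SCUTIL_OUTPUT}")
    if value=$(build_c42_username "$user"); then
        echo "C42_USERNAME=${value}"
        [ -n "$ORG_REG_KEY" ] && echo "C42_ORG_REG_KEY=${ORG_REG_KEY}"
        return 0
    fi
    # Never echo an empty C42_USERNAME; the agent retries detection later.
    echo "user detection: no registrable username (console user: '${user:-none}')" >&2
    return 1
}

main "$@"
```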

Mac commands

Deployment policy command arguments need to be imported into your software management tool. Commands and arguments are detailed here in case you need to modify them for some reason, or to help you deploy without a device management tool.

To install an insider risk agent for all users of a device, sign in to an account with administrative rights and issue a command like the following:

hdiutil attach Code42-aat_n.n.n_Mac.dmg
installer -package "/Volumes/Code42-AAT/Install Code42-AAT.pkg" -target LocalSystem
hdiutil detach /Volumes/Code42-AAT

Individual parts of the commands are as follows:

  • hdiutil attach Code42-aat_n.n.n_Mac.dmg
    Mount the insider risk agent disk image. You must update the name of the installer file to match the exact name and version number being deployed.
  • installer -package "/Volumes/Code42-AAT/Install Code42-AAT.pkg"
    Run the install program.
  • -target LocalSystem
    Install the insider risk agent for all users of the device.
  • hdiutil detach /Volumes/Code42-AAT
    Unmount the insider risk agent disk image.

Mac deployment properties file

The code42.deployment.properties file uses values from your deployment policy and typically contains the following properties:

DEPLOYMENT_URL=<your deployment URL here>
DEPLOYMENT_POLICY_TOKEN=<your token here>
DEPLOYMENT_SECRET=<your secret here>

The file can also optionally contain a PROVIDED_USERNAME parameter that bypasses the user detection script altogether and simply registers with the provided username.

To deploy the properties file, see our instructions for deploying to devices.

To write the deployment properties to a local machine, you can use a script. For example:

#!/bin/bash
# The properties file carries DEPLOYMENT_SECRET, so create it readable only by the account running this script
umask 077
echo "DEPLOYMENT_URL=<your deployment URL here>
DEPLOYMENT_POLICY_TOKEN=<your token here>
DEPLOYMENT_SECRET=<your secret here>" > /tmp/code42.deployment.properties

Example Mac user detection scripts

Following are example user detection scripts for the Mac platform. For help with these scripts, contact your Customer Success Manager (CSM) to engage the Professional Services team.

General usage:

  • Replace "domain.com" with your domain name.
  • Add users you want to exclude from processing to the denylist in each script (look for "admin1|admin2|admin3"). This helps IT teams ensure that the Incydr installation is set up for the correct users, and not the support staff setting up the Mac computers for the first time.
  • Depending on your environment, some scripts may require you to set additional flags.

MacOS plist script

Professional Services filename: macos_in_plist_user_detection_script.sh

The following script is helpful if you use one of the main macOS MDMs for device management. The script reads a plist on the local machine that the MDM populates with the email associated with the device. It checks for the Jamf Connect plist, the Kandji global variable plist (Kandji Global Variable), the Okta Network User plist, or the Code42 plist (which requires additional setup in Jamf).

#!/bin/bash
#macos_in_plist_user_detection_script.sh
#for Incydr Agents
#last updated 2025-04-10
function main () {
    extensionslist="$(systemextensionsctl list | grep -i "com.code42.agent.extension")"
    userrealname=$(id -P $(stat -f%Su /dev/console) | cut -d : -f 8)
    loggedinuser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    jamfplistuser=$(/usr/libexec/PlistBuddy -c "Print :DisplayName" /Users/$loggedinuser/Library/Preferences/com.jamf.connect.state.plist)
    code42plistuser=$(defaults read /Library/Managed\ Preferences/com.code42.email.plist code42ActivationEmail)
    kandjiplistuser=$(/usr/libexec/PlistBuddy -c 'Print :EMAIL' /Library/Managed\ Preferences/io.kandji.globalvariables.plist)
    kandjiplist2user=$(defaults read /Library/Managed\ Preferences/io.kandji.globalvariables.plist EMAIL)
    #Okta network user attribute of the logged-in user; lookup errors are discarded
    oktanetworkuser=$(dscl . -read /Users/$loggedinuser dsAttrTypeStandard:NetworkUser 2>/dev/null | awk -F ': ' '{print $2}')
    dLocalHostName=$(scutil --get LocalHostName)
    currentdate=$(date)
    C42_USERNAME=""
    C42_USERNAME="@logged in user ($loggedinuser)"
    writeLog "---"
    writeLog "-----------------------------------User Detection Run Start-----------------------------------"
    writeLog "---"
    writeLog "Running user detection script: macos_in_plist_user_detection_script.sh"
    writeLog "Starting user detection...version 2025-04-10"
    writeLog "$currentdate"
    writeLog "LocalHostName found ($dLocalHostName)"
    writeLog "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    writeLog "extensionslist:"
    writeLog "$extensionslist"
    writeLog "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    writeLog "userrealname: ($userrealname)"
    writeLog "loggedinuser: ($loggedinuser)"
    writeLog "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    writeLog "jamfplistuser: ($jamfplistuser)"
    writeLog "kandjiplistuser: ($kandjiplistuser)"
    writeLog "kandjiplist2user: ($kandjiplist2user)"
    writeLog "oktanetworkuser: ($oktanetworkuser)"
    writeLog "code42plistuser: ($code42plistuser)"
    writeLog "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    #Discard any value that is not an email address or that is really an error message from the reader
    if [[ ! $jamfplistuser =~ "@" ]] || [[ $jamfplistuser =~ "com.jamf.connect.state.plist" ]]; then
        jamfplistuser=""
    fi
    if [[ ! $kandjiplistuser =~ "@" ]] || [[ $kandjiplistuser =~ "io.kandji.globalvariables.plist" ]]; then
        kandjiplistuser=""
    fi
    if [[ ! $kandjiplist2user =~ "@" ]] || [[ $kandjiplist2user =~ "io.kandji.globalvariables.plist" ]]; then
        kandjiplist2user=""
    fi
    if [[ ! $oktanetworkuser =~ "@" ]] || [[ $oktanetworkuser =~ "doesn't exist" ]]; then
        oktanetworkuser=""
    fi
    if [[ ! $code42plistuser =~ "@" ]] || [[ $code42plistuser =~ "doesn't exist" ]]; then
        code42plistuser=""
    fi
    for user in /Users/*; do
        writeLog "Users: ($user)"
    done
    #Start of Plist Logic
    writeLog "~"
    if [[ "$loggedinuser" =~ ^(admin1|admin2|admin|root|jamfadmin|_mbsetupuser)$ ]] || [[ -z "$loggedinuser" ]]; then
        writeLog "User failed excluded validation checks ($loggedinuser)"
        C42_USERNAME="@Excluded User ($loggedinuser)"
    else
        if [[ -n "$jamfplistuser" ]]; then
            writeLog "Using JAMF Connect PLIST ($jamfplistuser)"
            C42_USERNAME="$jamfplistuser"
        elif [[ -n "$kandjiplistuser" ]]; then
            writeLog "Using Kandji Config Profile PLIST ($kandjiplistuser)"
            C42_USERNAME="$kandjiplistuser"
        elif [[ -n "$kandjiplist2user" ]]; then
            writeLog "Using Kandji Config Profile PLIST ($kandjiplist2user)"
            C42_USERNAME="$kandjiplist2user"
        elif [[ -n "$oktanetworkuser" ]]; then
            writeLog "Using Okta Config Profile PLIST ($oktanetworkuser)"
            C42_USERNAME="$oktanetworkuser"
        elif [[ -n "$code42plistuser" ]]; then
            writeLog "Using Code42 Config Profile PLIST pushed by Jamf ($code42plistuser)"
            C42_USERNAME="$code42plistuser"
        elif [[ -z "$jamfplistuser" ]] && [[ -z "$code42plistuser" ]]; then
            writeLog "Known PLISTs empty jamfplistuser($jamfplistuser) code42plistuser($code42plistuser)"
            if [[ -z "$kandjiplistuser" ]] && [[ -z "$oktanetworkuser" ]]; then
                writeLog "Known PLISTs empty kandjiplistuser($kandjiplistuser) oktanetworkuser($oktanetworkuser)"
            fi
            C42_USERNAME="@PLIST(s) are empty"
        fi
        writeLog "Returning C42_USERNAME=$C42_USERNAME"
        echo "C42_USERNAME=$C42_USERNAME"
    fi
}
SCRIPT_PATH=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
if [[ "$SCRIPT_PATH" == "/" ]]; then
    logPath="/Library/Application Support/Code42-AAT/logs/incydr_user_detection_result.log"
fi
function writeLog () {
    echo "$(date) - $@" >> $logPath
}
main "$@"

The following configuration is helpful if you use Jamf for device management. It places a plist on the local machine that is populated with the username associated with the device in Jamf.
To use this with Jamf when you are not using Jamf Connect:

  1. Place the script into your deployment policy.
    You may need to update the script depending on your Jamf version and configuration. Earlier versions of Jamf put the plist in ~/Library/Preferences/, but later versions put it in /Library/Managed Preferences/.
  2. In Jamf, go to Computers, then Configuration Profiles, and create a new configuration profile.
  3. Go to Application & Custom Settings in the left scroll menu and click the Upload sub-option.
  4. Click "+ Add" in the top right.
  5. In the Preference Domain field, type com.code42.email. When the profile is pushed by Jamf, the .plist file extension is appended.
  6. Copy and paste the following into the "Property List" field.
    This is a sample plist file. If you prefer, you can create your own, as long as the EMAIL variable is present under a key that matches what the deployment policy's script is set up to read.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>code42ActivationEmail</key>
    <string>$EMAIL</string>
</dict>
</plist>
  7. Scope the Privacy Preferences Policy Control (PPPC) to the users.
    Use appropriate scoping. Whether you scope to users or machines depends on your environment. Jamf must have an email on file for whatever you scope the profile to.
  8. Save and deploy as normal.

Scutil Username Append Domain script

Professional Services filename: macos_in_username_append_domain_user_detection_script.sh

The following script uses the system configuration utility (scutil) to detect the logged-in user. Enter your email domain in the companydomain variable to generate a valid email username.

#!/bin/bash
#macos_in_username_append_domain_user_detection_script.sh
#for Incydr Agents
#last updated 2025-04-08
function main () {
    companydomain="domain.com"
    extensionslist="$(systemextensionsctl list | grep -i "com.code42.agent.extension")"
    userrealname=$(id -P $(stat -f%Su /dev/console) | cut -d : -f 8)
    loggedinuser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    dLocalHostName=$(scutil --get LocalHostName)
    currentdate=$(date)
    C42_USERNAME=""
    C42_USERNAME="@ logged in user is ($loggedinuser)"
    writeLog "---"
    writeLog "-----------------------------------User Detection Run Start-----------------------------------"
    writeLog "---"
    writeLog "Running user detection script: macos_in_username_append_domain_user_detection_script.sh"
    writeLog "Starting user detection...version 2025-04-08"
    writeLog "$currentdate"
    writeLog "LocalHostName found ($dLocalHostName)"
    writeLog "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    writeLog "extensionslist:"
    writeLog "$extensionslist"
    writeLog "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    writeLog "userrealname: ($userrealname)"
    writeLog "loggedinuser: ($loggedinuser)"
    writeLog "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    for user in /Users/*; do
        writeLog "Users: ($user)"
    done
    #Start of Username Append Domain Logic
    writeLog "~"
    if [[ "$loggedinuser" =~ ^(admin1|admin2|admin|root|jamfadmin|_mbsetupuser)$ ]] || [[ -z "$loggedinuser" ]]; then
        writeLog "User failed excluded validation checks ($loggedinuser)"
    else
    	if [[ $loggedinuser =~ "@" ]]; then
        	C42_USERNAME="$loggedinuser"
        	writeLog "loggedinuser already has domain ($C42_USERNAME)"
        else
        	C42_USERNAME="$loggedinuser@$companydomain"
        	writeLog "Email assembled by appending domain ($C42_USERNAME)"
        fi
        writeLog "Returning C42_USERNAME=$C42_USERNAME"
        echo "C42_USERNAME=$C42_USERNAME"
    fi
}
SCRIPT_PATH=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
if [[ "$SCRIPT_PATH" == "/" ]]; then
    logPath="/Library/Application Support/Code42-AAT/logs/incydr_user_detection_result.log"
fi
function writeLog () {
    echo "$(date) - $@" >> $logPath
}
main "$@"


Local logged-in user first and last name script

Professional Services filename: macos_in_firstname_lastname_append_domain_user_detection_script.sh

The following script detects the locally logged-in user's first and last names (based on the macOS string variable realname) and edits the string to create a username. This script handles both firstname lastname and lastname, firstname formats. By default, the script uses first and last names in the format firstname.lastname. To change the default format, update the script parameters below:

  • To use only the first letter of the user's first name instead of the full name, change usefirstinitial=false to usefirstinitial=true
  • To remove the period between the first name or initial and the last name, change noperiodinbetween=false to noperiodinbetween=true
  • To remove special characters, change removeapostrophes, removehyphen, or removetilde from false to true as needed.
  • To append any digits from the local account name to the generated username (for example, realname "John Smith" with account "Jsmith06" giving john.smith06@domain.com), change useusernamedigits=false to useusernamedigits=true.

#!/bin/bash
#macos_in_firstname_lastname_append_domain_user_detection_script.sh
#for Incydr Agents
#last updated 2024-09-20

function main () {
    #set the domain the company uses for emails
    companydomain="domain.com"
    #Set the style for firstname
    usefirstinitial=false
    noperiodinbetween=false
    #useusernamedigits is for when the email address needs numbers at the end that are in the OS user's username
    #i.e. realname is "John Smith" username is "Jsmith06" need email of "john.smith06@domain.com"
    useusernamedigits=false
    #check for special Chars
    removeapostrophes=false
    removehyphen=false
    removetilde=false
    
    extensionslist="$(systemextensionsctl list | grep -i "com.code42.agent.extension")"
    userrealname=$(id -P $(stat -f%Su /dev/console) | cut -d : -f 8)
    loggedinuser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    dLocalHostName=$(scutil --get LocalHostName)
    currentdate=$(date)
    C42_USERNAME=""
    writeLog "---"
    writeLog "-----------------------------------User Detection Run Start-----------------------------------"
    writeLog "---"
    writeLog "Running user detection script: macos_in_firstname_lastname_append_domain_user_detection_script.sh"
    writeLog "Starting user detection...version 2024-09-20"
    writeLog "$currentdate"
    writeLog "LocalHostName found ($dLocalHostName)"
    writeLog "extensionslist:"
    writeLog "$extensionslist"
    writeLog "userrealname: ($userrealname)"
    writeLog "loggedinuser: ($loggedinuser)"
    for user in /Users/*; do
        writeLog "Users: ($user)"
    done
    
    #Start of Username Append Domain Logic
    writeLog "~"
    if [[ "$loggedinuser" =~ ^(admin1|jamfadmin|root)$ ]] || [[ -z "$loggedinuser" ]]; then
        writeLog "User failed excluded validation checks ($loggedinuser)"
    else
        #fix realname
        realname="$(dscl . -read /Users/$loggedinuser RealName | cut -d: -f2)"
        #dscl may split the value across two lines; join them (tr works with both BSD and GNU tools)
        realname="$(echo $realname | tr -d '\n')"
        writeLog "dscl returned realname of ($realname)"
        if [[ ($realname =~ 'dsRecTypeStandard') ]]; then
            realname="$(id -F $loggedinuser)"
            realname="$(echo $realname | tr -d '\n')"
            writeLog "id -F returned realname of ($realname)"
        fi
        writeLog "Realname user field of $loggedinuser is ($realname)"
        if [[ "$removeapostrophes" == "true" ]]; then 
            realname="$(echo $realname | sed "s/'//g")"
            writeLog "Realname user field checked for apostrophes updated to ($realname)" 
        fi
        if [[ "$removehyphen" == "true" ]]; then 
            realname="$(echo $realname | sed "s/-//g")"
            writeLog "Realname user field checked for hyphens updated to ($realname)" 
        fi
        if [[ "$removetilde" == "true" ]]; then
            realname="$(echo $realname | sed "s/~//g")" 
            writeLog "Realname user field checked for tildes updated to ($realname)"
        fi
        if [[ ($realname =~ ',') ]]; then
            writeLog "Real name contains a comma, assuming 'last, first' format."
            if [[ "$usefirstinitial" == "true" ]]; then
                writeLog "usefirstinitial is set to ($usefirstinitial)"
                realname="$(echo $realname | sed -e 's/[[:space:]]*//g' |  grep -v "^$" | tr '[:upper:]' '[:lower:]' | awk -F , '{print substr($2,1,1) "." $1}')"
            else
                realname="$(echo $realname | sed -e 's/[[:space:]]*//g' |  grep -v "^$" | tr '[:upper:]' '[:lower:]' | awk -F , '{print $2 "." $1}')"
            fi
        else
            if [[ "$usefirstinitial" == "true" ]]; then
                writeLog "usefirstinitial is set to ($usefirstinitial)" 
                realname="$(echo $realname | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/ /./; s/[[:space:]]*//g' | grep -v "^$" | tr '[:upper:]' '[:lower:]' | awk -F . '{print substr($1,1,1) "." $2}')"
            else
                realname="$(echo $realname | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/ /./; s/[[:space:]]*//g' | grep -v "^$" | tr '[:upper:]' '[:lower:]')"
            fi
        fi
        writeLog "Realname user field converted to ($realname)"
        if [[ "$noperiodinbetween" == "true" ]]; then
            realname="$(echo $realname | sed "s/\.//g")" 
            writeLog "email user set to no period inbetween names ($realname)"
        fi
        if [[ "$useusernamedigits" == "true" ]]; then
            if [[ "$loggedinuser" =~ [[:digit:]] ]]; then
                numhold="$(echo $loggedinuser | sed 's/[^0-9]*//g')"
                realname="$realname$numhold" 
                writeLog "useusernamedigits set to true updated to ($realname)"
            else 
                writeLog "There are no numbers in the username ($loggedinuser) left output as ($realname)"
            fi
        fi
        writeLog "companydomain set to ($companydomain)"
        local C42_USERNAME="$realname@$companydomain"
        writeLog "Email assembled from realname: $C42_USERNAME"
        writeLog "Returning C42_USERNAME=$C42_USERNAME"
        echo "C42_USERNAME=$C42_USERNAME"
    fi
}

SCRIPT_PATH=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
if [[ "$SCRIPT_PATH" == "/" ]]; then
  logPath="/Library/Application Support/Code42-AAT/logs/incydr_user_detection_result.log"
fi

function writeLog () {
    echo "$(date) - $@" >> $logPath
}
main "$@"

Text file script

Professional Services filename: macos_in_textfile_read_in_user_detection_script.sh

The following script reads the username from a text file (located by default at /tmp/code42_email.txt). Use it when there is no other logical way to determine the username and no user interaction is desired.

#!/bin/bash
#macos_in_textfile_read_in_user_detection_script.sh
#for Incydr Agents
#last updated 2024-09-20
function main () {
    textfileemail=$(cat /tmp/code42_email.txt)
    extensionslist="$(systemextensionsctl list | grep -i "com.code42.agent.extension")"
    userrealname=$(id -P $(stat -f%Su /dev/console) | cut -d : -f 8)
    loggedinuser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    dLocalHostName=$(scutil --get LocalHostName)
    currentdate=$(date)
    C42_USERNAME=""
    writeLog "---"
    writeLog "-----------------------------------User Detection Run Start-----------------------------------"
    writeLog "---"
    writeLog "Running user detection script: macos_in_textfile_read_in_user_detection_script.sh"
    writeLog "Starting user detection...version 2024-09-20"
    writeLog "$currentdate"
    writeLog "LocalHostName found ($dLocalHostName)"
    writeLog "extensionslist:"
    writeLog "$extensionslist"
    writeLog "userrealname: ($userrealname)"
    writeLog "loggedinuser: ($loggedinuser)"
    for user in /Users/*; do
        writeLog "Users: ($user)"
    done
    #Start of Textfile read in Logic
    writeLog "~"
    if [[ "$loggedinuser" =~ ^(admin1|jamfadmin|root)$ ]] || [[ -z "$loggedinuser" ]]; then
        writeLog "User failed excluded validation checks ($loggedinuser)"
    else
        C42_USERNAME="$textfileemail"
        writeLog "Email read from Text File at /tmp/code42_email.txt ($C42_USERNAME)"
        writeLog "Returning C42_USERNAME=$C42_USERNAME"
        echo "C42_USERNAME=$C42_USERNAME"
    fi
}
SCRIPT_PATH=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
if [[ "$SCRIPT_PATH" == "/" ]]; then
  logPath="/Library/Application Support/Code42-AAT/logs/incydr_user_detection_result.log"
fi
function writeLog () {
    echo "$(date) - $@" >> $logPath
}
main "$@"


Linux

For insider risk agents on Linux devices, a deployment policy provides:

  • A custom-written detection script to provide the insider risk agent with a username. The script can also optionally specify the user's organization.
  • Installation properties to serve as the arguments string to an insider risk agent install command.

Linux user detection script

A user detection script examines the host device and provides the insider risk agent with a username. The script resides in the Incydr cloud. The insider risk agent retrieves it during the install process.

Tips to create a custom Linux script

Create a custom script and paste your script into your deployment policy. If you need help, contact your Customer Success Manager (CSM) for enterprise support.

When creating your custom script, be aware of the following:

  • Every script must end by echoing the value for the username variable:

    echo C42_USERNAME=<value>;

  • In the Incydr cloud, usernames must be email addresses.
  • Optionally, you can also specify the organization for the user. Use the registration key for the organization. If the organization is not defined, the user registers to the organization specified in the deployment policy.

    echo C42_ORG_REG_KEY=<value>

  • You must provide values. Null values and empty strings will not work.
  • The values cannot include either single (') or double (") quotation marks.
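As an added example (not part of Code42's documentation or scripts), the following POSIX shell functions enforce those rules before the final echo: a custom script can call c42_emit_username with the detected value and an optional organization registration key, and it refuses to emit anything the Incydr cloud would reject. The function names are my own.

```shell
#!/bin/sh
# Added example, not Code42's code: gate the final echo of a custom Linux
# user detection script on the deployment-policy rules (email format,
# non-empty value, no quotation marks, optional C42_ORG_REG_KEY).

# Returns 0 if $1 looks like an email address (local@domain.tld).
c42_is_email() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# Returns 0 if $1 contains neither single nor double quotation marks.
c42_has_no_quotes() {
    case "$1" in
        *\'*|*\"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints the C42_USERNAME line (and C42_ORG_REG_KEY when $2 is given) only when
# every rule holds; otherwise writes the reason to stderr and returns 1 so the
# caller can log it and let the agent retry later instead of registering junk.
c42_emit_username() {
    username=$1
    orgkey=${2:-}
    if [ -z "$username" ]; then
        echo "refusing to emit: username is empty" >&2
        return 1
    fi
    if ! c42_has_no_quotes "$username" || ! c42_has_no_quotes "$orgkey"; then
        echo "refusing to emit: quotation marks are not allowed in values" >&2
        return 1
    fi
    if ! c42_is_email "$username"; then
        echo "refusing to emit: '$username' is not an email address" >&2
        return 1
    fi
    echo "C42_USERNAME=$username"
    if [ -n "$orgkey" ]; then
        echo "C42_ORG_REG_KEY=$orgkey"
    fi
}
```

A detection script would end with something like `c42_emit_username "$detected" || writeLog "no valid username yet"` in place of a bare echo.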

Linux commands and arguments

Deployment policy command arguments need to be imported into your software management tool. Commands and arguments are detailed here in case you need to modify them for some reason, or to help you deploy without a device management tool.

To install an insider risk agent for all users of a device, sign in to an account with root access and issue a command like the following:

  • Ubuntu
sudo apt install /path/to/<installer file>.deb
  • Red Hat
sudo yum install /path/to/<installer file>.rpm

Linux deployment properties file

The code42.deployment.properties file uses values from your deployment policy and typically contains the following properties:

DEPLOYMENT_URL=<your deployment URL here>
DEPLOYMENT_POLICY_TOKEN=<your token here>
DEPLOYMENT_SECRET=<your secret here>

The file can also optionally contain a PROVIDED_USERNAME parameter that bypasses the user detection script altogether and simply registers with the provided username.

To deploy the properties file, see our instructions for deploying to devices.

To write the deployment properties to a local machine, you can use a script. For example:

#!/bin/bash
echo "DEPLOYMENT_URL=<your deployment URL here>
DEPLOYMENT_POLICY_TOKEN=<your token here>
DEPLOYMENT_SECRET=<your secret here>" > /tmp/code42.deployment.properties
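The script above writes the policy token and secret with whatever umask the caller happens to have. As an added example (not Code42's own script), the following writes the same three properties with owner-only permissions and checks the result before the file is handed to the installer; the destination path and values are arguments, and the values used in its checks are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Code42's code: write code42.deployment.properties so that
# only the owner (root, when run as root) can read DEPLOYMENT_SECRET, then
# verify the file is complete and correctly protected before it is used.

# Writes the properties file at $1 from URL $2, policy token $3 and secret $4.
# Returns 1 without writing anything if a value is empty or still one of the
# "<your ... here>" placeholders from the deployment policy template.
write_deployment_properties() {
    dest=$1; url=$2; token=$3; secret=$4
    for v in "$url" "$token" "$secret"; do
        case "$v" in
            ''|*'<your '*) echo "refusing to write: unfilled value" >&2; return 1 ;;
        esac
    done
    # umask 077 inside a subshell creates the file mode 0600 whatever the
    # caller's umask is; write to a temp file and mv so a reader never sees
    # a partially written properties file.
    (
        umask 077
        tmp="$dest.tmp.$$"
        printf 'DEPLOYMENT_URL=%s\nDEPLOYMENT_POLICY_TOKEN=%s\nDEPLOYMENT_SECRET=%s\n' \
            "$url" "$token" "$secret" > "$tmp" && mv "$tmp" "$dest"
    )
}

# Returns 0 when $1 exists, is mode 0600 (owner read/write only) and contains
# all three required keys with non-empty values; prints the first problem found.
verify_deployment_properties() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # ls -l is used for the mode string because stat flags differ between GNU and BSD
    perms=$(ls -l "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "bad permissions $perms on $f" >&2; return 1; }
    for key in DEPLOYMENT_URL DEPLOYMENT_POLICY_TOKEN DEPLOYMENT_SECRET; do
        grep -Eq "^$key=.+$" "$f" || { echo "missing or empty $key in $f" >&2; return 1; }
    done
}
```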

Example Ubuntu user detection script

The following script detects which user last logged in, using the last -p now command to list current logins, then appends the company domain to make an email address. Exactly one user must be logged in to the device to pass the user check, so the script requires that the device is owned and used by a single user. The script does not support multi-user workstations.

#!/bin/bash
#requires bash (uses [[ ]], local, $'\n' and BASH_SOURCE); on Ubuntu /bin/sh is dash and would fail
#ubuntu_in_username_append_domain_user_detection_script.sh
#for Incydr Agents
#last updated 2025-04-03
function main () {
    writeLog "---"
    writeLog "-----------------------------------User Detection Run Start-----------------------------------"
    writeLog "---"
    writeLog "Running user detection script: ubuntu_in_username_append_domain_user_detection_script.sh"
    writeLog "Starting user detection...version 2025-04-03"
    writeLog "Date: $(date)"
    local companydomain="domain.com"
    #local userent=$(eval getent passwd {$(awk '/^UID_MIN/ {print $2}' /etc/login.defs)..$(awk '/^UID_MAX/ {print $2}' /etc/login.defs)} | cut -d: -f1)
    local userwho=$(whoami)
    local userwholist=$(who)
    local userlastlist=$(last -p now | grep -i "logged in")
    local userlastshort=$(last -p now | grep -m 1 -i "logged in" | cut -d " " -f 1-1)
    local userlastlong=$(who | grep -m 1 -i $userlastshort | cut -d " " -f 1-1)
    local userhostname=$(hostname)
    C42_USERNAME=""
    C42_USERNAME="@Username is ($userlastlong)"
    #Update all lines to use the variable required for the environment: Default is $userlastlong
    writeLog "Hostname found via hostname ($userhostname)"
    #writeLog "Username found via getent ($userent)"
    writeLog "Usernames found via userwholist ($userwholist)"
    writeLog "Username found via userwho ($userwho)"
    writeLog "Usernames currently logged in ($userlastlist)"
    #Grabs the first currently logged in user
    writeLog "Username found via lastshort -p now ($userlastshort)"
    writeLog "Username found via lastlong -p now ($userlastlong)"
    #Leave as is if changing variable
    if [[ "$userlastlong" =~ ^(root|admin|reboot|shutdown|local|user1)$ ]] || [[ -z "$userlastlong" ]]; then
        writeLog "Excluded or null username detected ($userlastlong). Will retry user detection in a few minutes, or when the service reboots."
        C42_USERNAME="@Excluded User ($userlastlong)"
    elif [[ "$userlastlist" =~ $'\n' ]] || [[ -z "$userlastlist" ]]; then
        #more than one "logged in" line from last means more than one active session
        writeLog "Multiple logged-on users found: $userlastlist. Will retry user detection in a few minutes, or when the service reboots."
        C42_USERNAME="@Multiple Users ($userlastlist)"
    else
        writeLog "Username ($userlastlong) passed Excluded Username Check"
        userlastlong="$(echo $userlastlong | sed -e 's/[[:space:]]//g' | tr '[:upper:]' '[:lower:]')"
        if [[ $userlastlong =~ "@" ]]; then
        	C42_USERNAME="$userlastlong"
        	writeLog "userlastlong already has domain ($C42_USERNAME)"
        else
        	C42_USERNAME="$userlastlong@$companydomain"
        	writeLog "Email assembled by appending domain ($C42_USERNAME)"
        fi
    fi
    writeLog "Returning C42_USERNAME=$C42_USERNAME"
    echo "C42_USERNAME=$C42_USERNAME"
}
SCRIPT_PATH=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
if [[ "$SCRIPT_PATH" == "/opt/code42-aat" ]]; then
  logPath="/var/opt/code42-aat/logs/incydr_user_detection_result.log"
fi
function writeLog () {
    echo "$(date) - $@" >> $logPath
}
main "$@"
