Actifile Frequently asked questions

1. Log into your partner portal at https://app.actifile.com.
Note: If you don’t have a partner account you can contact your local Actifile distributor (or drop us a line).

2. Create a demo Actifile account in Actifile. The account will be an NFR account with up to 5 free licenses. Select the relevant policies and compliance frameworks that are relevant to your customer base.
Note:  It is recommended to select all the compliance frameworks and classification policies that are relevant to your customers. You can then decide to show or hide policies using the “sensitive” slider button. 

3. Select up to 5 (demo or production) machines to install Actifile. Copy the demo data from https://1drv.ms/u/s!AnGFvQ5rPFi4gegbjqjl5zH6d3XF0A?e=uyFpxh to the documents folder in those machines.
Note: It is recommended to copy the folder structure so that they are easy to remove later if so desired.

4. Install the latest Actifile agent (from https://app.actifile.com/Home/DownloadAgentMsi) using the RMM, deployment tools or manually. Remember to use the correct Installkey associated with the demo customer account. Let the system run for a 30 minutes or so until the files are found and classified.

5. To generate Application risk events:
Note: Check that the App WebApp analytics is turned on for the account (under Settings Tab -> General Settings).

Create events:
a. Open the classified documents using local applications
b. Upload files to external applications like whatsapp
c. Upload files to EFSS like OneDrive or to portals (like Google Docs).
d. Generate a few sample reports in the Reports tab.
e. Generate a few sample reports in the Reports tab.
Note: Use files that were detected by the system. Other files in the demo folders may have data that is not relevant to the policies you selected and will therefore not show up in the sensitive column

6. Generate a few sample reports in the Reports tab.

Yes.

SWITCHING AGENTS BETWEEN TENANTS

The correct procedure to switch agents between tenants is to:

Remove the agents from the devices and the previous tenant:

1. Login to the Actifile portal (for the tenant which has the devices prior to removal). Make sure to disable an encryption policies from the device. Use the device risk tool to disable any encryption from the devices to be removed. Copy the agent uninstall key from the deployment tab.

2. Uninstall the agents from the devices using the previous tenant’s uninstall key.

3. In the previous tenant’s portal (as in step 1) select the Deployment Tab -> Installed Devices. Select the uninstalled devices and click delete to remove them from the previous tenant’s reports.

Installation of the devices to the new tenant:

1. Login to the Actifile portal (for the new tenant). Copy the agent install/tenant key from the Deployment tab.

2. Install the agents on the devices with the new tenant’s install/tenant key. answer to this item.

The objective of the tamper-resistance offered by the uninstall key is to minimize the chances that a user will deactivate their agent when encryption policies are in effect (doing so will prevent them from being able to open encrypted files).

The protection is provided by the system only when the services are active with the agent running and executing policies. When active, trying to uninstall the agent will require the use of the uninstall key. However, if the agent isn’t running (e.g. a failed install, failed to connect to a tenant, failed user registration, in case of an error,  etc.) the agent may be removed without a key.

Note: While the functionality delivers some tamper resistance, the Actifile agent isn’t registered as a malware tool with Microsoft and therefore isn’t designed to be tamper proof. For tamper proofing, we believe that the use of a monitoring system that alerts the admin when an agent is tampered with is best.

Data-in-use monitoring enables the application risk visibility and enables automatic decryption to function. It installs a driver that intercepts file reads and writes and can therefore associate an application and a user to file activity.

Prior to enabling Data-in-Use monitoring it is important to ensure that the AV/EDR are set to ignore the Actifile agent. Click link for more details. 

To enable Data-in-Use for all devices

Login to Actifile Management Portal. Note: Partners should select the customer for which the Data-in-use functionality is required.

Click on the Settings tab.  
Click on the General Setting menu item.  
The General Setting Page will be displayed.
Set Enable Data-in-Use Monitoring to ON

It will take the system up to 5 minutes to propagate the new setting to online agents.

To enable Data-in-Use for individual device(s)

Login to Actifile Management Portal. Note: Partners should select the customer for which the Data-in-use functionality is required.

Click on the Deployment tab.  
Select the Installed Devices tool.
Click on the device for which you want to enable data-in-use monitoring.  
The Device Details Page will be displayed.
Set Enable Data-in-Use Monitoring to ON.

It will take the system up to 5 minutes to propagate the new setting to online agents.

Description 

Actifile’s OneDrive / SharePoint and Teams agent is a “Sidecar” type scanner. It is deployed on a VM in the cloud and is run periodically to discover data in files stored in OneDrive, SharePoint sites and Teams shares. 

It uses an Oauth token to authenticate to the repositories.

It appears as an additional device. 

Prerequisites 

In order to run the “sidecar” scanner you will need the following:

• Azure account with the ability to schedule and run VMs.
• Business OneDrive/Sharepoint accounts
• Two service accounts:
  • OneDrive/Sharepoint Service account with Read access to the business OneDrive accounts and Sharepoint sites.
  • Azure Service account authorized to create and run said VMs.
• Powershell console with the Azure Az Powershell module installed (see: Install the Azure Az PowerShell module | Microsoft Learn)

Deploy VM with OneDrive Agent via PowerShell AZ 

Download scripts/onedrive-scanner.ps1 from OneDrive Scanner

From the Actifile portal create a new Actifile config file:
Settings → General Settings → push Login OneDrive Request
You will see a Oauth 2.0 authentication page for the logged in OneDrive / Sharepoint sites. The Actifile scanner will use the token to access OneDrive and Sharepoint.

Important: Choose a user that has access to all the sites you wish to scan.

The Actifile_OneDrive.Conf is an encrypted file that contains the tenant identification as well as the token information. Save it to an accessible location – we chose our CONFPATH share.

Open PowerShell console and run
./onedrive-scanner.ps1 -Command Deploy -ActifileConfigFile CONFPATH/actifile_onedrive.conf
Answer for questions

Note: The script is signed using Actifile’s EV code signing certificate, but it was edited by a trusted user you may get the message saying “.ps1 is not digitally signed. The script will not execute on the system.” In that case you may opt to run
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
This command sets the execution policy to bypass for only the current PowerShell session after the window is closed, the next PowerShell session will open running with the default execution policy. “Bypass” means nothing is blocked and no warnings, prompts, or messages will be displayed

Script commands:

.\onedrive-scanner.ps1  -Command Statuswill show status, logs(could be long enough) and current IP address, if you want to connect using ssh

.\onedrive-scanner.ps1  -Command Stop– will stop VM

.\onedrive-scanner.ps1  -Command Start– will start VM

.\onedrive-scanner.ps1  -Command Remove– will remove VM and associated SSH keys

Get-Help

Print brief help message
Get-Help .\onedrive-scanner.ps1

Print full help message

Get-Help .\onedrive-scanner.ps1 -Full

Print examples

Get-Help .\onedrive-scanner.ps1 -Examples

Print parameter description

Get-Help .\onedrive-scanner.ps1 -Parameter Command

Print all parameters description

Get-Help .\onedrive-scanner.ps1 -Parameter *

Script Parameters

• VmName – virtual machine name. Default : OneDriveScanner
• UserName – username in new virtual machine. Default: azureuser
• ActifileConfigFile – config file downloaded from https://app.actifile.com/Tenant/Default/#/GeneralSettings [Login OneDrive Request]. Default actifile_onedrive.conf
• Command – Deploy  Remove  Start   Status  Stop
  • Deploy – deploy new VM in cloud, install docker and lunch scanning
  • Stop – stop and deallocate VM
  • Start – start VM, update docker image and start scanner
  • Remove – completely remove VM and associated SSH keys
  • Status – print current VM status and if it is started print log
• ResourceGroupName – resource group name in which VM is located
• SelectContext – open browser to choose Azure account.
• Force – do not ask user prompt