Overview of Endpoint Data Discovery configuration

Set the EDD rules

EDD rules define which types of information to detect. The files on a device's hard drive are scanned for information based on the rules set for the policy. You can update the rule selection at any time to scan for different information. You can select one, some, or all of the following rules:

Set the scan schedule

Set the day and time to scan each device, based on the defined rules.

You can configure two types of scans:

Scan type	Description
Full scan	Opens and scans the files on a device's hard drive, according to the scan configurations Full scans can occur on a monthly or quarterly basis. Depending on the number of devices, the number of files on each device's hard drive, and the size of those files, a full scan may take between a few hours and a few days to complete.
Delta scan	Opens and scans the files on a device's hard drive that were added or edited since the last full scan Delta scans can occur on a daily or a weekly basis.

Scan type

Description

Full scan

Opens and scans the files on a device's hard drive, according to the scan configurations

Full scans can occur on a monthly or quarterly basis. Depending on the number of devices, the number of files on each device's hard drive, and the size of those files, a full scan may take between a few hours and a few days to complete.

Delta scan

Opens and scans the files on a device's hard drive that were added or edited since the last full scan

Delta scans can occur on a daily or a weekly basis.

Best practice is to set a schedule that uses a combination of full and delta scans. For example, you may want to use one of the following scan schedules:

Monthly full scans and twice weekly delta scans
Quarterly full scans and weekly delta scans

The system retains data from the last two full scans and all subsequent delta scans. All prior data is discarded. You may want to take this into consideration when you set the full scan schedule. For example, if you set the full scan frequency to Quarterly, you can view up to six months of historical data on a device's EDD History page in Device Details, but if you set it to monthly, you can view only two months of data.

Set the battery power setting

Specify whether you want a device's available battery power to determine when an EDD scan runs.

You can select one of the following options:

Option	Description
Scan at any battery level	The EDD scan runs regardless of the level of available battery power on a device This is the default option.
Scan while battery level is above the following percentage	The EDD scan runs only when the device's available battery power is above a specified level After you select this option, click the percentage field and enter the minimum battery power level for an EDD scan to run. The default value is 50% but any value between 1% and 99% is valid. If the battery power falls below the specified level while an EDD scan is running, the scan is paused until the device is reconnected to an external power source.
Never scan while on battery power	The EDD scan runs only when the device is connected to an external power source If a device is unplugged while an EDD scan is running, the scan is paused until the device is reconnected to an external power source.

Option

Description

Scan at any battery level

The EDD scan runs regardless of the level of available battery power on a device

This is the default option.

Scan while battery level is above the following percentage

The EDD scan runs only when the device's available battery power is above a specified level

After you select this option, click the percentage field and enter the minimum battery power level for an EDD scan to run. The default value is 50% but any value between 1% and 99% is valid.

If the battery power falls below the specified level while an EDD scan is running, the scan is paused until the device is reconnected to an external power source.

Never scan while on battery power

The EDD scan runs only when the device is connected to an external power source

If a device is unplugged while an EDD scan is running, the scan is paused until the device is reconnected to an external power source.

Set the scan level

The Scan Level defines which file types and file locations to scan for confidential or at-risk content.

Scan levels

You can select one of the following levels:

Scan Level	Description
Targeted (default)	This level is associated with the narrowest scan scope. When this option is selected, the following Internet Media Type Similar to a MIME type, an Internet Media Type is a standard identifier to indicate the type of content contained in a file on the Internet. The format of the identifier is type name/subtype name (for example, application/zip or text/plain).s are scanned, if they are stored on a device in a directory typically used to store user data. Directories that are typically used to store program files and system files are not scanned. Windows application/msword application/pdf application/vnd.lotus-wordpro application/vnd.ms-excel application/vnd.ms-office application/vnd.ms-powerpoint application/vnd.ms-rms-encrypted application/vnd.ms-pfile application/vnd.oasis.opendocument.presentation application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text application/CDFV2-encrypted application/x-7z-compressed application/x-epoc-sheet application/x-epoc-word application/x-gzip application/x-rar application/x-tar application/x-xz application/xml application/zip text/html text/plain text/rtf Due to the narrow scope, Targeted scans tend to take less time to complete than the other options. They may also generate fewer false positives A result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data..
Moderate	This level is associated with a broader scan scope than a Targeted scan. When this option is selected, most Internet Media Types are scanned, if they are stored on a device in a directory typically used to store user data. Directories that are typically used to store program files and system files are not scanned. File types scanned
Extended	This level is associated with the broadest scan scope. When this option is selected, virtually all Internet Media Types are scanned in all directories, with a few exceptions (some system directories are excluded). On Mac devices, .sparsebundle folders and .sparseimage files are not scanned. Due to the broad scope, Extended scans tend to take more time and resources (CPU, power, and memory) to complete than the other options, and they may significantly increase the number of false positives.

Scan Level

Description

Targeted

(default)

This level is associated with the narrowest scan scope. When this option is selected, the following Internet Media Type Similar to a MIME type, an Internet Media Type is a standard identifier to indicate the type of content contained in a file on the Internet. The format of the identifier is type name/subtype name (for example, application/zip or text/plain).s are scanned, if they are stored on a device in a directory typically used to store user data. Directories that are typically used to store program files and system files are not scanned.

Windows

application/msword
application/pdf
application/vnd.lotus-wordpro
application/vnd.ms-excel
application/vnd.ms-office
application/vnd.ms-powerpoint
application/vnd.ms-rms-encrypted
application/vnd.ms-pfile
application/vnd.oasis.opendocument.presentation
application/vnd.oasis.opendocument.spreadsheet
application/vnd.oasis.opendocument.text
application/CDFV2-encrypted
application/x-7z-compressed
application/x-epoc-sheet
application/x-epoc-word
application/x-gzip
application/x-rar
application/x-tar
application/x-xz
application/xml
application/zip
text/html
text/plain
text/rtf

Due to the narrow scope, Targeted scans tend to take less time to complete than the other options. They may also generate fewer false positives A result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data..

Moderate

This level is associated with a broader scan scope than a Targeted scan. When this option is selected, most Internet Media Types are scanned, if they are stored on a device in a directory typically used to store user data. Directories that are typically used to store program files and system files are not scanned.

File types scanned

Extended

This level is associated with the broadest scan scope. When this option is selected, virtually all Internet Media Types are scanned in all directories, with a few exceptions (some system directories are excluded). On Mac devices, .sparsebundle folders and .sparseimage files are not scanned.

Due to the broad scope, Extended scans tend to take more time and resources (CPU, power, and memory) to complete than the other options, and they may significantly increase the number of false positives.