Policy Settings
Policy Settings define the severity of a violation, the automated response action taken on the endpoint, and the secondary actions for incident management and data collection.
Severity and Risk Scoring
When setting up a policy, you can set the Severity depending on the criticality and impact of the policy violation. Each severity rating has an associated value which is used to calculate the risk score for user risk analysis.
| Severity Rating | Value |
|---|---|
| Critical | 8 |
| High | 4 |
| Medium | 2 |
| Low | 1 |
| Informational | 0 |
Response Actions and Behavior
Cyberhaven Sensors provide real-time response capabilities to warn or block users from carrying out particular actions on data.
| Response Action | User Action Outcome | Incident Creation |
|---|---|---|
| Monitor | The user is allowed to proceed with their actions. | Customizable; incident creation can be disabled for this action. |
| Warn | The user is allowed to carry out the action but is warned of the violation. | Mandatory; the option is enabled automatically. |
| Block | Prevents data movement to the destination. | Mandatory; the option is enabled automatically. |
Response Throttling and Skipped Responses
Blocking-related messages presented to the end-user device are throttled to once per 5 seconds (by default).
Subsequent violations that occur within this window are still captured in the Cyberhaven console and are displayed with a "Response skipped: throttled" status in the User Reaction column on the Incidents page.
Self-Service Overrides and Exceptions
If you wish to allow a user to directly override a blocking action, you can configure that option under the "Setup response message" settings.
By default, the override duration is one minute (60 seconds).
If a user creates a self-service exception, it is applied to the dataset, policy, username, event type, and sensor that triggered the block. Policy violations outside of this scope will continue to generate incidents.
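
To make the throttling and exception-scope rules above concrete, the following added example (not Cyberhaven code) models them over a constructed sequence of Block violations from one endpoint. The `Violation` record, the `classify` function, the "dialog shown" and "covered by exception" labels, and the choice to measure the throttle window from the last dialog shown are assumptions made for illustration.

```python
from dataclasses import dataclass

THROTTLE_S = 5    # default message throttle window stated on the page
OVERRIDE_S = 60   # default self-service override duration stated on the page

@dataclass(frozen=True)
class Violation:          # hypothetical record shape, not a Cyberhaven schema
    t: float              # seconds on a constructed timeline
    dataset: str
    policy: str
    username: str
    event_type: str
    sensor: str

    def scope(self):
        # The five attributes a self-service exception is bound to.
        return (self.dataset, self.policy, self.username,
                self.event_type, self.sensor)

def classify(violations, override_at=None):
    """Label Block violations from one endpoint, in time order.

    override_at is the index of the violation whose dialog the user overrides.
    Assumptions: the throttle window runs from the last dialog shown, and the
    exception starts at the overridden violation's timestamp.
    """
    last_dialog, exception, labels = None, None, []
    for i, v in enumerate(violations):
        if exception and v.scope() == exception[0] and v.t < exception[1]:
            labels.append("covered by exception")
        elif last_dialog is not None and v.t - last_dialog < THROTTLE_S:
            labels.append("Response skipped: throttled")
        else:
            last_dialog = v.t
            labels.append("dialog shown")
            if i == override_at:
                exception = (v.scope(), v.t + OVERRIDE_S)
    return labels

# Constructed sample: one user, two policies on the same dataset.
UPLOAD = ("Source code", "Block uploads", "alice", "upload", "endpoint")
USB = ("Source code", "Block USB copy", "alice", "copy", "endpoint")
SAMPLE = [Violation(0, *UPLOAD), Violation(2, *UPLOAD), Violation(3, *USB),
          Violation(10, *USB), Violation(30, *UPLOAD), Violation(61, *UPLOAD)]

if __name__ == "__main__":
    for v, label in zip(SAMPLE, classify(SAMPLE, override_at=0)):
        print(f"t={v.t:>3}s  {v.policy:<15} {label}")
```

The USB-copy violations are never covered by the upload exception, and the upload at 61 seconds produces a dialog again because the 60-second override has expired.
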
End-User Response Message Configuration
When choosing to Warn or Block, you can customize a response message presented on the endpoint, educating end users on the policy violation. Feedback from the user can also be captured at the endpoint.
The following message preferences can be configured:
| Option | Description |
|---|---|
| Show the dialog title | Display the message title to the right of the logo. |
| Require the user to provide a justification | Require an entry in the free-form text box. |
| Require the user to acknowledge the warning | Forces the user to click an acknowledgment button (for Warn actions). |
| Allow the user to request a policy review | Captures feedback from the user if they believe the action should be permitted; "Requested review" will appear under Incidents. |
| Allow user to override blocking | Permits the user to carry out the action after granting themselves an exception (for Block actions). |
| Redirect user to website after closing the popup | Automatically redirects the user to a specified URL (such as a policy education page) after the pop-up is closed. This occurs silently without requiring a link click. By default, the same URL will not trigger a redirect more than once every 24 hours. This interval can be adjusted by Cyberhaven Support. |

Limitation: User warnings are not yet supported for user actions performed in SaaS applications.
Secondary Action: Record Screenshots (EA)
The Record screenshots option relies on Cyberhaven's Content Capture feature and is available for both warning and blocking policy response actions. These capabilities aid in the investigation and prevention of data loss incidents.
Windows Endpoint Sensor Behavior
The Windows Endpoint Sensor continuously captures screenshots of the user's screen at a specific time interval, taking one screenshot per monitor per second by default.
If a policy is violated, screenshots from the last 30 seconds are attached to the incident details.
The Sensor only retains screenshots captured during the last 30 seconds in memory and discards older screenshots.
If the machine is in DirectX mode and there is no new user activity, then screenshots are not taken. If the machine is in GDI mode, screenshots are taken even when the screen is idle.
macOS Endpoint Sensor Behavior (Early Access)
This feature is in Early Access (EA) for macOS Sensors and is disabled by default.
Cyberhaven Support must enable the feature through a remote configuration setting (ask_user).
Due to Apple's restrictions, the end user must grant permission for screen recording via System Settings > Privacy & Security > Screen Recording.
The macOS Endpoint Sensor does not record screenshots continuously. When an incident occurs, the Sensor captures two screenshots: one before the incident and one when the user dismisses the pop-up.
The Sensor retains up to 120 screenshots in memory.
General Screenshot Settings and Limitations
Screenshots are captured in 1080p resolution and stored in .jpeg format. Resolution and time interval can only be customized through the backend by contacting support.
If the user has configured multiple monitors, the Endpoint Sensor takes a screenshot of each monitor.
The screenshot does not show the position of the cursor.
The Sensor pauses screenshots when a warning message is displayed, waiting for the user to dismiss the pop-up. This is done to capture the final state of the pop-up, which may contain user justification.
If the user's machine is offline at the time of an incident, then screenshots taken during the incident are lost, as the sensor does not store them locally.
Screenshot recording on macOS devices can interfere with system notifications.
Secondary Action: Email Notifications
Cyberhaven can send email notifications when policy violations occur, with customized recipients for each policy.
To set up, toggle the "Send email notifications" button within the policy editor and enter a list of email addresses, one per line.
Note: Ensure that you allowlist the Cyberhaven domain cyberhaven.info to receive email notifications.
Branding (Logo)
You may upload a custom logo for your end-user notification messages. This option is available on the Preferences > Logo Settings page.
Submitting Feedback to Apple
Due to Apple's current privacy restrictions, system administrators cannot remotely enable screenshot recording permissions on macOS devices. Cyberhaven encourages customers impacted by these limitations to provide feedback directly to Apple.
To submit feedback to Apple:
- Log in to Apple Feedback Assistant using a Managed Apple ID (ensuring feedback is logged as enterprise feedback).
- Categorize your feedback under Enterprise & Education > MDM.