GEODI can discover data from many sources without any agents. However, in the following or similar cases, GDE (GEODI Desktop Explorer) agent is required.

Network shares are not available or Agentless access is not preferred
EndPoint Discovery/Search is required
EndPoint Remediation (Secure Delete, Quarantine, Classification, Masking ...) is required

1 GDE Deployment
- 1.1 1. Create Feed Source (GDE) & Token
- 1.2 2. Architecture & Scaling
- 1.3 3. Deployment, Permissions & Network
- 1.4 4. Monitoring & Updates
- 1.5 Quick Validation
2 GDE configuration settings
3 Troubleshooting
4 FAQ
5 GDE API
6 Installing GDE as a Windows Service
7 MSI Parameters for SCCM and Similar Deployment Tools

GDE Deployment

1. Create Feed Source (GDE) & Token

Open the Project Wizard, create a Feed Source, and select the GDE model. A dialog will automatically provide the MSI installation parameters.

A GEODI user with Feed permissions is required to generate the connection token used by GDE agents.

Use a dedicated and stable service account. This user should not be changed, disabled, or deleted. If this user is changed, Tokens are invalidated and GDE agents will stop working

The GDE settings file defines the local folder, port, remote content scope (directories and file types), and other parameters. These can be customized before or after deployment using identifiers such as IP address, IP range, Computer Name, or User Name.

2. Architecture & Scaling

Decide the architecture at the beginning. For large environments (high endpoint count or data volume), use multiple GEODI servers and/or NLB.

GEODI provides a built-in NLB mechanism for GDE to distribute endpoint load across servers:
GDE Multi-Server Load Distribution Configuration

3. Deployment, Permissions & Network

Deployment must be performed with a user that has local administrator rights on endpoints.

For remediation actions (delete, quarantine, classify, etc.), the configured account must have write/delete permissions on target data locations.

Ensure bidirectional connectivity between endpoints and the GEODI Server, and that port 1982 (configurable) is open.

Additional recommendations:

Configure AV/EDR exclusions for GDE processes and working directories (see related page for exclusion list)
Start with a pilot deployment before full rollout

4. Monitoring & Updates

Deployment status and agent health can be monitored via the Agent Management Panel:
Agent Management Panel

Agent updates are handled centrally; endpoints typically receive updates automatically (restart may be required).

As the discovery continues , discovery content counts can be monitored for the m-panel or queried or reported as well. In this page a few query exampğle is given.

Quick Validation

Agents are installed, running, and visible in the Agent Management Panel
Endpoints can reach GEODI Server and port 1982 is open
Discovery is running and expected data is visible
Remote content scope is correctly configured
Remediation actions work (if enabled)
No blocking from AV/EDR tools
Pilot deployment completed successfully

Supported Platforms → Windows, Linux, MacOS ve Pardus

Agent Software Updates → Automatic for Windows Clients

MSI Link → <geodi_url>/GUI/Agents/GDE/GEODI.DesktopExplorer.MSI → For Windows clients, GDE agents are automatically updated. This link is automatically populated during GEODI Discovery module setup. Windows agents regularly check this location and self-update when a new version is available.

Service Installation → On Windows file servers, the GDE agent can be installed as a Windows Service, enabling continuous background operation for server-side discovery and actions.

Agent Monitoring → Active agents, GDE and Classifier, monitored and managed via the Agent Management Panel:

GDE configuration settings

You start by modifying default settings. You can clone each setting and customize. Customization depends on naming, and you may use the following rules. Changes become effective in about 10minutes.

<ClientIP> → It is possible to use Ip or IP blocks
- 192.168.1.1,
- 192.168.*
<ClientUserName>
<ClientMachineName>

{
  "FolderList": ["%UserProfile%"],// "*" scan all directory //
  "ExplorerPort": 1982,
  "IgnoreFiles":["*.MP4","*.MOV","*.MP3"],
  "MetaData": {
	"LDAPDN":"=d.CurrentUser!=null?d.CurrentUser.DistinguishedName:null",
	"IP":"=d.ClientIP",
	"ComputerName":"=d.ClientMachineName",
	"UserName":"=d.ClientUserName"
	}
}

Setting Name	Type	Description

Setting Name	Type	Description
FolderList	string[]*	Used to specify the folders to be scanned. Folders can be identified by separating them with ",".Windows, MacOS, and Linux client folders can be used interchangeably. The default directory is `%UserProfile%` ,`\\Users`, `\\Home`(includes documents, downloads, desktops, etc.). Values are case-sensitive. Subdirectories can also be defined as `%UserProfile%\\Desktop`. You can use ["*"] to scan all disks.
ExplorerPort	int	The default is 1982. Alternatively, you may set the port value to 0. Discovery and search will be fine, but GEODI can not open the local files in this case.
EnableLDAP	bool	If a true value is given, LDAP authorizations of the files are also indexed. Default value: false
IgnoreFolders	string[]	List of folders to ignore. * is accepted. Used in combination with the settings under Geodi Settings/IgnoreFolders. Example: `[":\\data","C:\User"]` Default value: null GEODI central file/folder ignore rules always take precedence. The restrictions specified within the settings are applied additionally. By default, to safeguard the network resource, only the name and date of files larger than 100MB are indexed. This limit is set to 500MB for compressed file contents. These values can be modified on the GEODI server.
IgnoreFiles	string[]	List of folders to ignore. * is accepted and used with the settings under Geodi Settings/IgnoreFileTypes. Default value:`[".MP4",".MOV","*.MP3"]` GEODI central file/folder ignore rules always take precedence. The restrictions specified within the settings are applied additionally. By default, to safeguard the network resource, only the name and date of files larger than 100MB are indexed. This limit is set to 500MB for compressed file contents. These values can be modified on the GEODI server.
Metadata		You can define metadata for parsing files from clients. These metadata are specified in the settings file. The values used in the default settings can be seen in the example file. Searching with metadata is done with <metaname>:<value> Example `IP:192.168.1.1` The defined metadata and values will be visible in the GEODI search interface.

Troubleshooting

Check if the client has access to the GEODI Server. GEODI should be accessible through a browser on the client. Enter the GEODI address in a browser on the client; there should be access.
The GEODI server should be accessible from the client's GDE. Using a browser on the client, enter <ClientIP>:<1982>/DEW?op=GetLastError. If everything is fine, it should return null. The ExplorerPort specified in GDE rules, e.g., ExplorerPort=1982 (or the chosen port), should be open.
Inspect the Firewall, Antivirus, or any similar tool to ensure there is no blocking mechanism preventing communication.
Check if the client machine is operational. GDE should be installed and running (Geodi.Desktopexplorer.exe should be in the task list).
Verify the status of the received TOKEN: <GEODI_URL>/API/token_parser.html.
Examine the Agent Management Panel; if the endpoint's status looks good, waiting for a while may resolve the issue. The GEODI Server queues incoming data, so the files at the endpoint might not be due yet.
If everything seems correct but data is still not coming through, check the FolderList and IgnoreFolders values in the GDE rules.
If you are not receiving the expected file type, ensure that the extension is not listed in the IgnoreFiles value in the GDE rules.

The default settings block some large files, like videos. Files larger than 100 MB or compressed files larger than 500MB are blocked. You may change the settings. The settings will be effective in about an hour.

Install the GDE as usual. The endpoint will be treated as new. The old data is preserved.

You can change 1982 to anything available. Please be careful about not assigning ports that have already been used.
You may set the GDE port to 0, but GEODI can not open the remote files in this case. The search and discovery are unaffected.

GEODI Server uses a queue for content coming from all EndPoints and process files depending on Discovery Speed Settings. The total unstructured data comsuption should be no less that 500GB-1.5TB/day if the server has recommended values.
Check Firewall or Virus Check software which might intervene even file. Exclude GEODI from this checks.
Check DLP software which also interfene every file. Exclude GEODI from this check. You can change 1982 to anything available. Please be careful about not assigning ports that have already been used.
Check Network Speed and take action to increase that.
Check I OCR is open, OCR requires more CPU time to process.

FAQ

It is no different than the other. Add layer:GDE <machinename> into query.

layer:GDE <machinename> will query the files.
layer:GDE <machinename> doc:*.pdf will list the PDF files.
layer:GDE <machinename> doc:*.pdf contract will list the PDF files with the word contract.

The GEODI legacy data classification tool classifies remote files if you have the classification agent installed on the same endpoint.

Yes, GEODI remediation tools cover remote files as well. The only requirement is that the user should have delete/update permission on the remote machines. This way, GEODI deletes, makes, or encrypts remote files like the local ones.

Search is unaffected, but you can not open/view or remediate the files.

No, GDE does not copy the local files. But if you need to backup local files, check the “backup content" in the GEODI source dialog. You may activate or deactivate this setting at any time.

Sistem Admins see all files.
Other users' permissions depend on Enable LDAP settings. If LDAP is enabled, then local permissions are used.
It is possible to set each user to see their PC files. Please ask the DECE team how to do that.

Install the GDE as usual. The endpoint will be treated as new. The old data is preserved.

GDE API

You may use a browser to make these calls.

<ClientIP>:<1982>/DEW?op=GetStatus	Gets the status of GDE Agent `{"StatusText":"","RequestCount":0,"FileCount":0,"SendCount":0,"IgnoreCount":0,"Server":"<GEODI_URL>"}` Default port = 1982, may be different

<ClientIP>:<1982>/DEW?op=GetStatus

Gets the status of GDE Agent

{"StatusText":"","RequestCount":0,"FileCount":0,"SendCount":0,"IgnoreCount":0,"Server":"<GEODI_URL>"}

Default port = 1982, may be different

<ClientIP>:<1982>/DEW?op=GetLastError

Gets the GDE agent errors.

If no error, retuns null. Else

{"Server":"<GEODI_URL>", "LastErrorTime": {}, "LastError" : "", "TotalErrorCount": n}

Installing GDE as a Windows Service

This option is used to index/discover FileServers with GDE.

Requirements for Installation

In addition to the Windows MSI requirements:

The Windows Service user must have read-only access to the FileServer directories.
A separate configuration file must be created under the GEODI Server for each File Server to define the directories to be indexed and other rules. Details are provided on the main page..

After installing GDE on Windows, it can be turned into a service using the WindowsServiceInstall.bat file located in the same directory.

The service mode can be removed using the WindowsServiceUninstall.bat file.
When running in service mode, no logged-in user is required for the service to function.

GDE runs under the Local System account in default service installations. No special authorization is required for remediation/data improvement operations performed through GEODI Workflows. If you wish, you can assign a user other than Local System for the GDE service account. In that case, the operations will be carried out with the assigned user's permissions.

MSI Parameters for SCCM and Similar Deployment Tools

When deploying the GDE agent using ManageEngine, SCCM, or similar tools, you’ll need to provide specific MSI installation parameters.

💡 Good news:
The GDE interface automatically generates these parameters based on your project and feed settings. Copy and paste the generated command line into your deployment tool.

This includes:

GEODI server address
Connection token
Desired scan directories
Optional custom port or labels

✅ Just run the MSI with the generated line—no manual editing needed.

Parameters	Description

Parameters

Description

GEODI_URL=

When configuring GDE agents, you must provide the GEODI server address.

🔐 Best Practice:
Use a secure (HTTPS) address with proper DNS and SSL configuration to ensure encrypted communication and trust between endpoints and the GEODI server.

Requirements:

The address should be publicly resolvable if endpoints are outside the network
An SSL certificate should be installed on the GEODI server
Avoid using IP addresses or unsecured HTTP links in production environments

GEODI_WSNAME=

Workspace Name to Feed

GEODI_TOKEN=

The MSI installation parameters for GDE are automatically generated, including a connection token linked to the GEODI user who created it.

⚠️ Important:
The password of the user who generated the token must not change.
If it changes:

The token becomes invalid
A new token must be generated
All previously installed agents may need to be reinstalled or reconfigured

✅ To avoid disruptions:

Use a dedicated service account for token generation
Keep the password secure and unchanged

The following commands can be used for deployment with a tool such as PDQ, ManageEngine, SCCM.

Process	Commands	Notes

Process

Commands

Notes

Install

"GEODI.Classifier.msi" /quiet GEODI_URL="https://icdemo.dece.com.tr/" GEODI_WSNAME="PII" GEODI_TOKEN="EAAAAL%%2FcQ9RvjWM…"

All params are auto-generated by GEODI. We suggest using those params.

Uninstall

msiexec.exe /x "GEODI.DesktopExplorer.msi" /qn /norestart

You do not need the MSI package to uninstall. Check the PowerShell documentation.

EndPoint Discovery Agent - GEODI Desktop Explorer(GDE)