E10.2.100.x - Telemetry - Collects Data and Sends to Epicor

e10

(Haso Keric) #1

In E10.2.100.x I noticed a popup show up in the Admin Consoles which stated that telemetry is enabled by default and you can opt-out by reading the Admin Consols Help, which did not mention telemetry at all.
2018-04-14_1530

The checkbox is located in the Companies Properties
2018-04-14_1432

Does anyone know how much Data Epicor Collects int more detail? Upon further Inspection the Telemetry DLL exists also on the Client side as well (not just Server). Does it send each time you click a ToolClick or Open/Close any form?

2018-04-14_1426

I am certain this data is used for good so Epicor can make better decisions based on analytics what to focus on. However, if you would like to opt-out do you opt-out of it all or is certain information still sent?

As a Publicly Traded company with Defense Contracts, always under the microscope of auditors. It would be very important to us to see a list about detailed data that is collected. If anyone runs into one - please share.


Ability to Send Telemetry Insights to Our Azure
After E10.1.400.22 to E10.2.300.2 upgrade, client hangs for 2 minutes after each program (window) is opened
Would you / How would you want to get contacted because of Telelmetry issues?
(Bart Elia) #2

I’ll track that down. I thought we had a doc on that. The data I have seen is which forms and tabs have been clicked on client side. Perf numbers on server side. It should be doc’d somewhere. I’ll alert the correct folks and you are VERY welcome to ask support.


(Chris Conn) #3

image


(Mark Wonsil) #4

It might be useful to have an Opt-In model that gives users control of what is being sent:

Opt In:
:white_check_mark: Server Performance Data
:white_check_mark: Server Error Events
:white_check_mark: Client Error Events
:x: Financial Information
:white_check_mark: Copy Me on Telemetry Data

There might be more participation.

A special THANK YOU users who do send telemetry data. Everyone who sells something rarely knows how customers use products. That information is incredibly useful to making a better product and identifying where things get broken. It also lets companies know where either more training should be done or re-evaluate development priorities.

Mark W.


(Bruce Ordway) #5

The data includes… IP addresses
collected information is… non-identifiable
Can both be true?


(Mark Damen) #6

Yeah I guess they can. Server IP address is 172.16.0.100, client 1 address 172.16.0.5, client 2 address 172.16.0.10. That internal network could be any company in the world. J


(Bruce Ordway) #7

Yes, makes sense if the IP’s are like those you’d find in E10 logs.

What I was wondering about is if an origination IP could also included somehow.
Not the IP addresses of log data lines… but a header IP address of site where the log was sent from?


(Mitesh Choksi) #8

We could also do with last 2 octates of the IPv4 address or interface ID of IPv6 used to send and nothing more.


(Bart Elia) #9

OK, rallied the appropriate folks internally.
First, there was an overview video done on this so I wanted to post that to set some context…

Next, knowing this audience being a little more tech savvy than most, I assume you will want some examples. We are documenting that so will have something in regular docs and a KB article as soon as possible (If you want a jump start, open Fiddler and peek at the Telemetry Message Header to get an idea what we are collecting).

Lastly, I continue to hope for the day that when opted in, we will get an exception logged in house that generates a customer ticket and you get an email stating which patch the fix is in.

Additionally, we are looking at the navigation folks are doing through the UI - form open, tab click, toolbar click, to see the ‘normal’ flows users take in their day to day jump to ease data entry issues folks have complained about for years. We don’t care about what data is in what fields and don’t track that - just the navigation to speed that for users going forward. Some prelim analysis I saw last month was pretty enlightening and wonderful to leverage in design discussions.

I want to make sure this is above board so appreciate the poke - regulatory concerns are critical. I have no issue trying to dig out the details to alleviate concerns.


(Jose C Gomez) #10

Thanks @Bart_Elia and @hasokeric moving to Expert’s Corner


(Israel Valdez) #11

IP addresses are stripped out of the collected data: https://blogs.msdn.microsoft.com/applicationinsights-status/2018/02/01/all-octets-of-ip-address-will-be-set-to-zero/


(Haso Keric) #12

Epicor 10.2 automatically enables telemetry to collect system data in order to improve the quality of Products & Services, Analyze Trends and Troubleshoot Issues. It does that by collecting Licensing Info, Product Usage and Non-Personal Data. You have the option to Opt-Out.


As you upgrade from 10.1 to 10.2 you may be greeted with the following message during your Application Server Deployment.

2018-04-14_1530

If your Company locality in the Admin Console is set to China or Russia, you unfortunately will not be able to participate.

Where Does The Data Go?

Epicor uses Azure Application Insights. System Admins you might notice frequent pings to dc.services.visualstudio.com or dc.applicationinsights.microsoft.com


What Data is Collected?

For each telemetry event Epicor collects Event Time, Event Name, Device Type, Company ID, User ID (Hashed non-identifiable), Session ID, License, Client IP Address, City, State, Country, Operating System, Computer Name (Cloud Instance) and Epicor Version .

NOTE: The IP Address may no longer be included, there are posts about Azure stripping the IP Address in order to comply with GDPR. I assume the GeoLocation Data such as City, County came from the IP Address - Epicor is not transmitting it

Complete JSON REST Call may look like this

Company, License ID and Enabled Modules

Collects the data about companies, purchased licenses and modules.

Started Client Session

Collects the data about started session.
5

Server Exceptions

Collects the data about errors on the server side. This includes Failed Methods and Stack Traces.

Server Requests

Collects the data for any server request sent from client and server.

Forms

Collects the data about recently opened and closed programs.

7
8

Clicked Action Menu or Toolbar Item

Collects the data for Action Menu or Toolbar Item.
9
10

Activated Tabs or Sheets (Pages)

Collects the data about recently opened tabs and page views.


12

Active Home Page Usage

Collects data about Active Home Page usage.


15

Epicor Data Discovery Usage

Collects data about Epicor Data Discovery usage such as Open EDD Views and Time spent on EDD Views.

Why is Epicor Collecting Data?

It has nothing to do with spying on you, it is merely performance data in order to better understand how to prioritize their resources and support.

Rest assured your keystrokes and data is not being transferred.

How to Opt-Out?

Before you make the decision to opt-out know that sending telemetry data is merely diagnostics information and Epicor can make better investments based on the analytics they receive. Everyone benefits at the end You, Community, Partners and Epicor by sending telemetry data they can look for bottlenecks in Business Object / REST Calls and let’s them know that something should be done, since data doesn’t lie.

In addition, they can see which Forms and Reports are used the most and prioritize their backlog.

Rest assured your keystrokes and data is not being monitored. Application Insights / Telemetry is not just used by Epicor! It is wide-spread and probably even the device you are reading this on is sending some kind of metadata to its developer.

x1

If you or your company still feel uncomfortable sending telemetry data, here is how you opt-out:

You can opt-out by using the Admin Console and navigating to the Application Instance’s Companies Section. Epicor will continue to send telemetry for each client that has an active session, once you restart for example your Epicor Client, the Client will no longer send telemetry data. There is no IIS Restart required.

optout

Your Own Research?

If you would like to do your own research, you can download Fiddler and monitor your HTTPS traffic.


(Haso Keric) #13

Thanks @Bart_Elia for the Fiddler heads-up, no more Wireshark for me. Fiddler makes it so easy to decrypt the HTTPS Traffic. Definitely a new tool in my toolbelt. Heard about it in the past when it was still new, newer used it then, always used Wireshark, WinPCAP or EtherDetect.


(Jose C Gomez) #14

Oh yeah fiddler has been around for years. On my favorite tools for working with REST too