Policy - GeoFence

Available in the Policy Editor popup


Geofence will enforce a deny access state on a device if the device software attempts to connect from a restricted IP. Once the device connects from a network that is not restricted it will automatically work again.


For GeoFence to work a live connection to the SafeConsole server is required. To strictly enforce a GeoFence policy it is therefore recommended that devices are either forced to always require a server connection for device unlock using the Device State policy, or only allow devices to unlock inside the Trusted Network using ZoneBuilder.


When the GeoFence becomes enabled it is possible to restrict usage to only named countries and/or IPs.

You can also Allow Only named countries and/or IPs.


The purpose of the feature is to achieve regulatory compliance where data is not allowed outside of specified countries or IPs.


The following configurations are available:

  • Enable Geofencing on devices

    • Prevent device access based on user computer IP Address through Geofence. Geolocation data such as the Country and ISP of the IP Address can also be used to control device access.
  • Geofence message to user textbox
    • Send a custom message to users when their device has been denied access through the Geofence policy.
  • IP addresses textbox - All IP Addresses Allowed as default
    • Separate multiple IP Addresses with commas (198.51.100.1,198.51.100.2). Wildcard and CIRD addresses are supported (198.51.100.* or 198.51.100.0/24)
    • Restriction Mode - radio button
      • Allow Only These IPs (Allow List), for a secure geofence, we recommend allowing approved IP Addresses.
      • Restrict These IPs (Disallow List)
  • Countries textbox - No Countries Blocked as default
    • Restriction Mode - radio button
      • Allow Only These Countries (Allow List)
      • Restrict These IPs (Disallow List)
  • ISPtextbox - No ISP Blocked as default
    • Restriction Mode - radio button
      • Allow Only These ISPs (Allow List)
      • Restrict These ISPs (Disallow List
      • To add ISPs, click Add ISP, enter a known IP associated with the ISP in the popup and perform the lookup by clicking the search-symbol button, then click Add at the bottom of the screen.


Policy device user interactions

The device software will display the configured message if the device is blocked and device enters denied access mode and cannot be unlocked. Once the device connects from an allowed location the device can again be unlocked.