In SafeConsole 5.2+ GeoFence can now be set by Policy instead of server-wide. This allows each group of users to have their own GeoFence policy. GeoFence will enforce a deny access state on a device if the device software attempts to connect from a restricted IP. Once the device connects from a network that is not restricted it will automatically work again.




As well as blocking the device from the user the admin will be notified in the Audit Logs.



For GeoFence to work a live connection to the SafeConsole server is required. To strictly enforce a GeoFence policy it is therefore recommended that devices are either forced to always require a server connection for device unlock using the Device State policy or only allow devices to unlock inside the Trusted Network using Zone Builder.

The purpose of the feature is to achieve regulatory compliance where data is not allowed outside of specified countries or IPs.


In the Policy, clicking "Enable Geofencing on devices" brings up the following menu: 



Geofence message to user: This allows you to enter a message to display to the user when they are outside the GeoFence. They will receive the message when attempting to unlock outside the GeoFence.


You can then define the GeoFence by either IP Addresses, Countries, or ISPs. You are able to allow or disallow based on these entries. Country and ISP data are obtained by the user's IP address. If you have issues with the reported IP Address or if you need to edit the location of an IP address please see the following article: Edit GeoLocation Data For On-Prem installs all private IPs will need to be defined to work correctly with GeoFence.


IP Addresses: Can be entered using CIRD subnet masks, such as 192.168.1.0/24, or wildcard octets, such as 192.168.1.*. Both of these will include the 192.168.1.0 - 192.168.1.255 Range. 


Countries: Start typing a country in the text field then select it from the popup.


ISPs: Clicking the textbox will bring up the previous ISPs that have connected to the server. If you would like to enter an ISP that hasn't connected to the server yet, click "Add more ISPs." This will bring up a menu that lets you search for an ISP by IP address. You can then make further changes to this IP address such as its exact location.