Policy - Trusted Network
Available in the Policy Editor popup
The Trusted Network is a way for admins to create a Trusted Zone in which other policies can use to either restrict or provide extra convenience or features depending if an endpoint is unlocked inside or outside the Trusted Zone.
By default, all live connections to the SafeConsole Server are considered to be in the Trusted Network and thus the Trusted Zone.
The Trusted Network is created by providing an allowed list of IP addresses, Countries, or ISPs. Once configured a device will need to be connected to a computer that can reach the SafeConsole server through an IP address that is allowed to be considered inside the Trusted Network and thus the Trusted Zone. Another way to be inside the Trusted Zone is with ZoneBuilder Trusted Certificates.
- When used with the Write-Protection policy, you can ensure that devices only unlock in read-only mode if connecting from an untrusted network.
- When used with the ZoneBuilder policy, you can block devices from auto-unlocking or prevent access if the device is connecting from an unknown network. Note that you may use ZoneBuilder certificates to securely trust computers that are outside your trusted network.
For Trusted Network to work a live connection to the SafeConsole server is required. To strictly enforce a trusted network it is therefore recommended that devices are either forced to always require a server connection for device unlock using the Device State policy, or only allow devices to unlock inside the Trusted Network using ZoneBuilder.
The following configurations are available:
Enable Trusted Network
- Trusted Network is a way for admins to create a Trusted Zone which other policies can use to either restrict or provide extra convenience, or features, depending on if a device is unlocked inside or outside the Trusted Zone. If the Trusted Network policy is not configured, then all live connections to the SafeConsole Server are considered to be in the Trusted Network and thus the Trusted Zone.
- To register a device, the user will need to make a connection to SafeConsole from inside the Trusted Network
- IP addresses field
- Separate multiple IP Addresses with commas (198.51.100.1,198.51.100.2). Wildcard and CIDR addresses are supported (198.51.100.* or 198.51.100.0/24)
- Restriction Mode - radio button
- Allow Only These IPs (Allow) Allowing approved IP Addresses is highly recommended
- Restrict These IPs (Disallow)
- Countries field- All Countries Allowed as default
- Enter countries to allow only these countries (Allow list)
- ISP field - All ISPs Allowed as default
- Enter ISPs to allow only these ISPs (Allow list)
- To add ISPs, click Add ISP, enter a known IP associated with the ISP in the popup and perform the lookup by clicking the search-symbol button, then click Add at the bottom of the screen.
Policy device user interactions
The user is alerted when trying to register a device when outside the Trusted Network. Other policies can also change how they interact with the user based on if the user is inside the Trusted Network. An example would be the Write Protection policy, which can be configured to disable writing to the device when outside the Trusted Zone. In this case, the user will be notified they the drive is write-protected when unlocked outside the Trusted Zone.