Opendium Documentation - User contributions [en-gb]

PSI Secure Browser

2025-12-11T12:58:50Z

Chris: /* Configuration */ Adding information about the PSI Secure Browser override.Chris

== Status ==
We cannot guarantee that PSI Secure Browser will work through an Opendium system. When a school reports problems using this software, we are usually able to work with them to adjust their configuration to allow it to work, but in our experience it is very likely to stop working again in the future.

== Configuration ==
Exams this year for the Psi Browser have changed again to the following:

psiexams.com

ably.io

ably-realtime.com

main.realtime.ably.net

We have created an override to use so you don't have to add these sites to a site wide override of Disable HTTPS Decryption.

To apply the override, go to:

UTM -> Web -> Overrides and Walled Garden -> Select the group you want to apply the override to.

Click Add Override, and select App: Psi Secure Browser say OK.

Then Click Save Configuration.

You will also need to set the Twilio Video rule bundle to allow on the Egress tab under the Firewall for the users/subnets that are wanting to use the psi browser.

Client configuration to consider: The user must be able to run the psi browser as administrator and be able to have access to a webcam and microphone.

== Detail ==
PSI Secure Browser is a piece of software used by exam boards such as [https://abrsm.org ABRSM], to provide exams to students. Unfortunately, schools are provided with very little information regarding firewalling and filtering changes that they need to make to allow PSI Secure Browser to work on their networks.

Although there is a [https://helpdesk.psionline.com/hc/en-gb/articles/360055813952-RPNow-List-of-Websites-to-Whitelist-on-your-Anti-Virus-Applications whitelist available], this is not comprehensive and PSI Secure Browser appears to require access to a number of other hosts which are not listed on that website. The whitelist also recommends whitelisting ''all'' content which is hosted through Amazon AWS. As Amazon AWS hosts an enormous amount of content for all manner of organisations, including content which is unsafe, we believe that a school would be negligent were they to follow these recommendations.

Whilst a network test service is available, this does not appear to comprehensively test all of the requirements for the exams, and we therefore have numerous cases of schools believing that everything is set up to work and then only discovering that it doesn't work when the exam starts. There does not seem to be a way to comprehensively test that PSI Secure Browser will work for an exam until the exam is actually in progress.

We have also identified bugs in PSI Secure Browser which result in it being left in a broken non-functional state if challenged for authentication by the proxy.

Without comprehensive information regarding PSI Secure Browser's technical requirements, we have to reverse engineer it by examining its network traffic in order to create a configuration which will work. Unfortunately, we have seen that its technical requirements frequently change, and therefore a configuration which works now will likely not work in the future.

In order to produce a stable configuration that would allow this software to work, we would require a more comprehensive list of its technical requirements. However, our attempts to open a dialogue with [https://www.psionline.com PSI] and to report the bugs in their software have been completely ignored.

Whilst we recognise that schools have little choice but to use whatever software the exam boards dictate, we feel that schools should be feeding back these problems to the exam boards so that they can put pressure on the software vendors to behave responsibly.

== Vendor Contact Log ==
The following log summarises discussions with PSI regarding the problems listed above.

{{Contact Log Link|date=2022-03-24|summary=Reported to PSI}}
{{Contact Log Link|date=2022-05-25|summary=Reported to ABRSM}}

[[Category:Third Party Software Compatibility]]

Android Configuration

2025-05-08T08:34:31Z

Chris: Added anonymous field must be blank.

==Important note: compatibility with safeguarding obligations==
In July 2016, Google [https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html announced] that Android applications would no longer trust any certificates which are installed by the user. This limitation cannot be overridden by the user, nor by the administrator of devices that are managed through an MDM. This limitation does not ''currently'' affect web browsing from Android devices, but does make it impossible for most other apps to be appropriately filtered or monitored, beyond simply allowing or blocking the entire app. This also introduces a significant administrative overhead, as it forces administrators to make a decision over which apps to allow through unfiltered, and to maintain lists of the services that must therefore not be decrypted.

Despite numerous attempts by filtering suppliers and schools to open a dialogue with Google, Google has stated that this is the intended behaviour and that it will not be fixed.

We firmly believe that schools cannot meet their statutory safeguarding obligations, to appropriately filter and monitor the children who are under their care, if they are not able to use HTTPS decryption technologies. Through their hostility towards these important online safety technologies, Google are unnecessarily endangering children and creating significant liabilities for schools. Unfortunately, we feel that '''we cannot recommend that schools purchase Android devices''', and that they should instead opt for Apple or Microsoft.

We do acknowledge that, where Bring Your Own Device networks are concerned, schools do not have a choice over which devices are used. We will always endeavour to provide the best possible support for all types of devices, no matter what the supplier's position is regarding online safety technologies.

==One-to-one devices==
This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Android Configuration#Shared devices|shared devices]].

*If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking a network access controller to the Opendium system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''Single User Devices''.
*If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials, make sure the anonymous field is blank (you may have to delete the word anonymous if it is pre-populated).
*If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. Some devices can automatically log in to the captive portal using the WISPr protocol whenever the device reconnects to the network. Unfortunately WISPr has been patented by Apple and is therefore not supported by most Android devices.

If the network's [[Web: Permissions & Limits#HTTPS decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate, either through an MDM or:

*Ensure that a lock screen PIN is configured on the Android device
*Launch Chrome and browse to https://''<your Opendium host name>''/opendium.crt or scan the QR code that is displayed on the [[Web]] tab.
*Once downloaded you will get a pop up message saying: "Install CA certificates in Settings - This certificate from null must be installed in Settings. Only install CA certificates from organisations that you trust" Select close
*Open Settings -> Security -> Encryption & Credentials -> Install a certificate.
*Select CA certificate: a message appears saying "Your data won't be private....snip....data is encrypted" select Install anyway
*Enter your pin or biometrics to install and locate the opendium.crt file you saved above, tap this and you should a message flash up saying "CA certificate installed"
*Tap back, and confirm the certificate is installed by clicking "Trusted credentials" then select User and you should see the opendium.crt there.
*The certificate should now be installed in the system and browsing to https pages no longer give you an insecure warning.

Note that once the decryption certificate is installed, the device will always show a notification that states "Network may be monitored by an unknown third party".

==Shared devices==
This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

*Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking a network access controller to the Opendium system|send RADIUS accounting data]] to the Opendium system.
*Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''RADIUS''.
*Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-tablet". This user must exist on the Opendium system.
*The user must use the captive portal to authenticate.
*When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's [[Web: Permissions & Limits#HTTPS decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. This is usually done through your MDM system.

Shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User identification|User Identification]].
[[Category:Client Configuration]]

Chrome OS Configuration

2024-11-07T12:42:40Z

Chris: I have added a new page for adding the https decryption certificate to chrome OS

==One-to-one devices==
This section covers devices which are not managed by the school through an MDM and are standalone or BYOD devices information on shared devices will be updated at a later date in the [[Chrome OS Configuration#Shared Devices|Shared Devices]] section.
*If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''Single User Devices''.
*If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
*If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate.
If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:

* Open and login to the Chromebook
* Open chrome web browser and navigate to the certificate location <UTM/Webgateway>/opendium.crt
* This will download the certificate to your chromebook, click show in folder to confirm the certificate has downloaded and where it is saved. by default this will be the downloads folder:

[[File:3 Cert in downloads folder.png|alt=Certificate in downloads folder.|border|center|Certificate in downloads folder.]]

* In the URI bar go to chrome://settings or click the three dots top right and click settings:

[[File:4 chrome settings.png|border|center]]

* Navigate to: Privacy and Security -> Security -> Advanced -> Manage Certificates

[[File:Privacy and Security.png|border|center]]
[[File:Manage Certificate.png|border|center]]

* Select the Authorities tab

[[File:Certificate Authorities.png|border|center]]

* Click Import and select opendium.crt if it isn't visible navigate to the location you downloaded the certificate to above.

[[File:Certificate in downloads.png|border|center]]

* Select at least "Trust this certificate for identifying websites" and click OK

[[File:Trust certificate.png|border|center]]

* Check the opendium certificate is in the authorities list by scrolling down the list.

[[File:Check cert.png|border|center]]

You should now be able to browse HTTPS sites without getting a security warning.

==Shared Devices==
Coming Soon.

File:Check cert.png

2024-11-07T12:40:56Z

Chris:

Check the certificate i in the authorities list

File:Trust certificate.png

2024-11-07T12:39:55Z

Chris:

The trust certificate

File:Certificate in downloads.png

2024-11-07T12:38:16Z

Chris:

Locate the downloaded certificate from above.

File:Certificate Authorities.png

2024-11-07T11:25:34Z

Chris:

Chrome OS Certificate Authorities settings page.

File:Manage Certificate.png

2024-11-07T11:15:37Z

Chris: Chris uploaded a new version of File:Manage Certificate.png

ChromeOS settings - Manage certificates page.

File:Manage Certificate.png

2024-11-07T11:01:15Z

Chris:

ChromeOS settings - Manage certificates page.

File:Privacy and Security.png

2024-11-07T10:59:09Z

Chris:

Privacy and Security settings screen in ChromsOs

PSI Secure Browser

2024-07-29T11:08:55Z

Chris: /* Configuration */

== Status ==
We cannot guarantee that PSI Secure Browser will work through an Opendium system. When a school reports problems using this software, we are usually able to work with them to adjust their configuration to allow it to work, but in our experience it is very likely to stop working again in the future.

== Configuration ==
Exams this year for the Psi Browser seem to need the following uri's in the Disable HTTPS Decryption override:

psiexams.com

ably.io

ably-realtime.com

You will also need to set the Twilio Video rule bundle to allow on the Egress tab under the Firewall for the users/subnets that are wanting to use the psi browser.

Client configuration to consider: The user must be able to run the psi browser as administrator and be able to have access to a webcam and microphone.

== Detail ==
PSI Secure Browser is a piece of software used by exam boards such as [https://abrsm.org ABRSM], to provide exams to students. Unfortunately, schools are provided with very little information regarding firewalling and filtering changes that they need to make to allow PSI Secure Browser to work on their networks.

Although there is a [https://helpdesk.psionline.com/hc/en-gb/articles/360055813952-RPNow-List-of-Websites-to-Whitelist-on-your-Anti-Virus-Applications whitelist available], this is not comprehensive and PSI Secure Browser appears to require access to a number of other hosts which are not listed on that website. The whitelist also recommends whitelisting ''all'' content which is hosted through Amazon AWS. As Amazon AWS hosts an enormous amount of content for all manner of organisations, including content which is unsafe, we believe that a school would be negligent were they to follow these recommendations.

Whilst a network test service is available, this does not appear to comprehensively test all of the requirements for the exams, and we therefore have numerous cases of schools believing that everything is set up to work and then only discovering that it doesn't work when the exam starts. There does not seem to be a way to comprehensively test that PSI Secure Browser will work for an exam until the exam is actually in progress.

We have also identified bugs in PSI Secure Browser which result in it being left in a broken non-functional state if challenged for authentication by the proxy.

Without comprehensive information regarding PSI Secure Browser's technical requirements, we have to reverse engineer it by examining its network traffic in order to create a configuration which will work. Unfortunately, we have seen that its technical requirements frequently change, and therefore a configuration which works now will likely not work in the future.

In order to produce a stable configuration that would allow this software to work, we would require a more comprehensive list of its technical requirements. However, our attempts to open a dialogue with [https://www.psionline.com PSI] and to report the bugs in their software have been completely ignored.

Whilst we recognise that schools have little choice but to use whatever software the exam boards dictate, we feel that schools should be feeding back these problems to the exam boards so that they can put pressure on the software vendors to behave responsibly.

== Vendor Contact Log ==
The following log summarises discussions with PSI regarding the problems listed above.

{{Contact Log Link|date=2022-03-24|summary=Reported to PSI}}
{{Contact Log Link|date=2022-05-25|summary=Reported to ABRSM}}

[[Category:Third Party Software Compatibility]]

File:4 chrome settings.png

2024-07-18T11:15:15Z

Chris:

Navigate to chrome settings

File:3 Cert in downloads folder.png

2024-07-18T11:09:44Z

Chris:

default certificate location.

Apple iOS Configuration

2024-04-02T13:50:53Z

Chris: I have the instructions for installing the decryption certificate on the latest apple Ios.

== One-to-one devices ==
This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Apple iOS Configuration#Shared devices|shared devices]].

* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''Single User Devices''.
* If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
* If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. iOS devices can automatically log in to the captive portal using the WISPr protocol whenever the device reconnects to the network.

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate, either through an MDM or:

* Launch Safari and browse to https://''<your Opendium host name>''/opendium.crt or scan the QR code that is displayed on the [[Web]] tab.
* A message pops up and asks if you want to allow the profile, click Allow.
* A message comes up that says you will need to install this profile through settings''.''
* Navigate to settings and there should be a Profile Downloaded section click this, this will disappear after 8 minutes and be deleted if not used, only 1 profile can be accessed in this way at a time(it will always be the most recent profile downloaded).
* Click the install option in the top right corner of the profile and follow the install wizard for the profile.
* On iOS 10.3 and above, go to Settings > General > About > Certificate Trust Settings and enable full trust for the Opendium certificate. This step is not required for earlier versions of iOS.

== Shared Devices ==
This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

* Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system.
* Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''.
* Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-tablet". This user must exist on the Opendium system.
* The user must use the captive portal to authenticate.
* When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. This is usually done through your MDM system.

Shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User%20identification|User Identification]].
[[Category:Client Configuration]]

Android Configuration

2024-02-27T16:09:36Z

Chris: I have amended how to install a CA certificate for a stand alone android device.

==Important note: compatibility with safeguarding obligations==
In July 2016, Google [https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html announced] that Android applications would no longer trust any certificates which are installed by the user. This limitation cannot be overridden by the user, nor by the administrator of devices that are managed through an MDM. This limitation does not ''currently'' affect web browsing from Android devices, but does make it impossible for most other apps to be appropriately filtered or monitored, beyond simply allowing or blocking the entire app. This also introduces a significant administrative overhead, as it forces administrators to make a decision over which apps to allow through unfiltered, and to maintain lists of the services that must therefore not be decrypted.

Despite numerous attempts by filtering suppliers and schools to open a dialogue with Google, Google has stated that this is the intended behaviour and that it will not be fixed.

We firmly believe that schools cannot meet their statutory safeguarding obligations, to appropriately filter and monitor the children who are under their care, if they are not able to use HTTPS decryption technologies. Through their hostility towards these important online safety technologies, Google are unnecessarily endangering children and creating significant liabilities for schools. Unfortunately, we feel that '''we cannot recommend that schools purchase Android devices''', and that they should instead opt for Apple or Microsoft.

We do acknowledge that, where Bring Your Own Device networks are concerned, schools do not have a choice over which devices are used. We will always endeavour to provide the best possible support for all types of devices, no matter what the supplier's position is regarding online safety technologies.

==One-to-one devices==
This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Android Configuration#Shared devices|shared devices]].

*If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking a network access controller to the Opendium system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''Single User Devices''.
*If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
*If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. Some devices can automatically log in to the captive portal using the WISPr protocol whenever the device reconnects to the network. Unfortunately WISPr has been patented by Apple and is therefore not supported by most Android devices.

If the network's [[Web: Permissions & Limits#HTTPS decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate, either through an MDM or:

*Ensure that a lock screen PIN is configured on the Android device
*Launch Chrome and browse to https://''<your Opendium host name>''/opendium.crt or scan the QR code that is displayed on the [[Web]] tab.
*Once downloaded you will get a pop up message saying: "Install CA certificates in Settings - This certificate from null must be installed in Settings. Only install CA certificates from organisations that you trust" Select close
*Open Settings -> Security -> Encryption & Credentials -> Install a certificate.
*Select CA certificate: a message appears saying "Your data won't be private....snip....data is encrypted" select Install anyway
*Enter your pin or biometrics to install and locate the opendium.crt file you saved above, tap this and you should a message flash up saying "CA certificate installed"
*Tap back, and confirm the certificate is installed by clicking "Trusted credentials" then select User and you should see the opendium.crt there.
*The certificate should now be installed in the system and browsing to https pages no longer give you an insecure warning.

Note that once the decryption certificate is installed, the device will always show a notification that states "Network may be monitored by an unknown third party".

==Shared devices==
This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

*Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking a network access controller to the Opendium system|send RADIUS accounting data]] to the Opendium system.
*Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''RADIUS''.
*Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-tablet". This user must exist on the Opendium system.
*The user must use the captive portal to authenticate.
*When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's [[Web: Permissions & Limits#HTTPS decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. This is usually done through your MDM system.

Shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User identification|User Identification]].
[[Category:Client Configuration]]

Apple iOS Configuration

2024-02-26T11:21:10Z

Chris: Removed "Ensure that a lock screen PIN is configured on the Android device" from Apple iOS Configuration page.

== One-to-one devices ==
This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Apple iOS Configuration#Shared devices|shared devices]].

* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''Single User Devices''.
* If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
* If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. iOS devices can automatically log in to the captive portal using the WISPr protocol whenever the device reconnects to the network.

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate, either through an MDM or:

* Launch Safari and browse to https://''<your Opendium host name>''/opendium.crt or scan the QR code that is displayed on the [[Web]] tab.
* Tap ''Install'' and enter the device's passcode.
* A warning will be shown that the certificate will be added to the list of trusted certificates. Tap ''Install.''
* A confirmation will be shown indicating that the certificate was installed. Tap ''Done.''
* On iOS 10.3 and above, go to Settings > General > About > Certificate Trust Settings and enable full trust for the Opendium certificate. This step is not required for earlier versions of iOS.

== Shared Devices ==
This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

* Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system.
* Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''.
* Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-tablet". This user must exist on the Opendium system.
* The user must use the captive portal to authenticate.
* When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. This is usually done through your MDM system.

Shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User%20identification|User Identification]].
[[Category:Client Configuration]]

GoToAssist

2023-05-26T13:59:19Z

Chris: Created page with "== Status == GoTo Assist Remote access and screen Share(logmeinrescue): Fully working. Goto Webinar: Fully Working. GoTo Meeting: Fully working with additional configuration. == Configuration == * Enable STUN on Egress to Everywhere, but this should be done on a subgroup of users/IPs not the whole site. * Ensure that the Disable HTTPS Decryption Override is enabled(required for all GoTo products listed above). Note: we recommend that this override is always enabled (thi..."

== Status ==
GoTo Assist Remote access and screen Share(logmeinrescue): Fully working.
Goto Webinar: Fully Working.
GoTo Meeting: Fully working with additional configuration.

== Configuration ==
* Enable STUN on Egress to Everywhere, but this should be done on a subgroup of users/IPs not the whole site.
* Ensure that the Disable HTTPS Decryption Override is enabled(required for all GoTo products listed above). Note: we recommend that this override is always enabled (this is the default).
== Detail ==
Goto Meeting uses STUN on a peer to peer basis and so to get this working you need to allow STUN out to everywhere, this is more appropriate for specific subgroups as this protocol can be abused by VPN software.

==Vendor Contact Log==
* 2023-04-18 Testing Carried out with GoTo customer support, all products tested and findings as above.

[[Category:Third Party Software Compatibility]]