RoamSafe Agents
CyberEdge's RoamSafe Agent offers web filtering and SafeSearch capabilities, enforcing organizational policies whether devices are on or off the network. The agent ensures that real-time access policy updates are implemented, allowing administrators to manage access control centrally. Furthermore, it provides detailed user-based internet usage data, which is transmitted to the CyberEdge for centralized reporting and analysis. This enables comprehensive oversight and management of Internet activities within an organization.
Licensing
RoamSafe Agents are licensed per device and are available as a paid add-on component of the CyberEdge platform. For pricing and licensing information, please contact your CyberEdge business partner.
RoamSafe Agent Access Policies
RoamSafe Agents utilize a distinct Access Policy stack, separate from the Access Policy configurations associated with CyberEdge network zone pairs. RoamSafe Access Policies are applied exclusively to devices with the agent installed and do not impose any controls on the network. To configure RoamSafe Agent Access Policies navigate to:
- RoamSafe > Agent Policies
- Click "Add"
- Create an Access Policy
- Click "Save" and apply changes
A new RoamSafe Agent policy configuration is generated for distribution. If changes are made to an Access Policy or Policies specific to a particular group, only devices with users in that group will receive the configuration update. Where no group or groups are specified, all agents will receive the policy update. Agents check in with CyberEdge approximately every 30 seconds to detect changes in policy configuration. When a change is identified, the agent retrieves and applies the updated configuration from the CyberEdge. This behavior remains consistent whether the device is on or off the network.
RoamSafe Agent On-Network
Some networks require Access Policies to be enforced by the network gateway rather than by the client device when connected to the network. A RoamSafe Agent is considered "On Network" when traffic is detected from a device's network IP within a zone configured on the CyberEdge. By default, Access Policies are always applied directly on the device via the agent. To change this behavior and enforce Access Policies via the gateway when connected to the network, navigate to:
- RoamSafe Agent > macOS Agents > Internal Network Zones
- Specify a network zone
- Click "Save" and apply changes
When configured, an "allow policy" is dynamically inserted that allows all traffic through the agent.
Important note
- For networks using CyberEdge Classroom Control where access controls are enforced at the network gateway, the RoamSafe Agent must be configured to allow all traffic when connected to the network. To configure, go to RoamSafe Agent > macOS Agents > Internal Network Zones and specify the network zone of devices that should not be filtered by the agent when on the network. With this configuration, filtering is delegated to the gateway.
RoamSafe Agent - Off Network
When a RoamSafe Agent is off network, Access Policy enforcement happens locally on the device. The agent will check-in every 30 seconds with the controlling CyberEdge to obtain any Access Policy updates and push usage data for reporting. If communication between the RoamSafe Agent and the CyberEdge cannot be established,the following will occur:
- Communication attempts from the RoamSafe Agent to the controlling CyberEdge will be tried once per 30 seconds
- The RoamSafe Agent will enforce its current Access Policy configuration until it receives a new policy configuration
- Reporting event data will be stored locally in the RoamSafe Agent database. When connectivity is re-established, the RoamSafe Agent will upload the full contents of the database to the CyberEdge. Where devices have been disconnected for extended periods of time, it may take time to upload all event data to the CyberEdge
The RoamSafe Agent operates without relying on VPN tunnels or proxy connections to CyberEdge. Consequently, brief downtimes of CyberEdge during firmware updates or network migrations do not impact the agent's functionality. See "Agent Communication" for more information on the interactions between the RoamSafe Agent and its controlling CyberEdge.
RoamSafe Agent Communication
The following outlines the communication process between the RoamSafe Agent and its controlling CyberEdge.
Type |
Host |
Description |
|---|---|---|
| Communication | [serviceid].slsecure.zone | Communications between the RoamSafe Agent and the controlling CyberEdge will be directed to this domain. It must be accessible and resolve externally for successful communications with agents when off the network. In networks where the CyberEdge is not externally accessible, a reverse proxy or port forward configuration must be configured to allow connectivity. |
Custom domains for communications between the RoamSafe Agent and the CyberEdge is currently not supported.
Type |
Port |
Description |
|---|---|---|
| Communication | 443 | Communications between the RoamSafe Agent and the controlling CyberEdge use port 443. This port is not configurable. |
To verify RoamSafe Agents are successfully communicating with CyberEdge, you can view live RoamSafe Agent logs. To access the logs, navigate to Status > Log Viewer > RoamSafe Agent and view connected devices via Status > Agents.
Viewing Connected Devices
Information on RoamSafe Agents and their connected devices is available to assist System Administrators in managing RoamSafe deployments. This includes details such as Username, Full Name, Group, device IP address, Unique ID, Last Seen, Agent Version, and Client Operating System.
To view information on connected agents, navigate to:
- Status > Agents
Outlined below is a detailed description of the data collected from connected RoamSafe Agents, designed to assist in their effective management:
Type |
Description |
|---|---|
| Username | The username associated with the RoamSafe Agent |
| Full Name | The full name of the user to whom the agent is assigned |
| Groups | The group or groups assigned to the user within the configured directory service provider |
| IP Address | The IP address of the device's source connection to CyberEdge, typically a NAT'd public IP address. Note, this will never be the local IP address of the client device in a private network |
| Unique ID | A unique identifier for each agent, ensuring precise tracking, licensing and management |
| Last Seen | The last time the RoamSafe Agent for a device was able to check in to receive policy updates and upload reporting data |
| Agent Version | The currently installed version of the RoamSafe Agent on a device |
| Client OS | The operating system running on the client device |