Console Reference Docs

Web page classification analyzes the domain, URL, and most importantly, the words and phrases on every page load to tally a numerical score in one or more Categories for that page load.

The filter Action configuration (Allow/Block/Ignore) for the top-scoring Category is then used to handle that particular page request.

Traffic Visibility Prerequisites

Webpage word and phrase analysis is only possible with full SSL/TLS decryption (sslbump), which is the default action for most¹ web requests on TCP ports 80 (HTTP) and 443 (HTTPS).

And, for this to work without browser security errors, all endpoint devices connecting through the DrawBridge must have the DrawBridge Certificate Authority certificate installed. See the page SSL Certs under the Devices module for more information.

¹Note: for security reasons, banking and financial-related websites are not TLS-decrypted. It is assumed that these sites are safe from inappropriate content. You can verify a site is Not being TLS-decrypted by clicking the shield or padlock in your browser address bar and viewing the certificate. If the certicate is issued by a public Certificate Authority (and not your DrawBridge), you can know that the DrawBridge is Not intercepting the connection.

Also Note: Certain web traffic (for example some cloud backup services and application traffic) that is not specification-compliant or is otherwise incompatible with content filtering are exempted at a firewall level from the traffic inspection on TCP ports 80 and 443.

Example

Visiting https://www.cabelas.com is most likely to score the most points in the Category Hunting and Fishing.

If the Action assigned to Hunting and Fishing is Allow, the Cabelas page will load as if nothing happened.
If the Action assigned to Hunting and Fishing is Block, a DrawBridge block page is loaded to inform the user that the request was blocked due to filter settings.
If the Action assigned to Hunting and Fishing is Ignore, the next-to-top scoring Category action is selected to handle the page load.

The option to `Ignore` is strongly discouraged except for special situations. If you decide to specify custom Actions for Categories, please only use `Allow` or `Block` to ensure most reliable filtering.

Important Notes

1. About changing default Category Allow/Block settings

The DrawBridge comes with a preset Action for each included (Built-in) Category. When you assign an Action (Allow/Block) to a Category, you're simply applying a change that gets higher priority than the default setting.

2. Default Category settings are Business-focused

The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you may want to set more categories to Allow in your Company Preferences Access Policy, or in a custom Access Policy.

For more information on Built-In Categories, including how to view default Actions, see Content Filter: Categories: Built-In Categories

FAQ: Is TLS inspection "bad" or "breaking encryption" or "weakening security"?

In a word, no (if implemented correctly)

Despite much negative press, blog posts by both Cloudflare and US-CERT acknowledge that legitimate use-cases (and secure methods) of TLS inspection exist.

Some of the concerns raised in the two articles linked above are very valid. However, the DrawBridge filter engine is designed to follow industry best-practices to ensure that it doesn't downgrade security or mask upstream security flaws.

Much of this debate boils down to two things:

Intention: Why is the TLS traffic being inspected? (legitimate or malicious?)
Privacy: Are the end-users aware of the inspection? (visible/policy or invisible/spycraft?)

For #1: The DrawBridge employs TLS inspection to ensure content filtering properly classifies page content

For #2: Yes: DrawBridge account holders need to purchase the content filter service and need to install a Certificate Authority for the service to work correctly. (It is the responsibility of account holders to inform any user of the service of the content monitoring and inspection.)

This discussion leads to an even deeper question: Who owns this device? If you truly own a computer, for example, you should have the authority to decide what Certificate Authorities it will be allowed to trust, and with whom it will communicate. Thankfully, most platforms accomodate adding additional Certificate Authorities, enabling you to know and control the network traffic of your device.

The notable exception is Android, because of an alleged "security" decision by Google. While there were threats they were able to prevent by taking a scorched-earth no-user-CA-trust position¹, this implementation also conveniently prevents auditing of the traffic of third-party apps and bundled Google apps.

¹Exception: browser apps on Android will trust user-installed Certificate Authorities.

Essential Concepts

Record Model - Tenancy and Hierarchy

Record Tenancy

The DrawBridge records are multi-tenanted.

Tenancy is established by associating a record (such as Device Group, Access Policy, or Report) to a given tenant (see Types, below), and ensuring that other tenants cannot see those records.

Four types of tenants are supported:

Tenancy Type	Visibility	Permissions
Company	Just that Company	Contacts assigned to this Company, contacts of the Accountability Policy associated with this Company
Accountability Policy	All Member Companies	Contacts of the Accountability Policy
Appliance	All Companies on that DrawBridge	Contacts of the Main Company
Universal	All Companies on all DrawBridges	System Administrators

In other words, the Tenancy Type of a record can be determined by looking at the association relationship(s):

A record assigned to a Company belongs to that company
A record assigned to an Accountability Policy is available to all Member companies
A record assigned to a System/Appliance applies to all tenant companies
A record with none of the above relationships is available to all companies everywhere.

The Main Company

All Companies on a DrawBridge are tenants, however, for proper record and configuration ownership, it is essential that one Company be the Main Company of a DrawBridge.

The Main Company is the Owner of the DrawBridge, or the owner of the premise on which it is located.

The Contacts on the Main Company are the only ones who can control System-wide settings, such as QoS, Firewall settings, DNS, and so forth.

Record Hierarchy

Certain types of records can have have a "Parent"/"Child" designation:

Accountability Policy: An Accountability Policy can be a "Child" of another Accountability Policy, enabling the automatic inheritance of configuration settings at the "Parent" level, such as Report Presets.
Category: Built-in Categories are members of "Parent" categories for easy classification into genres.

For example, Parent Category Automotive contains the following child categories:
- Automotive and Trucks
- Automotive - Objectionable
- Metals / Welding
- Powersports

Essential Concepts

Permissions and Relationships

Permissions

Permission Groups in the DrawBridge Console are analagous to User Groups in typical operating systems.¹

Permissions Groups are a way of assigning a particular Role to a Person: Adding a Person record to the Accountability permission group gives them the access and controls exclusive to Accountability and higher level permission groups.

Person records are given the permissions by being added as a member of a particular Permissions Group.

Permission Groups in the DrawBridge Console:

Permission Group	Required Relationship	About
`Company Owner`	Company Owner	The owner of a Company
`Appstore Access`	Company or Accountability Policy	Allows Person to Enable App Store Access on a Company record
`Can Submit Autofix Requests`	Company	Allows use of the Autofix reclassification function
`Can Submit Sites for Human Review`	Company	Allows submission of a Classification Review support ticket
`Media Viewer`	Company	Allows classification of a video in the Media Room
`Company Media Room Admin`	Company	Allows administration of a company Media Room
`Report Viewer`	Company or Accountability Policy	Allows viewing of web activity Reports
`System Owner`	Company Owner	Allows visibility and control of all Tenant Companies on that DrawBridge
`ACL Pumpkineer`	Accountability Policy or Compass Foundation Staff	Allows creation and modification of ACLs
`Accountablity`	Accountability Policy	Allows visibility and control of member Company configurations and reports
`Device Detector Admin`	(?)	(?)
`Realtime Log Viewer`	Company Owner of Main Company	Allows access to the system-wide Realtime Log Viewer
`Reseller`	(?)	Allows visibility and control of all Tenant Companies on that DrawBridge
`Sysadmin`	(?)	(?)

¹For further advanced reading, see the POSIX specification documentation by The Open Group and IEEE.

Relationships

Records in the DrawBridge console, particularly Person records, can have one or more relationship associations.

For an analogy, consider how individual people in real life have different relationships to others, depending on their role: Parent-Parent, Parent-Child, Brother-Sister, and so forth.

Relationships in the Console

A Person can have the following relationships to Companies:

Owner
Associate
Tech Support
General Contact

A Person can have the following relationships to an Acountability Policy:

Accountability Contact

A Company can have the following relationship to an Accountability Policy:

Member

Examples

Person fred_smith owns Company Eastwood Trading Co. He therefore is assigned a Company Owner Relationship, and added to the Company Owner Permissions Group.

Company Eastwood Trading Co. has an on-premises DrawBridge, so fred_smith is also added to the System Owner Permissions Group.

Person jack_miller is on the IT staff for Eastwood Trading Co. He is assigned a Tech Support Relationship, and added to the Sysadmin Permissions Group.

Essential Concepts

Accountability

The DrawBridge supports an Accountability model to facilitate voluntary, centrally-administered, usage report sharing and content filter configuration of Member Companies by specified administrators in a community context.

An Accountabilility Policy provides:

Central administration of Accountability-associated Report Presets and Access Policies for all Member Companies
- All Report Presets of a Policy automatically propagate to all Member Companies.
- Access Policies associated with an Accountability policy are made available to all Member Companies as a Policy Group that can be easily joined by Member Companies. Changes to that particular Access Policy (Group) automatically propagate to all Member Companies that are part of the Access Policy.
Accountability Contacts associated to that Accountability Policy can access report information and view filter policy configuration for that Company (see Accountability Policy Roles below).
Community Accountability-level Preference configurations to override Company-level Preference configurations (see Preferences page for more information).

Record Relationships

The following records can be associated with an Accountability Policy Record:

Record Type	About
Person	Accountability Contact: view reports and set configurations on Member Companies
Company	Accountability Member Company: enable features detailed below

Policy Roles

An Accountability Policy can be either type of Role:

Role	About
Reviewer	Accountability Contacts have read-only access to member Company settings
Administrator	Accountability Contacts have read-write access to member Company settings and diagnostic functions

Role Features

Administrator

Designed for Accountability Policies who have members on the Policy with capable IT skills, understand the DrawBridge Console, and commit to remaining up-to-date with ongoing DrawBridge releases.

Reviewer

Designed for Accountability Policies who are primarily responsible for reviewing reports and Access Policies to confirm that settings are as expected.

Company Opt-in

A Company Owner assigned to an Accountability Policy with the Reviewer Role may want his Accountability Contacts to have the Administrator Role on his company. If so, he can add them as Company Staff to grant the Administrator Role.

Examples

Administrator Role

The people in the Golden Sands Christian Fellowship community want to have a uniform content filter policy across their brotherhood, as well as have specific individuals responsible to administer the policy and review all their web usage.

To answer this need, the Golden Sands Christian Fellowship Accountability Policy is created with Administrator role, and several people are associated with it as Accountability Contacts (see Relationships page for more information).

This Accountability Policy has several associations:

The people that are designated as Accountability Contacts.
A Church Preferences Access Policy that sets the Action on a number of Categories to Allow.
A Summary Report configured that displays the genres of information being accessed by each Company, to be sent to the designated Accountability Contacts.

Those Companies using DrawBridge filtering in this context add the Golden Sands Christian Fellowship policy to their Company record. This performs the following:

Enables the specified Accountability Contacts to view the report data and filter configurations of all Member Companies in the DrawBridge Console.
Makes the centrally-administered Church Preferences Access Policy available to them to apply to their Company.
- Each Company Owner then applies the Church Preferences Access Policy by assigning it to his alldevices Device Group.
Automatically configures the Summary report to the member Company, with delivery to the Accountability Contacts.

Reviewer Role

The people in the Salem Christian Fellowship community want to have a uniform content filter policy across their brotherhood. Either outside IT provider or Compass Foundation will administrate the settings and provide technical support.

The Salem Christian Fellowship policy is created with the Reviewer role. They will have Read-Only access to review Reports and Access Policy settings. Any required changes will be channeled by the Company to IT Provider or Compass Foundation.

Essential Concepts

Preferences

Preferences enable you to:

configure minimum Permission Groups required to perform a specific action (see Permissions and Relationships page for more information), and,
configure other feature thresholds and behaviors

Preference Tenancy

Preference record tenancy association is available to both Companies and Accountability Policies. Each Preference Record has a field indicating the associated Company or Policy, thus communicating the tenancy association.

If a Preference detailed here is not present on your DrawBridge, simply create it with the + button in the upper right corner of the list view for that Section. Then you can assign the Records to that Preference as desired.

Preferences associated with an Accountablity Policy override any conflicting preferences associated with a Member Company.

Priority	Relationship	Override lower priority configuration
1	Accountability Policy	Yes
2	Company Owner	(NA)

To clarify: if there is no Accountability Policy associated with a Company, the notes about Accountability Policy override do not apply.

Preference Record Sections

Heirarchy:

Section
- Preference
  - Record

As implemented:

Filter Console (Section)
- Access Valve Permissions (Preference)
  - Widen Access Privileges (Record) and so forth
- App Store Settings
- Safe Search Settings
Media Room
- Viewability
- Channels
Block Page Overrides
- AutoFix Settings
- Human Review Settings

Preferences, in detail

Filter Console

Access Valve Permissions

Record Name	Value	About
Widen Access Privileges	`Company Owner` / `Accountability Contact` / `Accountability or Filter Admin`	Set minimum Permission Group required to set a Category to Allow
Restrict Access Privileges	`Company Owner` / `Accountability Contact` / `Accountability or Filter Admin`	Set minimum Permission Group required to set a Category to Block

App Store Settings

Record Name	Value	About
Permission Group	`Company Owner` / `Accountability Contact` / `Accountability or Filter Admin`	Set minimum Permission Group required to "open" an App Store

Safe Search Settings

Record Name	Value	About
Name of Service eg. Bing, YouTube, etc	`Yes` / `No`	Enable the platform-provided Adult content blocking

Media Room

Viewability

Record Name	Value	Contents	About
Category Actions	`Always Block Categories` / `Always Allow Categories`	List of Categories	Configure the Media Room action for specified Categories
Viewability Status	`Allowed Categories Only` / `Allowed Category or Unclassified` / `Viewing Classified Media Disabled`	(N/A)	Configure the "permissiveness" of the Media Room

In detail:

Category Actions: The Media Room will Allow or Block a video from playing based on the top-scoring category it scores/classifies as. The Category Actions records here allow you to set a list of Categories that will Always or Never play when a video has a top score in the category(ies) you specify.
Viewability Status: Set the behavior of the Media Room:
- Allowed Categories Only: Only videos which have a top score in a Category set to Allow will play. Videos with a top score in a Category set to Ignore or Block will not play.
- Allowed Category or Unclassified: In addition to the videos matching Allowed Categories, above, if a classification can not be automatically made, the video will still be allowed to play. This is the most permissive setting.
- Viewing Classified Media Disabled: The Media Room will not allow any videos to play, regardless of the classification.

Channels

Record Name	Value	About
Permission Group	`Media Admin` / `Accountability Contact` / `Accountability or Filter Admin`	Set minimum Permission Group required to add a Channel for automatic classification

Block Page Overrides

AutoFix Settings

Record Name	Value	Contents	About
Category Actions	`Always Allow Categories` / `Always Block Categories`	List of Categories	Always Allow or Block the AutoFix request for specified categories
Level 1 Enabled	`Yes` / `No`	(N/A)	Enable AutoFix Level 1 behavior
Level 2 Enabled	`Yes` / `No`	(N/A)	Enable AutoFix Level 2 behavior
Level 3 Enabled	`Yes` / `No`	(N/A)	Enable AutoFix Level 3 behavior
Skip Owner Confirmation	`Yes` / `No`	(N/A)	Specify whether Company Owner contact confirmation is required for an Autofix request.

If Owner Confirmation is required, an AutoFix request will email the Company Owner contact, who will need to sign-in and approve the request before it can proceed.

Human Review Settings

Record Name	Value	Contents	About
Category Actions	`Always Allow Categories` / `Always Block Categories`	List of Categories	Always Allow or Block the Human Review request for specified categories
Skip Owner Confirmation	`Yes` / `No`	(N/A)	Specify whether Company Owner contact confirmation is required for an Human Review request.

If Owner Confirmation is required, a Human Review request will email the Company Owner contact, who will need to sign-in and approve the request before it can proceed.

Preference Record View

Create a preference record by clicking the + button in the upper right of the list view in any of the Sections above.

Edit a Preference record by clicking the green pencil Edit button on the relevant line.

View a Preference record by clicking on the blue navigate-symbol View Preference button on the relevant line.

Each Preference record will display:

Parameter	About
Company/Policy	The tenancy association (Company or Accountability Policy) of the record
Canonical ID	The globally-unique identifier for the record
Preference Setting	What the record does

Records which contain Category List views have these options:

Add a Category with the + Add button above the list area
Remove a Category with the red trashcan Delete button on the relevant Category line

Accounts

People

A person entity is required to sign-in and use the DrawBridge web portal.

Additionally, Person records are associated with Companies, and, optionally, Accountability Policies.

View the Active People list by clicking Accounts, then People in the left menu bar. Click the Name of a Person in the list to view the Record for that person.

Person Record View

A Person record contains the following parameters:

Parameter	About
Name	Display Name
Email	Email address
Mobile	(Optional) Mobile phone number
Canonical ID	The global unique identifier
Last Active	Timestamp of last sign-in activity; see Sessions informational tab, below

Person Record header buttons:

Add a new Person record with the blue + Create Person button
Edit this Person record with the green pencil Update Person button
Delete this Person record with the red trashcan Delete Person button
Impersonate User (take on the identity and permissions of this user in the DrawBridge; used for troubleshooting)
Merge Person records with the blue picture-frame "Merge other Person records into this one" button
Hamburger menu:
- Set Console Password: set a DrawBridge Console password for this Person
- Create Tabula account: see Additional Services: Tabula for more information
- Add Group Membership: add this Remote Device User to a Console Permission Group (see Informational Tabs: Permissions, below)
- View Realtime Log Lines: jump to the Realtime Log Viewer, with the data view limited to this device
- Today's Log Lines: jump to the the Reports module with the device pre-selected in data views
- Record Activity Stream: view the changelog for this Device record
Bookmark this record with the ribbon Bookmark button
Sync Menu (chain-link icon)
- Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
- Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
- Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
- Mark to Resync: flag this record in the background to be included in the next sync run

Informational Tabs

Data associated with this Person:

Bookmarks: List view of any console shortcuts
- Add a bookmark by clicking the Ribbon button on any record in the Console
- Delete a bookmark with the red trashcan Delete button on the relevant Bookmark line here
Companies: List view of any associated Company relationships
- Add a Company relationship with the Add Company Staff Relationship button
- Edit a Company relationship with the green pencil Update button on the relevent line
- Delete a Company relationship with the red trashcan Delete button on the relevant line
- View Company Relationship history log with the blue Record Activity Stream button on the relevant line
Policies: List view of any associated Accountability Policy relationships
- Add an Accountability Policy relationship with the Add Accountability Policy Relationship button
- Edit an Accountability Policy relationship with the green pencil Update button on the relevent line
- Delete an Accountability Policy relationship with the red trashcan Delete button on the relevant line
- View an Accountability Policy relationship history log with the blue Record Activity Stream button on the relevant line
Devices: List view of any associated Devices
- Add a Remote Device relationship with the Add Remote Device button
- Edit a Remote Device relationship with the green pencil Update button on the relavant line
- Delete a Remote Device relationship with the red trashcan Delete button on the relevant line
- View a Remote Deice relationship history log with the blue Record Activity Stream button on the relevant line
Permissions: List view of any associated Permission Groups and Proxy User Groups
- Add a Permission Group membership relationship with the Add Permission button
- Add a Proxy User Group membership relationship with the Add to Proxy Users Group button
- Edit a Group relationship with the green pencil Update button on the relevant line
- Delete a Group relationship with the red trashcan Delete button on the relevant line
- View a Group relationship history log with the blue Record Activity Stream button on the relevant line
Sessions: List view of all active/signed-in Console sessions this User has on this DrawBridge. Fields:
- Last Updated: timestamp of last activity
- IP: IP Address of last activity
- Client: the User-Agent reported by the last activity

Unrelated People

Unrelated People are People records that have no Company or Accountability Policy relationship assigned. This list should generally be empty.

Inactive Relationships

This is a list of Person - Company or Person - Accountability Policy Relationships that have been set to Inactive. This list should generally be empty.

Accounts

Companies

A Company record is essential to using the DrawBridge: all People records and Device records must be associated with a Company record (or an Accountability Policy) to enable full use of their functionality.

If your Company is the only company present on your DrawBridge, clicking on Accounts: Companies will jump directly to your Company record view.

If more than one Company is present on a DrawBridge, and your sign-in credentials are part of a System Owner permissions group or higher, a list view of the Company records will be displayed when Companies is clicked in the left menu bar. Click the Name of the company to view the Company Record. See Essential Concepts: Record Model - Tenancy and Hierarchy for further information about multi-tenancy.

The Company record view is your headquarters for viewing important data on your account, and also for jumping to other places in the DrawBridge to make configuration changes for your Company.

Record View

Name of Company

Parameter	About
Status	This record is `Active` / `Inactive`
Main	`Yes`/`No`: indicates whether this Company record is designated as the Main Company for this DrawBridge.
Log Server Account	Optional: Account number on the Log Server; see Reports: Log Processing for more information
Canonical ID	The globally-unique identifier for this record

Link: Log Batches -- jumps you to the list of Log Batches configured for this Company. See Reports: Log Processing for more information. Link: Sync Settings -- jumps you to the Appliance Companies record. See System: Configuration: Appliance Companies for more information.

Company Record header buttons:

Add a new Company record with the blue + Add Company button
Edit this Company record with the green pencil Update Company button
Delete this Company record with the red trashcan Delete Company button
Hamburger menu:
- Today's Log Lines: jump to Reports: Browse by Loglines -- view web activity access logged today
- Report History: jump to Report Archives
- Record Activity Stream: view the changelog for this record
Bookmark this page with the ribbon Bookmark button
Sync Menu (chain-link icon)
- Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
- Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
- Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
- Mark to Resync: flag this record in the background to be included in the next sync run

Informational Tabs

Local Devices

List of Local Device records on this DrawBridge. See Devices: Local Devices for more information.

Create a new Local Device record with the New Local Device button.

Manipulate existing Local Device records in the list view by clicking the desired button on the relevant line:

Edit a record with the green pencil Update Record button
Delete a record with the red trashcan Delete button
View the record changelog with the blue Record Activity Stream button

Remote Devices

List of Remote Devices records on this DrawBridge. See Devices: Remote Devices for more information.

Create a new Remote Device record with the New Local Device button.

Manipulate existing Remote Device records in the list view by clicking the desired button on the relevant line:

Edit a record with the green pencil Update Record button
Delete a record with the red trashcan Delete Record button
View the record changelog with the blue Record Activity Stream button

Contacts

List of Person records with a Relationship to the Company. See Accounts: People for more information.

Add a new Person--Company relationship with the Add Company Staff Relationship button.

Manipulate existing Relationship records in the list view by clicking the desired button on the relevant line:

Edit a record with the green pencil Update Record button
Delete a record with the red trashcan Delete Record button
View the record changelog with the blue Record Activity Stream button

Reports

List of configured Reports associated with this Company. See Reports: Scheduled Reports for more information.

Add a Report with the Schedule New Report button.

Manipulate existing Scheduled Report records in the list view by clicking the desired button on the relevant line:

Edit a record with the green pencil Update Record button
Delete a record with the red trashcan Delete Record button
View the record changelog with the blue Record Activity Stream button

Appliances

Displays the Appliance record associated with this Company. See System: Configuration: Appliance Companies for more information.

Dashboard buttons

Access Policies -- Access Policy Dashboard

Jump to the Access Policy Dashboard for this Company, which displays all the Access Policies which apply to the devices of this Company. See Content Filter: Web Page Access for more information.

Activity Viewers -- Loglines & Reports

Jump to Report Activity Viewers. See Reports: Activitity Viewers for more information.

Preferences -- Preferences Dashboard

Jump to any Preferences associated with this Company. See Essential Concepts: Preferences for more information.

Accountability Policy -- ("Policy Name" or "None")

Jump to associated Accountability Policy (if applicable).

If this Company is a Member of an Accountability Policy, the name will be displayed. If the Company is not a Member of any Accountability Policy, it will display "None". See Essential Concepts: Accountability and Accounts: Accountability Policies for more information.

Inactive Companies

Inactive Companies are Company Records which have had the Status changed from Active to Inactive.

Accounts

Accountability Policies

As noted on the Accountability page under the Essential Concepts chapter:

The DrawBridge supports an Accountability model to facilitate voluntary, centrally-administered, information sharing and content filter configuration of Member Companies by specified administrators in a community context.

An Accountability Policy consists of the Accountability Policy name and contains Member Companies.

Also, an Accountability Policy contains Preferences (specific controls over member companies) and configures Report Presets (default report settings and recipients) for member companies.

Record view

Link: Assigned Companies -- list view of Companies associated with this Accountability Policy

Parameter	Setting or Data	About
Parent	`<Policy Name>`	The higher-on-the-heirarchy Policy, where applicable
Include Parent Contacts	`Yes` / `No`	Include Parent-policy Contacts by default in this policy, where applicable (see Parent, above)
Role	`Reviewer` / `Administrative`	The default scope of control associated Contacts have over member companies. See Essential Concepts for more info
Appstore	`Company Owner` / `Accountability Contact` / `Accountabilty or Filter Admin`	The minimum permission level Preference assigned to the Policy permitted to open the App Store
Send Logs	`Yes` / `No`	Send member-company traffic web usage data to the Log Server specified in Reports / Log Processing / Log Servers.
Canonical ID	`<auto-assigned hash value>`	The globally-unique identifer for this record.

Accountability Policy Record header buttons:

Add a new Accountability Policy record with the blue + Create Accountability Policy button
Edit this Accountability Policy record with the green pencil Update Accountability Policy button
Delete this Accountability Policy record with the red trashcan Delete Accountabilty Policy button
View the changelog for this Accountability Policy with the blue Record Activity Stream button
Bookmark this page with the ribbon Bookmark button
Sync Menu
- Create on Sync Publisher (push this record to the Sync Server)

Informational Tabs

Contacts: List view of Contacts associated to this Policy
- Add an Accountability Contact association with the Add Accountability Policy Relationship button
- Edit the Relationship and Report Delivery options for that Contact with the green pencil Update button on the specific contact line in the list view
- Remove an Accountability Contact with the red trashcan Delete button on the specific contact line in the list view
- View the changelog for a particular Contact--Accountability Policy association with the View Record Activity Stream button on the specific contact line in the list view
Report Presets: List view of Reports associated with this Policy (these Reports automatically apply to all Member Companies).
- Add a Report Preset with the New Report Preset button.
- Remove a Report Preset association by visiting the record page for that Report Preset and editing the Policy association there.
Policy Groups: List view of Access Policy Groups associated with this Policy (these Access Policies are made available for all Member Companies to join).
- Add an Access Policy relationship with the New Access Policy Group button.
- Remove an Access Policy relationship by visiting the record page for the Access Policy and editing the Policy association there.

Dashboard Buttons

Preferences Dashboard

Preferences configured on an Accountability Policy level override any Preferences specified on Member Companies. See Essential Concepts: Preferences for more information.

Accountability Contacts

List view of Person - Accountability Contact relationships.

Record View

An Accountability Contact Record has the following information:

Parameter	About
Name	Name of the associated Person record
Email	Email of the associated Person record
Policy	Name of the associated Accountability Policy record
Canonical ID	Globally-unique identifier of this `Person - Accountability Contact` relationship
Contact CID	Globally-unique identifier of the associated Person record
Last Active	Timestamp of the last recorded login

Accountability Contact Record header buttons:

Add a new Accountability Contact record with the blue + button
Edit this Accountability Contact record with the green pencil Update Record button
Delete this Accountability Contact record with the red trashcan Delete Record button
Hamburger menu:
- Update Personal Details (edit the details on the associated Person record)
- Set Console Password
- Add Group Membership
Impersonate User (take on the identity and permissions of this user in the DrawBridge; used for troubleshooting)
Bookmark this page with the ribbon Bookmark button
Sync Menu (chain-link icon)
- Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
- Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
- Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
- Mark to Resync: flag this record in the background to be included in the next sync run

Informational tabs

Companies: List view of the associated Companies
- Add a Company relationship with the Add Company Staff Relationship button
- Edit a Company relationship with the green pencil Update button on the specific company line in the list view
- Remove a Company relationship with the red trashcan Delete button on the specific company line in the list view
- View the changelog for a particular Company association with the View Record Activity Stream button on the specific company line in the list view
Policies: List view of associated Accountability Policies
- Add an Accountability Policy relationship with the Add Accountability Policy Relationship button
- Edit an Accountability Policy relationship with the green pencil Update button on the specific Accountability Policy line in the list view
- Remove an Accountability Policy relationship with the red trashcan Delete button on the specific Accountability Policy line in the list view
- View the changelog for a particular Accountability Policy association with the View Record Activity Stream button on the specific accountability policy line in the list view
Permissions: List view of Permission Group membership
- Add Permission Group membership with the Add Permission button
- Add to a Proxy User Group with the Add to Proxy Users Group button
- Remove a Permission Group membership with the red trashcan Delete Record button on the specific Permission Group line
- View the changelog for a particular Permission Group Membership with the View Record Activity Stream button

Accounts

Groups

Permission Groups

The DrawBridge console uses the model of Permission Groups: a Person record can be a member of a particular Permission Group, and thus gain the abilities allowed by that Permission Group.

For more information, see Essential Concepts: Permissions and Relationships.

People Groups

Proxy User Groups

A Proxy User Group is a group of People (similar to Device Groups being groups of Devices).

People in the Proxy User Group are users on the local network which are authenticated to the DrawBridge via the DrawBridge Agent software installed on the endpoint.

A Proxy User Group can have two origins:

Created either by manually adding People records to a "standalone" Proxy User Group, or,
An existing Directory Group designated as a Proxy User Group.

Create a standalone Proxy User Group by clicking the + button in the upper right corner of the list view. Give the group a name, specify the minimum permissions required to add People to the group, select any Parent Group if applicable, and ensure that Proxy Users is toggled to Yes.

Note that the list view in Proxy User Groups displays both "standalone" Proxy User Groups, as well as all Directory Groups that have been specified as a Proxy User Group; see below.

Directory Groups

A Directory Group is a group of People that has been synchronized from another server, for example, an Active Directory server.

A Directory Group can be designated a Proxy User Group by Editing the Directory Group record and toggling the Proxy Users setting to Yes.

The advantage of designating a particular Directory Group as a Proxy Users Group is that the (Person) members of that group can be managed on the AD Server; no ongoing people membership maintenance is needed in the DrawBridge.

Changes in Directory Group membership made on the AD server are automatically synchronized via the regular AD--DrawBridge sync job.

Implementation Concept Diagram

This diagram illustrates how People Groups can be assigned to an Access Policy via association with a Device Group.

See How To Guides: Assign a Proxy User Group to an Access Policy for further instructions.

Accounts

Authentication Integration

The DrawBridge supports connection to an external user database for User and Group synchronization using the following database types:

Active Directory
OpenLDAP

Purpose

These features are intended to be used in conjunction with the DrawBridge Agent software (Windows computers only) to link the actual User signed-in on a Local Device to a specific Access Policy.

See Accounts: Groups for further information on People Groups.

See Content Filter: Web Page Access for further information on configuring Access Policies.

See How To Guides: Assign a Proxy User Group to an Access Policy for further implementation details.

Technical specifics

The DrawBridge connects to external user databases either using plain-text LDAP communication on port 389, or using TLS (LDAPS) on port 636.

A scheduled job perfomrs a background sychnronization with the database server four times a day.

A username and password to access the user database must be provided to the DrawBridge. The only permissions that are needed for the user are read access to the user and group information on the server.

Security Notes:

The security-by-least-privilege principle dictates that the credentials provided to the DrawBridge to access the user database should not have any permissions beyond read-only access.
When using LDAPS: The DrawBridge accepts any certificate presented by the server -- it does not perform verification/validity checks.

Record View

Both Active Directory and OpenLDAP server records have the following parameters:

Parameter	About
Name	User-assigned display name of the server
Host	Address of the server, eg. `192.168.250.66:636` (Active Directory) or `ldap://127.0.0.1:636` (OpenLDAP)
Server Type	`Active Directory` or `OpenLDAP`
Username Format	`Active Directory` or `OpenLDAP`
Status	This record is `Active` or `Inactive`
Search Base	Examples: `dc=local` or `ou=Accounts,dc=eastwoodtc,dc=lan`
User Object Class	Examples: `person` (Active Directory) or `exinetOrgPerson` (OpenLDAP)
Group Object Class	Examples: `group` (Active Directory) or `posixGroup` (OpenLDAP)
Device Object Class	Example: `computer` (Active Directory)

Edit the Directory Server settings with the green pencil Update Directory Server button
Delete the Directory Server record with the red trashcan Delete Directory Server button
Hamburger menu:
- Verify Connection settings: test the provided authentication credentials. An alert will display the results of this test within seconds.
- Sync Directory Servers: trigger a manual sync job to run immediately. (Note: this routine does not provide any status information.)
Bookmark this page with the ribbon Bookmark button

Informational Tabs

Field Maps

Map DrawBridge database fields to the directory server fields. Add a new relationship with the Add Field Relationship button.

Remove a field relationship with the red trashcan Delete button on the relevant line.

Example configuration (Active Directory)

Note: Your environment may be different.

Console Field	Directory Field
first_name	givenName
last_name	sn
username	cn
cid	objectGUID
email	userPrincipalName

Company Maps (Active Directory only)

Assign a Directory Group to a DrawBridge Company with the Add Group to Company Map button.

Remove a Directory Group to DrawBridge Company relationship with the red trashcan Delete button on the relevant line.

Devices

Overview

Create and manage Local and Remote Device records and corresponding Company and People associations, as well as static Device Groups

Devices are the “target” of filter settings configured in Content Filter.

Note: for proper network operation:

all Devices need to have the DrawBridge CA Security Certificate installed. See Essential Concepts: Web Page Classification: Traffic Visibility Prerequisites for further information.
Remote Devices must have the correct External Networks assigned to them. See page Remote Devices in this chapter for further information.

Identifying Devices on the network

The DrawBridge has several ways of identifying Devices

Local Devices via either
- auto-created records via built-in network detection, or,
- auto-created records via the DrawBridge Agent software (Windows-only), or,
- manually created records by a user.
Remote devices created by users; these authenticate with the DrawBridge username and password

In this chapter:

Devices Dashboard
- Local Devices
- Remote Devices
- Device Groups
Apps: Device Configuration
- SSL Certificates
- External Networks

Devices Dashboard

Local Devices: devices on the network where your DrawBridge is located.

For example, the desktop you have in your office.
Remote Devices: devices that access your DrawBridge from “outside” your network; ie. from the public Internet.

For example, a laptop that’s configured to connect to your DrawBridge for filtering whenever you’re out on the road using a hotspot.
Device Groups: entities that contain Local and/or Remote devices

Apps: Device Configuration

SSL Certificates: mandatory SSL/TLS Certificate Authority security certificates for all devices connecting through a DrawBridge
External Networks: list of external network information used for assisting Remote Device Authentication operations

Devices

Local Devices

A Local Device record is an an entity intended to represent one Device on the local network, no matter how many network interfaces the Device has. (Exception: special IP Range devices; see FAQ below)

Devices are created by:

Auto-detection: The DrawBridge monitors network traffic to detect local devices based on the IP address, and automatically creates a Local Device record if none exists for that address.
A DrawBridge Console user: Click the + located in the upper right corner of the Local Devices list view to to create a new Local Device Record.
The DrawBridge Agent: If the DrawBridge agent "calls home" with Device information that does not match an existing record, a new Local Device record will be created (only if the MAC address can be validated; see FAQ below)
Active Directory sync: If your DrawBridge is configure to sync with an Active Directory server, Devices listed in the AD server will be automatically created on the DrawBridge.
Compass Portal Sync: (Remote Devices Only)

In the Local Device list view, select any local device record by tapping the device name or IP address link shown in the Hostname column to see an individual device record.

Record View

A Local Device record contains the following parameters:

Parameter	About
Company	the Company associated with the Device; see Accounts: Companies for more information
Auto Hostname	the automatically-detected hostname of the device on the network, if available
Platform	the operating system of the device, if specified
Type	the type of hardware, such as Laptop, Smartphone, Tablet, and so forth
Status	this local device record is: `Active` or `Inactive`
Source	origin of the record information: auto-detected or User Entry
Last Active	the timestamp of the last filter traffic recorded for this device
Reportable	traffic from this device Is or Is Not included in Activity Reports

Device Record header buttons:

Add a new Local Device record with the blue + Create Local Device button
Edit this Local Device record with the green pencil Update Local Device button
Delete this Local Device record with the red trashcan Delete Local Device button
Hamburger menu:
- Today's Log Lines: a shortcut to the the Reports module with the device pre-selected in data views
- Add Network Interface**: add an additional network interface to the device
- Reset DrawBridge Agent: reset the record association with the DrawBridge Agent
- Record Activity Stream: view the changelog for this Device record
Bookmark this page with the ribbon Bookmark button

Informational Tabs

Network Interfaces: IP address(es) and Mac address(es) associated with the device.

Keep in mind that a device can have multiple network interfaces and also multiple IP addresses, so multiple lines may be listed here. For example, a laptop may have a Wi-Fi network interface as well as a wired Ethernet interface. Both interfaces will have unique MAC/hardware addresses, so if you want to apply a filter policy to that particular Device, no matter how it is connected to your network, you’ll need to ensure both interfaces (WiFi and Ethernet) are specified here.
Access Policies: a list of Access Policies that are applied to this device. (see Content Filter: Access Policies for further information)

This list is generated based on the membership of the Device in a particular Device Group, a component of an Access Policy. The exact Access Policy can be visited by clicking the link in the list under the Name column, or, you can view all Access Policies for your company by clicking the Access Policies/Access Policy Dashboard button to the right.

Device Group Membership

A local device is always part of the alldevices Device Group of the associated Company. A local device can be associated with an unlimited number of Device Groups. See the Device Groups page for further information

FAQs

Q: Why aren't Local Devices automatically appearing on my account?

A: Auto-generated Local Device records are only generated for the Main Company. Verify that your account is set as Main if you are not seeing Local Device records auto-populate.

Q: Why doesn't the Local Device record display the MAC address of my device?

A: Bogus/Randomized MAC addresses may be automatically discarded by the console to reduce the amount of auto-generated Local Device records. For more context and a resolution, see the Question "Why are there so many Local Devices listed?".

Q: Why are there so many Local Devices listed? (I only have X number of devices on my network.)

A: Several factors may result in a proliferation of Local Device records:

“Network churn”: many new devices joining the network and old ones leaving. The DHCP server will do its job to utilize the limited address space available to it, which may involve assigning a previously-used address to a new device. This may result in the DrawBridge creating additional Local Device records or unexpectedly adding new MAC address associations to an existing IP Address / Hostname record.

Countermeasure: configure address reservations in your network DHCP server (DrawBridge ClearOS webconfig panel or other network equipment, if applicable) to ensure that a specific MAC address may only ever be assigned a specific IP address.
Operating system privacy features: randomized hardware interface addresses (also known as MAC addresses). Most operating systems now have functionality to generate a random hardware address for a particular network to prevent devices from being tracked across public WiFi hotspots. While most Operating Systems will maintain the same randomly-generated MAC address for a particular “remembered” network, if you reset your network settings or Forget the saved network, and re-join, the randomly-generated MAC will have changed. As above, this may result in the DrawBridge creating additional Local Device records or unexpectedly adding new MAC address associations to an existing IP Address / Hostname record.

Countermeasures: Turn off physcial/MAC address randomization for your DrawBridge-protected network name (for example, for your WiFi network), and then set a DHCP reservation for the actual device hardware MAC address. Turn off hardware address randomization, by operating system:
- iOS: Settings/WiFi/ information icon/ toggle Private WiFi Address off
- Android: Settings/WiFi/ gear icon/Advanced/set Privacy to Use Device MAC
- Windows 10; All Networks: Settings/Network and Internet/WiFi/toggle Use random hardware addresses off
- Windows 10; Specific Network: Settings/Network and Internet/WiFi/Manage Known Networks/select /Properties/set Use random hardware addresses to off
- Windows 11: Settings/Network and Internet/WiFi/ gear icon/Advanced/Privacy/set Use device MAC
Then add an address reservation in your DHCP server, as described above.

Note: The DrawBridge console does perform a background cleanup of "dead" local device records on a regular basis.

Q: Any type of "agent" software available for Windows computers to positively identify Local Devices on a network?

A: Yes! See the page DrawBridge Agent Reference in this chapter for further information

Q: Can I create an “entity” for an IP address range instead of making a bunch of Local Device records?

A: Yes! Create a new Local Device, and in the Platform field, select Network IP / IP Range, then enter the IP address range. This special “Local Device” can be used in a Device Group just like an ordinary Local Device or Remote Device record.

Devices

Remote Devices

A Remote Device connects through your DrawBridge from "outside" your network -- from the public Internet.

Remote Devices are created by:

A DrawBridge Console user: Click the + located in the upper right corner of the Local Devices list view to to create a new Local Device Record.
CF Odoo Portal sync: Devices created in the Portal are automatically synchronized either via a triggered sync run (Cloud Servers), or the scheduled sync job.

In the Remote Device list view, select any remote device record by tapping the username shown in the Filter Username column to see an individual device record.

Record View

The individual Remote Device record contains the following parameters:

Parameter	About
Company	the Company associated with the Device; see the Accounts section for more information
Console User	the Person record associated with the Remote Device
Filter Username	the unique username this Device uses for authentication; this must either match or begin with the username of the associated Console User/Person
Email	the email address of the associated Person record
Status	this device record is: `Active` or `Inactive`
Canonical ID	the global unique identifier for this Remote Device; used for synchronization
Contact CID	the global unique identifier of the associated Person record; used for sychronization
Last Active	the timestamp of the last filter traffic recorded for this device
Device Type	the type of hardware, such as Laptop, Smartphone, Tablet, and so forth

Remote Device Record header Buttons:

Add a new Remote Device record with the blue + Create Remote Device button
Edit this Remote Device record with the green pencil Update Remote Device button
Delete this Remote Device record with the red trashcan Delete Remote Device button
Hamburger menu:
- Update Personal Details: edit the information of the associated Person record
- Set Console Password: set a DrawBridge Console password for this Remote Device User
- Add Group Membership: add this Remote Device User to a Console Permission Group (see Informational Tabs: Permissions, below)
- View Realtime Log Lines: jump to the Realtime Log Viewer, with the data view limited to this device
- Today's Log Lines: jump to the the Reports module with the device pre-selected in data views
- Record Activity Stream: view the changelog for this Device record
Impersonate User (take on the identity and permissions of this Remote Device user in the DrawBridge; used for troubleshooting)
Bookmark this page with the ribbon Bookmark button
Sync Menu (chain-link icon)
- Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
- Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
- Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
- Mark to Resync: flag this record in the background to be included in the next sync run

Informational Tabs

Authentication: Additional parameters used to identify the device to streamline authentication. See Why do I need to have a Port/Platform/ExternalNetwork set for a Remote Device? in the FAQ below.

Also displayed are:
- User URL: a link that can be visited in a browser on the device to authenticate its public IP with the DrawBridge
- PAC URL: Proxy Auto-Configuration: a spec-compliant URL that can be used by major operating systems to programatically fetch proxy settings
Auth Activity: A recent history view of public IP addresses that this device has successfully authenticated from, in addition to the associated reverse-DNS network name, when retreivable.
Access Policies: a list of Access Policies that are applied to this device. (see Content Filter for more information on Access Policies) This list is generated based on the membership of the Device in a particular Device Group, a component of an Access Policy. The exact Access Policy can be visited by clicking the link in the list under the Name column, or, you can view all Access Policies for your company by clicking the Access Policies/Access Policy Dashboard button to the right.
Permissions: a list of Console Permission Groups that this Remote Device User is a member of. (Permits or does Not Permit the submision of an AutoFix, for example)

Device Group Membership

A remote device is always part of the alldevices Device Group of the associated Company. A remote device can be associated with an unlimited number of Device Groups. See the Device Groups page for further information.

FAQs

Q: Why am I getting a Proxy Authentication Required popup on my mobile device?

A: Your device is not properly authenticated with the DrawBridge. Visit the User URL for your device in a browser on that device, and ensure you get a Success message.

If you continue to get these Proxy Authentication Required popups after a successful authentication event:

Verify the proxy configuration on the device is correct (particularly the assigned port)
Verify the network you are connecting from is listed in External Networks under the device. See the FAQ item below: How does setting Port+Platform+ExternalNetwork information assist Remote Device authentication?

Q: Why does the Last Active timestamp not line up with the known usage of the Remote Device?

A: This timestamp is the last recorded filter log activity for the device. There are several possibilities to explain why a device that is known to be in-use is not showing a current corresponding timestamp:

The device does not have a data connection.

Solution:
- Ensure the device has an active data plan and/or connect the device to an open WiFi network (not a captive-portal-controlled network, such as many public hotspots).
- Perform activities on the device that will generate log data, such as visiting a search engine in a browser.
- Verify while performing the activies that loglines are shown in the DrawBridge Realtime Log Viewer for the device.
- If loglines for that device are displayed in the Realtime viewer, wait at least 15 minutes for the logs to be processed.
- Refresh the Device Record page to see if the Last Active timestamp has been updated.
The device is not properly authenticating with the DrawBridge, therefore, no web activity logs are being recorded.

Solution:
- Follow the same steps as detailed above to verify there are loglines displayed in the Realtime Log Viewer for the device in question.
- If there are no loglines, and yet web resources can be accessed on the device, then the proxy software on the device is failing to properly proxy traffic.
- Verify the proxy settings/software on the device are correctly configured.
- Visit the device User URL in a browser on the device to trigger an authentication event while monitoring the DrawBridge Realtime Log Viewer Errors Log, with the Remote Device port entered in the Pattern field. You should see one or more lines indicating successful authentication.
Note for Android devices: Android has a "fail-open" proxy design, so if authentication fails for any reason, Android will bypass the proxy. This can generally be resolved by re-authenticating the device with the DrawBridge.
The only traffic that is getting recorded is considered "system activity" and is not considered reportable, and is therefore not saved, so the Last Activity timestamp is not updated.

Solution: Follow the steps in #1 and #2 (if needed) to ensure the device is properly proxied and authenticating with the DrawBridge.

Q: Why do Remote Devices need to be authenticated?

A: It's critical for filtering and reporting purposes that the device that is connecting to the DrawBridge be postitively, unmistakably, identified.

Beyond that, anything connected to the internet is potentially a target for misuse. For example, if no authentication (username/password) was required for a remote device, a hacker could route their activities unimpeded through your internet connection, therefore making their malicious traffic appear to be originating with you. You may be held legally responsible for what happens on your internet connection. Depending on the type of activities, you may receive a legal notice warning of a DMCA violation. (Digital Millenium Copyright Act.) However, requiring authentication from all remote devices eliminates these concerns.

Q: How does setting Port+Platform+ExternalNetwork information assist Remote Device authentication?

A: As noted above, the DrawBridge requires authentication for Remote Devices. However, mobile operating system platforms (Android and iOS) are notorious for failing to always communicate the required credentials for authentication of each network session they establish. So, to smooth the user experience, the DrawBridge accomodates "assumed authentication" -- if a network request matches all three parameters:

sent to the unique Port assigned to the device
sent by the operating system Platform specified for the device
originates from an External Network (mobile network) the device is known to be using

... then the DrawBridge will "assume" that the request is legitimate and consider the request authenticated. This prevents repeated Proxy Authentication Required popups on mobile devices as they roam cellular networks.

Devices

Device Groups

Device Group records are entities containing one or more Devices to which Access Policies can be applied. See Content Filter: Web Page Access for further information.

In the Device Groups list view, click the drop-down arrow button to the left of a line name to display member devices and associated Access Policies.

Depending on your Console Permission Group membership, and whether multiple Companies are present on your DrawBridge, you will be able to see all the Device Groups available on the system. See Essential Concepts: Record Model - Tenancy and Hierarchy for further information.

Note: This panel only displays "static" device groups. For parameter-based "Smart Device Groups", see the Content Filter module.

Devices

SSL Certs

The DrawBridge CA certificate is required on all client devices for proper operation with the DrawBridge.

Different operating systems require different certificate types or encoding types. This menu gives you the appropriate certificate for your operating system. Click the appropriate operating system for your use case and follow the instructions to install the certificate.

Visit the SSL Certs page

If you're on a DrawBridge-protected network, visit the SSL Certs dashboard at: http://draw.bridge/sslcerts/dashboard/

If you're not on a DrawBridge-protected network, visit the SSL Certs dashboard on one of our cloud servers, such as:

Linux systems

As of this writing, a script to install the DrawBridge root CA certificate is available on all DrawBridge systems, however it is not visible in the user interface at this time.

Installation instructions:

Download the installer script here: http://draw.bridge/static/software/linux_installer.zip (Note: must be on a DrawBridge-protected network with DNS resolution properly configured.)
Open a terminal and navigate to the directory where you saved the script. (eg. cd ~/Downloads/)
Extract the script: unzip linux_installer.zip
Run the script: sudo ./Linux_Installer.sh
Recommended: restart your system, or, at a minimum, your web browsers

Devices

External Networks

External Networks are used to assist with remote device authentication.

This list is managed by Compass and generally should not be edited. If you know of a new network that should be listed, please submit a support ticket to Compass (support@compassfoundation.io) to have the new External Network entry added to all DrawBridges.

Devices

DrawBridge Agent Reference

Overview

The DrawBridge Agent positively identifies and links the device it is installed on to a Local Device record in the DrawBridge. At initial install time, it will attempt auto-registration based on the device Hostname. Once the initial registration has occured, further authentication events identify the device to the DrawBridge using the registered Canonical ID (CID).

The DrawBridge Agent enables you to implement filter policies that follow a User around on your network, no matter what Device they are using, provided that the Windows User Name of the Person is known to the DrawBridge and matches a Person record present on the DrawBridge.

While this Agent was devloped primarily for companies with a Windows Active Directory server, it will also function on any local network that is protected by an onsite Drawbridge. Note that only Local Devices are supported (not Remote Devices, which presumably will be managed by a separate MDM [Mobile Device Management] service).

Notes regarding Active Directory Authentication Integration

See Accounts: Authentication Integration for more information on Active Directory server setup.

After initial Active Directory (AD) sync configuration, People records and Group associations can be exclusively managed in the AD server, and the DrawBridge will automatically synchronize that information over.
- The DrawBridge AD sync job automatically synchronizes over all Person and Directory Group records available in the AD infrastructure to the DrawBridge four times a day. (A manual sync can be triggered as well.)
Directory Groups are entities pulled from an AD/LDAP server. A Directory Group must be designated as a Proxy User Group in the DrawBridge to be able to assign it to a Device Group for an Access Policy take effect on it.
- See documentation book How To Guides: Assign a Proxy User Group to an Access Policy for further information.

Prerequisite Network Configuration

draw.bridge must resolve to the local DrawBridge IP address on the local network.

If the DrawBridge is not the DNS server, go to the network DNS server and create a new Forward Lookup Zone and create a new A record for draw.bridge to resolve it properly.

Agent Software Installation

Download the latest version of the Drawbridge Agent installer from https://www.compassfoundation.io/drawbridge_agent/releases/drawbridge_agent.exe.
Run the installer to install the Drawbridge Agent. By default it will be installed into the C:\Program Files (x86)\Compass Foundation\DrawBridge Agent folder. After a successful installation you should see an icon in the system tray.

It is also possible to run the installer silently with the following syntax.

DrawbridgeAgentInstallerX.X.Xexe /exenoui /qn

A prerequsite to running the Agent is that the .NET Desktop Runtime 6.0 or higher needs to be installed. The Drawbridge Agent installer will prompt the user to do this if it isn't already installed. In the case of a silent install, this will happen automatically if needed.
Alternatively, the runtime can be manually downloaded and installed from Microsoft's Download Page.

Operation

After installation the user can click on the icon in the system tray. The Agent will first attempt to register with the Drawbridge by matching the device hostname with the hostname of a Local Device record in the DrawBridge, and if that is successful, it will attempt to authenticate with the Drawbridge.
After this the Agent should automatically authenticate the currently logged in user at every Windows logon or unlock event. There will be toast messages shown to verify this, unless notifications are not turned on.

It is possible for the user to request a manual authentication with the Drawbridge. This is done either by left clicking on the icon in the system tray, or by right clicking and selecting Authenticate User.
Hovering over the icon in the system tray will show the currently logged in Windows user name.

Selecting the About Version option from the right click context menu will show contact and version information.
Selecting the More Info option from the right click context menu will open a dialog with some additional info that may be useful for debugging.

Clicking on the hyperlink in the details page will open up the console page for the local device that is currently being used. (#1 in screenshot). The console user that is currently associated with this device is shown at #2. This Active User can also be clicked on to open the console page for the user.

Selecting the Check for Updates option from the right click context menu will check to see whether there are any newer versions of the Agent available. If there are, the user can choose to update the Agent.

Details

After installation, when the user locks and unlocks the computer, or manually clicks on the icon in the system tray, the Drawbridge Agent will attempt to register the computer with the Drawbridge. If the registration is successful, the computer will be permanently linked to its associated local device in the console. This is a one time operation and will not be done again unless the user uninstalls and reinstalls the Agent.
After the intial registration, or after any subsequent user logon, the Agent will then proceed to try to authenticate the current Windows user and link the Windows user to a console user. There will be a toast message displayed that shows the outcome of this authentication attempt.
If for some reason a user is not able to register a computer with the Drawbridge, he should perform a Repair of the Agent by typing appwiz.cpl into the Windows start menu, then right clicking on the Drawbridge Agent item and selecting Uninstall/Change.

This will then open another dialog where the user can confirm the repair.

When a user uninstalls the Agent, the Agent sends a request to the console to remove the association between the local device on the console, and the user's computer. If this for some reason fails, the user will not be able to succesfully reinstall and register the Agent with the console in the future. It is possible to manually reset this association by logging onto the console, and selecting the option to Reset Drawbridge Agent as shown below.

Troubleshooting

Device Registration Failed - Unable to auto-register - partial match found

In this case the local device on the console did not have the clb.local suffix so the Agent coudl not find a complete match. Upon further investigation, the local device record also had two interfaces defined, one with a MAC and IP, the other with only a MAC. Removing the interface with only the MAC address, and reinitializing the registration process fixed the problem. In summary, there will be an attempt made to match host names that only partially match local device names, but there will need to be a different definitive match found.

Check Agent logs for more details

The Agent records a log file in the C:\Program Files (x86)\Compass Foundation\DrawBridge Agent\ folder. The file name is Drawbridge Agent.log.

The DrawBridge Agent reports that device Registration failed

An important note:

Randomized MAC addresses are not supported for the auto-creation of Local Device records in the DrawBridge. If you have an endpoint that is using a randomized MAC address, either turn off Randomized addresses, OR, if it's a Virtual Machine, for example, and that's not an option, manually create the Local Device record in the DrawBridge console and Make Sure the Hostname field matches the actual Device hostname exactly. Then, when the DrawBridge Agent does the "tap" authentication operation, it will match up with the Local Device record based on the hostname.

Resolution: Search the Local Device list Interface column for the IP address of the device that's failing to register. Take note of the Auto-Hostname field and compare it to the actual Device hostname. These two must match for the registration to be successful.

The DrawBridge Agent local device Registration fails after domain-joining the device

If the DrawBridge Agent is deployed on a Local Device that is then joined to an AD domain at some future point, the Canonical ID for that Local Device record will then be in conflict because of the ID pulled from the Active Directory database.

Resolution: Delete the existing Local Device record; the correct Local Device record should be automatically generated at next sync.

Miscellaneous Tech Notes regarding AD Sync:

AD Sync happens automatically 4 times a day, and can also be manually triggered.
Both plain-text sync and encrypted sync are available. Encryption is strongly recommended: use port 636 to default to LDAPS.

Usage Example

Tommy is a user in an AD database. He's assigned to the Warehouse AD Directory Group.
The Drawbridge has synced over both Tommy the person as well as the Warehouse AD Directory Group, AND Tommy's membership in the Warehouse AD Directory Group.
An Access Policy assigned to the Warehouse Device Group (of which the Warehouse AD Directory Group is a Proxy Users Group member) only allows access to Shipping and related business categories.
Then Tommy gets promoted as a manager to the Strategic Warehouse Development & Improvements Team. The network admin adds Tommy to the Managers AD Directory Group.
The DrawBridge also knows about the Managers AD Directory group group, and a policy already configured for that group allows access to additional categories for research purposes.
When the network admin adds Tommy to the Managers AD Directory group, the DrawBridge synchronizes that information over, and Tommy automatically gets the increased content filter access without anyone needing to touch filter settings in the DrawBridge.

Content Filter

Overview and Essentials

As of November 2023, the Network Access module has been renamed to Content Filter.

Create and manage rulesets to control the web content access of Local and Remote Devices.

Important Notes:

1. About changing default Category Allow/Block settings

The DrawBridge comes with a preset Action for each included Category. When you assign an Action (Allow/Block) to a Category, you're simply applying a change that gets higher priority than the default setting. This means:

You don't need to re-specify your Action preference for every built-in Category -- you only need to include the Categories in your Access Policy that you wish to assign a different action to than is default.

For example: built-in Category Sports is set to a default action of Block.
- If Block is the action you prefer, you do not need to add it to an Access Policy (eg. Company Preferences) with an action of Block -- the default setting is already doing this.
- If Allow is the action you prefer, then you do need to add it to an Access Policy (eg. Company Preferences) with an action of Allow to override the default action.
In the event a custom Access Policy is removed, the filter will revert to the default Action for that Category.

2. Default Category settings are Business-focused

The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you will want to set more categories to Allow in your Company Preferences Access Policy, or in a custom Access Policy.

Categories, Category Types, and Actions

Categories contain Patterns:

Pattern: a text string representing a domain or regular expression.

Categories can be one of two types:

Classifier category
ACL (Access Control List) category

Actions that can be assigned to a category, by type:

Classifier category:
- Allow
- Block
- Ignore
ACL category:
- Whitelist (allow in spite of Classifier score, above)
- Blacklist (block in spite of Classifier score, above)
- Blanketblock (block all requests Not matching these patterns)

Understanding Classifier categories

Classifier category patterns consist primarily of word and phrase lists (and also domains). The Redwood filter engine evaluates HTTP/S requests and responses and totals up a score for all categories with matching patterns. Then Redwood applies the action (Allow/Block) assigned to the top-scoring category.

Built-in Category patterns are managed by Compass Foundation. If you have improvements you wish to have considered for inclusion in the Built-in Categories, please send a detailed email to support@compassfoundation.io.

Understanding ACL actions & categories

Background

The Redwood filter engine analyzes all the components of a URL, including:

Schema
Top-level Domain (TLD), Domain, and Subdomains
Path
Query String

Also, Redwood analyzes additional parameters of the HTTP request:

Method
Content Type
User Agent
Referrer
and more

Illustrated:

In general, an ACL leverages one or more of these parameters to "tag" a specific action to a request, despite the Category score assigned to the request by the Classifier.

(In other words, this prevents an "arms-race" situation wherein competing actions are assigned by various Classifier categories; an ACL action will always take effect when the parameters match, no matter what the Classifier score and associated Category Action is.)

Note: for an ACL action to fire, the request must meet the minimum threshold score of 200 points. At that point, the action assigned by the ACL to the request is "authoritative", again, no matter the Classifier score.

Redwood ACL Actions

Action	About
`allow`	permit the request
`block`	deny the request
`ignore`	do not factor in the score assigned by this category
`censor_words`	strip out profanity
`disable_proxy_headers`	strip out the X-FORWARDED-FOR header
`hash_image`	generate a mathmatical hash of this picture
`phrase_scan`	evaluate content for matching word phrases
`require_auth`	force HTTP 407 proxy authentication response/challenge
`sslbump`	intercept the SSL/TLS encrypted session
`sslbypass`	do Not intercept the SSL/TLS encrypted session
`virus_scan`	hand off response to external analysis engine

For example, ACLs managed behind-the-scenes of the DrawBridge instruct Redwood to fire the SSL/TLS-inspection action on all requests (or not, in the case of SSLbypass/"Bypass Filter").

ACL Categories in the Console

Categories of the the type ACL enable you to leverage the "authoritative" nature of ACLs in your filter configuration.

In general, it is recommended to configure the desired content filter behavior by assigning Allow or Block to the built-in Classifier categories -- leveraging the "intelligence" built-in to these categories is a much less maintenance-intesive route to content control.

However, perhaps you want to Always assign a specific action (eg. Block) to a specific website. ACL categories are your friend in such a case: by adding a domain to an ACL category with a Block action assigned, the website will always block, even if the action assigned to the Classifier category is Allow.

The preset Always Allow and Always Block options in the Access Policy Dashboard are putting the domains in an ACL category that has the corresponding action assigned to it. These apply Company-wide.

Note: the default score assigned to all ACL category patterns is "1500". Adjusting this number will have no impact on the outcome of the action taken for that pattern, so long as the number is over the minimum score threshold of 200 -- the key detail here is that the pattern is part of an ACL category, so the action assigned to the ACL category is what will happen.

Advanced ACLs in the Console

Advanced ACLs simply expose many more "knobs" to apply a specific action with more granularity. Perhaps, for example, you want to only sslbypass a specific website for a specific Device Group. Advanced ACLs give you the toolset to configure that.

Filter Actions FAQ

Q: What happens if I put a domain in both Always Allow and Always Block? Or what if I put a domain in two different ACL categories with competing actions assigned?
A: Don't do that. :) In such a case, the outcome will be arbitrary. Decide what action you really want to have happen and adjust the policy accordingly.

What is an Access Policy?

An Access policy is the grouping of Devices, Actions, Times, (and, optionally, Applications) to create a customized DrawBridge content filter configuration.

This diagram illustrates:

The Drawbridge supports the "stacking" or "layering" of Access Policies, enabling you to tailor the content filter experience for your users.

Access Policies by Type/Scope

Tenancy Type	Ruleset Scope
Company Access Policy	one Company
Access Policy Group	one Accountability Policy; available to apply to member Companies
Universal Access Policy Group	globally available to all DrawBridges
System Access Policy	a specific DrawBridge; applies to all tenant Companies on that system

What is a Rating?

The DrawBridge classifies text into categories. But what is the the tone of these categories? And what do they values do they represent? A Rating system should help answer that question, as well as offer visual clues for the report reader.

But what kind of rating system? Unlike other filter projects, the DrawBridge does not rate content by who it's appropriate for - as in Everyone / Teens / Adults - but somewhat more like where it is appropriate. The rating names are drawn from the concept of particulate filtering - how fine or coarse is the filter mesh that would permit the content to traverse it.

A key assumption here is that the Internet is most frequently being used in a workplace environment, facilitating the everyday tasks of research, transactions, and commerce. Usage reports are colorized according to the Category Ratings of the content that was accessed.

Misc Rating

The Misc Rating is used when no category of interest could be found. Perhaps the request incident was not text-based, or perhaps a category needs to be extended or created to for this type of situation.

Base Rating

The Base Rating is the most general grade, including categories like Search Engines or Technology Services. Any more specific category and rating would be preferred. For example, it's great to know that a body of text is about Search Engines, but it's better to know what is being searched for.

Silt Rating

The Silt Rating is expected usage in the workplace environment. While not every workplace will commonly access every category in the Silt Rating, any given user in the business environment will periodically need most categories found here.

It is recommended that all categories in the Silt Rating be "allowed" in the workplace, although policies can be created to limit access to given devices.

Sand Rating

The Sand Rating will still be frequently used in the workplace environment, although the industry type will very much determine how much categories in Sand Rating are accessed.

Categories in the Sand Rating can be "allowed" or "blocked" per the business owner's preferences or the preferences established by the Accountability Policy.

Pebble Rating

The Pebble Rating contains categories that generally fall outside the workplace, while remaining universally pertinent to other areas of life, such as Medical, News, Clothing, etc.

Categories in the Pebble Rating can be "allowed" or "blocked" per the business owner's preferences or the preferences established by the Accountability Policy.

Stone Rating

The Stone Rating contains categories that are increasingly beyond the scope of any type of workplace, reaching more into popular culture and society at large.

Categories in the Stone Rating will typically be blocked by most business owners and school administrators.

Rock Rating

The Rock Rating contains categories that tend to represent the rougher edges of popular culture and general society.

Categories in the Rock Rating will typically be blocked by all business owners and school administrators.

Boulder Rating

The Boulder Rating categories that represent the "redlight" district of the Internet. These categories cannot be enabled in the Redwood Console even by administrators.

Categories in the Boulder Rating are always blocked, and cannot be allowed in the DrawBridge.

Actions for Classifier categories

Action	When this category is the top-scoring one on a web request:
`allow`	web request content loads as expected
`block`	web request is served a block page instead of the original destination webpage
`ignore`	web request action referred to next-to-top scoring category

When to use the `ignore` Action

In most situations, the category action should be allow or block, but in some situations the next-to-top scoring category is more meaningful. For example, an automotive shop may perform work that overlaps with the Racing category. If Racing is set to block, the shop's activities will be hampered. If Racing is set to allow, then access may be wider than desired.

Solution - set Racing to ignore. If next-to-top-scoring category is Automotive, the page will be allowed, and if it's Sports, the page will be blocked as Sports.

Filter processing flowchart: Category Filtering

Actions for ACL categories

Action	About
`whitelist`	A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. Use with caution!
`blacklist`	A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Block, in spite of the content scores.
`blanketblock`	A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply regular category-based filtering and block access to all other sites not specified in the blanketblock category (or a linked category)

See below for more information:

Whitelist

A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. Use with caution!

Filter processing flowchart:

Blacklist

A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Block, in spite of the content scores.

Filter processing flowchart:

Blanketblock

A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply regular category-based filtering and block access to all other sites not specified in the blanketblock category (or a linked category)

Filter processing flowchart:

Content Filter

Web Page Access

Access Policies are grouped by Tenancy type:

Company
Policy Group
Universal
Appliance/System

See Essential Concepts: Record Model - Tenancy and Hierarchy for more information.

Click the type of Access Policy for a list view of that type.

In the list view, view a specific Access Policy by clicking on the Name of the policy. This will display the Record view for its type, detailed below.

Company Access Policy record

Attribute	About
Company	the associated Company
Policy	the associated Accountibility Policy (If there is none, this field will not appear)
Status	this record is Active or Inactive
Canonical ID	the global unique identifier for this Access Policy; used for synchronization
Company Policy Dashboard [link]	jump to the Access Policy Dashboard of the associated Company (above)
Type	the tenancy type of the Access Policy
Hits Today	a counter of how many times web traffic has triggered this policy today on this DrawBridge
Device Group	the associated Device Group: who the Access Policy is applied to
Action Group	the associated Action Group: what the Access Policy is enforcing
Time Group	the associated Time Group: when the Access Policy is effective. Optional: if no Time Group is configured, the Access Policy applies all the time.
Application Group	the associated Application Group: which application traffic the Access Policy acts upon. Optional: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

Create Access Policy with the + button
Update Company Access Policy with the pencil Edit button -- make changes to this access policy.
Delete Company Access Policy with the trashcan Delete button -- delete this access policy
"Hamburger Menu"
- Record Activity Stream: view the changelog for this Access Policy record
Bookmark the page with the ribbon Bookmark icon
Trigger Sync actions with items in the the chain-link sync icon menu

Informational Tabs

Devices: List view of the member devices in the associated Device Group
Categories: List view of the Categories contained in the associated Action Group.
- Add an additional Category to the Action Group with the Add Category Action Pair button, or add multiple Categories at once with the Bulk Assign Categories button.
- Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil Update Record button on the specific Category line desired.
- Remove a Category from the Action Group with the trashcan Delete button.
  
  Note: removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
Times: List view of the Time Range(s) from the associated Time Group when this Policy is effective. Note: this tab only displays if a Time Group is assigned to the Policy.
- Add a Time Range with the Add Time Range button.
- Edit a Time Range with the pencil Update Record button on the time range line in focus
- Delete a Time Range with the trashcan Delete Record button on the time range line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
ACL Actions: Special access control list actions that are assigned to this access policy.
- Add an ACL action with the Add ACL Action button
- Edit an ACL Action with the pencil Update Record button on the ACL Action line in focus
- Delete an ACL action with the trashcan Delete Record button on the ACL Action line in focus
Permissions: The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
- See the Permissions and Relationships in Essential Concepts for more information.

Access Policy Group record

Attribute	About
Policy	the associated Accountibility Policy (If there is none, this field will not appear)
Status	this record is Active or Inactive
Canonical ID	the global unique identifier for this Access Policy; used for synchronization
Type	the tenancy type of the Access Policy
Hits Today	a counter of how many times web traffic has triggered this policy on this DrawBridge
Device Group	the associated Device Group: who the Access Policy is applied to
Action Group	the associated Action Group: what the Access Policy is enforcing
Time Group	the associated Time Group: when the Access Policy is effective. Optional: if no Time Group is configured, the Access Policy applies all the time.
Application Group	the associated Application Group: which application traffic the Access Policy acts upon. Optional: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

Create Access Policy with the + button
Update Access Policy Group with the pencil Edit button -- make changes to this access policy.
Delete Access Policy Group with the trashcan Delete button -- delete this access policy
"Hamburger Menu"
- Add Device Group: assign an additional Device Group to this Access policy Group
- Record Activity Stream: view the changelog for this Access Policy record
Bookmark the page with the ribbon Bookmark icon
Trigger Sync actions with items in the the chain-link sync icon menu

Informational Tabs

Device Groups: List view of the member device groups in the associated Device Group collection.
Categories: List view of the Categories contained in the associated Action Group.
- Add an additional Category to the Action Group with the Add Category Action Pair button, or add multiple Categories at once with the Bulk Assign Categories button.
- Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil Update Record button on the specific Category line desired.
- Remove a Category from the Action Group with the trashcan Delete button.
  
  Note: removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
Times: List view of the Time Range(s) from the associated Time Group when this Policy is effective. Note: this tab only displays if a Time Group is assigned to the Policy.
- Add a Time Range with the Add Time Range button.
- Edit a Time Range with the pencil Update Record button on the time range line in focus
- Delete a Time Range with the trashcan Delete Record button on the time range line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
ACL Actions: Special access control list actions that are assigned to this access policy.
- Add an ACL action with the Add ACL Action button
- Edit an ACL Action with the pencil Update Record button on the ACL Action line in focus
- Delete an ACL action with the trashcan Delete Record button on the ACL Action line in focus
Permissions: The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
- See the Permissions and Relationships in Essential Concepts for more information.

Universal Access Policy Group record

Attribute	About
Status	this record is Active or Inactive
Tenancy	displays tenancy; this record is Universal
Canonical ID	the global unique identifier for this Access Policy; used for synchronization
Type	the tenancy type of the Access Policy
Hits Today	a counter of how many times web traffic has triggered this policy on this DrawBridge
Device Group	the associated Device Group: who the Access Policy is applied to
Action Group	the associated Action Group: what the Access Policy is enforcing
Time Group	the associated Time Group: when the Access Policy is effective. Optional: if no Time Group is configured, the Access Policy applies all the time.
Application Group	the associated Application Group: which application traffic the Access Policy acts upon. Optional: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

Create Access Policy with the + button
Update Universal Access Policy with the pencil Edit button -- make changes to this access policy.
Delete Universal Access Policy with the trashcan Delete button -- delete this access policy
"Hamburger Menu"
- Add Device Group: assign an additional Device Group to this Access policy Group
- Record Activity Stream: view the changelog for this Access Policy record
Bookmark the page with the ribbon Bookmark icon
Trigger Sync actions with items in the the chain-link sync icon menu

Informational Tabs

Device Groups: List view of the member device groups in the associated Device Group collection.
Categories: List view of the Categories contained in the associated Action Group.
- Add an additional Category to the Action Group with the Add Category Action Pair button, or add multiple Categories at once with the Bulk Assign Categories button.
- Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil Update Record button on the specific Category line desired.
- Remove a Category from the Action Group with the trashcan Delete button.
  
  Note: removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
Apps: List view of the apps in the associated Application Group Note: this tab only displays if an Application Group is assigned to the Policy.
- Add an Application with the Add Application button.
- Edit a Application with the pencil Update Record button on the application line in focus
- Delete an Application with the trashcan Delete Record button on the application line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Application to the Appilcation Group, as well as the specified Applications.
Times: List view of the Time Range(s) from the associated Time Group when this Policy is effective. Note: this tab only displays if a Time Group is assigned to the Policy.
- Add a Time Range with the Add Time Range button.
- Edit a Time Range with the pencil Update Record button on the time range line in focus
- Delete a Time Range with the trashcan Delete Record button on the time range line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
ACL Actions: Special access control list actions that are assigned to this access policy.
- Add an ACL action with the Add ACL Action button
- Edit an ACL Action with the pencil Update Record button on the ACL Action line in focus
- Delete an ACL action with the trashcan Delete Record button on the ACL Action line in focus
Permissions: The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
- See the Permissions and Relationships in Essential Concepts for more information.

System Access Policy record

Attribute	About
Company	the associated Company; this will be the Main Company on the DrawBridge
Status	this record is Active or Inactive
Tenancy	displays tenancy; this record is Universal
Canonical ID	the global unique identifier for this Access Policy; used for synchronization
Type	the tenancy type of the Access Policy
Hits Today	a counter of how many times web traffic has triggered this policy on this DrawBridge
Device Group	the associated Device Group: who the Access Policy is applied to
Action Group	the associated Action Group: what the Access Policy is enforcing
Time Group	the associated Time Group: when the Access Policy is effective. Optional if no Time Group is configured, the Access Policy applies all the time.
Application Group	the associated Application Group: which application traffic the Access Policy acts upon. Optional: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

Create Access Policy with the + button
Update System Access Policy with the pencil Edit button -- make changes to this access policy.
Delete System Access Policy with the trashcan Delete button -- delete this access policy
"Hamburger Menu"
- Add Device Group: assign an additional Device Group to this Access policy Group
- Record Activity Stream: view the changelog for this Access Policy record
Bookmark the page with the ribbon Bookmark icon
Trigger Sync actions with items in the the chain-link sync icon menu

Informational Tabs

Device Groups: List view of the member device groups in the associated Device Group collection.
Categories: List view of the Categories contained in the associated Action Group.
- Add an additional Category to the Action Group with the Add Category Action Pair button, or add multiple Categories at once with the Bulk Assign Categories button.
- Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil Update Record button on the specific Category line desired.
- Remove a Category from the Action Group with the trashcan Delete button.
  
  Note: removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
Apps: List view of the apps in the associated Application Group Note: this tab only displays if an Application Group is assigned to the Policy.
- Add an Application with the Add Application button.
- Edit a Application with the pencil Update Record button on the application line in focus
- Delete an Application with the trashcan Delete Record button on the application line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Application to the Appilcation Group, as well as the specified Applications.
Times: List view of the Time Range(s) from the associated Time Group when this Policy is effective. Note: this tab only displays if a Time Group is assigned to the Policy.
- Add a Time Range with the Add Time Range button.
- Edit a Time Range with the pencil Update Record button on the time range line in focus
- Delete a Time Range with the trashcan Delete Record button on the time range line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
ACL Actions: Special access control list actions that are assigned to this access policy.
- Add an ACL action with the Add ACL Action button
- Edit an ACL Action with the pencil Update Record button on the ACL Action line in focus
- Delete an ACL action with the trashcan Delete Record button on the ACL Action line in focus
Permissions: The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
- See the Permissions and Relationships in Essential Concepts for more information.

Content Filter

App Stores

Allow access to platform App stores

Access to operating system app stores is blocked by default because they cannot be internally content-filtered.

Quick-access wizards to add Device Groups to preconfigured App Store Access Policy Groups, by platform:

Apple (iPhoneOS/iPadOS/MacOS)
Google Play (Vision phones, Android up to and including version 6, ChromeOS, Chrome Browser Extensions)
Windows (Windows 8 and higher)

Click the platform you wish to open. A wizard will open, prompting you for the following information:

Parameter	About
Device Group	select an existing Device Group for which you wish to open the Store
Required	select whether this configuration requires Accountability permissions to change
Time length	select the timeframe you wish this to apply

Note about Android 7 and newer/ChromeOS Play Store access

Android 7 and newer devices, as well as ChromeOS devices, may require bypassed access to all of google.com for the Play Store to work properly. Obviously, this suspends content filtering for all of Google.

For this reason, there is a separate Access Policy Group to use: Android 7 and up AppStore -- Add the device group (for example alldevices) to this Policy to enable the Play Store for these devices.

Close access to the Store

If you wish to Close the store access opened here, visit your Company Access Policy Dashboard and click the Actions menu on the relevant Access Policy line. Then click Details and Delete. Select Delete Everywhere to ensure it is turned off across your entire account (particularly if your account spans multiple DrawBridge sysytems).

Important Notes

As noted above, the Google Play Store needs to be opened to access the Chrome Extensions store on the Chrome Desktop browser (on all platforms).
Because of backend services overlap, YouTube may begin working if the Google Play Store is enabled, even if the YouTube category is set to Block.

Content Filter

Media Room

The Media Room enables the classification of videos hosted on public video hosting websites, such as YouTube.

For the Media Room to work, the YouTube and Vimeo category must be left at its default blocked setting on the access policy dashboard. * Manually setting the YouTube category to block will block the Media Room and setting the YouTube category to allow will bypass the Media Room

Videos

The Videos module displays a list view of all the videos the DrawBridge has classified.

Click the title of a video in the list to view the video classification record.

Video record view

A video classification record has the following parameters:

Parameter	About
Title	The title of the video
ID	The unique hash identifier provided by the video platform (if available)
Duration	The length of the video
Service	The platform that is hosting the video
Size	The resolution of the video, expressed in a pixel ratio
Channel	The DrawBridge-classified Channel associated with the video, if any (see Channels, below)
Category	The top-scoring Category for this video, determined by the DrawBridge content classifier
Rating	The DrawBridge Classifier rating of the video, based on the top-scoring Category

Record header buttons:

Create a new video classification record with the blue + Create Video button
Edit this video classification record with the green pencil Update Video button
Delete this video classification record with the red trashcan Delete Video button
Hamburger menu:
- Get Category review: jumps to a support ticket form to request clasification by a human
- Video Views by User: jump to Reports: Media Views module
- References to this video: jump to Content Filter: Media Room: Pages Linking to Media
Bookmark this record with the ribbon bookmark button
Sync Menu (chain-link icon)
- Mark to Resync: flag this record in the background to be included in the next sync run

Video Permissions

Jump to the Permissions record that applies to this video (see Permissions section, below). Displays lists views of people records with membership in the Media Admin and Media Viewer permission groups.

Informational tabs

Details

The Details panel contains:

If the origin platform is supported: thumbnail of the video will be displayed with a Play button below it (if the video passed the classifier configuration to be allowed to play)
The Description of the video, fetched from the platform hosting this video
The Genre(s) of the video, determined by the DrawBridge classifier
The Tags associated with the video, fetched from the platform hosting this video

Classification

A list view of any Category Classifications for this video

Classify a new video

Click the + button (Tooltip: Create Classified Media) in the upper right corner of the list view (or use the same + button on a video record page)
Enter the direct URL of the video you wish to classify. Note that it must be a direct link, not a URL-shortened link. For YouTube, the link should start as follows https://www.youtube.com/watch?v=+ the unique hash of the video in question.

Channels

Displays a list view of media channels that should be automatically polled and classified.

Click the title of a channel to view the Channel record page

Channel Record view

A channel record has the following parameters:

Parameter	About
Source	URL of the channel
Title	Title of the channel
Last Updated	Timestamp of the last check of the channel for new videos
Category	Classifier category assigned to the channel by a Media Room administrator
Rating	Classifier rating, based on the assigned Category, above

Record header buttons:

Add a new channel to be classified with the blue + Create Channel button
Edit this channel record with the green pencil Update Channel button
Delete this channel record with the red trashcan Delete Channel button
Hamburger menu:
- Get Category review: jumps to a support ticket form to request clasification by a human
- Channel Videos: jump to list view of the videos contained in this channel
- Channel Permissions: jump to a list view of the Permission Groups (with associated Company info) that may view/modify this Channel (see Permissions section, below)
Bookmark this record with the ribbon bookmark button
Sync Menu (chain-link icon)
- Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
- Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
- Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
- Mark to Resync: flag this record in the background to be included in the next sync run

`<number>` Channel Videos

Jump to a list view of all the videos in this channel that have been classified by the DrawBridge. Clicking an individual record will display a Video Record view, as described above.

Channel Permissions

Jump to the Company Channels permissions group list, which displays any Permission Group + associated Company information assigned to this channel. See Permissions, below.

Informational tabs

Details

The Details panel contains:

The Description of this channel, fetched from the platform hosting this channel
The Tags associated with this channel, fetched from the platform hosting this channel

Classification

A list view of any Category Classifications for this video

Permissions

Video Permissions

Set the Permission Group in which Users must be members to view a specific video. (If a video is in a Channel, the Video Permission Group overrides the Channel Permission Group.)

Displays a list view of Media records and the corresponding Permission Group assigned by the associated Company. Click a Media record link in this view to view a Video Permission record.

Record View

A Video permission record view contains the following parameters:

Parameter	About
Media	The title of the video to which this Video Permission record applies
Company	The Company associated with this Video Permission record
Permission Group	The associated, Company-assigned, minimum Permission Group required to view this video

Video Permission Record header buttons:

Add a new Video Permission Record with the blue + Create Video Permission button
Edit this Video Permission Record with the green pencil Update Video Permission button
Delete this Video Permission Record with the red trashcan Delete Video Permission button
Bookmark this record with the ribbon bookmark button
Sync Menu (chain-link icon)
- Create on Sync Publisher: push this record to the Sync server (only visible for newly-created records)
- Mark to Resync: flag this record in the background to be included in the next sync run

Informational Tabs

Viewers

List views of Person records which are members in the following Permission Groups:

Company Media Room Admin Group
Media Viewer Group

Channel Permissions

Set the Permission Group in which Users must be members to view all videos in a specific Channel.

Record View

A Channel permission record view contains the following parameters:

Parameter	About
Channel	The title of the Channel to which this Channel Permission record applies
Company	The Company associated with this Channel Permission record
Permission Group	The associated, Company-assigned, minimum Permission Group required to view videos in this channel

Channel Permission Record header buttons:

Add a new Channel Permission Record with the blue + Create Channel Permission button
Edit this Channel Permission Record with the green pencil Update Channel Permission button
Delete this Channel Permission Record with the red trashcan Delete Channel Permission button
Bookmark this record with the ribbon bookmark button
Sync Menu (chain-link icon)
- Create on Sync Publisher: push this record to the Sync server (only visible for newly-created records)
- Mark to Resync: flag this record in the background to be included in the next sync run

Informational Tabs

Viewers

List views of Person records which are members in the following Permission Groups:

Company Media Room Admin Group
Media Viewer Group

FAQs:

Q: Why does the title of a video just display _?

A: The title of the video was not able to be acquired. The video may have been embedded as part of another webpage.

Content Filter

Builtin Categories

Classifier categories provided by the Redwood project.

Classifier categories contain both URL and phrase patterns, operating on both HTTP Request and ResCategories are grouped by type and origin:

Builtin Categories
Console Categories
ACL Categories
Parent Categories

Click one of the Category Types displayed in the DrawBridge, and refer to the relevant section below for further information.

Builtin Categories

Classifier categories provided by the Redwood project.

Classifier categories contain both URL and phrase patterns, operating on both HTTP Request and Response. The patterns in Builtin Categories are managed by Compass and are not visible in the DrawBridge.

A list view is provided of all the included Categories. Click an individual Category for more information.

Record View

A Built-in Category contains the following parameters:

Parameter	About
Parent	The parent Category of this record; see Parent Categories, below
Rating	The Classifier Rating assigned to this Category. See Content Filter: Overview and Essentials
Description	Display Name of the category
Status	This record is `Active` or `Inactive`
Tenancy	Visibility in the DrawBridge ecosystem. See Essential Concepts: Record Model - Tenancy and Hierarchy
Canonical ID	The globally-unique identifier for this record
Synchronized	Indicates if this record is handled by Synchronization: `Yes` / `No`
Type	Displays the type of this record: `Builtin` / `Console` / `ACL` / `Parent`
System-wide Action	The default action assigned to this Category on this DrawBridge
Block Invisibly	Sets whether a Block page is returned (or not) when this Category is set to Block

Record header buttons:

Console Categories

Locally managed Classifier categories created on the DrawBridge.

Classifier categories contain both URL and phrase patterns, operating on both HTTP Request and Response.

ACL Categories

Locally managed ACL categories.

ACL Categories only contain rules that match URLs, and therefore operate only on HTTP Requests.

Parent Categories

The only purpose of Parent Categories is to make it easier for people to navigate the category lists.ponse. The patterns in Builtin Categories are managed by Compass and are not visible in the DrawBridge.

A list view is provided of all the included Categories. Click an individual Category for more information.

Record View

A Built-in Category contains the following parameters:

Parameter	About
Parent	The parent Category of this record; see Parent Categories, below
Rating	The Classifier Rating assigned to this Category. See Content Filter: Overview and Essentials
Description	Display Name of the category
Status	This record is `Active` or `Inactive`
Tenancy	Visibility in the DrawBridge ecosystem. See Essential Concepts: Record Model - Tenancy and Hierarchy
Canonical ID	The globally-unique identifier for this record
Synchronized	Indicates if this record is handled by Synchronization: `Yes` / `No`
Type	Displays the type of this record: `Builtin` / `Console` / `ACL` / `Parent`
System-wide Action	The default action assigned to this Category on this DrawBridge
Block Invisibly	Sets whether a Block page is returned (or not) when this Category is set to Block

Record header buttons:

Console Categories

Locally managed Classifier categories created on the DrawBridge.

Classifier categories contain both URL and phrase patterns, operating on both HTTP Request and Response.

ACL Categories

Locally managed ACL categories.

ACL Categories only contain rules that match URLs, and therefore operate only on HTTP Requests.

Parent Categories

The only purpose of Parent Categories is to make it easier for people to navigate the category lists.

Content Filter

Filter Configuration

Configure various advanced components of the DrawBridge, including technical settings for the Redwood filter engine.

ACLs and Auth

Advanced ACL, Authentication, and Page Content Modification settings

Advanced ACLs

Advanced ACLs act on the network request (not the response).

A list view is shown by default. Click the name of an ACL to view the individual ACL record.

ACL Record View

An ACL record contains the following parameters:

Parameter	Setting	About
Level	`Foundation`, `Standard`, `Override`	Defines the priority ruleset group of this rule
Status	`Active` or `Inactive`	This record is available/functional
Synchronized	`Yes` or `No`	This record is globally-available (`Yes`) or local-only (`No`).

List views are shown for associated:

Advanced ACL Patterns -- what triggers this ACL; rules to match traffic. Add a pattern with the Add button at the top of the list.
Advanced ACL Actions -- what this ACL will do to matching traffic. Add an action with the Add button at the top of the list.

Record header buttons:

Add an Advanced ACL record with the blue + Create ACL button
Edit an Advanced ACL record with the green pencil Update ACL button
"Waterdrop" menu button:
- New ACL Pattern: Add a new ACL Pattern to this record
- New ACL Action: Add a new ACL Action to this record
Bookmark this page with the ribbon Bookmark button
Sync Menu (chain-link icon)
- Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
- Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
- Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
- Mark to Resync: flag this record in the background to be included in the next sync run

Note that records wich are built-in/included with the DrawBridge cannot be edited or deleted, therefore those buttons are not available for those record types.

Also note that only relevant Sync Menu items are displayed, which means fewer options may be visible than mentioned here.

Page Pruners

Custom page pruning rules enable the selective removal of certain elements on a webpage. This is an advanced feature; it is assumed that you are familar with CSS (Cascading Style Sheets).

A list view is shown by default. Add a new Page Pruner rule with the blue + Create Page Pruners button in the upper right of the list view.

Record View A Page Pruner record contains the following:

Parameter	About
Status	`Active` or `Inactive`
Canonical ID	The globally-unique identifier for this record

Page Pruner Selectors ruleset list: Add a rule to this Page Pruners record with the Add button at the top of the record ruleset list view.

Page Pruner Record header buttons:

Create a new Page Pruner record with the blue + Create Page Pruner
Edit this Page Pruner record with the green pencil Update Page Pruner button
Delete this Page Pruner record with the red trashcan Delete Page Pruner button
Add a Pruner CSS Selector rule to this record with the blue scissors Add Pruner CSS Selector button
Bookmark this page with the ribbon Bookmark button
Sync Menu (chain-link icon)
- Create on Sync Publisher
- Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
- Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
- Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
- Mark to Resync: flag this record in the background to be included in the next sync run

Note that only relevant Sync Menu items are displayed, which means fewer options may be visible than mentioned here.

Proxy PAC rules

A few important notes:

PAC stands for Proxy Auto Config
Proxy PAC rules apply to only Remote Devices
Rules instruct the recipient operating system to bypass specific traffic from the DrawBridge proxy: in other words, don't redirect X traffic to the DrawBridge to be filtered.
Rules specified here are included in the response to All valid Proxy PAC requests made to this DrawBridge; i.e. there is no tenancy for these records -- they are system-wide.

PAC bypass rules do not have individual record pages.

However, each entry has the following parameters:

Parameter	Options	About
Function	`dnsDomainIs` or `isInNet` or `shExpMatch`	Designate type of pattern: domain name, IP address, or regular expression
Scope	`Host` or `URL`	Set whether the pattern is to match only on the domain name or a full URL string
Pattern	`<user-entered-data>`	The actual data you want to match. For example, if you selected `dnsDomainIs` and `Host`, then you might enter `example.com`
Subnet	`<user-entered-data>`	Subnet for address entered in Pattern when `isInNet` is selected (not used for other Functions)

Rule line buttons:

Edit a rule with the green pencil Update Record button on the relevant line
Delete a rule with the red trashcan Delete Record button on the relevant line
View the changelog with the blue Record Activity Stream button on the relevant line

Redwood Config

Advanced Redwood configuration file directives

Filter Parameters

Filter parameters are advanced, low-level configuration settings for the DrawBridge Redwood content classification engine. These settings are generally managed by Compass and should not be changed unless directed by Compass Foundation support staff.

Directives

Directives are additional advanced, low-level configuration settings for the DrawBridge Redwood content classification engine. These settings are generally managed by Compass and should not be changed unless directed by Compass Foundation support staff.

Safe Search

Safe Search is the enforcement of the Adult Content Blocking made available by various platforms, including YouTube, Bing, and Google.

It is recommended that this generally stay enabled for the cleanest browsing experience. However, with SafeSearch enabled, YouTube livestreams will not be available. It is nessesary to set the YouTube SafeSearch settings to Disabled to view livestreams on that platform. The burden for responsible use lies with the user in such cases.

Safe Search settings are managed at a Company level via the Preferences application. See Essential Concepts: Preferences for further information.

Content Filter

Troubleshooting

Realtime Log Viewer

View live filter traffic data on this DrawBridge, system-wide. Use requires System Owner or higher permission levels.

Individual Remote device Realtime Logs may be viewed by the Company Owner permission-level by visiting the Remote Device record , and clicking View Realtime Log Lines in the record hamburger menu. For Local Devices go to the Content Filter App, select Troubleshooting and then Realtime Log Viewer.

Display Filters

Userip applies to the Access Log and TLS Log only
Pattern applies to any of the three logs
Actions Allow, Block, Block Invisible, and SSLBump only apply to the Access Log

Log Types

Access Log: Live web traffic classification activity
TLS Log: Live information TLS sessions handled by the DrawBridge, including errors when the session establishment was not successful. Traffic that is SSLbypassed will not be visible here, because the DrawBridge is not intercepting and handling those sessions.
Errors Log: Live errors and remote device authentication data

Explaining the Filter Actions

Filter Action	About
`Allow`	The DrawBridge allowed the request after analysis
`Block`	The DrawBridge blocked the request after analysis, and served a block page
`Block Invisible`	The DrawBridge blocked the request after analysis, and served an invisible pixel (used primarily when blocking advertisements)
`SSLBump`	The DrawBridge intercepted the initiation of a TLS session and took over as Man-in-the-Middle.

Note for troubleshooting: When diagnosing a strange connection issue with a particular website or service, be sure to toggle on the SSLBump display filter -- sometimes a web server will abandon a connection when the DrawBridge intercepts the session. In such cases, you'll see one or more sslbump loglines, but no subsequent, allow or block lines as would typically be the case.

If the service must work, then the best solution is to put the domain in the Bypass Filter policy for the Company in question. Note that this does disable DrawBridge filtering on that domain, so use responsibly.

System Update

Regenerate Config Files

Filter changes are normally saved to disk when clicking the Reload button in the banner in DrawBridge.

Manually running this command should only be done when the filter behavior does not match current settings in DrawBridge, such as when output from the Realtime Log Viewer indicates that policy changes have not yet taken effect.

Restart Redwood

Filter adjustments take effect after clicking the Reload button in DrawBridge. Reloading the config files is significantly faster than restarting the filter process, and does not disrupt active network connections.

Use this option if you've changed the Port number for a Remote Device record, or if there's configuration setting that doesn't seem to match your expectations.

Update Classifier Patterns

Redwood receives periodic classification updates throughout the day to enhance accuracy in filtering and reporting. Click below to manually check for updates. Any available updates will automatically take effect.

This command is useful only if your filter administrator requests that it be run.

Content Filter

Content Scanners

Antivirus Scanner

Optional anti-virus file scanning. Contact Compass Foundation support to purchase this add-on.

Reports

Activity Viewers

Live Drilldown

Dive deep into logged activity data.

Important Note:

Data in Live Drilldown will have at least a 3 minute delay from actual occurance. If you need realtime traffic information, use the Realtime Log Viewer, accessed as follows:

Specific device: Select View Realtime Log Lines in the hamburger menu of a Remote Device record
Entire system: Select Realtime Log Viewer under Content Filter / Troubleshooting

Browse by Company

View all the traffic of a particular Company. (Most value in multi-tenant use-cases.)

Presents a list-view of all available Company records on the DrawBridge. After selecting a Company, the user is presented with the Browse by Request Type; see below for more information.

Browse by Category

View traffic statistics aggregated by Category.

Manipulate the data view with the following Select fields:

Timerange
Company
Category
Rating
Parent Category

List view displays:

Name of the Category
Cumulative number of hits in the selected timerange
Cumulative bandwidth in the selected timerange

Browse by Request Type

Page Views
Media Views
API Activity
Application Files
Erased Activity
Shredded Activity

Manipulate the data view with the following Select fields:

Timerange
Company
Category
Rating
Parent Category

List views display:

Column	About
Domain	Base domain of the request
Device	Origin username or IP address of the request
Hits	Counter: displays the number of times this request was made
Bandwidth	Total bandwidth consumed by this request
Time	Timestamp of this request
Type	`Ads/Avatars/Cruft`, `API Calls`, `Audio/Video`, `General Files`, `Page Assets`, `Page Visuals`, `Programs/Applications`, `Web Page`
Category	What the request was classified as

Browse by Searches

View search queries entered by users on popular search and ecommerce sites.

Manipulate the data view with the following Select fields:

Timerange
Company
Category
Rating
Parent Category

List view displays:

Column	About
Search term	The search query entered by a user
Device	Origin username or IP address of the request
Allow	Counter of how many time the request triggered this action
Block	Counter of how many time the request triggered this action
Domain	Site the request occured on
Category	Classification determined by the DrawBridge

Search Activity within the specified timerange by:

Search Term
Device
Domain

Browse by Media Views

View Media Classification requests for media hosted on popular video hosting platforms

Manipulate the data view with the following Select fields:

Timerange
Company
Category
Rating

List view displays:

Column	About
Title	Title of the video
Service	Platform hosting the video
Hits	Counter of how many times this request was performed

Search the data within the specified timerange by:

Name/Title
Service/Hosting platform

Browse by Page Titles

View title information for all visited websites. (The title is what displays in a browser tab.)

Manipulate the data view with the following Select fields:

Timerange
Company
Rating
Parent Category
Category

List view displays:

Column	About
Title	Title of the website
Device	Device making the request
Domain	Base domain of the request
Category	Classification of the request

Search the data within the specified timerange by:

Name/Title
Device
Domain

Browse by Antivirus Hits

Events logged by the optional Antivirus protection service

Manipulate the data view with the following Select fields:

Timerange
Company

List view displays:

Column	About
Name	Name of event
Domain	Domain of the request
File	Name of the file that was examined
Hits	Counter: number of times this file was requested
Bandwidth	Bandwidth consumed by this request

Search the data within the specified timerange by:

Name

Browse by Applications

View traffic that originated from Applications/programs (not necessarily browsers).

Manipulate the data view with the following Select fields:

Timerange
Company
Application
App Type

List view displays:

Column	About
Name	Name of the Application
Type	Type of Application
Hits	Counter: Number of requests mapped to this Application
Bandwidth	Bandwidth consumed by this Application
Time	Estimated cumulative period of time this application generated requests

Search the data within the specified timerange by:

Name

Browse by Domains

View all traffic sorted by domain.

Manipulate the data view with the following Select fields:

Timerange
Company
Action
Category
Rating

List view displays:

Column	About
Domain	Domain name of the request
Device	Origin of the request
Hits	Counter: number of times requested
Bandwidth	Bandwidth consumed by this domain
Time	Estimated cumulative period of time this domain was visited
Type	`Ads/Avatars/Cruft`, `API Calls`, `Audio/Video`, `General Files`, `Page Assets`, `Page Visuals`, `Programs/Applications`, `Web Page`
Category	Classification of the request

Search the data within the specified timerange by:

Name/Domain
Device

Browse by Loglines

View all traffic logged and classified.

Manipulate the data view with the following Select fields:

Timerange
Company
Request Type
Filter Action
Category
Rating

Match data with the following free text fields:

Devices
domain

Important: This view requires clicking the blue magnifying-glass Search button to apply filters to the data; it does not update "live" as the other views do.

List view displays:

Column	About
Date	Timestamp of the logline
Device	Origin of the logline
Action	Filter action taken on the logline
Method	HTTP method of the logline
Mimetype	Type of request
Length	Size/Length of the HTTP response body
Rating	Classification rating of the logline
Category	Classification rating of the logline
URL	Exact URL of this logline; click for further details

Record view

Each logline entry has a Record view with more details that is accessed by clicking the URL displayed in the logline row.

Technical data is displayed under the following headers:

URL Details
Application Details
Filter Details
Device Details
Client Details

Classification data is shown under the following headers:

Rating Details
Category Details
Rule Details

History

Report History

List of printable, regularly scheduled Usage Reports for past report periods.

Displays a list view of all report file archives.

Column	About
Report	Name of the report
Start Date	Beginning of the timeperiod covered by the report
Layout	Data visualization preset used by the report
Company	Company associated with the report

Filter the view with the following search/select fields:

Name
Timeframe
Interval
Company

Record View

Parameter	About
Sections	Data Visualization preset(s) included in this report
Schedule/Details	Link: Name of the scheduled job that ran this report
Report Type	`Alert/Notification` or `Usage Report`
Date Range	Timeperiod covered by this report
Generated on	Timestamp of report creation
Status	`Succeeded` or `Failed`
Time Taken	Amount of time it took to crunch the data to generate this report

Report Record Header buttons:

Delete this report record with the red trashcan Delete Report Archive button
Resend this report file with the green airplane Resend Report button
Hamburger menu:
- Report Settings: Jumps to the corresponding Report Schedule record
- Scheduled/Active Reports

Informational Tabs

Report Files
- Presents a link to access the HTML report file
Recipients
- Displays Current Recipients and Available Recipients in two lists.
- Move people from one list to the other one with the appropriate - or + buttons.
- Add a Company Recipient with the Add Company Recipient button: pops up a form window to add the recipient

Note that available recipients are the contacts associated with the Company, and also any Accountability Contacts if the Company is associated with an Accountability Policy.

Autofix History

List of Autofixes and details for each incident.

List View displays:

Column	About
Date	Date of the Autofix request
User / IP	Remote Device Username, Person (Active Directory), or IP address that requested the Autofix
Domain	The web link requested to be analyzed by Autofix

Filter the view with the following search/select fields:

Time Range
Company
Name

View an individual Autofix Record by clicking the URL displayed in the Domain column.

Autofix Record View

Parameter	About
Date	Timestamp of the request
Expiration	When the filter policy changes made by the AutoFix will revert to the original settings
Block Details	URL that was blocked
Company	Associated company of the User or Device that requested the Autofix
Remote / Local Device	Remote Device User, Person, or IP address which requested the Autofix
Device User	Associated Person record of the Remote Device, when applicable
Comments	Information entered by the person requesting the Autofix
Blocking Category	The Classification initially determined by the DrawBridge
Score	Score of the Blocking Category for this web request
Tier	`Level1`, `Level2`, or `Level3`; see Essential Concepts: Preferences for more information
Explanation	Observations of the Autofix reclassification operation
Autofix Permitted	Autofix is permitted (True) or not (False) for this category. See Essential Concepts: Preferences for more information
Device Group	Device Group membership of the Remote / Local Device requesting the Autofix

Send for Human Review button: sends technical data of this event to Compass Foundation support staff for further analysis.

Be sure to click Send for Human Review if the Autofix request was used to access content that was genuinely misclassified. Compass Foundation support staff will review the technical data sent over in the background and, if needed, release a permanent fix that benefits all DrawBridge users.

Human Review

List of blocked URLs submitted for Human Review.

List View displays:

Column	About
Date	Date of the Human Review request
User / IP	Remote Device Username, Person (Active Directory), or IP address that requested the Human Review
Domain	The web link requested to be analyzed

Filter the view with the following search/select fields:

Time Range
Company
Name

View an individual Human Review Record by clicking the URL displayed in the Domain column.

Human Review Record View

Parameter	About
Date	Timestamp of the request
URL	URL that was blocked
Company	Associated company of the User or Device that requested the Human Review
User	The filter username, where applicable, that requested the Human Review
Device User	Associated Person record of the requesting Remote Device, when applicable
Comments	Information entered by the person requesting the Human Review
Blocking Category	The Classification determined by the DrawBridge
Permitted by Preferences	Preferences settings allow (`Yes`) Human Review requests for this Category or not (`No`)
Score	Score of the Blocking Category for this web request
Submitted	The Human Review request was sent (`Yes`) to Compass Foundation support or not (`No`)
Autofixed	`Yes` or `No` -- indicates whether the request was triggered from an Autofix request
Device Group	Device Group membership of the Remote / Local Device requesting the Autofix

Reports

Report Settings

Scheduled Reports

List view of all scheduled report jobs.

Filter the view with the following search/select fields:

Interval
Report (Type)
Company

List View displays:

Column	About
Report	Type of report that is scheduled
Layout	Data Visualization Template preset selected for the scheduled report
Company	Associated Company of the scheduled report

View a Scheduled Report record by clicking the link in the Report column

Scheduled Report Record view

Parameter	About
Report	Report type
Company	Associated Company of this schedule record
Delivery	Email report files, email report links, or save to DrawBridge only (no email)
Recipients	Groups of recipients
Report Detail	`Combined - all usage in one file` or `Detailed - One File per User / IP`
Report Type	`Usage Report`, `Alert/Notification`, `DNS Firewall`, or `Access Policy Report`
Report Scope	`All Users/IPs in the Company` or `Manually Specified Users/IPs`

Scheduled Report record header menu:

Add a scheduled report with the blue + Create Report button
Edit this scheduled report with the green pencil Update Report button
Delete this scheduled report with the red trashcan Delete Report button
Bookmark this report with the blue ribbon Bookmark this Page button
Hamburger menu:
- Report History: Jump to the report archives for this scheduled report
- Add New Schedule: Add an additional schedule line for this report
- Scheduled Reports: Jump to Scheduled Reports
- Inactive Reports: Jup to Inactive Reports
- Record Activity Stream: View the changelog for this scheduled report record
Sync menu (blue chain icon)
- Create on Sync Publisher: Push this record to the Sync Server

Informational Tabs

Schedules: List view of scheduled runtime(s); Delete with the red trashcan Delete Report Schedule button
Recipients: List views of Current Recipients and Available Recipients; Add Company Recipients and Add (Accountability) Policy Recipients with buttons of the same name. Remove recipients with the red - button available on each Current Recipient line.

Report Layouts

List view of all available Report Layouts (preset data visualization templates) that can be applied to Scheduled Reports.

Column	About
Name	Name of the Layout
Sections	Preset data visualization sections included in the layout
Company	Associated Company, if applicable
Policy	Associated Accountability Policy, if applicable

Report Layout record view

Parameter	About
Builtin Layout	This preset was included with the DrawBridge (`True`) or was user created (`False`)
Type	`Usage Report`, `Alert/Notification`, `DNS Firewall`, or `Access Policy Report`
Report Sections	List; preset data visualizations included in this layout (see below)

Report Layout record header menu:

Add a new report layout with the blue + Create Report Layout button
Clone this report layout with the yellow Clone Report Layout button
View changes to this record with the blue Record Activity Stream button
Bookmark this page with the blue ribbon Bookmark this Page button
Sync menu (blue chainlink icon)
- 2 Way - Push / Pull from Server: call a sync run for this record
- Push to Sync Publisher: send this record to the sync server
- Pull from Sync Publisher: fetch this record from the sync server
- Mark to Resync: flag this record for inclusion in the next sync server run

Report Sections

Layouts contain one or more of the following Sections:

Section	About
`accesspolicy`
`api`	List of domains that are likely to have been visited programatically by an operating system or other software
`autofixes`	List of Autofix requests, including the requesting user/IP address, the timestamp, URL requested, action taken, and additional information
`categories`	Overview graph of all most popular Categories visited, by percentage
`disinfected`
`erased`	List of "background traffic" domains that were most likely linked to by websites (not visited directly by a user
`graphs`	Time-of-day Usage graph and also graphs of Page View and Search ratings and actions taken
`mediaviews`	List of videos loaded in a browser; only major hosting platform supported: YouTube, Vimeo
`pagetitles`	Full-text of the Title every single page loaded in a browser. The "Title" is what displays in a browser tab. Extremely detailed.
`pageviews`	List of domains that are likely to have been visited in a browser by a human
`searches`	Full-text of search queries entered on major search and ecommerce platforms
`shredded`	List of domains that were denied on every request; origin may be system/program or human

Report Presets

List view of all Report presets, and Policy ownership, where applicable

Filter the view with the following search/select fields:

Preset (Name)
Template (Name)
(Accountability) Policy

List View displays:

Column	About
Report	Name of the Report
Layout	Data Visualization Template preset selected for the scheduled report
Policy	Associated (Accountability) Policy of the Report Preset, where applicable

View a Report Preset record by clicking the link in the Report column

Report Preset record view

Parameter	About
Preset	Name of the preset
Policy	Associated Accountability Policy, if applicable
Layout	Layout used by this Preset
Schedule	Default schedule interval assigned to this Preset
Delivery	Email Report files, Email Report Links, or Save Only (no email)
Recipients	Default recipients of this Preset

Report Layout record header menu:

Add a Report Preset with the blue + Create Report Preset button
Edit this Report Preset with the green pencil Update Report Preset button
Clone this Report Preset with the yellow Clone Report Preset button
Delete this Report Preset with the red trashcan Delete Report Preset button
View the record changelog with the blue Record Stream Activity button
Bookmark this record with the blue ribbon Bookmark this Page button
Sync menu (blue chainlink icon)
- Create on Sync Publisher: push this record to the sync server
- 2 Way - Push / Pull from Server: call a sync run for this record
- Push to Sync Publisher: send this record to the sync server
- Pull from Sync Publisher: fetch this record from the sync server
- Mark to Resync: flag this record for inclusion in the next sync server run

Note: Built-in (included with the DrawBridge) report presets are not editible, or deletable, and therefore won't have all the record header menu options shown above.

Reports

Log Processing

Logline Filters are employed to ensure only relevant human activity is stored in the DrawBridge web activity database.

Log Servers + Log Sender Batches together are an optional function used for export of DrawBridge filtering logs to an external web traffic log analysis service.

When configured: a device is filtered by the DrawBridge, which logs all the web traffic of that device. Then, on a schedule, the DrawBridge uploads those web traffic logs to a separate log analysis/Reporter server for additional operations to be performed.

Important Note: The Log Server/Sender system is inactive unless the following two conditions are met:

A Log Server is configured. (See below)
A Log Server Account Number is configured on one or more Company records. See Accounts: Companies for more information.

Logline Filters

Remove unwanted Log Lines before saving them to Reporter database.

Displays a list view of rulesets which apply to loglines prior saving them in the DrawBridge log database.

List view displays:

Column	About
Sequence	Priority of rule when processing is performed
Filter	Name of rule
Scope	Defines operations of the rule
Field	Parameter of Logline database field to which the rule applies
Operator	Data matching parameter (`In`, `Contains`, `Starts With`, and so forth)

Logline Filter Record view

Parameter	About
Name Details	Name of the rule
Notes	Comments about the rule, where applicable
Matches If	Expressions which trigger the rule
data list	Exact text that is referenced in the expression.

Logline Filter Record header buttons:

Add a Logline Filter record with the blue + Create Logline Filter button
Edit this Logline Filter record with the green pencil Update Logline Filter button
Delete this Logline Filter record with the red trashcan Delete Logline Filter button
Sync menu (blue chainlink icon)
- 2 Way - Push / Pull from Server: call a sync run for this record
- Push to Sync Publisher: send this record to the sync server
- Pull from Sync Publisher: fetch this record from the sync server
- Mark to Resync: flag this record for inclusion in the next sync server run

Scope options:

A rule can apply with the following scope of action:

Skip All Logging -- Discard/Don't Save or Upload traffic matching this rule
Log Summary Details Only -- Skip detailed logging data for traffic matching this rule
DNS Log Lines -- Discard/Don't Save or Upload traffic containing these domain names

Log Servers

Uploaded Log Lines to compatible Report Server for further processing.

Displays a list view of configured Log Servers.

List View displays:

Column	About
Name	Display name of the log server
URL	Web address of the log server

Log Server Record View

Parameter	About
Name	Display name of the Log Server
Status	This record is `Active` or `Inactive`
URL	Web address of the log server

Log Server Record header buttons:

Add a Log Server record with the blue + Create Log Server button
Edit this Log Server record with the green pencil Update Log Server button
Delete this Log Server record with the red trashcan Delete Log Server button
Bookmark this record with the blue ribbon Bookmark This Page button
Sync menu (blue chain icon)
- Create on Sync Publisher: Push this record to the Sync Server

Log Sender Batches

Log Sender Batch Details

Displays a list view of all configured Log Sender batches for Company records which have a Log Server Account number specified.

Filter the data with the following Select field:

Company

List View displays:

Column	About
Name	Display name of batch job
Company	Associated company of the batch job
Date	Timestamp of last batch job run event
Uploaded To	Timestamp of most recent data uploaded
Results	What the Log Processor job did

Log Sender Batches is informational-only and does not have a record view.

FAQ:

Q: Why does the Log Sender Batch indicate 0 lines uploaded, even though devices on the Company are being used?

A: Either the devices are not properly connecting to the DrawBridge, or, any data that was recorded was considered system activity, not human activity, and was therefore discarded. See Logline Filters above for more information.

Reports

Device Detection

Detect network devices by analyzing traffic.

User Agents

A User Agent (UA) text string identifies the software making a web request in HTTP. For example, a browser may identify as a particular version of Chrome.

List view displays:

Column	About
User Agent	The exact text string of the UA
Device	Device type assigned to the UA
App	Application type assigned to the UA

Click the User Agent name link to view an individual User Agent record.

User Agent Record View

Parameter	About
Device	The Device Type contained in the UA
Application	The Application contained in the UA
OS	The Operating System contained in the UA
Canonical ID	The globally-unique identifier in the DrawBridge ecosystem
Device Type	The device type assigned to the UA
Application Type	The Application type assigned to the UA

User Agent Record header buttons:

Add a new User Agent record with the blue + Create User Agent Record button
Edit this User Agent record with the green pencil Update User Agent Record button
Delete this User Agent record with the red trashcan Delete User Agent Record button
Bookmark this User Agent record with the blue ribbon Bookmark This Page button

Ja3 Hashes

Ja3 hashes can be used to positively identify an application based on a TLS fingerprint. Read more about the standard on the official Github page.

List view displays:

Column	About
Hash	Ja3 Hash
Notes	Information about the hash

Ja3 Hash Record View

Parameter	About
Name	Exact Ja3 hash
Notes	Further information about this particular hash
Canonical ID	Globally-unique record identifier in the DrawBridge ecosystem

List: Application -- displays Applications associated with this particular Ja3 hash. Add an Application to the hash record with the Add TLS Fingerprint button above the Application list view in the record.

**Ja3 Hash Record header buttons:

Add a new Ja3 Hash record with the blue + Create J A3 Hash button
Edit this Ja3 Hash record with the green pencil Update J A3 Hash button
Delete this Ja3 Hash record with the red trashcan Delete J A3 Hash button
Bookmark this Ja3 Hash record with the blue ribbon Bookmark This Page button
Sync menu (blue chain icon)
- Create on Sync Publisher: Push this record to the Sync Server

Devices

Specific hardware identity records.

List view displays:

Column	About
Model	The model of the Device
Brand	The manufacturer of the Device
Type	The device type, eg. `Smartphone`, `Desktop PC`, and so forth

Locate a specific record with the following search/select fields:

Name

Device record view

Parameter	About
Name	Name of the specific hardware
Type	Device type, eg. `Smartphone`, `Desktop PC`, and so forth
OS	Operating System of the Device
Canonial ID	Globally-unique record identifier in the DrawBridge ecosystem
Brand	Manufacturer of the Device

Device Record header buttons:

Add a new Device record with the blue + Create Device button
Edit this Device record with the green pencil Update Device button
Delete this Device record with the red trashcan Delete Device button
Bookmark this Device record with the blue ribbon Bookmark This Page button
Sync menu (blue chainlink icon)
- 2 Way - Push / Pull from Server: call a sync run for this record
- Push to Sync Publisher: send this record to the sync server
- Pull from Sync Publisher: fetch this record from the sync server
- Mark to Resync: flag this record for inclusion in the next sync server run

Applications

Comprehensive listing of Mobile Device and Desktop applications

List view displays:

Column	About
Name	Name of the Application
Type	Type of application, if known. Eg. `Browser`, `Mobile App`, and so forth

Locate a specific record with the following search/select fields:

Name

Application record view

Parameter	About
Name	Name of the Application
Type	Type of application, if known. Eg. `Browser`, `Mobile App`, and so forth
Canonial ID	Globally-unique record identifier in the DrawBridge ecosystem

Application Record header buttons:

Add a new Application record with the blue + Create Application button
Edit this Application record with the green pencil Update Application button
Delete this Application record with the red trashcan Delete Application button
Bookmark this Application record with the blue ribbon Bookmark This Page button
Sync menu (blue chainlink icon)
- 2 Way - Push / Pull from Server: call a sync run for this record
- Push to Sync Publisher: send this record to the sync server
- Pull from Sync Publisher: fetch this record from the sync server
- Mark to Resync: flag this record for inclusion in the next sync server run

Informational Tabs

App Store IDs -- List view of unique App Store identifiers; Add an ID with the Add App Store ID button above the list
UA Patterns -- List view of User Agent regular expressions to match this Application; Add a UA pattern with the Add UA Pattern button
JA3 Hashes -- List view of Ja3 Hashes of this Application; add a new hash with the Add TLS Fingerprint button
User Agents -- List view of User Agent strings associated with this Application

Applications (ACL-ready)

Accessed as a sub-menu item under Applications in the left sidebar menu.

Appstore IDs

Accessed as a sub-menu item under Applications in the left sidebar menu.

Brands

Operating Systems

System

Console Sync

Compass Foundation maintains a record synchronization infrastructure with a master publisher server to facilitate the interoperation of various systems.

Synced Records

Complete list view of all synchronized records.

List view displays:

Column	About
Name	The name of the record
Table	The database table in which the record exists
Sync Server	The name of the sync server for this record

List View header buttons:

Add a new Synced Record with the blue + Create Synced Record button

Click the Record name link to view an individual Synced Record record.

Record View

Parameter	About
(Name)	The name of the record
CID	(Canonical ID) The globally-unique record identifier in the DrawBridge ecosystem
Local Record	The local name of the record
Table	The database table in which the record exists
Sync Mode	State: 1/2-way Push/Pull from Server details
Sync Status	Status of this record with the Publisher server
Sync Server	The configured sync publisher server for this record

User Agent Record header buttons:

Pull from Sync Publisher: initiate a record sync from the master server (origin) to this DrawBridge
Push to Sync Publisher: initiate a record sync from this DrawBridge (origin) to the master server
Bookmark: this User Agent record with the blue ribbon Bookmark This Page button

Additional information:

Fields to Update -- Information on any data for this record pending synchronization
Tenant Changes -- Status of local changes to the record
Sync Errors -- Information regarding errors on the synchronization of this record

Sync Batches

List view of the Batches in which Record Sync is performed.

List view displays:

Column	About
Sync Batch	The name of the batch
Batch Type	Details regarding the batch type
Sequence	Priority of the batch when Sync occurs
Server	Configured server that the sync mechanism will communicate for this batch

List View header buttons:

Add a new Sync Batch Record with the blue + Create Sync Batch button
Bookmark this list view with the blue ribbon Bookmark This Page button

Click the Batch name link to view an individual batch record.

Batch Record View

Parameter	About
Name	The name of the batch record
Type	Details regarding the batch type
Server	The configured sync publisher server for this record
Comments	Additional information relevant to this batch
Last Run	Timestamp of the last time this batch was run (Red circular arrow button: Reset this timestamp to sync all records)
Next Run	Timestamp of the next scheduled sync batch run

User Agent Record header buttons:

Trigger a "dry run" (test run / no actual record changes) of sync batch with the green target Trigger Sync Batch - Dry Run button
Trigger a sync batch run with the red target Trigger Sync Batch button
Add a new sync batch with the blue + Add Sync Batch button
Edit the sync batch with the green pencil Update Sync Batch button
Bookmark this sync batch with the blue ribbon Bookmark This Page button

Additional information:

Tables to Sync

Column	About
Table	Database table
Sequence	Priority of the database table when Sync occurs
Comments	Additional informatin relevant to this batch
Mode	State: 1/2-way Push/Pull from Server details

Individual record buttons in list view:

Edit the table record with the green pencil button
Delete the table record with the red trashcan button

Sync Servers

Synchronize

System

Configuration

Technical DrawBridge system configuration settings. (Does not contain filter settings; see Content Filter for content filter settings.)

Local Settings

DrawBridge system identity details, specific to this system.

Parameter	About
Name	Globally-unique name of this DrawBridge
Local	Yes/No -- this record belongs to this hardware
Admin URL	The URL and port number for the management interface (if no port is displayed, the default is 443)
Cloud Server	Yes/No -- this system is/is-not a "cloud filter"
Rebranded	Yes/No
Project Name	Brand information
Console Name	Brand information
Filter Name	Brand information
Hostname	Brand information
Slogan	Brand information
Phone	Brand information
Email	Brand information
Canonical ID	Globally-unique identifier for this DrawBridge
Sync Role	Publisher/Subscriber -- role of this DrawBridge in the Synchronization ecosystem

Appliance Companies

List view of all tenant Company records; displays Company-Appliance/DrawBridge relationship. Typically only relevant in the context of the Synchronization ecosystem.

Backups

List view of system database backups. (Database backups are automatically uploaded to Compass Foundation offsite storage.)

Email Settings

Configuration details regarding email alerts. Managed by Compass Foundation.

Parameter	About
Host	Mail Server domain
Port	Port for SMTP
Use TLS	Yes/No
Verify TLS	Yes/No
From Address	Brand information
Username	Username to use with email server for authentication

Certificate Authority

Information regarding the Certificate Authority, SSL Certificates, and Software (Client SSL Cert Installers) in-use on the DrawBridge. Relevant primarily when Rebranded = Yes (see Local Settings, above).

DrawBridge Terminal

Applicable only to systems running DrawBridgeOS. Does not apply to ClearOS-based systems. (See the Platform field in your DrawBridge System Overview page to see which operating system your DrawBridge is running.)

Modes of operation

More information coming soon.

System

Hardware & Processes

Note: Requires System Owner permissions.

Docs coming soon.

System

DNS Firewall

Docs coming soon.

In the screenshot below objects.githubusercontent.com got added to the firehollevel3 DNS firewall, presumably at the upstream FireHOL project.

For a domain with that broad of usage, it was probably legitimately being abused somewhere, and hence ended up on that list. But obviously it has a massive impact then on everything else hosted on that domain.

To resolve the issue, you'll have to add objects.githubusercontent.com to the DNS Firewall local whitelist on Whitespire

Make sure that you are not connected to the Tech VPN when testing.

Help

Care Center

View classification tickets automatically generated by AutoFix and Human Review procedures.

Create new support tickets to be automatically submitted to Compass Foundation support.

Change Logs

View software changelogs.

API Documentation

View DrawBridge API documentation.

Additional Services

Passageway

Passageway is a full-featured password management database and sync service that is hosted on the DrawBridge.

Please visit https://help.passageway.id for the Passageway documentation.

Note: Passageway is only available to on-premises DrawBridge accounts (not cloud DrawBridge accounts), and the DrawBridge must be running a currently-supported base Operating System. (Passageway is not supported on ClearOS 6 systems.)

Additional Services

Tabula (deprecated)

Tabula is a contact records database + sync service hosted on the DrawBridge.

Domain: tabula.<drawbridgename>.myvision.id

Tabula must be initialized on a per-user basis by going to the Person record and using the record header button menu option to Create Tabula Account.

Compass Foundation Infrastructure

Network Addresses

Network Administrators: please ensure unrestricted access to the following addresses:

US & Global services:

IPv4	Equivalent CIDR notation
8.33.19.221 - 8.33.19.226	(not a CIDR block)
63.150.19.74 - 63.150.19.79	63.150.19.72/29
65.152.194.73 - 65.152.194.78	65.152.194.72/29
104.218.187.15 - 104.218.187.18	(not a CIDR block)
108.24.40.122 - 108.24.40.126	(not a CIDR block)
173.161.228.229	173.161.228.229/32
199.224.68.177-199.224.68.189	199.224.68.176/28
204.111.143.225 - 204.111.143.238	204.111.143.224/28

IPv6
pending

Canada services:

IPv4 Address	Equivalent CIDR notation
69.41.195.98 - 69.41.195.102	69.41.195.97/29
205.203.220.163 - 205.203.220.166	205.203.220.162/29
216.46.150.2 - 216.46.150.6	216.46.150.1/29

IPv6
N/A

Compass Foundation Infrastructure

Abuse/Security Contact

Abuse/Security concerns: please email support@compassfoundation.io or call 856-974-5335

Access Policy Dashboard Report

The Access Policy Dashboard Report is based very closely on the layout of the live Dashboard page for a specific company (example report).

Reading the Report

Header Details

The Report calls out areas of special interest, such as:

A count of changes made
Person performing the change
Date and time the change was performed

Access Policy Lines

Each Access Policy line that was changed is marked with a Categories Changed badge. Click the Down Arrow to reveal more details about the change.

Report Delivery

By default, this report is a Daily notification that only is delivered when changes have been made in the prior 24 hours.

The report can also be manually delivered to recipients by navigating to the Company's Access Policy Dashboard and clicking "Deliver Access Policy Report" in the Context menu.

Console Reference Docs

Essential Concepts

Web Page Classification

Traffic Visibility Prerequisites

Example

Important Notes

1. About changing default Category Allow/Block settings

2. Default Category settings are Business-focused

Further Reading

FAQ: Is TLS inspection "bad" or "breaking encryption" or "weakening security"?

Record Model - Tenancy and Hierarchy

Record Tenancy

The Main Company

Record Hierarchy

Permissions and Relationships

Permissions

Relationships

Relationships in the Console

Examples

Accountability

Record Relationships

Policy Roles

Role Features

Administrator

Reviewer

Company Opt-in

Examples

Administrator Role

Reviewer Role

Preferences

Preference Tenancy

Preference Record Sections

Preferences, in detail

Filter Console

Access Valve Permissions

App Store Settings

Safe Search Settings

Media Room

Viewability

Channels

Block Page Overrides

AutoFix Settings

Human Review Settings

Preference Record View

Accounts

People

Person Record View

Informational Tabs

Unrelated People

Inactive Relationships

Companies

Record View

Name of Company

Informational Tabs

Local Devices

Remote Devices

Contacts

Reports

Appliances

Dashboard buttons

Access Policies -- Access Policy Dashboard

Activity Viewers -- Loglines & Reports

Preferences -- Preferences Dashboard

Accountability Policy -- ("Policy Name" or "None")

Inactive Companies

Accountability Policies

Record view

Informational Tabs

Dashboard Buttons

Preferences Dashboard

Accountability Contacts

Record View

Informational tabs

Groups

Permission Groups

People Groups

Proxy User Groups

Directory Groups

Implementation Concept Diagram

Authentication Integration

When to use the `ignore` Action