# Console Reference Docs

# Essential Concepts

# Web Page Classification

Web page classification analyzes the domain, the URL, and, most importantly, the words and phrases on *every page load* to tally a numerical score in one or more Categories for *that page load*. The filter Action configured (Allow/Block/Ignore) for the top-scoring Category is then used to handle that particular page request.

#### Traffic Visibility Prerequisites

Web page word and phrase analysis is only possible with full SSL/TLS decryption (`sslbump`), which is the default action for most[^1] web requests on TCP ports 80 (HTTP) and 443 (HTTPS). For this to work without browser security errors, all endpoint devices connecting through the DrawBridge must have the **DrawBridge Certificate Authority certificate** installed. See the page **SSL Certs** under the **Devices** module for more information.

[^1]: **Note:** for security reasons, banking and financial-related websites **are not TLS-decrypted**. It is assumed that these sites are safe from inappropriate content. You can verify that a site is *not* being TLS-decrypted by clicking the shield or padlock in your browser address bar and viewing the certificate. If the certificate is issued by a public Certificate Authority (and not by your DrawBridge), the DrawBridge is not intercepting the connection.

**Also Note:** Certain web traffic (for example, some cloud backup services and application traffic) that is not specification-compliant or is otherwise incompatible with content filtering is exempted at the firewall level from traffic inspection on TCP ports 80 and 443.

## Example

Visiting https://www.cabelas.com is most likely to score the most points in the Category `Hunting and Fishing`.

* If the Action assigned to `Hunting and Fishing` is `Allow`, the Cabelas page will load as if nothing happened.
* If the Action assigned to `Hunting and Fishing` is `Block`, a DrawBridge block page is loaded to inform the user that the request was blocked due to filter settings.
* If the Action assigned to `Hunting and Fishing` is `Ignore`, the Action of the next-highest-scoring Category is used to handle the page load.

The option to `Ignore` is strongly discouraged except for special situations. If you decide to specify custom Actions for Categories, please use only `Allow` or `Block` to ensure the most reliable filtering.
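The following is an added example, written for this page rather than taken from the DrawBridge classifier, showing how the per-Category tally and the Allow/Block/Ignore resolution described above fit together. The Category names are taken from the text; the keyword weights, the sample page text and the behaviour when every scoring Category is set to `Ignore` are assumptions, marked as such in the code.

```python
"""Added example: how a page load's per-Category score tally resolves to a filter Action.

Illustrative code written for this page, not the DrawBridge classifier.
The keyword weights and the sample page are constructed stand-ins.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumption: the real engine's word/phrase weights are not published on this page.
KEYWORDS: Dict[str, Dict[str, int]] = {
    "Hunting and Fishing": {"rifle": 3, "ammo": 3, "fishing": 3, "bow": 2, "decoy": 2},
    "Outdoor Recreation": {"camping": 3, "tent": 2, "hiking": 3, "kayak": 2},
    "Shopping": {"cart": 1, "checkout": 2, "sale": 1, "price": 1},
}


@dataclass(frozen=True)
class Decision:
    action: str               # "Allow" or "Block"; "Ignore" never survives resolution
    category: Optional[str]   # Category whose Action was applied; None if no Category decided
    scores: Dict[str, int]    # the full tally, useful when troubleshooting a block


def score_page(url: str, body_text: str) -> Counter:
    """Tally a score per Category from the domain, the URL path and the words on the page."""
    parsed = urlparse(url)
    text = " ".join([parsed.netloc, parsed.path.replace("/", " "), body_text]).lower()
    scores: Counter = Counter()
    for token in text.split():
        token = token.strip(".,;:!?()\"'")
        for category, weights in KEYWORDS.items():
            if token in weights:
                scores[category] += weights[token]
    return scores


def resolve_action(scores: Counter, actions: Dict[str, str], default_action: str = "Allow") -> Decision:
    """Apply the top-scoring Category's Action; `Ignore` falls through to the next-highest Category.

    `default_action` covers a Category with no configured Action and the case where every
    scoring Category is set to Ignore (assumption: the page does not state that behaviour).
    """
    for category, _score in scores.most_common():
        action = actions.get(category, default_action)
        if action != "Ignore":
            return Decision(action, category, dict(scores))
    return Decision(default_action, None, dict(scores))


def classify(url: str, body_text: str, actions: Dict[str, str]) -> Decision:
    return resolve_action(score_page(url, body_text), actions)


# Constructed sample page load.
SAMPLE_URL = "https://www.cabelas.com/fishing/rods"
SAMPLE_BODY = "Fishing rods on sale. Add to cart. Rifle ammo and bow decoys."

if __name__ == "__main__":
    for policy in ({"Hunting and Fishing": "Allow"},
                   {"Hunting and Fishing": "Block"},
                   {"Hunting and Fishing": "Ignore", "Shopping": "Block"}):
        d = classify(SAMPLE_URL, SAMPLE_BODY, policy)
        print(f"{policy} -> {d.action} via {d.category}; scores={d.scores}")
```

With the sample page, `Hunting and Fishing` scores 14 and `Shopping` scores 2. Setting `Hunting and Fishing` to `Ignore` therefore hands the decision to whatever Action `Shopping` carries, which is exactly why the page advises against `Ignore`: the effective Action is decided by a Category the administrator may never have looked at.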
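The footnote under Traffic Visibility Prerequisites describes checking the padlock to see whether a site is being TLS-decrypted. The following added example (not the DrawBridge's own tooling) performs the same check programmatically from an endpoint: it reads the issuer of the leaf certificate as presented to the client and compares it with the DrawBridge CA. The `DRAWBRIDGE_CA_ISSUER` attributes and the two sample certificates are placeholders constructed for this page; substitute the Subject of the CA certificate you actually installed.

```python
"""Added example: tell from the certificate the client receives whether the DrawBridge is
TLS-decrypting a connection; the same check as inspecting the padlock by hand.

Illustrative code written for this page. DRAWBRIDGE_CA_ISSUER is a placeholder: substitute the
Subject of the DrawBridge CA certificate installed on the endpoint.
"""
import socket
import ssl
from typing import Dict, Tuple

# Assumption: placeholder issuer attributes; the real DrawBridge CA name is not given on this page.
DRAWBRIDGE_CA_ISSUER = {"organizationName": "Example DrawBridge", "commonName": "DrawBridge Root CA"}


def flatten_name(name: Tuple) -> Dict[str, str]:
    """Turn the nested tuple form used by ssl.SSLSocket.getpeercert() for 'issuer'/'subject'
    into a flat {attribute: value} dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def is_intercepted(peercert: dict, ca_issuer: Dict[str, str] = DRAWBRIDGE_CA_ISSUER) -> bool:
    """True when the leaf certificate was issued by the DrawBridge CA, i.e. the request is being
    sslbump'ed. False means a public CA issued it and the DrawBridge is not decrypting this site."""
    issuer = flatten_name(peercert["issuer"])
    return all(issuer.get(attr) == value for attr, value in ca_issuer.items())


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check from an endpoint behind the DrawBridge. Uses the system trust store, so the
    handshake to an intercepted site only succeeds if the DrawBridge CA is installed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"host": host, "issuer": flatten_name(cert["issuer"]), "intercepted": is_intercepted(cert)}


# Constructed getpeercert()-shaped records so the decision logic can be exercised offline.
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "online.examplebank.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Some Public CA"),),
               (("commonName", "Some Public CA R3"),)),
}
BUMPED_CERT = {
    "subject": ((("commonName", "www.cabelas.com"),),),
    "issuer": ((("organizationName", "Example DrawBridge"),), (("commonName", "DrawBridge Root CA"),)),
}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        result = probe(host)
        verdict = "intercepted by DrawBridge" if result["intercepted"] else "direct (public CA)"
        print(f"{host}: {verdict}; issuer={result['issuer']}")
```

Run it from a filtered endpoint against a banking hostname and a general site: the bank should report `direct (public CA)`, the general site `intercepted by DrawBridge`. A financial site that reports intercepted means the exemption is not taking effect for that host. Keep in mind that once a connection is intercepted, the browser padlock only vouches for the hop to the DrawBridge; validation of the upstream server's certificate is then the DrawBridge's responsibility, which is the point the Cloudflare and US-CERT articles cited below make.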

## Important Notes

#### 1. About changing default Category Allow/Block settings

The DrawBridge comes with a preset Action for each included (Built-in) Category. When you assign an Action (Allow/Block) to a Category, **you are simply applying an override that takes priority over the default setting.**

#### 2. Default Category settings are business-focused

The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you may want to set more Categories to **Allow** in your *Company Preferences* Access Policy, or in a custom Access Policy.

For more information on Built-in Categories, including how to view default Actions, see **Content Filter: Categories: Built-In Categories**.

## Further Reading

For more information on Categories and Actions, including how to change the Action for a Category, see the page **Overview and Essentials** under the **Content Filter** module.

For more information on Certificates and Certificate Authorities, [this Wikipedia article on Public Key Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) may be helpful.

## FAQ: Is TLS inspection "bad", "breaking encryption", or "weakening security"?

In a word, **no** *(if implemented correctly)*.

Despite much negative press, blog posts by both [Cloudflare](https://blog.cloudflare.com/monsters-in-the-middleboxes/) and [US-CERT](https://www.cisa.gov/uscert/ncas/alerts/TA17-075A) acknowledge that legitimate use-cases (and secure methods) of TLS inspection exist. Some of the concerns raised in the two articles linked above are very valid. However, the DrawBridge filter engine is designed to follow industry best practices to ensure that it does not downgrade security or mask upstream security flaws.

Much of this debate boils down to two things:

1. Intention: Why is the TLS traffic being inspected? (legitimate or malicious?)
2. Privacy: Are the end-users aware of the inspection? (visible/policy or invisible/spycraft?)
For #1: The DrawBridge employs TLS inspection to ensure content filtering properly classifies page content.

For #2: Yes. DrawBridge account holders need to purchase the content filter service and need to install a Certificate Authority for the service to work correctly. (It is the responsibility of account holders to inform every user of the service about the content monitoring and inspection.)

This discussion leads to an even deeper question: *who owns this device?* If you truly own a computer, for example, you should have the authority to decide which Certificate Authorities it will be allowed to trust, and with whom it will communicate. Thankfully, most platforms accommodate adding additional Certificate Authorities, enabling you to know and control the network traffic of your device.

The notable exception is Android, because of [an alleged "security" decision by Google](https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html). While there were threats they were able to prevent by taking a scorched-earth no-user-CA-trust position[^2], this implementation also conveniently prevents auditing of the traffic of third-party apps and bundled Google apps.

[^2]: Exception: browser apps on Android will trust user-installed Certificate Authorities.

# Record Model - Tenancy and Hierarchy

# Record Tenancy

DrawBridge records are `multi-tenanted`. `Tenancy` is established by associating a record (such as a Device Group, Access Policy, or Report) with a given tenant (see Types, below), and ensuring that other tenants cannot see those records.
Four types of tenants are supported:

Tenancy Type | Visibility | Permissions
--- | --- | ---
Company | Just that Company | Contacts assigned to this Company; Contacts of the Accountability Policy associated with this Company
Accountability Policy | All Member Companies | Contacts of the Accountability Policy
Appliance | All Companies on that DrawBridge | Contacts of the Main Company
Universal | All Companies on all DrawBridges | System Administrators

In other words, the Tenancy Type of a record can be determined by looking at its association relationship(s):

* A record assigned to a Company belongs to that Company.
* A record assigned to an Accountability Policy is available to all Member Companies.
* A record assigned to a System/Appliance applies to all tenant Companies on that DrawBridge.
* A record with none of the above relationships is available to all Companies everywhere.

### The Main Company

All Companies on a DrawBridge are tenants; however, for proper record and configuration ownership, it is essential that one Company be the Main Company of a DrawBridge. The Main Company is the owner of the DrawBridge, or the owner of the premises on which it is located. The Contacts of the Main Company are the only ones who can control system-wide settings, such as QoS, Firewall settings, DNS, and so forth.

# Record Hierarchy

Certain types of records can have a "Parent"/"Child" designation:

* **Accountability Policy:** An Accountability Policy can be a "Child" of another Accountability Policy, enabling automatic inheritance of configuration settings (such as Report Presets) from the "Parent" level.
* **Category:** Built-in Categories are members of "Parent" Categories for easy classification into genres.
For example, Parent Category **Automotive** contains the following child Categories:

* `Automotive and Trucks`
* `Automotive - Objectionable`
* `Metals / Welding`
* `Powersports`

# Permissions and Relationships

# Permissions

**Permission Groups** in the DrawBridge Console are analogous to user [Groups](https://en.wikipedia.org/wiki/Group_(computing)) in typical operating systems.[^3] Permission Groups are a way of assigning a particular Role to a Person: adding a Person record to the `Accountability` Permission Group gives them the access and controls exclusive to `Accountability` and higher-level Permission Groups. Person records are given permissions by being added as a member of a particular Permission Group.

Permission Groups in the DrawBridge Console:

Permission Group | Required Relationship | About
--- | --- | ---
`Company Owner` | Company Owner | The owner of a Company
`Appstore Access` | Company or Accountability Policy | Allows the Person to enable App Store access on a Company record
`Can Submit Autofix Requests` | Company | Allows use of the AutoFix reclassification function
`Can Submit Sites for Human Review` | Company | Allows submission of a Classification Review support ticket
`Media Viewer` | Company | Allows classification of a video in the Media Room
`Company Media Room Admin` | Company | Allows administration of a Company Media Room
`Report Viewer` | Company or Accountability Policy | Allows viewing of web activity Reports
`System Owner` | Company Owner | Allows visibility and control of all tenant Companies on that DrawBridge
`ACL Pumpkineer` | Accountability Policy or Compass Foundation Staff | Allows creation and modification of ACLs
`Accountability` | Accountability Policy | Allows visibility and control of Member Company configurations and reports
`Device Detector Admin` | (?) | (?)
`Realtime Log Viewer` | Company Owner of Main Company | Allows access to the system-wide Realtime Log Viewer
`Reseller` | (?) | Allows visibility and control of all tenant Companies on that DrawBridge
`Sysadmin` | (?) | (?)

[^3]: For further advanced reading, see the [POSIX specification documentation](https://pubs.opengroup.org/onlinepubs/9699919799/) by The Open Group and IEEE.

# Relationships

Records in the DrawBridge Console, particularly Person records, can have one or more relationship associations. For an analogy, consider how individual people in real life have different relationships to others, depending on their role: Parent-Parent, Parent-Child, Brother-Sister, and so forth.

#### Relationships in the Console

A **Person** can have the following relationships to **Companies**:

* Owner
* Associate
* Tech Support
* General Contact

A **Person** can have the following relationship to an **Accountability Policy**:

* Accountability Contact

A **Company** can have the following relationship to an **Accountability Policy**:

* Member

# Examples

Person *fred_smith* owns Company *Eastwood Trading Co*. He is therefore assigned an `Owner` Relationship to the Company, and added to the `Company Owner` Permissions Group. Company *Eastwood Trading Co.* has an on-premises DrawBridge, so *fred_smith* is also added to the `System Owner` Permissions Group.

Person *jack_miller* is on the IT staff of *Eastwood Trading Co*. He is assigned a `Tech Support` Relationship, and added to the `Sysadmin` Permissions Group.

# Accountability

The DrawBridge supports an Accountability model to facilitate voluntary, centrally-administered usage-report sharing and content filter configuration of Member Companies by specified administrators in a community context.

An Accountability Policy provides:

* Central administration of Accountability-associated Report Presets and Access Policies for all Member Companies.
* All *Report Presets* of a Policy automatically propagate to all Member Companies.
* Access Policies associated with an Accountability Policy are made available to all Member Companies as a *Policy Group* that Member Companies can easily join. Changes to that Access Policy (Group) automatically propagate to all Member Companies that are part of it.
* Accountability Contacts associated with the Accountability Policy can access report information and view filter policy configuration for each Member Company (see Policy Roles, below).
* Community Accountability-level Preference configurations override Company-level Preference configurations (see the Preferences page for more information).

# Record Relationships

The following records can be associated with an Accountability Policy record:

Record Type | About
--- | ---
**Person** | Accountability Contact: view reports and set configurations on Member Companies
**Company** | Accountability Member Company: enables the features detailed below

# Policy Roles

An Accountability Policy has one of two Roles:

Role | About
--- | ---
**Reviewer** | Accountability Contacts have *read-only* access to Member Company settings
**Administrator** | Accountability Contacts have *read-write* access to Member Company settings and diagnostic functions

## Role Features

#### Administrator

Designed for Accountability Policies whose Contacts have capable IT skills, understand the DrawBridge Console, and commit to staying up-to-date with ongoing DrawBridge releases.

#### Reviewer

Designed for Accountability Policies that are primarily responsible for reviewing reports and Access Policies to confirm that settings are as expected.

##### Company Opt-in

A Company Owner whose Company is assigned to an Accountability Policy with the Reviewer Role may want its Accountability Contacts to have the Administrator Role on his Company. If so, he can add them as Company Staff to [grant the Administrator Role](https://books.compassfoundation.io/books/how-to-guides/page/grant-administrator-role).
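The Tenancy table, the Permission Groups table and the Policy Roles above together decide what a given Person can see and change. The following added example (illustrative code written for this page, not the Console's own authorization logic) puts those rules into two functions, `can_view` and `can_edit`, and exercises them against constructed sample data that follows the *Eastwood Trading Co* and Christian Fellowship examples. Where the page is silent (which Company relationship may edit a Company's own records, which Permission Group "System Administrators" corresponds to) the rule used is marked as an assumption.

```python
"""Added example: who can see and change a record, from its Tenancy, the Person's
Relationships and Permission Groups, and the Accountability Policy Role.

Illustrative code written for this page, not the DrawBridge Console's authorization code.
Rules the page does not state are marked 'assumption'.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Company:
    appliance: str                 # the DrawBridge this Company is a tenant on
    policy: Optional[str] = None   # Accountability Policy the Company is a Member of
    main: bool = False             # Main Company of its DrawBridge


@dataclass
class Policy:
    role: str                      # "Reviewer" (read-only) or "Administrator" (read-write)


@dataclass
class Person:
    companies: Dict[str, str] = field(default_factory=dict)  # Company -> Owner/Associate/Tech Support/General Contact
    policies: Set[str] = field(default_factory=set)          # Policies this Person is an Accountability Contact of
    groups: Set[str] = field(default_factory=set)            # Permission Groups


@dataclass
class Record:
    company: Optional[str] = None     # set -> Company tenancy
    policy: Optional[str] = None      # set -> Accountability Policy tenancy
    appliance: Optional[str] = None   # set -> Appliance tenancy; nothing set -> Universal


def tenancy_type(rec: Record) -> str:
    if rec.company:
        return "Company"
    if rec.policy:
        return "Accountability Policy"
    if rec.appliance:
        return "Appliance"
    return "Universal"


def _on_appliance(person: Person, appliance: str, companies: Dict[str, Company]) -> bool:
    return any(companies[c].appliance == appliance for c in person.companies)


def can_view(person: Person, rec: Record, companies: Dict[str, Company]) -> bool:
    """The Visibility column of the Tenancy table."""
    kind = tenancy_type(rec)
    if kind == "Universal":
        return True
    if kind == "Appliance":
        return _on_appliance(person, rec.appliance, companies)
    if kind == "Accountability Policy":
        return rec.policy in person.policies or any(companies[c].policy == rec.policy for c in person.companies)
    company = companies[rec.company]
    if rec.company in person.companies or (company.policy and company.policy in person.policies):
        return True
    # System Owner: visibility of all tenant Companies on that DrawBridge.
    return "System Owner" in person.groups and _on_appliance(person, company.appliance, companies)


def can_edit(person: Person, rec: Record, companies: Dict[str, Company], policies: Dict[str, Policy]) -> bool:
    """The Permissions column of the Tenancy table, plus the Accountability Policy Role."""
    kind = tenancy_type(rec)
    if kind == "Universal":
        return "Sysadmin" in person.groups   # assumption: "System Administrators" == Sysadmin group
    if kind == "Appliance":                  # Contacts of the Main Company control system-wide settings
        return any(companies[c].appliance == rec.appliance and companies[c].main for c in person.companies)
    if kind == "Accountability Policy":
        return rec.policy in person.policies
    company = companies[rec.company]
    if person.companies.get(rec.company) == "Owner":   # assumption: the Owner relationship edits its own Company
        return True
    if company.policy and company.policy in person.policies:
        return policies[company.policy].role == "Administrator"   # Reviewer Contacts are read-only
    return "System Owner" in person.groups and _on_appliance(person, company.appliance, companies)


# Constructed sample data following the examples on this page.
COMPANIES = {
    "Eastwood Trading Co": Company("db-1", "Golden Sands Christian Fellowship", main=True),
    "Northside Bakery": Company("db-1", "Golden Sands Christian Fellowship"),
    "Salem Hardware": Company("db-2", "Salem Christian Fellowship"),
}
POLICIES = {"Golden Sands Christian Fellowship": Policy("Administrator"),
            "Salem Christian Fellowship": Policy("Reviewer")}
PEOPLE = {
    "fred_smith": Person({"Eastwood Trading Co": "Owner"}, groups={"Company Owner", "System Owner"}),
    "jack_miller": Person({"Eastwood Trading Co": "Tech Support"}, groups={"Sysadmin"}),
    "gs_contact": Person(policies={"Golden Sands Christian Fellowship"}, groups={"Accountability"}),
    "salem_contact": Person(policies={"Salem Christian Fellowship"}, groups={"Accountability"}),
}
RECORDS = {
    "bakery device group": Record(company="Northside Bakery"),
    "salem report": Record(company="Salem Hardware"),
    "gs report preset": Record(policy="Golden Sands Christian Fellowship"),
    "db-1 QoS": Record(appliance="db-1"),
    "built-in categories": Record(),
}


def access(person_name: str, record_name: str) -> str:
    """Summarise a Person's access to a Record as 'none', 'read' or 'read-write'."""
    person, rec = PEOPLE[person_name], RECORDS[record_name]
    if not can_view(person, rec, COMPANIES):
        return "none"
    return "read-write" if can_edit(person, rec, COMPANIES, POLICIES) else "read"


if __name__ == "__main__":
    for p in PEOPLE:
        for r in RECORDS:
            print(f"{p:14} {r:22} {access(p, r)}")
```

Two results are worth noticing: *fred_smith* can see and edit the bakery's Device Group only because he is a `System Owner` on the same DrawBridge, and the Salem contact can read but not edit *Salem Hardware* records because that Policy carries the Reviewer Role. An authorization check that forgets the Role distinction would silently turn every Reviewer into an Administrator.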
# Examples

### Administrator Role

The people in the Golden Sands Christian Fellowship community want a uniform content filter policy across their brotherhood, as well as specific individuals responsible for administering the policy and reviewing all their web usage.

To answer this need, the `Golden Sands Christian Fellowship` Accountability Policy is created with the Administrator Role, and several people are associated with it as Accountability Contacts (see the Relationships page for more information). This Accountability Policy has several associations:

* The people designated as `Accountability Contacts`.
* A `Church Preferences` Access Policy that sets the Action on a number of Categories to Allow.
* A `Summary` Report that displays the genres of information being accessed by each Company, to be sent to the designated Accountability Contacts.

Those Companies using DrawBridge filtering in this context add the Golden Sands Christian Fellowship Policy to their Company record. This:

* Enables the specified Accountability Contacts to view the report data and filter configurations of all Member Companies in the DrawBridge Console.
* Makes the centrally-administered `Church Preferences` Access Policy available for them to apply to their Company. Each Company Owner then applies the `Church Preferences` Access Policy by assigning it to his *alldevices* Device Group.
* Automatically configures the `Summary` Report for the Member Company, with delivery to the Accountability Contacts.

### Reviewer Role

The people in the Salem Christian Fellowship community want a uniform content filter policy across their brotherhood. Either an outside IT provider or Compass Foundation will administer the settings and provide technical support. The `Salem Christian Fellowship` Policy is created with the Reviewer Role. Its Contacts will have read-only access to review Reports and Access Policy settings.
Any required changes will be channeled by the Company to the IT provider or Compass Foundation.

# Preferences

Preferences enable you to:

* configure the minimum Permission Group required to perform a specific action (see the Permissions and Relationships page for more information), and
* configure other feature thresholds and behaviors.

# Preference Tenancy

Preference records can be associated with either a Company or an Accountability Policy. Each Preference record has a field indicating the associated Company or Policy, thus communicating the tenancy association.

If a Preference detailed here is not present on your DrawBridge, simply create it with the **+** button in the upper right corner of the list view for that Section. Then you can assign Records to that Preference as desired.

Preferences associated with an Accountability Policy override any conflicting Preferences associated with a Member Company.

Priority | Relationship | Overrides lower-priority configuration
--- | --- | ---
1 | Accountability Policy | Yes
2 | Company Owner | (N/A)

To clarify: if no Accountability Policy is associated with a Company, the notes about Accountability Policy override do not apply.
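The following added example (written for this page, not the Console's implementation) computes a Company's effective Preferences from a list of Preference records carrying the tenancy field described above, applying the Accountability Policy override only when the Company is a Member of a Policy, and then uses the effective `Widen Access Privileges` record to gate "set a Category to Allow". The sample records are constructed; the relative ordering of the three Permission Group values and the fallback when no record exists are assumptions, marked in the code.

```python
"""Added example: a Company's effective Preferences under Accountability Policy override,
and one of them (Widen Access Privileges) used as a gate.

Illustrative code written for this page, not the DrawBridge Console's own implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]   # (Section, Preference, Record)


@dataclass(frozen=True)
class PreferenceRecord:
    section: str
    preference: str
    record: str
    value: object
    company: Optional[str] = None   # tenancy field: exactly one of company / policy is set
    policy: Optional[str] = None

    @property
    def key(self) -> Key:
        return (self.section, self.preference, self.record)


def effective_preferences(company: str, company_policy: Optional[str],
                          records: List[PreferenceRecord]) -> Dict[Key, Tuple[object, str]]:
    """Return {key: (value, source)} for one Company.

    Company-level records are loaded first. If the Company is a Member of an Accountability
    Policy, that Policy's records overwrite any conflicting key (priority 1 in the table above).
    A Company with no Policy keeps its own records unchanged.
    """
    effective: Dict[Key, Tuple[object, str]] = {}
    for rec in records:
        if rec.company == company:
            effective[rec.key] = (rec.value, f"Company:{company}")
    if company_policy:
        for rec in records:
            if rec.policy == company_policy:
                effective[rec.key] = (rec.value, f"Policy:{company_policy}")
    return effective


# Assumption: the three values offered by Access Valve Permissions are ranked least to most
# privileged in this order. The page lists them but does not rank them.
GROUP_RANK = {"Company Owner": 1, "Accountability Contact": 2, "Accountability or Filter Admin": 3}
WIDEN_KEY: Key = ("Filter Console", "Access Valve Permissions", "Widen Access Privileges")


def may_set_category_allow(person_groups: List[str], effective: Dict[Key, Tuple[object, str]]) -> bool:
    """Gate 'set a Category to Allow' on the effective Widen Access Privileges record.
    Assumption: with no record present, Company Owner is required."""
    value, _source = effective.get(WIDEN_KEY, ("Company Owner", "default"))
    required = GROUP_RANK[str(value)]
    held = max((GROUP_RANK.get(g, 0) for g in person_groups), default=0)
    return held >= required


# Constructed sample records.
RECORDS = [
    PreferenceRecord(*WIDEN_KEY, "Company Owner", company="Eastwood Trading Co"),
    PreferenceRecord("Filter Console", "Safe Search Settings", "Bing", "No", company="Eastwood Trading Co"),
    PreferenceRecord(*WIDEN_KEY, "Accountability Contact", policy="Golden Sands Christian Fellowship"),
    PreferenceRecord("Filter Console", "Safe Search Settings", "YouTube", "Yes", policy="Golden Sands Christian Fellowship"),
    PreferenceRecord(*WIDEN_KEY, "Company Owner", company="Salem Hardware"),
]

if __name__ == "__main__":
    for company, policy in (("Eastwood Trading Co", "Golden Sands Christian Fellowship"), ("Salem Hardware", None)):
        eff = effective_preferences(company, policy, RECORDS)
        for key, (value, source) in sorted(eff.items()):
            print(company, key, "=", value, "from", source)
        print(company, "Company Owner may widen:", may_set_category_allow(["Company Owner"], eff))
```

For *Eastwood Trading Co* the Policy's `Accountability Contact` value replaces the Company's own `Company Owner` value, so a bare Company Owner can no longer set a Category to Allow, while the Company's `Bing` Safe Search record survives because the Policy never set it. *Salem Hardware*, with no Policy, is governed entirely by its own records.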
# Preference Record Sections

Hierarchy:

* **Section**
  * **Preference**
    * **Record**

As implemented:

* **Filter Console** *(Section)*
  * **Access Valve Permissions** *(Preference)*
    * **Widen Access Privileges** *(Record)*, and so forth
  * App Store Settings
  * Safe Search Settings
* Media Room
  * Viewability
  * Channels
* Block Page Overrides
  * AutoFix Settings
  * Human Review Settings

# Preferences, in detail

## Filter Console

#### Access Valve Permissions

Record Name | Value | About
--- | --- | ---
**Widen Access Privileges** | `Company Owner` / `Accountability Contact` / `Accountability or Filter Admin` | Minimum Permission Group required to set a Category to Allow
**Restrict Access Privileges** | `Company Owner` / `Accountability Contact` / `Accountability or Filter Admin` | Minimum Permission Group required to set a Category to Block

#### App Store Settings

Record Name | Value | About
--- | --- | ---
**Permission Group** | `Company Owner` / `Accountability Contact` / `Accountability or Filter Admin` | Minimum Permission Group required to "open" an App Store

#### Safe Search Settings

Record Name | Value | About
--- | --- | ---
**Name of Service** (e.g. Bing, YouTube) | `Yes` / `No` | Enable the platform-provided adult-content blocking

## Media Room

#### Viewability

Record Name | Value | Contents | About
--- | --- | --- | ---
**Category Actions** | `Always Block Categories` / `Always Allow Categories` | List of Categories | Configure the Media Room action for the specified Categories
**Viewability Status** | `Allowed Categories Only` / `Allowed Category or Unclassified` / `Viewing Classified Media Disabled` | (N/A) | Configure the "permissiveness" of the Media Room

In detail:

* **Category Actions:** The Media Room will Allow or Block a video from playing based on the top-scoring Category it classifies as.
  The Category Actions records here let you set a list of Categories that will always or never play when a video has a top score in the Category(ies) you specify.
* **Viewability Status:** Set the behavior of the Media Room:
  * `Allowed Categories Only`: Only videos whose top-scoring Category is set to Allow will play. Videos whose top-scoring Category is set to Ignore or Block will not play.
  * `Allowed Category or Unclassified`: In addition to the videos matching Allowed Categories, above, if a classification cannot be automatically made, the video will still be allowed to play. This is the most permissive setting.
  * `Viewing Classified Media Disabled`: The Media Room will not allow any videos to play, regardless of classification.

#### Channels

Record Name | Value | About
--- | --- | ---
**Permission Group** | `Media Admin` / `Accountability Contact` / `Accountability or Filter Admin` | Minimum Permission Group required to add a Channel for automatic classification

## Block Page Overrides

#### AutoFix Settings

Record Name | Value | Contents | About
--- | --- | --- | ---
**Category Actions** | `Always Allow Categories` / `Always Block Categories` | List of Categories | Always allow or block AutoFix requests for the specified Categories
**Level 1 Enabled** | `Yes` / `No` | (N/A) | Enable AutoFix Level 1 behavior
**Level 2 Enabled** | `Yes` / `No` | (N/A) | Enable AutoFix Level 2 behavior
**Level 3 Enabled** | `Yes` / `No` | (N/A) | Enable AutoFix Level 3 behavior
**Skip Owner Confirmation** | `Yes` / `No` | (N/A) | Specify whether Company Owner contact confirmation is required for an AutoFix request. If Owner Confirmation is required, an AutoFix request emails the Company Owner contact, who must sign in and approve the request before it can proceed.
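The Media Room Viewability rules above combine three inputs: the Viewability Status, the Always Block / Always Allow Category lists, and the Action of the video's top-scoring Category. The following added example (written for this page, not the DrawBridge Media Room code) makes the precedence explicit and runs constructed sample videos through all three Viewability Status values. The Category names and sample videos are constructed; the source of the per-Category Action (assumed to be the Company's Access Policy), the treatment of a Category that is on both lists, and the treatment of an unknown Category are assumptions noted in the code. The same Always Allow / Always Block list semantics apply to the AutoFix and Human Review Category Actions records.

```python
"""Added example: the Media Room decision for one video, combining the Viewability Status,
the Category Actions (Always Block / Always Allow) lists, and the Category's Action.

Illustrative code written for this page; not the DrawBridge Media Room implementation.
"""
from typing import Dict, Iterable, List, Optional, Tuple

DISABLED = "Viewing Classified Media Disabled"
ALLOWED_ONLY = "Allowed Categories Only"
ALLOWED_OR_UNCLASSIFIED = "Allowed Category or Unclassified"


def media_room_decision(top_category: Optional[str], category_actions: Dict[str, str],
                        always_allow: Iterable[str], always_block: Iterable[str],
                        viewability_status: str) -> Tuple[bool, str]:
    """Return (plays, reason) for a video whose top-scoring Category is `top_category`
    (None when no classification could be made).

    Precedence, top to bottom:
      1. Disabled status blocks everything, regardless of classification (stated on the page).
      2. Unclassified media plays only under 'Allowed Category or Unclassified'.
      3. Always Block, then Always Allow (assumption: a Category on both lists is blocked).
      4. Otherwise the Category's Action: only Allow plays; Ignore and Block do not.
    """
    if viewability_status == DISABLED:
        return False, "Media Room disabled"
    if top_category is None:
        if viewability_status == ALLOWED_OR_UNCLASSIFIED:
            return True, "unclassified, permitted by Viewability Status"
        return False, "unclassified, not permitted by Viewability Status"
    if top_category in set(always_block):
        return False, f"'{top_category}' is in Always Block Categories"
    if top_category in set(always_allow):
        return True, f"'{top_category}' is in Always Allow Categories"
    action = category_actions.get(top_category, "Block")   # assumption: an unknown Category is treated as Block
    if action == "Allow":
        return True, f"'{top_category}' Action is Allow"
    return False, f"'{top_category}' Action is {action}"


# Constructed sample configuration. Assumption: the per-Category Action comes from the
# Company's Access Policy; the Category names are examples only.
CATEGORY_ACTIONS = {"Hunting and Fishing": "Allow", "Cooking": "Allow", "Gambling": "Block", "Music": "Ignore"}
ALWAYS_ALLOW = ["Cooking"]
ALWAYS_BLOCK = ["Music"]   # Music would otherwise fall through as Ignore; the list forces a Block

# Constructed sample videos: (title, top-scoring Category or None when unclassified).
VIDEOS = [("Fly-tying basics", "Hunting and Fishing"), ("Sourdough starter", "Cooking"),
          ("Poker night", "Gambling"), ("Live concert", "Music"), ("Unlabelled upload", None)]


def evaluate(status: str) -> List[Tuple[str, bool, str]]:
    """Decide every sample video under one Viewability Status."""
    return [(title, *media_room_decision(cat, CATEGORY_ACTIONS, ALWAYS_ALLOW, ALWAYS_BLOCK, status))
            for title, cat in VIDEOS]


if __name__ == "__main__":
    for status in (ALLOWED_ONLY, ALLOWED_OR_UNCLASSIFIED, DISABLED):
        print(status)
        for title, plays, reason in evaluate(status):
            print(f"  {title:18} {'plays  ' if plays else 'blocked'}  ({reason})")
```

The unclassified upload is the case to watch: it is blocked under `Allowed Categories Only` and plays under `Allowed Category or Unclassified`, which is what makes the latter the most permissive setting. An `Ignore` Category never plays on its own, and `Viewing Classified Media Disabled` wins over every list entry.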
#### Human Review Settings

Record Name | Value | Contents | About
--- | --- | --- | ---
**Category Actions** | `Always Allow Categories` / `Always Block Categories` | List of Categories | Always allow or block Human Review requests for the specified Categories
**Skip Owner Confirmation** | `Yes` / `No` | (N/A) | Specify whether Company Owner contact confirmation is required for a Human Review request. If Owner Confirmation is required, a Human Review request emails the Company Owner contact, who must sign in and approve the request before it can proceed.

# Preference Record View

Create a Preference record by clicking the **+** button in the upper right of the list view in any of the Sections above. Edit a Preference record by clicking the green pencil Edit button on the relevant line. View a Preference record by clicking the blue navigate-symbol View Preference button on the relevant line.

Each Preference record displays:

Parameter | About
--- | ---
**Company**/**Policy** | The tenancy association (Company or Accountability Policy) of the record
**Canonical ID** | The globally-unique identifier for the record
**Preference Setting** | What the record does

Records which contain Category list views have these options:

* Add a Category with the **+ Add** button above the list area
* Remove a Category with the red trashcan Delete button on the relevant Category line

# Accounts

# People

A Person entity is required to sign in and use the DrawBridge web portal. Additionally, Person records are associated with Companies and, optionally, Accountability Policies.

View the Active People list by clicking **Accounts**, then **People** in the left menu bar. Click the Name of a Person in the list to view the record for that Person.
### Person Record View

A Person record contains the following parameters:

Parameter | About
--- | ---
**Name** | Display name
**Email** | Email address
**Mobile** | (Optional) Mobile phone number
**Canonical ID** | The globally-unique identifier
**Last Active** | Timestamp of last sign-in activity; see the Sessions informational tab, below

**Person Record header buttons:**

* **Add** a new Person record with the blue **+** Create Person button
* **Edit** this Person record with the green pencil Update Person button
* **Delete** this Person record with the red trashcan Delete Person button
* **Impersonate User** (take on the identity and permissions of this user in the DrawBridge; used for troubleshooting)
* **Merge Person records** with the blue picture-frame "Merge other Person records into this one" button
* Hamburger menu:
  * **Set Console Password**: set a DrawBridge Console password for this Person
  * **Create Tabula account**: see **Additional Services: Tabula** for more information
  * **Add Group Membership**: add this Person to a Console Permission Group (see Informational Tabs: Permissions, below)
  * **View Realtime Log Lines**: jump to the Realtime Log Viewer, with the data view limited to this Person
  * **Today's Log Lines**: jump to the *Reports* module with this Person pre-selected in data views
  * **Record Activity Stream**: view the changelog for this Person record
* **Bookmark** this record with the ribbon Bookmark button
* Sync Menu (chain-link icon):
  * **Sync Mode** (default is `2 Way - Push / Pull from Server`); click for record sync information
  * **Push to Sync Publisher**: initiate a record update push from this DrawBridge to the Sync Server
  * **Pull from Sync Publisher**: initiate a record update pull to this DrawBridge from the Sync Server
  * **Mark to Resync**: flag this record in the background to be included in the next sync run

### Informational Tabs

Data associated with this Person:

* **Bookmarks:** List view of any Console shortcuts
  * Add a bookmark by clicking the ribbon Bookmark button on any record in the Console
  * Delete a bookmark with the red trashcan Delete button on the relevant Bookmark line here
* **Companies:** List view of any associated Company relationships
  * Add a Company relationship with the `Add Company Staff Relationship` button
  * Edit a Company relationship with the green pencil Update button on the relevant line
  * Delete a Company relationship with the red trashcan Delete button on the relevant line
  * View the Company relationship history log with the blue Record Activity Stream button on the relevant line
* **Policies:** List view of any associated Accountability Policy relationships
  * Add an Accountability Policy relationship with the `Add Accountability Policy Relationship` button
  * Edit an Accountability Policy relationship with the green pencil Update button on the relevant line
  * Delete an Accountability Policy relationship with the red trashcan Delete button on the relevant line
  * View an Accountability Policy relationship history log with the blue Record Activity Stream button on the relevant line
* **Devices:** List view of any associated Devices
  * Add a Remote Device relationship with the `Add Remote Device` button
  * Edit a Remote Device relationship with the green pencil Update button on the relevant line
  * Delete a Remote Device relationship with the red trashcan Delete button on the relevant line
  * View a Remote Device relationship history log with the blue Record Activity Stream button on the relevant line
* **Permissions:** List view of any associated Permission Groups and Proxy User Groups
  * Add a Permission Group membership with the `Add Permission` button
  * Add a Proxy User Group membership with the `Add to Proxy Users Group` button
  * Edit a Group relationship with the green pencil Update button on the relevant line
  * Delete a Group relationship with the red trashcan Delete button on the relevant line
  * View a Group relationship history log with the blue Record Activity Stream button on the relevant line
* **Sessions:** List view of all active/signed-in Console sessions this user has on this DrawBridge. Fields:
  * Last Updated: timestamp of last activity
  * IP: IP address of last activity
  * Client: the User-Agent reported by the last activity

## Unrelated People

Unrelated People are Person records that have no Company or Accountability Policy relationship assigned. This list should generally be empty.

## Inactive Relationships

This is a list of `Person - Company` or `Person - Accountability Policy` Relationships that have been set to `Inactive`. This list should generally be empty.

# Companies

A Company record is essential to using the DrawBridge: all Person records and Device records must be associated with a Company record (or an Accountability Policy) to enable full use of their functionality.

If your Company is the only Company present on your DrawBridge, clicking **Accounts: Companies** jumps directly to your Company record view. If more than one Company is present on a DrawBridge, and your sign-in credentials are part of the System Owner Permissions Group or higher, a list view of the Company records is displayed when `Companies` is clicked in the left menu bar. Click the Name of the Company to view the Company record. See **Essential Concepts: Record Model - Tenancy and Hierarchy** for further information about multi-tenancy.

The Company record view is your headquarters for viewing important data on your account, and also for jumping to other places in the DrawBridge to make configuration changes for your Company.

## Record View

##### Name of Company

Parameter | About
--- | ---
**Status** | This record is `Active` / `Inactive`
**Main** | `Yes` / `No`: indicates whether this Company record is designated as the Main Company for this DrawBridge
**Log Server Account** | Optional: account number on the Log Server; see **Reports: Log Processing** for more information
**Canonical ID** | The globally-unique identifier for this record

Link: **Log Batches** -- jumps to the list of Log Batches configured for this Company. See **Reports: Log Processing** for more information.

Link: **Sync Settings** -- jumps to the Appliance Companies record. See **System: Configuration: Appliance Companies** for more information.

**Company Record header buttons:**

* Add a new Company record with the blue **+** Add Company button
* Edit this Company record with the green pencil Update Company button
* Delete this Company record with the red trashcan Delete Company button
* Hamburger menu:
  * Today's Log Lines: jump to Reports: Browse by Loglines -- view web activity logged today
  * Report History: jump to Report Archives
  * Record Activity Stream: view the changelog for this record
* Bookmark this page with the ribbon Bookmark button
* Sync Menu (chain-link icon):
  * Sync Mode (default is `2 Way - Push / Pull from Server`); click for record sync information
  * Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
  * Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
  * Mark to Resync: flag this record in the background to be included in the next sync run

### Informational Tabs

##### Local Devices

List of Local Device records on this DrawBridge. See **Devices: Local Devices** for more information.

Create a new Local Device record with the `New Local Device` button. Manipulate existing Local Device records in the list view by clicking the desired button on the relevant line:

* Edit a record with the green pencil Update Record button
* Delete a record with the red trashcan Delete button
* View the record changelog with the blue Record Activity Stream button

##### Remote Devices

List of Remote Device records on this DrawBridge.
See **Devices: Remote Devices** for more information.

Create a new Remote Device record with the `New Remote Device` button. Manipulate existing Remote Device records in the list view by clicking the desired button on the relevant line:

* Edit a record with the green pencil Update Record button
* Delete a record with the red trashcan Delete Record button
* View the record changelog with the blue Record Activity Stream button

##### Contacts

List of Person records with a Relationship to the Company. See **Accounts: People** for more information.

Add a new Person--Company relationship with the `Add Company Staff Relationship` button. Manipulate existing Relationship records in the list view by clicking the desired button on the relevant line:

* Edit a record with the green pencil Update Record button
* Delete a record with the red trashcan Delete Record button
* View the record changelog with the blue Record Activity Stream button

##### Reports

List of configured Reports associated with this Company. See **Reports: Scheduled Reports** for more information.

Add a Report with the `Schedule New Report` button. Manipulate existing Scheduled Report records in the list view by clicking the desired button on the relevant line:

* Edit a record with the green pencil Update Record button
* Delete a record with the red trashcan Delete Record button
* View the record changelog with the blue Record Activity Stream button

##### Appliances

Displays the Appliance record associated with this Company. See **System: Configuration: Appliance Companies** for more information.

### Dashboard buttons

##### Access Policies -- Access Policy Dashboard

Jump to the Access Policy Dashboard for this Company, which displays all the Access Policies that apply to the devices of this Company. See **Content Filter: Web Page Access** for more information.

##### Activity Viewers -- Loglines & Reports

Jump to the Report Activity Viewers. See **Reports: Activity Viewers** for more information.
##### Preferences -- Preferences Dashboard

Jump to any Preferences associated with this Company. See **Essential Concepts: Preferences** for more information.

##### Accountability Policy -- ("Policy Name" or "None")

Jump to the associated Accountability Policy (if applicable). If this Company is a Member of an Accountability Policy, its name is displayed; if the Company is not a Member of any Accountability Policy, "None" is displayed. See **Essential Concepts: Accountability** and **Accounts: Accountability Policies** for more information.

# Inactive Companies

Inactive Companies are Company records whose Status has been changed from Active to Inactive.

# Accountability Policies

As noted on the **Accountability** page under the [**Essential Concepts**](https://books.compassfoundation.io/books/console-reference-docs/page/accountability) chapter:

> The DrawBridge supports an Accountability model to facilitate voluntary, centrally-administered, information sharing and content filter configuration of Member Companies by specified administrators in a community context.

An Accountability Policy consists of the Accountability Policy name and contains Member Companies. An Accountability Policy also contains Preferences (specific controls over Member Companies) and configures Report Presets (default report settings and recipients) for Member Companies.

## Record view

Link: **Assigned Companies** -- list view of Companies associated with this Accountability Policy

Parameter | Setting or Data | About
--- | --- | ---
**Parent** | `` | The Policy higher in the hierarchy, where applicable
**Include Parent Contacts** | `Yes` / `No` | Include Parent-Policy Contacts by default in this Policy, where applicable (see Parent, above)
**Role** | `Reviewer` / `Administrative` | The default scope of control associated Contacts have over Member Companies. See **Essential Concepts** for more information
**Appstore** | `Company Owner` / `Accountability Contact` / `Accountability or Filter Admin` | The minimum Permission Group Preference assigned to the Policy that is permitted to open the App Store
**Send Logs** | `Yes` / `No` | Send Member Company web usage data to the Log Server specified in Reports / Log Processing / Log Servers
**Canonical ID** | `` | The globally-unique identifier for this record

**Accountability Policy Record header buttons:**

* Add a new Accountability Policy record with the blue **+** Create Accountability Policy button
* Edit this Accountability Policy record with the green pencil Update Accountability Policy button
* Delete this Accountability Policy record with the red trashcan Delete Accountability Policy button
* View the changelog for this Accountability Policy with the blue Record Activity Stream button
* Bookmark this page with the ribbon Bookmark button
* Sync Menu:
  * Create on Sync Publisher (push this record to the Sync Server)

### Informational Tabs

* **Contacts:** List view of Contacts associated with this Policy
  * Add an Accountability Contact association with the `Add Accountability Policy Relationship` button
  * Edit the Relationship and Report Delivery options for a Contact with the green pencil Update button on that Contact's line in the list view
  * Remove an Accountability Contact with the red trashcan Delete button on that Contact's line in the list view
  * View the changelog for a particular Contact--Accountability Policy association with the View Record Activity Stream button on that Contact's line in the list view
* **Report Presets:** List view of Reports associated with this Policy (these Reports automatically apply to all Member Companies)
  * Add a Report Preset with the `New Report Preset` button
  * Remove a Report Preset association by visiting the record page for that Report Preset and editing the Policy association there
* **Policy Groups:** List view of Access Policy Groups associated with this Policy (these Access Policies are made available for all Member Companies to join).
  * Add an Access Policy relationship with the `New Access Policy Group` button.
  * Remove an Access Policy relationship by visiting the record page for the Access Policy and editing the Policy association there.

### Dashboard Buttons

#### Preferences Dashboard

Preferences configured on an Accountability Policy level override any Preferences specified on Member Companies. See **Essential Concepts: Preferences** for more information.

# Accountability Contacts

List view of `Person - Accountability Contact` relationships.

## Record View

An Accountability Contact Record has the following information:

Parameter | About
--- | ---
**Name** | Name of the associated Person record
**Email** | Email of the associated Person record
**Policy** | Name of the associated Accountability Policy record
**Canonical ID** | Globally-unique identifier of this `Person - Accountability Contact` relationship
**Contact CID** | Globally-unique identifier of the associated Person record
**Last Active** | Timestamp of the last recorded login

**Accountability Contact Record header buttons:**

* Add a new Accountability Contact record with the blue **+** button
* Edit this Accountability Contact record with the green pencil Update Record button
* Delete this Accountability Contact record with the red trashcan Delete Record button
* Hamburger menu:
  * Update Personal Details (edit the details on the associated Person record)
  * Set Console Password
  * Add Group Membership
  * Impersonate User (take on the identity and permissions of this user in the DrawBridge; used for troubleshooting)
* Bookmark this page with the ribbon Bookmark button
* Sync Menu (chain-link icon)
  * Sync Mode (default is `2 Way - Push / Pull from Server`); click for record sync information
  * Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
  * Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
  * Mark to Resync: flag this record in the background to be included in the next sync run

### Informational tabs

* **Companies:** List view of the associated Companies
  * Add a Company relationship with the `Add Company Staff Relationship` button
  * Edit a Company relationship with the green pencil Update button on the specific company line in the list view
  * Remove a Company relationship with the red trashcan Delete button on the specific company line in the list view
  * View the changelog for a particular Company association with the View Record Activity Stream button on the specific company line in the list view
* **Policies:** List view of associated Accountability Policies
  * Add an Accountability Policy relationship with the `Add Accountability Policy Relationship` button
  * Edit an Accountability Policy relationship with the green pencil Update button on the specific Accountability Policy line in the list view
  * Remove an Accountability Policy relationship with the red trashcan Delete button on the specific Accountability Policy line in the list view
  * View the changelog for a particular Accountability Policy association with the View Record Activity Stream button on the specific Accountability Policy line in the list view
* **Permissions:** List view of Permission Group membership
  * Add Permission Group membership with the `Add Permission` button
  * Add to a Proxy User Group with the `Add to Proxy Users Group` button
  * Remove a Permission Group membership with the red trashcan Delete Record button on the specific Permission Group line
  * View the changelog for a particular Permission Group Membership with the View Record Activity Stream button

# Groups

# Permission Groups

The DrawBridge console uses the model of Permission Groups: a Person record can be a member of a particular Permission Group, and thus gains the abilities allowed by that Permission Group.
For more information, see **Essential Concepts: Permissions and Relationships**.

# People Groups

### Proxy User Groups

A `Proxy User Group` is a group of People (similar to Device Groups being groups of Devices). People in the Proxy User Group are users on the local network who are authenticated to the DrawBridge via the DrawBridge Agent software installed on the endpoint.

A `Proxy User Group` can have two origins:

1. Created by manually adding People records to a "standalone" Proxy User Group, or,
2. An existing `Directory Group` designated as a Proxy User Group.

Create a standalone Proxy User Group by clicking the **+** button in the upper right corner of the list view. Give the group a name, specify the minimum permissions required to add People to the group, select any Parent Group if applicable, and ensure that Proxy Users is toggled to Yes.

Note that the list view in **Proxy User Groups** displays both "standalone" Proxy User Groups, as well as all Directory Groups _that have been specified as a Proxy User Group;_ see below.

### Directory Groups

A `Directory Group` is a group of People that has been synchronized from another server, for example, an Active Directory server. A `Directory Group` can be designated a Proxy User Group by editing the Directory Group record and toggling the Proxy Users setting to `Yes`.

The advantage of designating a particular Directory Group as a Proxy User Group is that the (Person) members of that group can be managed on the AD server; no ongoing membership maintenance is needed in the DrawBridge. Changes in Directory Group membership made on the AD server are automatically synchronized via the regular AD--DrawBridge sync job.

## Implementation Concept Diagram

This diagram illustrates how People Groups can be assigned to an Access Policy via association with a Device Group. See **How To Guides: Assign a Proxy User Group to an Access Policy** for further instructions.
[![drawbridge-groups.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-10/scaled-1680-/drawbridge-groups-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-10/drawbridge-groups-drawio.png)

# Authentication Integration

The DrawBridge supports connection to an external user database for User and Group synchronization using the following database types:

* Active Directory
* OpenLDAP

## Purpose

These features are intended to be used in conjunction with the DrawBridge Agent software (Windows computers only) to link the actual User signed in on a Local Device to a specific Access Policy.

See **Accounts: Groups** for further information on People Groups. See **Content Filter: Web Page Access** for further information on configuring Access Policies. See **How To Guides: Assign a Proxy User Group to an Access Policy** for further implementation details.

## Technical specifics

The DrawBridge connects to external user databases either using plain-text LDAP communication on port 389, or using TLS (LDAPS) on port 636. A scheduled job performs a background synchronization with the database server four times a day.

A username and password to access the user database must be provided to the DrawBridge. The only permissions needed for that user are read access to the user and group information on the server.

**Security Notes:**

* The security-by-least-privilege principle dictates that the credentials provided to the DrawBridge to access the user database should not have any permissions beyond read-only access.
* When using LDAPS: The DrawBridge accepts any certificate presented by the server -- it does not perform verification/validity checks. The LDAPS session therefore protects the bind credentials and directory data against passive eavesdropping only, since an on-path party could present its own certificate; keep the path between the DrawBridge and the directory server on a trusted network segment.
* With plain-text LDAP on port 389, the bind credentials and directory data cross the network unencrypted; prefer LDAPS where the directory server supports it.

## Record View

Both Active Directory and OpenLDAP server records have the following parameters:

Parameter | About
--- | ---
**Name** | User-assigned display name of the server
**Host** | Address of the server, eg. `192.168.250.66:636` (Active Directory) or `ldap://127.0.0.1:636` (OpenLDAP)
**Server Type** | `Active Directory` or `OpenLDAP`
**Username Format** | `Active Directory` or `OpenLDAP`
**Status** | This record is `Active` or `Inactive`
**Search Base** | Examples: `dc=local` or `ou=Accounts,dc=eastwoodtc,dc=lan`
**User Object Class** | Examples: `person` (Active Directory) or `inetOrgPerson` (OpenLDAP)
**Group Object Class** | Examples: `group` (Active Directory) or `posixGroup` (OpenLDAP)
**Device Object Class** | Example: `computer` (Active Directory)

**Record header menu buttons:**

* **Edit** the Directory Server settings with the green pencil Update Directory Server button
* **Delete** the Directory Server record with the red trashcan Delete Directory Server button
* Hamburger menu:
  * **Verify Connection settings**: test the provided authentication credentials. An alert will display the results of this test within seconds.
  * **Sync Directory Servers**: trigger a manual sync job to run immediately. (Note: this routine does not provide any status information.)
* **Bookmark** this page with the ribbon Bookmark button

### Informational Tabs

#### Field Maps

Map DrawBridge database fields to the directory server fields. Add a new relationship with the `Add Field Relationship` button. Remove a field relationship with the red trashcan Delete button on the relevant line.

##### Example configuration (Active Directory)

Note: Your environment may be different.

Console Field | Directory Field
--- | ---
first_name | givenName
last_name | sn
username | cn
cid | objectGUID
email | userPrincipalName

#### Company Maps (Active Directory only)

Assign a Directory Group to a DrawBridge Company with the `Add Group to Company Map` button. Remove a `Directory Group to DrawBridge Company` relationship with the red trashcan Delete button on the relevant line.
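As an added illustration of the Security Notes and the Field Maps example above (example code written for this page, not the DrawBridge's own sync implementation): the first part builds a TLS context that does verify the directory server's certificate, beside the accept-any-certificate equivalent the note describes; the second part applies the Active Directory field map to one directory entry, converting the raw 16-byte `objectGUID` into its usual string form. The sample entry, the function names and the `ca_file` parameter are constructed assumptions, and no LDAP client library is used so the block runs offline.

```python
"""Directory-sync helpers: added example, not DrawBridge code."""
import ssl
import uuid

# Console field -> directory attribute, taken from the Active Directory
# example configuration on this page.
AD_FIELD_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "username": "cn",
    "cid": "objectGUID",
    "email": "userPrincipalName",
}


def make_ldaps_context(ca_file=None):
    """TLS context that verifies the LDAPS server certificate.

    The chain must validate against ca_file (system trust store when None)
    and the certificate must name the host being connected to.  This is the
    stricter alternative to accepting any certificate.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # default for SERVER_AUTH, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_trust_all_context():
    """Equivalent of 'accepts any certificate', shown only for comparison."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False           # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_policy(ctx):
    """Plain-value summary of what a context enforces (useful in a config audit)."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def objectguid_to_str(raw):
    """AD objectGUID is 16 raw bytes in Windows GUID (mixed-endian) layout."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=bytes(raw)))


def apply_field_map(entry, field_map=AD_FIELD_MAP):
    """Translate one directory entry (attribute -> value or list of values)
    into console fields.  Returns (record, missing_console_fields); missing
    attributes are reported, never guessed."""
    record, missing = {}, []
    for console_field, attr in field_map.items():
        value = entry.get(attr)
        if value in (None, [], b"", ""):
            missing.append(console_field)
            continue
        if isinstance(value, list):
            value = value[0]             # LDAP attributes are multi-valued; take the first
        if attr == "objectGUID":
            value = objectguid_to_str(value)
        elif isinstance(value, bytes):
            value = value.decode("utf-8")
        record[console_field] = value
    return record, missing


# Constructed sample entry, not real directory data.
SAMPLE_ENTRY = {
    "givenName": ["Ada"],
    "sn": ["Lovelace"],
    "cn": ["alovelace"],
    "objectGUID": [bytes.fromhex("78563412341278569abcdef012345678")],
    "userPrincipalName": ["alovelace@example.lan"],
}

if __name__ == "__main__":
    print(tls_policy(make_ldaps_context()))
    print(tls_policy(make_trust_all_context()))
    print(apply_field_map(SAMPLE_ENTRY))
```

`tls_policy` is the check to run against whatever context a sync client actually uses: a result of `verifies_chain: False` is exactly the situation the second Security Note describes. The `missing` list from `apply_field_map` tells you which mapped attribute your directory does not populate for a given account, which is the usual cause of blank console fields after a sync.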
# Devices

# Overview

Create and manage Local and Remote Device records and corresponding Company and People associations, as well as static Device Groups.

Devices are the “target” of filter settings configured in **Content Filter**.

**Note:** for proper network operation:

* all Devices need to have the DrawBridge CA Security Certificate installed. See **Essential Concepts: Web Page Classification: Traffic Visibility Prerequisites** for further information.
* Remote Devices must have the correct External Networks assigned to them. See page **Remote Devices** in this chapter for further information.

### Identifying Devices on the network

The DrawBridge has several ways of identifying Devices:

* Local Devices via either
  * auto-created records via built-in network detection, or,
  * auto-created records via the DrawBridge Agent software (Windows-only), or,
  * manually created records by a user.
* Remote devices created by users; these authenticate with the DrawBridge username and password

### In this chapter:

* Devices Dashboard
* Local Devices
* Remote Devices
* Device Groups
* Apps: Device Configuration
* SSL Certificates
* External Networks

### Devices Dashboard

* **Local Devices:** devices on the network where your DrawBridge is located. For example, the desktop you have in your office.
* **Remote Devices:** devices that access your DrawBridge from “outside” your network; ie. from the public Internet. For example, a laptop that’s configured to connect to your DrawBridge for filtering whenever you’re out on the road using a hotspot.
* **Device Groups:** entities that contain Local and/or Remote devices

### Apps: Device Configuration

* **SSL Certificates:** mandatory SSL/TLS Certificate Authority security certificates for all devices connecting through a DrawBridge
* **External Networks:** list of external network information used for assisting Remote Device Authentication operations

# Local Devices

A Local Device record is an entity intended to represent one Device on the local network, no matter how many network interfaces the Device has. (Exception: special IP Range devices; see FAQ below.)

Devices are created by:

* **Auto-detection:** The DrawBridge monitors network traffic to detect local devices based on the IP address, and automatically creates a Local Device record if none exists for that address.
* **A DrawBridge Console user:** Click the **+** located in the upper right corner of the Local Devices list view to create a new Local Device Record.
* **The DrawBridge Agent:** If the DrawBridge Agent "calls home" with Device information that does not match an existing record, a new Local Device record will be created (*only* if the MAC address can be validated; see FAQ below).
* **Active Directory sync:** If your DrawBridge is configured to sync with an Active Directory server, Devices listed in the AD server will be automatically created on the DrawBridge.
* **Compass Portal Sync:** (Remote Devices only)

In the Local Device list view, select any local device record by tapping the device name or IP address link shown in the `Hostname` column to see an individual device record.
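The MAC-address validation mentioned under **The DrawBridge Agent** above, and the randomized-address discussion in the FAQ further down this page, can be illustrated with the standard IEEE 802 address bits: operating-system privacy features mark a generated address by setting the "locally administered" bit of the first octet. This is an added example, not the console's own validation code (which the page does not show); the classification rule, function names and sample addresses are assumptions.

```python
"""MAC address validation: added example, not the DrawBridge console's logic."""
import re

_SEPARATORS = re.compile(r"[:\-.\s]")


def normalize_mac(mac):
    """Return the address as lower-case colon-separated octets, or None when it
    is not 12 hex digits in one of the usual notations
    (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff)."""
    if not isinstance(mac, str):
        return None
    digits = _SEPARATORS.sub("", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def classify_mac(mac):
    """Classify an address for deciding whether it identifies a physical interface.

      'invalid'    malformed
      'null'       all zeros, i.e. no address
      'multicast'  I/G bit (bit 0 of the first octet) set; never a source address
      'randomized' U/L bit (bit 1 of the first octet) set: locally administered,
                   which is how iOS, Android and Windows mark generated addresses
      'hardware'   globally unique (burned-in) address

    Assumption: the console's actual rule is not stated on the page; this uses
    the IEEE 802 U/L and I/G bits, which is the conventional test."""
    norm = normalize_mac(mac)
    if norm is None:
        return "invalid"
    if norm == "00:00:00:00:00:00":
        return "null"
    first_octet = int(norm[:2], 16)
    if first_octet & 0x01:
        return "multicast"
    if first_octet & 0x02:
        return "randomized"
    return "hardware"


def usable_hardware_mac(mac):
    """True only for addresses worth storing on a Local Device record."""
    return classify_mac(mac) == "hardware"


def partition_observed(macs):
    """Split observed addresses into (kept, discarded); each item is
    (normalized-or-raw address, classification) so the discard reason is visible."""
    kept, discarded = [], []
    for mac in macs:
        kind = classify_mac(mac)
        item = (normalize_mac(mac) or mac, kind)
        (kept if kind == "hardware" else discarded).append(item)
    return kept, discarded


# Constructed sample of addresses as a detector might observe them.
OBSERVED = ["00:11:22:33:44:55", "DA-A1-19-12-34-56", "0011.2233.4455",
            "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00", "bogus"]

if __name__ == "__main__":
    kept, discarded = partition_observed(OBSERVED)
    print("kept:", kept)
    print("discarded:", discarded)
```

Applied to the FAQ further down: a phone that re-joins the network after "forgetting" it shows up with a different locally administered address each time, so every one of those addresses classifies as `randomized`; turning off randomization for that network name makes the burned-in address visible again, and only that one is worth a DHCP reservation.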
## Record View

A Local Device record contains the following parameters:

Parameter | About
--- | ---
**Company** | the Company associated with the Device; see **Accounts: Companies** for more information
**Auto Hostname** | the automatically-detected hostname of the device on the network, if available
**Platform** | the operating system of the device, if specified
**Type** | the type of hardware, such as Laptop, Smartphone, Tablet, and so forth
**Status** | this local device record is: `Active` or `Inactive`
**Source** | origin of the record information: auto-detected or User Entry
**Last Active** | the timestamp of the last filter traffic recorded for this device
**Reportable** | traffic from this device Is or Is Not included in Activity Reports

**Device Record header buttons:**

* Add a new Local Device record with the blue **+** Create Local Device button
* Edit this Local Device record with the green pencil Update Local Device button
* Delete this Local Device record with the red trashcan Delete Local Device button
* Hamburger menu:
  * Today's Log Lines: a shortcut to the *Reports* module with the device pre-selected in data views
  * Add Network Interface: add an additional network interface to the device
  * Reset DrawBridge Agent: reset the record association with the DrawBridge Agent
  * Record Activity Stream: view the changelog for this Device record
* Bookmark this page with the ribbon Bookmark button

##### Informational Tabs

* **Network Interfaces**: IP address(es) and MAC address(es) associated with the device. Keep in mind that a device can have multiple network interfaces and also multiple IP addresses, so multiple lines may be listed here. For example, a laptop may have a Wi-Fi network interface as well as a wired Ethernet interface. Both interfaces will have unique MAC/hardware addresses, so if you want to apply a filter policy to that particular Device, no matter how it is connected to your network, you’ll need to ensure both interfaces (WiFi and Ethernet) are specified here.
* **Access Policies**: a list of Access Policies that are applied to this device (see **Content Filter: Access Policies** for further information). This list is generated based on the membership of the Device in a particular *Device Group*, a component of an *Access Policy*. The exact Access Policy can be visited by clicking the link in the list under the Name column, or, you can view all Access Policies for your company by clicking the *Access Policies/Access Policy Dashboard* button to the right.

#### Device Group Membership

A local device is always part of the *alldevices* Device Group of the associated Company. A local device can be associated with an unlimited number of Device Groups. See the Device Groups page for further information.

## FAQs

**Q:** Why aren't Local Devices automatically appearing on my account?

**A:** Auto-generated Local Device records are only generated for the Main Company. Verify that your account is set as Main if you are not seeing Local Device records auto-populate.

--------------

**Q:** Why doesn't the Local Device record display the MAC address of my device?

**A:** Bogus/Randomized MAC addresses may be automatically discarded by the console to reduce the amount of auto-generated Local Device records. For more context and a resolution, see the Question "Why are there so many Local Devices listed?".

--------------

**Q:** Why are there so many Local Devices listed? (I only have X number of devices on my network.)

**A:** Several factors may result in a proliferation of Local Device records:

* **“Network churn”**: many new devices joining the network and old ones leaving. The DHCP server will do its job to utilize the limited address space available to it, which may involve assigning a previously-used address to a new device. This may result in the DrawBridge creating additional Local Device records or unexpectedly adding new MAC address associations to an existing IP Address / Hostname record.

  ***Countermeasure:*** configure address reservations in your network DHCP server (DrawBridge ClearOS webconfig panel or other network equipment, if applicable) to ensure that a specific MAC address may only ever be assigned a specific IP address.

* **Operating system privacy features**: randomized hardware interface addresses (also known as MAC addresses). Most operating systems now have functionality to generate a random hardware address for a particular network to prevent devices from being tracked across public WiFi hotspots. While most operating systems will maintain the same randomly-generated MAC address for a particular “remembered” network, if you reset your network settings or Forget the saved network and re-join, the randomly-generated MAC will have changed. As above, this may result in the DrawBridge creating additional Local Device records or unexpectedly adding new MAC address associations to an existing IP Address / Hostname record.

  ***Countermeasures:*** Turn off physical/MAC address randomization for your DrawBridge-protected network name (for example, for your WiFi network), and then set a DHCP reservation for the actual device hardware MAC address.

  Turn off hardware address randomization, by operating system:

  * iOS: Settings / WiFi / information icon / toggle `Private WiFi Address` off
  * Android: Settings / WiFi / gear icon / Advanced / set `Privacy` to `Use Device MAC`
  * Windows 10, all networks: Settings / Network and Internet / WiFi / toggle `Use random hardware addresses` off
  * Windows 10, specific network: Settings / Network and Internet / WiFi / Manage Known Networks / select the network / Properties / set `Use random hardware addresses` to off
  * Windows 11: Settings / Network and Internet / WiFi / gear icon / Advanced / Privacy / set `Use device MAC`

  Then add an address reservation in your DHCP server, as described above.

**Note:** The DrawBridge console does perform a background cleanup of "dead" local device records on a regular basis.

-------------

**Q:** Is any type of "agent" software available for Windows computers to positively identify Local Devices on a network?

**A:** Yes! See the page **DrawBridge Agent Reference** in this chapter for further information.

-------------

**Q:** Can I create an “entity” for an IP address range instead of making a bunch of Local Device records?

**A:** Yes! Create a new Local Device, and in the Platform field, select `Network IP / IP Range`, then enter the IP address range. This special “Local Device” can be used in a Device Group just like an ordinary Local Device or Remote Device record.

# Remote Devices

A Remote Device connects through your DrawBridge from "outside" your network -- from the public Internet.

Remote Devices are created by:

* **A DrawBridge Console user:** Click the **+** located in the upper right corner of the Remote Devices list view to create a new Remote Device Record.
* **CF Odoo Portal sync:** Devices created in the [Portal](https://erp.compassfoundation.io/web/login) are automatically synchronized either via a triggered sync run (Cloud Servers), or the scheduled sync job.
In the Remote Device list view, select any remote device record by tapping the username shown in the `Filter Username` column to see an individual device record.

## Record View

The individual Remote Device record contains the following parameters:

Parameter | About
--- | ---
**Company** | the Company associated with the Device; see the Accounts section for more information
**Console User** | the Person record associated with the Remote Device
**Filter Username** | the unique username this Device uses for authentication; this must either ***match*** or ***begin with*** the username of the associated Console User/Person
**Email** | the email address of the associated Person record
**Status** | this device record is: `Active` or `Inactive`
**Canonical ID** | the global unique identifier for this Remote Device; used for synchronization
**Contact CID** | the global unique identifier of the associated Person record; used for synchronization
**Last Active** | the timestamp of the last filter traffic recorded for this device
**Device Type** | the type of hardware, such as Laptop, Smartphone, Tablet, and so forth

**Remote Device Record header Buttons:**

* **Add** a new Remote Device record with the blue **+** Create Remote Device button
* **Edit** this Remote Device record with the green pencil Update Remote Device button
* **Delete** this Remote Device record with the red trashcan Delete Remote Device button
* Hamburger menu:
  * **Update Personal Details:** edit the information of the associated Person record
  * **Set Console Password:** set a DrawBridge Console password for this Remote Device User
  * **Add Group Membership:** add this Remote Device User to a Console Permission Group (see Informational Tabs: Permissions, below)
  * **View Realtime Log Lines:** jump to the Realtime Log Viewer, with the data view limited to this device
  * **Today's Log Lines:** jump to the *Reports* module with the device pre-selected in data views
  * **Record Activity Stream:** view the changelog for this Device record
  * **Impersonate User** (take on the identity and permissions of this Remote Device user in the DrawBridge; used for troubleshooting)
* **Bookmark** this page with the ribbon Bookmark button
* Sync Menu (chain-link icon)
  * Sync Mode (default is `2 Way - Push / Pull from Server`); click for record sync information
  * Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
  * Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
  * Mark to Resync: flag this record in the background to be included in the next sync run

##### Informational Tabs

* **Authentication**: Additional parameters used to identify the device to streamline authentication. See *How does setting `Port`+`Platform`+`ExternalNetwork` information assist Remote Device authentication?* in the FAQ below. Also displayed are:
  * **User URL:** a link that can be visited in a browser on the device to authenticate its public IP with the DrawBridge
  * **PAC URL:** Proxy Auto-Configuration: a spec-compliant URL that can be used by major operating systems to programmatically fetch proxy settings
* **Auth Activity**: A recent history view of public IP addresses that this device has successfully authenticated from, in addition to the associated reverse-DNS network name, when retrievable.
* **Access Policies**: a list of Access Policies that are applied to this device (see Content Filter for more information on Access Policies). This list is generated based on the membership of the Device in a particular Device Group, a component of an Access Policy. The exact Access Policy can be visited by clicking the link in the list under the Name column, or, you can view all Access Policies for your company by clicking the Access Policies/Access Policy Dashboard button to the right.
* **Permissions**: a list of Console Permission Groups that this Remote Device User is a member of (permits or does not permit the submission of an AutoFix, for example).

#### Device Group Membership

A remote device is always part of the *alldevices* Device Group of the associated Company. A remote device can be associated with an unlimited number of Device Groups. See the Device Groups page for further information.

## FAQs

**Q:** Why am I getting a `Proxy Authentication Required` popup on my mobile device?

**A:** Your device is not properly authenticated with the DrawBridge. Visit the **User URL** for your device in a browser on that device, and ensure you get a `Success` message. If you continue to get these `Proxy Authentication Required` popups after a successful authentication event:

* Verify the proxy configuration on the device is correct (particularly the assigned port)
* Verify the network you are connecting from is listed in `External Networks` under the device. See the FAQ item below: *How does setting `Port`+`Platform`+`ExternalNetwork` information assist Remote Device authentication?*

----------

**Q:** Why does the *Last Active* timestamp not line up with the known usage of the Remote Device?

**A:** This timestamp is the last recorded filter log activity for the device. There are several possibilities to explain why a device that is known to be in use is not showing a current corresponding timestamp:

1. *The device does not have a data connection.*

   **Solution:**
   * Ensure the device has an active data plan and/or connect the device to an open WiFi network (not a captive-portal-controlled network, such as many public hotspots).
   * Perform activities on the device that will generate log data, such as visiting a search engine in a browser.
   * Verify while performing the activities that loglines are shown in the DrawBridge Realtime Log Viewer for the device.
   * If loglines for that device are displayed in the Realtime viewer, wait at least 15 minutes for the logs to be processed.
   * Refresh the Device Record page to see if the Last Active timestamp has been updated.

2. *The device is not properly authenticating with the DrawBridge, therefore, no web activity logs are being recorded.*

   **Solution:**
   * Follow the same steps as detailed above to verify there are loglines displayed in the Realtime Log Viewer for the device in question.
   * If there are no loglines, and yet web resources can be accessed on the device, then the proxy software on the device is failing to properly proxy traffic.
   * Verify the proxy settings/software on the device are correctly configured.
   * Visit the device User URL in a browser on the device to trigger an authentication event while monitoring the DrawBridge Realtime Log Viewer `Errors Log`, with the Remote Device port entered in the Pattern field. You should see one or more lines indicating successful authentication.

   **Note for Android devices:** Android has a "fail-open" proxy design, so if authentication fails for any reason, Android will bypass the proxy. This can generally be resolved by re-authenticating the device with the DrawBridge.

3. *The only traffic that is getting recorded is considered "system activity" and is not considered reportable, and is therefore not saved, so the* Last Activity *timestamp is not updated.*

   **Solution:** Follow the steps in #1 and #2 (if needed) to ensure the device is properly proxied and authenticating with the DrawBridge.

----------

**Q:** Why do Remote Devices need to be authenticated?

**A:** It's critical for filtering and reporting purposes that the device connecting to the DrawBridge be positively, unmistakably identified. Beyond that, anything connected to the internet is potentially a target for misuse. For example, if no authentication (username/password) were required for a remote device, a hacker could route their activities unimpeded through your internet connection, making their malicious traffic appear to originate with you. You may be held legally responsible for what happens on your internet connection. Depending on the type of activities, you may receive a legal notice warning of a DMCA violation ([Digital Millennium Copyright Act](https://www.copyright.gov/dmca/)). However, requiring authentication from all remote devices eliminates these concerns.

----------

**Q:** How does setting `Port`+`Platform`+`ExternalNetwork` information assist Remote Device authentication?

**A:** As noted above, the DrawBridge requires authentication for Remote Devices. However, mobile operating system platforms (Android and iOS) are notorious for failing to always communicate the required credentials for authentication of each network session they establish. So, to smooth the user experience, the DrawBridge accommodates "assumed authentication" -- if a network request matches **all three** parameters:

* sent to the unique Port assigned to the device
* sent by the operating system Platform specified for the device
* originates from an External Network (mobile network) the device is known to be using

... then the DrawBridge will "assume" that the request is legitimate and consider the request authenticated. This prevents repeated `Proxy Authentication Required` popups on mobile devices as they roam cellular networks.

# Device Groups

Device Group records are entities containing one or more Devices to which Access Policies can be applied. See **Content Filter: Web Page Access** for further information.

In the Device Groups list view, click the drop-down arrow button to the left of a line name to display member devices and associated Access Policies.

Depending on your Console Permission Group membership, and whether multiple Companies are present on your DrawBridge, you will be able to see all the Device Groups available on the system. See **Essential Concepts: Record Model - Tenancy and Hierarchy** for further information.

**Note:** This panel only displays "static" device groups.
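To make the three-parameter "assumed authentication" rule from the Remote Devices FAQ above concrete, here is an added model of it (example code written for this page, not the DrawBridge's implementation). The device record, the requests and the carrier address ranges are constructed; the page does not say how the DrawBridge attributes a Platform to a request, so the model simply treats it as an input, and the hypothetical `decide` function shows the order in which explicit credentials, the assumed path and the challenge are tried.

```python
"""Model of the Port + Platform + External Network rule: added example only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RemoteDevice:
    filter_username: str
    port: int                    # unique proxy port assigned to this device
    platform: str                # operating system platform set on the record
    external_networks: tuple     # CIDR blocks of the carriers the device is known to use


@dataclass(frozen=True)
class ProxyRequest:
    source_ip: str
    dest_port: int
    platform: str                # platform attributed to the request (input here)
    credentials_ok: bool = False # True when a valid Proxy-Authorization was supplied


def from_known_external_network(src_ip, device):
    """Third parameter: does the source address fall inside any listed External Network?"""
    try:
        src = ip_address(src_ip)
    except ValueError:
        return False
    return any(src in ip_network(cidr, strict=False) for cidr in device.external_networks)


def assumed_authenticated(req, device):
    """All three parameters must match; any single mismatch returns False so the
    request falls back to explicit credentials."""
    if req.dest_port != device.port:
        return False
    if req.platform.lower() != device.platform.lower():
        return False
    return from_known_external_network(req.source_ip, device)


def decide(req, device):
    """Return (outcome, reason): 'authenticated' via credentials or assumption,
    otherwise 'challenge', which the user sees as Proxy Authentication Required."""
    if req.credentials_ok:
        return "authenticated", "credentials"
    if assumed_authenticated(req, device):
        return "authenticated", "assumed"
    return "challenge", "Proxy Authentication Required"


# Constructed device: port and carrier range are placeholders (TEST-NET-2 documentation space).
PHONE = RemoteDevice("jsmith-phone", 3129, "Android", ("198.51.100.0/24",))

if __name__ == "__main__":
    for req in (ProxyRequest("198.51.100.23", 3129, "Android"),
                ProxyRequest("198.51.100.23", 3130, "Android"),
                ProxyRequest("203.0.113.5", 3129, "Android"),
                ProxyRequest("203.0.113.5", 3129, "Android", credentials_ok=True)):
        print(req.source_ip, req.dest_port, decide(req, PHONE))
```

The point for an administrator is that the assumed path replaces a secret (the password) with three observable attributes, so the accuracy of the External Networks list and the uniqueness of each device's Port are what keep it narrow: a request from a network not on the list, or to the wrong port, still receives the `Proxy Authentication Required` challenge, which is the FAQ symptom above.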
For parameter-based "Smart Device Groups", see the Content Filter module.

# SSL Certs

The DrawBridge CA certificate is required on all client devices for proper operation with the DrawBridge. Different operating systems require different certificate types or encoding types. This menu gives you the appropriate certificate for your operating system. Click the appropriate operating system for your use case and follow the instructions to install the certificate.

## Visit the SSL Certs page

If you're on a DrawBridge-protected network, visit the SSL Certs dashboard at: [http://draw.bridge/sslcerts/dashboard/](http://draw.bridge/sslcerts/dashboard/)

If you're **not** on a DrawBridge-protected network, visit the SSL Certs dashboard on one of our cloud servers, such as:

* [http://whitespire.compassfoundation.io/sslcerts/dashboard/](http://whitespire.compassfoundation.io/sslcerts/dashboard/)
* [http://sweetspire.compassfoundation.io/sslcerts/dashboard/](http://sweetspire.compassfoundation.io/sslcerts/dashboard/)

## Linux systems

As of this writing, a script to install the DrawBridge root CA certificate is available on all DrawBridge systems; however, it is not visible in the user interface at this time.

#### Installation instructions:

1. Download the installer script here: [http://draw.bridge/static/software/linux_installer.zip](http://draw.bridge/static/software/linux_installer.zip) (Note: you must be on a DrawBridge-protected network with DNS resolution properly configured.)
2. Open a terminal and navigate to the directory where you saved the script (eg. `cd ~/Downloads/`).
3. Extract the script: `unzip linux_installer.zip`
4. Run the script: `sudo ./Linux_Installer.sh`
5. Recommended: restart your system, or, at a minimum, your web browsers.

Because the archive is fetched over plain HTTP and the script runs as root, it is worth reading the extracted script (for example with `less Linux_Installer.sh`) before step 4.

# External Networks

External Networks are used to assist with remote device authentication. This list is managed by Compass and generally should not be edited.
If you know of a new network that should be listed, please submit a support ticket to Compass (support@compassfoundation.io) to have the new External Network entry added to all DrawBridges.

# DrawBridge Agent Reference

## Overview

The DrawBridge Agent positively identifies and links the device it is installed on to a Local Device record in the DrawBridge. At initial install time, it will attempt auto-registration based on the device Hostname. Once the initial registration has occurred, further authentication events identify the device to the DrawBridge using the registered Canonical ID (CID).

The DrawBridge Agent enables you to implement filter policies that follow a User around on your network, no matter what Device they are using, provided that the Windows User Name of the Person is known to the DrawBridge and matches a Person record present on the DrawBridge.

While this Agent was developed primarily for companies with a Windows Active Directory server, it will also function on any local network that is protected by an onsite DrawBridge. Note that only Local Devices are supported (not Remote Devices, which presumably will be managed by a separate MDM [Mobile Device Management] service).

### Notes regarding Active Directory Authentication Integration

See **Accounts: Authentication Integration** for more information on Active Directory server setup.

* After initial Active Directory (AD) sync configuration, People records and Group associations can be managed exclusively in the AD server, and the DrawBridge will automatically synchronize that information over.
* The DrawBridge AD sync job automatically synchronizes all Person and Directory Group records available in the AD infrastructure to the DrawBridge four times a day. (A manual sync can be triggered as well.)
* Directory Groups are entities pulled from an AD/LDAP server.
A Directory Group must be designated as a Proxy User Group in the DrawBridge to be able to assign it to a Device Group for an Access Policy to take effect on it.
* See documentation book **How To Guides: Assign a Proxy User Group to an Access Policy** for further information.

### Prerequisite Network Configuration

* `draw.bridge` must resolve to the local DrawBridge IP address on the local network. If the DrawBridge is not the DNS server, go to the network DNS server, create a new Forward Lookup Zone, and create a new A record for `draw.bridge` to resolve it properly.

### Agent Software Installation

* Download the latest version of the Drawbridge Agent installer from [https://www.compassfoundation.io/drawbridge_agent/releases/drawbridge_agent.exe](https://www.compassfoundation.io/drawbridge_agent/releases/drawbridge_agent.exe).
* Run the installer to install the Drawbridge Agent. By default it will be installed into the `C:\Program Files (x86)\Compass Foundation\DrawBridge Agent` folder. After a successful installation you should see an icon in the system tray.

[![AgentIcon.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/agenticon.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/agenticon.png)

* It is also possible to run the installer silently with the following syntax: `DrawbridgeAgentInstallerX.X.X.exe /exenoui /qn`
* A prerequisite to running the Agent is that the `.NET Desktop Runtime 6.0` or higher needs to be installed. The Drawbridge Agent installer will prompt the user to do this if it isn't already installed. In the case of a silent install, this will happen automatically if needed.
* Alternatively, the runtime can be manually downloaded and installed from [Microsoft's Download Page](https://dotnet.microsoft.com/en-us/download/dotnet/6.0).

### Operation

* After installation the user can click on the icon in the system tray.
The Agent will first attempt to register with the Drawbridge by matching the device hostname with the hostname of a Local Device record in the DrawBridge, and if that is successful, it will attempt to authenticate with the Drawbridge.
* After this the Agent should automatically authenticate the currently logged in user at every Windows logon or unlock event. There will be toast messages shown to verify this, unless notifications are turned off.

[![userswitch.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/userswitch.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/userswitch.png)

* It is possible for the user to request a manual authentication with the Drawbridge. This is done either by left-clicking on the icon in the system tray, or by right-clicking and selecting `Authenticate User`.
* Hovering over the icon in the system tray will show the currently logged in Windows user name.

[![tooltip.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/tooltip.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/tooltip.png)

* Selecting the `About Version` option from the right-click context menu will show contact and version information.
* Selecting the `More Info` option from the right-click context menu will open a dialog with some additional info that may be useful for debugging.

[![details.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/details.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/details.png)

* Clicking on the hyperlink in the details page will open up the console page for the local device that is currently being used (#1 in screenshot). The console user that is currently associated with this device is shown at #2. This `Active User` can also be clicked on to open the console page for the user.
[![device details.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/device-details.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/device-details.png)

* Selecting the `Check for Updates` option from the right-click context menu will check to see whether there are any newer versions of the Agent available. If there are, the user can choose to update the Agent.

### Details

* After installation, when the user locks and unlocks the computer, or manually clicks on the icon in the system tray, the Drawbridge Agent will attempt to register the computer with the Drawbridge. If the registration is successful, the computer will be permanently linked to its associated local device in the console. This is a one-time operation and will not be done again unless the user uninstalls and reinstalls the Agent.
* After the initial registration, or after any subsequent user logon, the Agent will then proceed to try to authenticate the current Windows user and link the Windows user to a console user. There will be a toast message displayed that shows the outcome of this authentication attempt.
* If for some reason a user is not able to register a computer with the Drawbridge, he should perform a `Repair` of the Agent by typing `appwiz.cpl` into the Windows start menu, then right-clicking on the `Drawbridge Agent` item and selecting `Uninstall/Change`.

[![repairStart.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/repairstart.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/repairstart.png)

This will then open another dialog where the user can confirm the repair.
[![repair.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/repair.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/repair.png)

* When a user uninstalls the Agent, the Agent sends a request to the console to remove the association between the local device on the console and the user's computer. If this for some reason fails, the user will not be able to successfully reinstall and register the Agent with the console in the future. It is possible to manually reset this association by logging onto the console and selecting the option to `Reset Drawbridge Agent` as shown below.

[![resetAgent.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/resetagent.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/resetagent.png)

## Troubleshooting

#### Device Registration Failed - Unable to auto-register - partial match found

[![Screenshot.png](https://books.compassfoundation.io/uploads/images/gallery/2023-01/scaled-1680-/screenshot.png)](https://books.compassfoundation.io/uploads/images/gallery/2023-01/screenshot.png)

In this case the local device on the console did not have the `clb.local` suffix, so the Agent could not find a complete match. Upon further investigation, the local device record also had two interfaces defined, one with a MAC and IP, the other with only a MAC. Removing the interface with only the MAC address and reinitializing the registration process fixed the problem. In summary, an attempt will be made to match host names that only partially match local device names, but a different, definitive match will need to be found.

#### Check Agent logs for more details

The Agent records a log file in the `C:\Program Files (x86)\Compass Foundation\DrawBridge Agent\` folder. The file name is `Drawbridge Agent.log`.
#### The DrawBridge Agent reports that device Registration failed

An important note:

* Randomized MAC addresses are not supported for the auto-creation of Local Device records in the DrawBridge. If you have an endpoint that is using a randomized MAC address, either turn off Randomized addresses, OR, if it's a Virtual Machine, for example, and that's not an option, manually create the Local Device record in the DrawBridge console and Make Sure the Hostname field matches the actual Device hostname exactly. Then, when the DrawBridge Agent does the "tap" authentication operation, it will match up with the Local Device record based on the hostname.

**Resolution:** Search the Local Device list Interface column for the IP address of the device that's failing to register. Take note of the `Auto-Hostname` field and compare it to the actual Device hostname. These two must match for the registration to be successful.

#### The DrawBridge Agent local device Registration fails after domain-joining the device

If the DrawBridge Agent is deployed on a Local Device that is then joined to an AD domain at some future point, the Canonical ID for that Local Device record will then be in conflict because of the ID pulled from the Active Directory database.

**Resolution:** Delete the existing Local Device record; the correct Local Device record should be automatically generated at the next sync.

## Miscellaneous Tech Notes regarding AD Sync:

* AD Sync happens automatically 4 times a day, and can also be manually triggered.
* Both plain-text sync and encrypted sync are available. Encryption is strongly recommended: use port 636 to default to LDAPS.

## Usage Example

* Tommy is a user in an AD database. He's assigned to the Warehouse AD Directory Group.
* The Drawbridge has synced over both Tommy the person as well as the Warehouse AD Directory Group, AND Tommy's membership in the Warehouse AD Directory Group.
* An Access Policy assigned to the Warehouse Device Group (of which the Warehouse AD Directory Group is a Proxy Users Group member) only allows access to Shipping and related business categories.
* Then Tommy gets promoted as a manager to the Strategic Warehouse Development & Improvements Team. The network admin adds Tommy to the Managers AD Directory Group.
* The DrawBridge also knows about the Managers AD Directory Group, and a policy already configured for that group allows access to additional categories for research purposes.
* When the network admin adds Tommy to the Managers AD Directory Group, the DrawBridge synchronizes that information over, and Tommy automatically gets the increased content filter access without anyone needing to touch filter settings in the DrawBridge.

# Content Filter

# Overview and Essentials

As of November 2023, the Network Access module has been renamed to Content Filter.

Create and manage rulesets to control the web content access of Local and Remote Devices.

## Important Notes:

#### 1. About changing default Category Allow/Block settings

The DrawBridge comes with a preset Action for each included Category. When you assign an Action (Allow/Block) to a Category, **you're simply applying a change that gets higher priority than the default setting.** This means:

1. You don't need to re-specify your Action preference for every built-in Category -- you only need to include in your Access Policy the Categories to which you wish to assign an action different from the default.

   **For example:** built-in Category **Sports** is set to a default action of **Block**.
   * If **Block** is the action you prefer, you *do not* need to add it to an Access Policy (e.g. Company Preferences) with an action of **Block** -- the default setting is already doing this.
   * If **Allow** is the action you prefer, then you *do* need to add it to an Access Policy (e.g. Company Preferences) with an action of **Allow** to override the default action.
2. In the event a custom Access Policy is removed, the filter will revert to the default Action for that Category.

#### 2. Default Category settings are Business-focused

The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you will want to set more categories to **Allow** in your *Company Preferences* Access Policy, or in a custom Access Policy.

## Categories, Category Types, and Actions

Categories contain **Patterns**:

**Pattern**: a text string representing a domain or [regular expression](https://www.regular-expressions.info).
Categories can be one of two types:

* Classifier category
* ACL (Access Control List) category

Actions that can be assigned to a category, by type:

* Classifier category:
  * Allow
  * Block
  * Ignore
* ACL category:
  * Whitelist (allow in spite of Classifier score, above)
  * Blacklist (block in spite of Classifier score, above)
  * Blanketblock (block all requests Not matching these patterns)

## Understanding Classifier categories

Classifier category patterns consist primarily of word and phrase lists (and also domains). The Redwood filter engine evaluates HTTP/S requests and responses and totals up a score for all categories with matching patterns. Then Redwood applies the action (Allow/Block) assigned to the top-scoring category.

Built-in Category patterns are managed by Compass Foundation. If you have improvements you wish to have considered for inclusion in the Built-in Categories, please send a detailed email to support@compassfoundation.io.

## Understanding ACL actions & categories

### Background

The Redwood filter engine analyzes all the components of a [URL](https://en.wikipedia.org/wiki/URL), including:

* Scheme
* Top-level Domain (TLD), Domain, and Subdomains
* Path
* Query String

[![url-breakdown-diagram--url.png](https://books.compassfoundation.io/uploads/images/gallery/2022-10/scaled-1680-/url-breakdown-diagram-url.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-10/url-breakdown-diagram-url.png)

Also, Redwood analyzes additional parameters of the HTTP request:

* Method
* Content Type
* User Agent
* Referrer
* and more

Illustrated:

[![url-breakdown-diagram--additional-parameters.png](https://books.compassfoundation.io/uploads/images/gallery/2022-10/scaled-1680-/url-breakdown-diagram-additional-parameters.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-10/url-breakdown-diagram-additional-parameters.png)

In general, an ACL leverages one or more of these parameters to "tag" a specific action to a request, despite the
Category score assigned to the request by the Classifier. (In other words, this prevents an "arms-race" situation wherein competing actions are assigned by various Classifier categories; an ACL action will always take effect when the parameters match, no matter what the Classifier score and associated Category Action is.)

Note: for an ACL action to fire, the request must meet the minimum threshold score of 200 points. At that point, the action assigned by the ACL to the request is "authoritative", again, no matter the Classifier score.

##### Redwood ACL Actions

Action | About
--- | ---
`allow` | permit the request
`block` | deny the request
`ignore` | do not factor in the score assigned by this category
`censor_words` | strip out profanity
`disable_proxy_headers` | strip out the X-FORWARDED-FOR header
`hash_image` | generate a mathematical hash of this picture
`phrase_scan` | evaluate content for matching word phrases
`require_auth` | force HTTP 407 proxy authentication response/challenge
`sslbump` | intercept the SSL/TLS encrypted session
`sslbypass` | do Not intercept the SSL/TLS encrypted session
`virus_scan` | hand off response to external analysis engine

For example, ACLs managed behind the scenes of the DrawBridge instruct Redwood to fire the SSL/TLS-inspection action on all requests (or not, in the case of SSLbypass/"Bypass Filter").

### ACL Categories in the Console

Categories of the type ACL enable you to leverage the "authoritative" nature of ACLs in your filter configuration. In general, it is recommended to configure the desired content filter behavior by assigning Allow or Block to the built-in Classifier categories -- leveraging the "intelligence" built into these categories is a much less maintenance-intensive route to content control. However, perhaps you want to Always assign a specific action (e.g. Block) to a specific website.
ACL categories are your friend in such a case: by adding a domain to an ACL category with a Block action assigned, the website will always block, even if the action assigned to the Classifier category is Allow.

The preset Always Allow and Always Block options in the Access Policy Dashboard put the domains in an ACL category that has the corresponding action assigned to it. These apply Company-wide.

Note: the default score assigned to all ACL category patterns is "1500". Adjusting this number will have **no impact** on the outcome of the action taken for that pattern, so long as the number is over the minimum score threshold of 200 -- the key detail here is that the pattern is part of an ACL category, so the action assigned to the ACL category is what will happen.

### Advanced ACLs in the Console

Advanced ACLs simply expose many more "knobs" to apply a specific action with more granularity. Perhaps, for example, you want to only sslbypass a specific website for a specific Device Group. Advanced ACLs give you the toolset to configure that.

## Filter Actions FAQ

* **Q:** What happens if I put a domain in both Always Allow and Always Block? Or what if I put a domain in two different ACL categories with competing actions assigned?
* **A:** Don't do that. :) In such a case, the outcome will be arbitrary. Decide what action you really want to have happen and adjust the policy accordingly.

--------------

# What is an Access Policy?

An Access Policy is the grouping of Devices, Actions, Times (and, optionally, Applications) to create a customized DrawBridge content filter configuration.
This diagram illustrates:

[![accesspolicy.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/accesspolicy-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/accesspolicy-drawio.png)

The Drawbridge supports the "stacking" or "layering" of Access Policies, enabling you to tailor the content filter experience for your users.

## Access Policies by Type/Scope

Tenancy Type | Ruleset Scope
--- | ---
Company Access Policy | one Company
Access Policy Group | one Accountability Policy; available to apply to member Companies
Universal Access Policy Group | globally available to all DrawBridges
System Access Policy | a specific DrawBridge; applies to all tenant Companies on that system

# What is a Rating?

The DrawBridge classifies text into categories. But what is the tone of these categories? And what values do they represent? A Rating system should help answer that question, as well as offer visual clues for the report reader. But what kind of rating system?

Unlike other filter projects, the DrawBridge does not rate content by who it's appropriate for - as in Everyone / Teens / Adults - but somewhat more like *where* it is appropriate. The rating names are drawn from the concept of particulate filtering - how fine or coarse is the filter mesh that would permit the content to traverse it. A key assumption here is that the Internet is most frequently being used in a workplace environment, facilitating the everyday tasks of research, transactions, and commerce.

Usage reports are colorized according to the Category Ratings of the content that was accessed.

### Misc Rating

The Misc Rating is used when no category of interest could be found. Perhaps the request incident was not text-based, or perhaps a category needs to be extended or created for this type of situation.

### Base Rating

The Base Rating is the most general grade, including categories like Search Engines or Technology Services.
Any more specific category and rating would be preferred. For example, it's great to know that a body of text is about Search Engines, but it's better to know what is being searched for.

### Silt Rating

The Silt Rating is expected usage in the workplace environment. While not every workplace will commonly access every category in the Silt Rating, any given user in the business environment will periodically need most categories found here. It is recommended that all categories in the Silt Rating be "allowed" in the workplace, although policies can be created to limit access to given devices.

### Sand Rating

The Sand Rating will still be frequently used in the workplace environment, although the industry type will very much determine how much categories in the Sand Rating are accessed. Categories in the Sand Rating can be "allowed" or "blocked" per the business owner's preferences or the preferences established by the Accountability Policy.

### Pebble Rating

The Pebble Rating contains categories that generally fall outside the workplace, while remaining universally pertinent to other areas of life, such as Medical, News, Clothing, etc. Categories in the Pebble Rating can be "allowed" or "blocked" per the business owner's preferences or the preferences established by the Accountability Policy.

### Stone Rating

The Stone Rating contains categories that are increasingly beyond the scope of any type of workplace, reaching more into popular culture and society at large. Categories in the Stone Rating will typically be blocked by most business owners and school administrators.

### Rock Rating

The Rock Rating contains categories that tend to represent the rougher edges of popular culture and general society. Categories in the Rock Rating will typically be blocked by all business owners and school administrators.

### Boulder Rating

The Boulder Rating contains categories that represent the "redlight" district of the Internet.
These categories cannot be enabled in the Redwood Console even by administrators. Categories in the Boulder Rating are always blocked, and cannot be allowed in the DrawBridge.

# Actions for Classifier categories

Action | When this category is the top-scoring one on a web request:
--- | ---
`allow` | web request content loads as expected
`block` | web request is served a block page instead of the original destination webpage
`ignore` | web request action is referred to the next-to-top scoring category

##### When to use the `ignore` Action

In most situations, the category action should be `allow` or `block`, but in some situations the next-to-top scoring category is more meaningful. For example, an automotive shop may perform work that overlaps with the Racing category. If Racing is set to `block`, the shop's activities will be hampered. If Racing is set to `allow`, then access may be wider than desired. Solution: set Racing to `ignore`. If the next-to-top-scoring category is Automotive, the page will be allowed, and if it's Sports, the page will be blocked as Sports.

##### Filter processing flowchart: Category Filtering

[![Defaultfilter.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/defaultfilter-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/defaultfilter-drawio.png)

# Actions for ACL categories

Action | About
--- | ---
`whitelist` | A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. ***Use with caution!***
`blacklist` | A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Block, in spite of the content scores.
`blanketblock` | A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply *regular category-based filtering* **and** block access to all other sites **not specified** in the blanketblock category (or a linked category)

See below for more information:

### Whitelist

A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. ***Use with caution!***

##### Filter processing flowchart:

[![Whitelistfilter.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/whitelistfilter-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/whitelistfilter-drawio.png)

### Blacklist

A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Block, in spite of the content scores.

##### Filter processing flowchart:

[![Blacklistlistfilter.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/blacklistlistfilter.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/blacklistlistfilter.png)

### Blanketblock

A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply *regular category-based filtering* **and** block access to all other sites **not specified** in the blanketblock category (or a linked category)

##### Filter processing flowchart:

[![Blanketblock2.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/blanketblock2-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/blanketblock2-drawio.png)

# Web Page Access

Access Policies are grouped by Tenancy type:

* **Company**
* **Policy Group**
* **Universal**
* **Appliance/System**

See **Essential Concepts: Record Model - Tenancy and Hierarchy** for more information.

Click the type of Access Policy for a list view of that type.
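To make the Content Filter decision rules from the preceding sections concrete (the top-scoring Classifier category decides, `ignore` defers to the next-to-top category, an Access Policy entry overrides the built-in default only for the categories it lists, and a whitelist/blacklist/blanketblock ACL is authoritative once its pattern clears the 200-point threshold), here is an added Python model. It is not DrawBridge or Redwood code; the hostnames and category names are constructed, and it assumes that whitelist/blacklist ACLs are evaluated before blanketblock and that a request with no scoring category at all is allowed, neither of which the documentation states.

```python
"""Toy model of the DrawBridge/Redwood filter decision rules documented above.

Added illustration only, not DrawBridge or Redwood code. It models:
  * Classifier categories: the top-scoring category's action decides,
    and `ignore` defers to the next-to-top category.
  * Access Policy actions override the built-in default action only for
    the categories the policy lists; everything else keeps its default.
  * ACL categories (whitelist / blacklist / blanketblock) are authoritative
    once a matching pattern scores at least ACL_THRESHOLD points.
Assumptions not stated on the page: whitelist/blacklist are checked before
blanketblock, and a request that scores in no category at all is allowed.
"""
from dataclasses import dataclass

ACL_THRESHOLD = 200        # minimum score for an ACL action to fire (from the docs)
ACL_DEFAULT_SCORE = 1500   # default score on ACL category patterns (from the docs)


@dataclass
class AclCategory:
    name: str
    action: str            # "whitelist", "blacklist" or "blanketblock"
    domains: frozenset     # domain patterns; a subdomain of a listed domain matches too
    score: int = ACL_DEFAULT_SCORE

    def matches(self, host: str) -> bool:
        """A pattern fires only if the host matches AND the score clears the threshold."""
        if self.score < ACL_THRESHOLD:
            return False
        return any(host == d or host.endswith("." + d) for d in self.domains)


def effective_action(category, policy_actions, default_actions):
    """An Access Policy entry takes priority over the built-in default action.

    A category unknown to both is treated as blocked (constructed fallback).
    """
    return policy_actions.get(category, default_actions.get(category, "block"))


def classifier_decision(scores, policy_actions, default_actions):
    """Walk categories from highest to lowest score, skipping `ignore`."""
    for category, _ in sorted(scores.items(), key=lambda kv: kv[1], reverse=True):
        action = effective_action(category, policy_actions, default_actions)
        if action != "ignore":
            return action, category
    return "allow", None   # assumption: no category of interest -> allow


def decide(host, scores, policy_actions, default_actions, acls):
    """Return (decision, reason) for one page request.

    host            -- request hostname
    scores          -- {classifier category: points} for this page load
    policy_actions  -- {category: action} set by the Access Policy
    default_actions -- {category: action} built-in defaults
    acls            -- list of AclCategory in effect for the device
    """
    fired = [a for a in acls if a.matches(host)]
    explicit = {a.action for a in fired if a.action in ("whitelist", "blacklist")}
    if len(explicit) > 1:
        # The docs call this outcome arbitrary; surface it rather than guess.
        return "conflict", "competing whitelist/blacklist ACLs"
    if "whitelist" in explicit:
        return "allow", "whitelist ACL"
    if "blacklist" in explicit:
        return "block", "blacklist ACL"
    # blanketblock: sites it lists get regular category filtering, all others are blocked
    blankets = [a for a in acls if a.action == "blanketblock"]
    if blankets and not any(a in fired for a in blankets):
        return "block", "not listed in blanketblock"
    return classifier_decision(scores, policy_actions, default_actions)


if __name__ == "__main__":
    # Constructed walk-through of the automotive-shop example from the docs.
    defaults = {"Racing": "block", "Automotive": "allow", "Sports": "block"}
    policy = {"Racing": "ignore"}
    for page_scores in ({"Racing": 500, "Automotive": 300}, {"Racing": 500, "Sports": 300}):
        print(page_scores, "->", decide("shop.example.test", page_scores, policy, defaults, []))
```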
In the list view, view a specific Access Policy by clicking on the Name of the policy. This will display the Record view for its type, detailed below.

## Company Access Policy record

Attribute | About
--- | ---
**Company** | the associated Company
**Policy** | the associated Accountability Policy (If there is none, this field will not appear)
**Status** | this record is Active or Inactive
**Canonical ID** | the global unique identifier for this Access Policy; used for synchronization
**Company Policy Dashboard [link]** | jump to the Access Policy Dashboard of the associated Company (above)
**Type** | the tenancy type of the Access Policy
**Hits Today** | a counter of how many times web traffic has triggered this policy today on this DrawBridge
**Device Group** | the associated Device Group: who the Access Policy is applied to
**Action Group** | the associated Action Group: what the Access Policy is enforcing
**Time Group** | the associated Time Group: when the Access Policy is effective. ***Optional***: if no Time Group is configured, the Access Policy applies all the time.
**Application Group** | the associated Application Group: which application traffic the Access Policy acts upon. ***Optional***: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

**Record menu header buttons:** Action items in the upper right corner of the Access Policy record page:

* **Create Access Policy** with the **+** button
* **Update Company Access Policy** with the pencil Edit button -- make changes to this access policy.
* **Delete Company Access Policy** with the trashcan Delete button -- delete this access policy
* **"Hamburger Menu"**
  * **Record Activity Stream:** view the changelog for this Access Policy record
* **Bookmark** the page with the ribbon Bookmark icon
* **Trigger Sync actions** with items in the chain-link sync icon menu

#### Informational Tabs

* **Devices:** List view of the member devices in the associated Device Group
* **Categories:** List view of the Categories contained in the associated Action Group.
  * Add an additional Category to the Action Group with the `Add Category Action Pair` button, or add multiple Categories at once with the `Bulk Assign Categories` button.
  * Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil `Update Record` button on the specific Category line desired.
  * Remove a Category from the Action Group with the trashcan `Delete` button. **Note:** removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
* **Times:** List view of the Time Range(s) from the associated Time Group when this Policy is effective. ***Note:*** this tab only displays if a Time Group is assigned to the Policy.
  * Add a Time Range with the `Add Time Range` button.
  * Edit a Time Range with the pencil `Update Record` button on the time range line in focus
  * Delete a Time Range with the trashcan `Delete Record` button on the time range line in focus
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
* **ACL Actions:** Special access control list actions that are assigned to this access policy.
  * Add an ACL action with the `Add ACL Action` button
  * Edit an ACL Action with the pencil `Update Record` button on the ACL Action line in focus
  * Delete an ACL action with the trashcan `Delete Record` button on the ACL Action line in focus
* **Permissions:** The permission level required to edit the patterns or the category association actions, and the ability to enter or exit the policy.
  * See Permissions and Relationships in Essential Concepts for more information.

## Access Policy Group record

Attribute | About
--- | ---
**Policy** | the associated Accountability Policy (If there is none, this field will not appear)
**Status** | this record is Active or Inactive
**Canonical ID** | the global unique identifier for this Access Policy; used for synchronization
**Type** | the tenancy type of the Access Policy
**Hits Today** | a counter of how many times web traffic has triggered this policy on this DrawBridge
**Device Group** | the associated Device Group: who the Access Policy is applied to
**Action Group** | the associated Action Group: what the Access Policy is enforcing
**Time Group** | the associated Time Group: when the Access Policy is effective. ***Optional***: if no Time Group is configured, the Access Policy applies all the time.
**Application Group** | the associated Application Group: which application traffic the Access Policy acts upon. ***Optional***: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

**Record menu header buttons:**

* **Create Access Policy** with the **+** button
* **Update Access Policy Group** with the pencil Edit button -- make changes to this access policy.
* **Delete Access Policy Group** with the trashcan Delete button -- delete this access policy
* **"Hamburger Menu"**
    * **Add Device Group:** assign an additional Device Group to this Access Policy Group
    * **Record Activity Stream:** view the changelog for this Access Policy record
* **Bookmark** the page with the ribbon Bookmark icon
* **Trigger Sync actions** with items in the chain-link sync icon menu

#### Informational Tabs

* **Device Groups:** List view of the member device groups in the associated Device Group collection.
* **Categories:** List view of the Categories contained in the associated Action Group.
    * Add an additional Category to the Action Group with the `Add Category Action Pair` button, or add multiple Categories at once with the `Bulk Assign Categories` button.
    * Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil `Update Record` button on the specific Category line desired.
    * Remove a Category from the Action Group with the trashcan `Delete` button. **Note:** removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
    * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
* **Times:** List view of the Time Range(s) from the associated Time Group when this Policy is effective. ***Note:*** this tab only displays if a Time Group is assigned to the Policy.
    * Add a Time Range with the `Add Time Range` button.
    * Edit a Time Range with the pencil `Update Record` button on the time range line in focus
    * Delete a Time Range with the trashcan `Delete Record` button on the time range line in focus
    * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
* **ACL Actions:** Special access control list actions that are assigned to this access policy.
    * Add an ACL action with the `Add ACL Action` button
    * Edit an ACL Action with the pencil `Update Record` button on the ACL Action line in focus
    * Delete an ACL action with the trashcan `Delete Record` button on the ACL Action line in focus
* **Permissions:** The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
    * See the Permissions and Relationships in Essential Concepts for more information.

## Universal Access Policy Group record

Attribute | About
--- | ---
**Status** | this record is Active or Inactive
**Tenancy** | displays tenancy; this record is Universal
**Canonical ID** | the global unique identifier for this Access Policy; used for synchronization
**Type** | the tenancy type of the Access Policy
**Hits Today** | a counter of how many times web traffic has triggered this policy on this DrawBridge
**Device Group** | the associated Device Group: who the Access Policy is applied to
**Action Group** | the associated Action Group: what the Access Policy is enforcing
**Time Group** | the associated Time Group: when the Access Policy is effective. ***Optional***: if no Time Group is configured, the Access Policy applies all the time.
**Application Group** | the associated Application Group: which application traffic the Access Policy acts upon. ***Optional***: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.
**Record menu header buttons:**

* **Create Access Policy** with the **+** button
* **Update Universal Access Policy** with the pencil Edit button -- make changes to this access policy.
* **Delete Universal Access Policy** with the trashcan Delete button -- delete this access policy
* **"Hamburger Menu"**
    * **Add Device Group:** assign an additional Device Group to this Access Policy Group
    * **Record Activity Stream:** view the changelog for this Access Policy record
* **Bookmark** the page with the ribbon Bookmark icon
* **Trigger Sync actions** with items in the chain-link sync icon menu

#### Informational Tabs

* **Device Groups:** List view of the member device groups in the associated Device Group collection.
* **Categories:** List view of the Categories contained in the associated Action Group.
    * Add an additional Category to the Action Group with the `Add Category Action Pair` button, or add multiple Categories at once with the `Bulk Assign Categories` button.
    * Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil `Update Record` button on the specific Category line desired.
    * Remove a Category from the Action Group with the trashcan `Delete` button. **Note:** removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
    * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
* **Apps:** List view of the apps in the associated Application Group. ***Note:*** this tab only displays if an Application Group is assigned to the Policy.
    * Add an Application with the `Add Application` button.
    * Edit an Application with the pencil `Update Record` button on the application line in focus
    * Delete an Application with the trashcan `Delete Record` button on the application line in focus
    * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Application to the Application Group, as well as the specified Applications.
* **Times:** List view of the Time Range(s) from the associated Time Group when this Policy is effective. ***Note:*** this tab only displays if a Time Group is assigned to the Policy.
    * Add a Time Range with the `Add Time Range` button.
    * Edit a Time Range with the pencil `Update Record` button on the time range line in focus
    * Delete a Time Range with the trashcan `Delete Record` button on the time range line in focus
    * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
* **ACL Actions:** Special access control list actions that are assigned to this access policy.
    * Add an ACL action with the `Add ACL Action` button
    * Edit an ACL Action with the pencil `Update Record` button on the ACL Action line in focus
    * Delete an ACL action with the trashcan `Delete Record` button on the ACL Action line in focus
* **Permissions:** The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
    * See the Permissions and Relationships in Essential Concepts for more information.
## System Access Policy record

Attribute | About
--- | ---
**Company** | the associated Company; this will be the Main Company on the DrawBridge
**Status** | this record is Active or Inactive
**Tenancy** | displays tenancy; this record is Universal
**Canonical ID** | the global unique identifier for this Access Policy; used for synchronization
**Type** | the tenancy type of the Access Policy
**Hits Today** | a counter of how many times web traffic has triggered this policy on this DrawBridge
**Device Group** | the associated Device Group: who the Access Policy is applied to
**Action Group** | the associated Action Group: what the Access Policy is enforcing
**Time Group** | the associated Time Group: when the Access Policy is effective. ***Optional***: if no Time Group is configured, the Access Policy applies all the time.
**Application Group** | the associated Application Group: which application traffic the Access Policy acts upon. ***Optional***: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

**Record menu header buttons:**

* **Create Access Policy** with the **+** button
* **Update System Access Policy** with the pencil Edit button -- make changes to this access policy.
* **Delete System Access Policy** with the trashcan Delete button -- delete this access policy
* **"Hamburger Menu"**
    * **Add Device Group:** assign an additional Device Group to this Access Policy Group
    * **Record Activity Stream:** view the changelog for this Access Policy record
* **Bookmark** the page with the ribbon Bookmark icon
* **Trigger Sync actions** with items in the chain-link sync icon menu

#### Informational Tabs

* **Device Groups:** List view of the member device groups in the associated Device Group collection.
* **Categories:** List view of the Categories contained in the associated Action Group.
    * Add an additional Category to the Action Group with the `Add Category Action Pair` button, or add multiple Categories at once with the `Bulk Assign Categories` button.
    * Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil `Update Record` button on the specific Category line desired.
    * Remove a Category from the Action Group with the trashcan `Delete` button. **Note:** removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
    * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
* **Apps:** List view of the apps in the associated Application Group. ***Note:*** this tab only displays if an Application Group is assigned to the Policy.
    * Add an Application with the `Add Application` button.
    * Edit an Application with the pencil `Update Record` button on the application line in focus
    * Delete an Application with the trashcan `Delete Record` button on the application line in focus
    * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Application to the Application Group, as well as the specified Applications.
* **Times:** List view of the Time Range(s) from the associated Time Group when this Policy is effective. ***Note:*** this tab only displays if a Time Group is assigned to the Policy.
    * Add a Time Range with the `Add Time Range` button.
    * Edit a Time Range with the pencil `Update Record` button on the time range line in focus
    * Delete a Time Range with the trashcan `Delete Record` button on the time range line in focus
    * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
* **ACL Actions:** Special access control list actions that are assigned to this access policy.
    * Add an ACL action with the `Add ACL Action` button
    * Edit an ACL Action with the pencil `Update Record` button on the ACL Action line in focus
    * Delete an ACL action with the trashcan `Delete Record` button on the ACL Action line in focus
* **Permissions:** The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
    * See the Permissions and Relationships in Essential Concepts for more information.

# App Stores

# Allow access to platform App stores

Access to operating system app stores is blocked by default because they cannot be internally content-filtered.

Quick-access wizards to add Device Groups to preconfigured App Store Access Policy Groups, by platform:

* **Apple** (iPhoneOS/iPadOS/MacOS)
* **Google Play** (Vision phones, Android up to and including version 6, ChromeOS, Chrome Browser Extensions)
* **Windows** (Windows 8 and higher)

Click the platform you wish to open. A wizard will open, prompting you for the following information:

Parameter | About
--- | ---
**Device Group** | select an existing Device Group for which you wish to open the Store
**Required** | select whether this configuration requires Accountability permissions to change
**Time length** | select the timeframe you wish this to apply

## Note about Android 7 and newer/ChromeOS Play Store access

Android 7 and newer devices, as well as ChromeOS devices, may require bypassed access to all of `google.com` for the Play Store to work properly.
Obviously, this suspends content filtering for all of Google. For this reason, there is a separate Access Policy Group to use: `Android 7 and up AppStore` -- add the device group (for example `alldevices`) to this Policy to enable the Play Store for these devices.

# Close access to the Store

If you wish to **Close** the store access opened here, visit your Company Access Policy Dashboard and click the Actions menu on the relevant Access Policy line. Then click Details and `Delete`. Select `Delete Everywhere` to ensure it is turned off across your entire account (particularly if your account spans multiple DrawBridge systems).

# Important Notes

* As noted above, the Google Play Store needs to be opened to access the **Chrome Extensions** store on the **Chrome Desktop browser** (on all platforms).
* Because of backend services overlap, **YouTube may begin working if the Google Play Store is enabled**, even if the YouTube category is set to Block.

# Media Room

The Media Room enables the classification of videos hosted on public video hosting websites, such as YouTube.

For the Media Room to work, the YouTube and Vimeo category must be left at its default blocked setting on the access policy dashboard.

* Manually setting the YouTube category to block will block the Media Room, and setting the YouTube category to allow will bypass the Media Room.

# Videos

The Videos module displays a list view of all the videos the DrawBridge has classified. Click the title of a video in the list to view the video classification record.

### Video record view

A video classification record has the following parameters:

Parameter | About
--- | ---
**Title** | The title of the video
**ID** | The unique hash identifier provided by the video platform (if available)
**Duration** | The length of the video
**Service** | The platform that is hosting the video
**Size** | The resolution of the video, expressed in a pixel ratio
**Channel** | The DrawBridge-classified Channel associated with the video, if any (see Channels, below)
**Category** | The top-scoring Category for this video, determined by the DrawBridge content classifier
**Rating** | The DrawBridge Classifier rating of the video, based on the top-scoring Category

**Record header buttons:**

* **Create** a new video classification record with the blue **+** Create Video button
* **Edit** this video classification record with the green pencil Update Video button
* **Delete** this video classification record with the red trashcan Delete Video button
* Hamburger menu:
    * **Get Category review**: jumps to a support ticket form to request classification by a human
    * **Video Views by User**: jump to **Reports: Media Views** module
    * **References to this video**: jump to **Content Filter: Media Room: Pages Linking to Media**
* **Bookmark** this record with the ribbon bookmark button
* Sync Menu (chain-link icon)
    * **Mark to Resync**: flag this record in the background to be included in the next sync run

##### Video Permissions

Jump to the Permissions record that applies to this video (see Permissions section, below). Displays list views of people records with membership in the Media Admin and Media Viewer permission groups.
#### Informational tabs

##### Details

The Details panel contains:

* If the origin platform is supported: a thumbnail of the video will be displayed with a `Play` button below it (if the video passed the classifier configuration to be allowed to play)
* The Description of the video, fetched from the platform hosting this video
* The Genre(s) of the video, determined by the DrawBridge classifier
* The Tags associated with the video, fetched from the platform hosting this video

##### Classification

A list view of any Category Classifications for this video

### Classify a new video

1. Click the **+** button (Tooltip: `Create Classified Media`) in the upper right corner of the list view (or use the same **+** button on a video record page)
2. Enter the direct URL of the video you wish to classify. Note that it must be a direct link, not a URL-shortened link. For YouTube, the link should start as follows: `https://www.youtube.com/watch?v=` + the unique hash of the video in question.

# Channels

Displays a list view of media channels that should be automatically polled and classified.
Click the title of a channel to view the Channel record page.

### Channel Record view

A channel record has the following parameters:

Parameter | About
--- | ---
**Source** | URL of the channel
**Title** | Title of the channel
**Last Updated** | Timestamp of the last check of the channel for new videos
**Category** | Classifier category assigned to the channel by a Media Room administrator
**Rating** | Classifier rating, based on the assigned Category, above

**Record header buttons:**

* **Add** a new channel to be classified with the blue **+** Create Channel button
* **Edit** this channel record with the green pencil Update Channel button
* **Delete** this channel record with the red trashcan Delete Channel button
* Hamburger menu:
    * **Get Category review**: jumps to a support ticket form to request classification by a human
    * **Channel Videos**: jump to list view of the videos contained in this channel
    * **Channel Permissions**: jump to a list view of the Permission Groups (with associated Company info) that may view/modify this Channel (see Permissions section, below)
* **Bookmark** this record with the ribbon bookmark button
* Sync Menu (chain-link icon)
    * **Sync Mode** (default is `2 Way - Push / Pull from Server`); click record sync information
    * **Push to Sync Publisher**: initiate a record update push from this DrawBridge to the Sync Server
    * **Pull from Sync Publisher**: initiate a record update pull to this DrawBridge from the Sync Server
    * **Mark to Resync**: flag this record in the background to be included in the next sync run

#### Channel Videos

Jump to a list view of all the videos in this channel that have been classified by the DrawBridge. Clicking an individual record will display a Video Record view, as described above.

#### Channel Permissions

Jump to the Company Channels permissions group list, which displays any Permission Group + associated Company information assigned to this channel. See Permissions, below.
#### Informational tabs

##### Details

The Details panel contains:

* The Description of this channel, fetched from the platform hosting this channel
* The Tags associated with this channel, fetched from the platform hosting this channel

##### Classification

A list view of any Category Classifications for this video

# Permissions

### Video Permissions

Set the Permission Group in which Users must be members to view a specific video. (If a video is in a Channel, the Video Permission Group overrides the Channel Permission Group.)

Displays a list view of Media records and the corresponding Permission Group assigned by the associated Company. Click a Media record link in this view to view a Video Permission record.

### Record View

A Video permission record view contains the following parameters:

Parameter | About
--- | ---
**Media** | The title of the video to which this Video Permission record applies
**Company** | The Company associated with this Video Permission record
**Permission Group** | The associated, Company-assigned, minimum Permission Group required to view this video

**Video Permission Record header buttons:**

* **Add** a new Video Permission Record with the blue **+** Create Video Permission button
* **Edit** this Video Permission Record with the green pencil Update Video Permission button
* **Delete** this Video Permission Record with the red trashcan Delete Video Permission button
* **Bookmark** this record with the ribbon bookmark button
* Sync Menu (chain-link icon)
    * **Create on Sync Publisher**: push this record to the Sync server (only visible for newly-created records)
    * **Mark to Resync**: flag this record in the background to be included in the next sync run

#### Informational Tabs

##### Viewers

List views of Person records which are members in the following Permission Groups:

* Company Media Room Admin Group
* Media Viewer Group

### Channel Permissions

Set the Permission Group in which Users must be members to view all videos in a specific
Channel.

### Record View

A Channel permission record view contains the following parameters:

Parameter | About
--- | ---
**Channel** | The title of the Channel to which this Channel Permission record applies
**Company** | The Company associated with this Channel Permission record
**Permission Group** | The associated, Company-assigned, minimum Permission Group required to view videos in this channel

**Channel Permission Record header buttons:**

* **Add** a new Channel Permission Record with the blue **+** Create Channel Permission button
* **Edit** this Channel Permission Record with the green pencil Update Channel Permission button
* **Delete** this Channel Permission Record with the red trashcan Delete Channel Permission button
* **Bookmark** this record with the ribbon bookmark button
* Sync Menu (chain-link icon)
    * **Create on Sync Publisher**: push this record to the Sync server (only visible for newly-created records)
    * **Mark to Resync**: flag this record in the background to be included in the next sync run

#### Informational Tabs

##### Viewers

List views of Person records which are members in the following Permission Groups:

* Company Media Room Admin Group
* Media Viewer Group

# FAQs

**Q:** Why does the title of a video just display `_`?

**A:** The title of the video was not able to be acquired. The video may have been embedded as part of another webpage.

# Categories

Categories are grouped by type and origin:

* Builtin Categories
* Console Categories
* ACL Categories
* Parent Categories

Click one of the Category Types displayed in the DrawBridge, and refer to the relevant section below for further information.

# Builtin Categories

Classifier categories provided by the Redwood project. Classifier categories contain both URL and phrase patterns, operating on both HTTP Request and Response. The patterns in Builtin Categories are managed by Compass and are not visible in the DrawBridge.

A list view is provided of all the included Categories. Click an individual Category for more information.

## Record View

A Built-in Category contains the following parameters:

Parameter | About
--- | ---
**Parent** | The parent Category of this record; see Parent Categories, below
**Rating** | The Classifier Rating assigned to this Category. See **Content Filter: Overview and Essentials**
**Description** | Display Name of the category
**Status** | This record is `Active` or `Inactive`
**Tenancy** | Visibility in the DrawBridge ecosystem. See **Essential Concepts: Record Model - Tenancy and Hierarchy**
**Canonical ID** | The globally-unique identifier for this record
**Synchronized** | Indicates if this record is handled by Synchronization: `Yes` / `No`
**Type** | Displays the type of this record: `Builtin` / `Console` / `ACL` / `Parent`
**System-wide Action** | The default action assigned to this Category on this DrawBridge
**Block Invisibly** | Sets whether a Block page is returned (or not) when this Category is set to Block

**Record header buttons:**

# Console Categories

Locally managed Classifier categories created on the DrawBridge. Classifier categories contain both URL and phrase patterns, operating on both HTTP Request and Response.

# ACL Categories

Locally managed ACL categories. ACL Categories only contain rules that match URLs, and therefore operate only on HTTP Requests.

# Parent Categories

Parent Category list, grouping categories into genres. The only purpose of Parent Categories is to make it easier for people to navigate the category lists.
# Filter Configuration

Configure various advanced components of the DrawBridge, including technical settings for the Redwood filter engine.

# ACLs and Auth

Advanced ACL, Authentication, and Page Content Modification settings

## Advanced ACLs

Advanced ACLs act on the network request (not the response). A list view is shown by default. Click the name of an ACL to view the individual ACL record.

### ACL Record View

An ACL record contains the following parameters:

Parameter | Setting | About
--- | --- | ---
**Level** | `Foundation`, `Standard`, `Override` | Defines the priority ruleset group of this rule
**Status** | `Active` or `Inactive` | This record is available/functional
**Synchronized** | `Yes` or `No` | This record is globally-available (`Yes`) or local-only (`No`).

List views are shown for associated:

* Advanced ACL Patterns -- what triggers this ACL; rules to match traffic. Add a pattern with the `Add` button at the top of the list.
* Advanced ACL Actions -- what this ACL will do to matching traffic. Add an action with the `Add` button at the top of the list.
**Record header buttons:**

* **Add** an Advanced ACL record with the blue **+** Create ACL button
* **Edit** an Advanced ACL record with the green pencil Update ACL button
* "Waterdrop" menu button:
    * **New ACL Pattern:** Add a new ACL Pattern to this record
    * **New ACL Action:** Add a new ACL Action to this record
* **Bookmark** this page with the ribbon Bookmark button
* Sync Menu (chain-link icon)
    * Sync Mode (default is `2 Way - Push / Pull from Server`); click record sync information
    * Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
    * Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
    * Mark to Resync: flag this record in the background to be included in the next sync run

Note that records which are built-in/included with the DrawBridge cannot be edited or deleted, therefore those buttons are not available for those record types. Also note that only relevant Sync Menu items are displayed, which means fewer options may be visible than mentioned here.

## Page Pruners

Custom page pruning rules enable the selective removal of certain elements on a webpage. This is an advanced feature; it is assumed that you are familiar with CSS ([Cascading Style Sheets](https://en.wikipedia.org/wiki/CSS)).

A list view is shown by default. Add a new Page Pruner rule with the blue **+** Create Page Pruners button in the upper right of the list view.

**Record View**

A Page Pruner record contains the following:

Parameter | Setting | About
--- | --- | ---
**Status** | `Active` or `Inactive` | This record is available/functional
**Canonical ID** | | The globally-unique identifier for this record

Page Pruner Selectors ruleset list: Add a rule to this Page Pruners record with the `Add` button at the top of the record ruleset list view.
**Page Pruner Record header buttons:**

* **Create** a new Page Pruner record with the blue **+** Create Page Pruner button
* **Edit** this Page Pruner record with the green pencil Update Page Pruner button
* **Delete** this Page Pruner record with the red trashcan Delete Page Pruner button
* **Add** a Pruner CSS Selector rule to this record with the blue scissors Add Pruner CSS Selector button
* **Bookmark** this page with the ribbon Bookmark button
* Sync Menu (chain-link icon)
    * Create on Sync Publisher
    * Sync Mode (default is `2 Way - Push / Pull from Server`); click record sync information
    * Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
    * Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
    * Mark to Resync: flag this record in the background to be included in the next sync run

Note that only relevant Sync Menu items are displayed, which means fewer options may be visible than mentioned here.

## Proxy PAC rules

A few important notes:

* PAC stands for [Proxy Auto Config](https://en.wikipedia.org/wiki/Proxy_auto-config)
* Proxy PAC rules apply to only Remote Devices
* Rules instruct the recipient operating system to **bypass** specific traffic from the DrawBridge proxy: in other words, don't redirect X traffic to the DrawBridge to be filtered.
* Rules specified here are included in the response to All valid Proxy PAC requests made to this DrawBridge; i.e. there is no tenancy for these records -- they are system-wide.

PAC bypass rules do not have individual record pages. However, each entry has the following parameters:

Parameter | Options | About
--- | --- | ---
**Function** | `dnsDomainIs` or `isInNet` or `shExpMatch` | Designate type of pattern: domain name, IP address, or regular expression
**Scope** | `Host` or `URL` | Set whether the pattern is to match only on the domain name or a full URL string
**Pattern** | | The actual data you want to match. For example, if you selected `dnsDomainIs` and `Host`, then you might enter `example.com`
**Subnet** | | Subnet for address entered in Pattern when `isInNet` is selected (not used for other Functions)

**Rule line buttons:**

* **Edit** a rule with the green pencil Update Record button on the relevant line
* **Delete** a rule with the red trashcan Delete Record button on the relevant line
* **View the changelog** with the blue Record Activity Stream button on the relevant line

# Redwood Config

Advanced Redwood configuration file directives

## Filter Parameters

Filter parameters are advanced, low-level configuration settings for the DrawBridge Redwood content classification engine. These settings are generally managed by Compass and should not be changed unless directed by Compass Foundation support staff.

## Directives

Directives are additional advanced, low-level configuration settings for the DrawBridge Redwood content classification engine. These settings are generally managed by Compass and should not be changed unless directed by Compass Foundation support staff.

# Safe Search

Safe Search is the enforcement of the Adult Content Blocking made available by various platforms, including YouTube, Bing, and Google. It is recommended that this generally stay enabled for the cleanest browsing experience. However, with SafeSearch enabled, YouTube livestreams will not be available. It is necessary to set the YouTube SafeSearch settings to `Disabled` to view livestreams on that platform. The burden for responsible use lies with the user in such cases.

Safe Search settings are managed at a Company level via the Preferences application. See **Essential Concepts: Preferences** for further information.

# Troubleshooting

# Realtime Log Viewer

View live filter traffic data on this DrawBridge, system-wide. Use requires `System Owner` or higher permission levels.
Individual Remote Device Realtime Logs may be viewed by the `Company Owner` permission level by visiting the Remote Device record and clicking **View Realtime Log Lines** in the record hamburger menu.

#### Display Filters

* `Userip` applies to the Access Log and TLS Log only
* `Pattern` applies to any of the three logs
* Actions `Allow`, `Block`, `Block Invisible`, and `SSLBump` apply only to the Access Log

#### Log Types

* **Access Log:** Live web traffic classification activity
* **TLS Log:** Live information on TLS sessions handled by the DrawBridge, including errors when session establishment was not successful. Traffic that is `SSLbypassed` will not be visible here, because the DrawBridge is not intercepting and handling those sessions.
* **Errors Log:** Live errors and remote device authentication data

#### Explaining the Filter Actions

Filter Action | About
--- | ---
`Allow` | The DrawBridge allowed the request after analysis
`Block` | The DrawBridge blocked the request after analysis, and served a block page
`Block Invisible` | The DrawBridge blocked the request after analysis, and served an invisible pixel (used primarily when blocking advertisements)
`SSLBump` | The DrawBridge intercepted the initiation of a TLS session and took over as Man-in-the-Middle

**Note for troubleshooting:** When diagnosing a strange connection issue with a particular website or service, **be sure** to toggle on the `SSLBump` display filter -- sometimes a web server will abandon a connection when the DrawBridge intercepts the session. In such cases, you'll see one or more `sslbump` loglines, but no subsequent `allow` or `block` lines as would typically be the case. If the service *must work*, then the best solution is to put the domain in the **Bypass Filter** policy for the Company in question. Note that this does disable DrawBridge filtering on that domain, so use responsibly.
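The troubleshooting note above can be checked mechanically instead of by eye. The following is an added example, not DrawBridge code: it scans log lines for (client, host) pairs that have `sslbump` entries but never an `allow` or `block` line, which is the pattern left behind when either side (a certificate-pinning client or a strict server) drops the intercepted session. The logline format here is constructed for the example; the DrawBridge's real format differs, so `parseLine` is the only part that needs adapting.

```javascript
// Constructed sample loglines (NOT the DrawBridge's real format):
// "<timestamp> <client-ip> <action> <host:port | url>"
const SAMPLE_LOG = [
  '2024-05-01T10:00:01Z 10.0.0.5 sslbump www.example.com:443',
  '2024-05-01T10:00:01Z 10.0.0.5 allow https://www.example.com/',
  '2024-05-01T10:00:02Z 10.0.0.5 sslbump backup.example.net:443',
  '2024-05-01T10:00:09Z 10.0.0.5 sslbump backup.example.net:443',
  '2024-05-01T10:00:15Z 10.0.0.7 sslbump news.example.org:443',
  '2024-05-01T10:00:15Z 10.0.0.7 block https://news.example.org/video',
  '2024-05-01T10:00:20Z 10.0.0.7 sslbump api.example.org:443',
  '2024-05-01T10:00:21Z 10.0.0.5 allow https://api.example.org/v1/ping',
].join('\n');

// Parse one line into { ts, client, action, host }; returns null for lines
// that do not fit the constructed format above.
function parseLine(line) {
  const m = line.trim().match(/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$/);
  if (!m) return null;
  const [, ts, client, rawAction, target] = m;
  const action = rawAction.toLowerCase();
  let host;
  try {
    // sslbump lines carry host:port; allow/block lines carry a full URL
    host = action === 'sslbump'
      ? target.split(':')[0].toLowerCase()
      : new URL(target).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
  return { ts, client, action, host };
}

// Return the (client, host) pairs that were bumped but never produced an
// allow/block line. Keying on client AND host matters: a different client
// reaching the same host successfully does not clear the symptom.
function findAbandonedSessions(logText) {
  const state = new Map(); // "client host" -> { client, host, bumps, followups }
  for (const raw of logText.split('\n')) {
    const rec = parseLine(raw);
    if (!rec) continue;
    const key = `${rec.client} ${rec.host}`;
    const s = state.get(key) ||
      { client: rec.client, host: rec.host, bumps: 0, followups: 0 };
    if (rec.action === 'sslbump') s.bumps += 1;
    else if (rec.action === 'allow' || rec.action.startsWith('block')) s.followups += 1;
    state.set(key, s);
  }
  return [...state.values()]
    .filter((s) => s.bumps > 0 && s.followups === 0)
    .sort((a, b) => (a.host + a.client).localeCompare(b.host + b.client));
}
```

Hosts returned here are candidates for the **Bypass Filter** policy only after you have confirmed the service genuinely needs it, since bypassing removes classification for that domain.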
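Returning to the Proxy PAC rules described earlier on this page: the added example below (not DrawBridge code, and not the DrawBridge's actual generated PAC file) shows how the console's Function / Scope / Pattern / Subnet parameters translate into a `FindProxyForURL` function, and evaluates them offline. The helper functions `dnsDomainIs`, `isInNet` and `shExpMatch` are simplified stand-ins for the ones a browser's PAC engine provides; the proxy address and the second and third rules are constructed, while the first rule mirrors the page's own `example.com` example. Note that `shExpMatch` takes shell-style wildcards (`*`, `?`), not a full regular expression.

```javascript
// Simplified stand-ins for the browser's PAC helper functions (assumed,
// standard semantics; a real PAC engine supplies these itself).
function dnsDomainIs(host, domain) {
  // Suffix test: "example.com" matches "www.example.com" but also
  // "notexample.com"; use ".example.com" when only subdomains are wanted.
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 ||
      parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function isInNet(host, pattern, mask) {
  // A real PAC engine resolves hostnames through DNS first; this version
  // only accepts hosts that are already dotted-quad IPv4 addresses.
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

function shExpMatch(str, shexp) {
  // Shell-style wildcards: "*" matches any run, "?" matches one character.
  const re = '^' + shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

// Placeholder proxy address (constructed; substitute the real DrawBridge).
const PROXY = 'PROXY drawbridge.example:3128';

// Bypass rules in the shape of the console's parameters. The first mirrors
// the page's own example; the other two are constructed for illustration.
const BYPASS_RULES = [
  { func: 'dnsDomainIs', scope: 'Host', pattern: 'example.com' },
  { func: 'isInNet', scope: 'Host', pattern: '10.20.0.0', subnet: '255.255.0.0' },
  { func: 'shExpMatch', scope: 'URL', pattern: '*backup.example.net/api/*' },
];

function ruleMatches(rule, url, host) {
  const subject = rule.scope === 'URL' ? url : host;
  switch (rule.func) {
    case 'dnsDomainIs': return dnsDomainIs(subject, rule.pattern);
    case 'isInNet': return isInNet(subject, rule.pattern, rule.subnet);
    case 'shExpMatch': return shExpMatch(subject, rule.pattern);
    default: throw new Error('unknown PAC function: ' + rule.func);
  }
}

// Evaluate the rules the way FindProxyForURL would: a matching rule means
// "DIRECT" (bypass the DrawBridge); otherwise traffic goes to the proxy.
// Caveat: current browsers strip the path and query from https:// URLs
// before calling FindProxyForURL, so a URL-scope pattern on HTTPS traffic
// effectively sees only the scheme and host.
function findProxyForURL(url, host, rules = BYPASS_RULES, proxy = PROXY) {
  for (const rule of rules) {
    if (ruleMatches(rule, url, host)) return 'DIRECT';
  }
  return proxy;
}

// Render the rules as PAC file text, for inspection or for a test client.
function renderPac(rules = BYPASS_RULES, proxy = PROXY) {
  const body = rules.map((r) => {
    const subject = r.scope === 'URL' ? 'url' : 'host';
    const args = r.func === 'isInNet'
      ? `${subject}, ${JSON.stringify(r.pattern)}, ${JSON.stringify(r.subnet)}`
      : `${subject}, ${JSON.stringify(r.pattern)}`;
    return `  if (${r.func}(${args})) return "DIRECT";`;
  });
  return ['function FindProxyForURL(url, host) {', ...body,
    `  return ${JSON.stringify(proxy)};`, '}'].join('\n');
}
```

Every bypassed match is traffic the DrawBridge never sees, so keep `dnsDomainIs` patterns as narrow as the service allows.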
# System Update

### Regenerate Config Files

Filter changes are normally saved to disk when clicking the Reload button in the DrawBridge banner. Manually running this command should only be done when the filter behavior does not match current settings in DrawBridge, such as when output from the Realtime Log Viewer indicates that policy changes have not yet taken effect.

### Restart Redwood

Filter adjustments take effect after clicking the Reload button in DrawBridge. Reloading the config files is significantly faster than restarting the filter process, and does not disrupt active network connections. Use this option if you've changed the Port number for a Remote Device record, or if there's a configuration setting that doesn't seem to match your expectations.

### Update Classifier Patterns

Redwood receives periodic classification updates throughout the day to enhance accuracy in filtering and reporting. Click below to manually check for updates. Any available updates will automatically take effect. This command is useful only if your filter administrator requests that it be run.

# Content Scanners

## Antivirus Scanner

Optional anti-virus file scanning. Contact Compass Foundation support to purchase this add-on.

# Reports

# Activity Viewers

## Live Drilldown

Dive deep into logged activity data.

#### Important Note:

Data in Live Drilldown will have at least a **3 minute delay** from actual occurrence. If you need realtime traffic information, use the Realtime Log Viewer, accessed as follows:

* **Specific device:** Select `View Realtime Log Lines` in the hamburger menu of a Remote Device record
* **Entire system:** Select `Realtime Log Viewer` under Content Filter / Troubleshooting

### Browse by Company

View all the traffic of a particular Company. (Most value in multi-tenant use-cases.) Presents a list view of all available Company records on the DrawBridge.
After selecting a Company, the user is presented with **Browse by Request Type**; see below for more information.

### Browse by Category

View traffic statistics aggregated by Category.

Manipulate the data view with the following Select fields:

* Timerange
* Company
* Category
* Rating
* Parent Category

List view displays:

* Name of the Category
* Cumulative number of hits in the selected timerange
* Cumulative bandwidth in the selected timerange

### Browse by Request Type

**Note:** The menu items listed below are basically automatic Traffic Type filters for the **Browse by Loglines** option, mentioned further below.

Request Types menu:

* **Page Views**
* **Media Views**
* **API Activity**
* **Application Files**
* **Erased Activity**
* **Shredded Activity**

Manipulate the data view with the following Select fields:

* Timerange
* Company
* Category
* Rating
* Parent Category

#### List views display:

Column | About
--- | ---
Domain | Base domain of the request
Device | Origin username or IP address of the request
Hits | Counter: displays the number of times this request was made
Bandwidth | Total bandwidth consumed by this request
Time | Timestamp of this request
Type | `Ads/Avatars/Cruft`, `API Calls`, `Audio/Video`, `General Files`, `Page Assets`, `Page Visuals`, `Programs/Applications`, `Web Page`
Category | What the request was classified as

### Browse by Searches

View search queries entered by users on popular search and ecommerce sites.
Manipulate the data view with the following Select fields:

* Timerange
* Company
* Category
* Rating
* Parent Category

#### List view displays:

Column | About
--- | ---
Search term | The search query entered by a user
Device | Origin username or IP address of the request
Allow | Counter of how many times the request triggered this action
Block | Counter of how many times the request triggered this action
Domain | Site the request occurred on
Category | Classification determined by the DrawBridge

Search Activity within the specified timerange by:

* Search Term
* Device
* Domain

### Browse by Media Views

View Media Classification requests for media hosted on popular video hosting platforms.

Manipulate the data view with the following Select fields:

* Timerange
* Company
* Category
* Rating

#### List view displays:

Column | About
--- | ---
Title | Title of the video
Service | Platform hosting the video
Hits | Counter of how many times this request was performed

Search the data within the specified timerange by:

* Name/Title
* Service/Hosting platform

### Browse by Page Titles

View title information for all visited websites. (The title is what displays in a browser tab.)
Manipulate the data view with the following Select fields:

* Timerange
* Company
* Rating
* Parent Category
* Category

#### List view displays:

Column | About
--- | ---
Title | Title of the website
Device | Device making the request
Domain | Base domain of the request
Category | Classification of the request

Search the data within the specified timerange by:

* Name/Title
* Device
* Domain

### Browse by Antivirus Hits

Events logged by the optional Antivirus protection service.

Manipulate the data view with the following Select fields:

* Timerange
* Company

#### List view displays:

Column | About
--- | ---
Name | Name of event
Domain | Domain of the request
File | Name of the file that was examined
Hits | Counter: number of times this file was requested
Bandwidth | Bandwidth consumed by this request

Search the data within the specified timerange by:

* Name

### Browse by Applications

View traffic that originated from Applications/programs (not necessarily browsers).

Manipulate the data view with the following Select fields:

* Timerange
* Company
* Application
* App Type

#### List view displays:

Column | About
--- | ---
Name | Name of the Application
Type | Type of Application
Hits | Counter: Number of requests mapped to this Application
Bandwidth | Bandwidth consumed by this Application
Time | Estimated cumulative period of time this application generated requests

Search the data within the specified timerange by:

* Name

### Browse by Domains

View all traffic sorted by domain.
Manipulate the data view with the following Select fields:

* Timerange
* Company
* Action
* Category
* Rating

#### List view displays:

Column | About
--- | ---
Domain | Domain name of the request
Device | Origin of the request
Hits | Counter: number of times requested
Bandwidth | Bandwidth consumed by this domain
Time | Estimated cumulative period of time this domain was visited
Type | `Ads/Avatars/Cruft`, `API Calls`, `Audio/Video`, `General Files`, `Page Assets`, `Page Visuals`, `Programs/Applications`, `Web Page`
Category | Classification of the request

Search the data within the specified timerange by:

* Name/Domain
* Device

### Browse by Loglines

View all traffic logged and classified.

Manipulate the data view with the following Select fields:

* Timerange
* Company
* Request Type
* Filter Action
* Category
* Rating

Match data with the following free text fields:

* Devices
* Domain

**Important:** This view requires clicking the blue magnifying-glass Search button to apply filters to the data; it does not update "live" as the other views do.

#### List view displays:

Column | About
--- | ---
Date | Timestamp of the logline
Device | Origin of the logline
Action | Filter action taken on the logline
Method | HTTP method of the logline
Mimetype | Type of request
Length | Size/Length of the HTTP response body
Rating | Classification rating of the logline
Category | Classification category of the logline
URL | Exact URL of this logline; click for further details

#### Record view

Each logline entry has a Record view with more details that is accessed by clicking the URL displayed in the logline row. Technical data is displayed under the following headers:

* URL Details
* Application Details
* Filter Details
* Device Details
* Client Details

Classification data is shown under the following headers:

* Rating Details
* Category Details
* Rule Details

## History

### Report History

List of printable, regularly scheduled Usage Reports for past report periods.
Displays a list view of all report file archives.

Column | About
--- | ---
Report | Name of the report
Start Date | Beginning of the time period covered by the report
Layout | Data visualization preset used by the report
Company | Company associated with the report

Filter the view with the following search/select fields:

* Name
* Timeframe
* Interval
* Company

##### Record View

Parameter | About
--- | ---
Sections | Data Visualization preset(s) included in this report
Schedule/Details | Link: Name of the scheduled job that ran this report
Report Type | `Alert/Notification` or `Usage Report`
Date Range | Time period covered by this report
Generated on | Timestamp of report creation
Status | `Succeeded` or `Failed`
Time Taken | Amount of time it took to crunch the data to generate this report

**Report Record Header buttons:**

* **Delete** this report record with the red trashcan Delete Report Archive button
* **Resend** this report file with the green airplane Resend Report button
* Hamburger menu:
  * **Report Settings:** Jumps to the corresponding Report Schedule record
  * **Scheduled/Active Reports**

#### Informational Tabs

* **Report Files**
  * Presents a link to access the HTML report file
* **Recipients**
  * Displays **Current Recipients** and **Available Recipients** in two lists.
  * Move people from one list to the other with the appropriate **-** or **+** buttons.
  * Add a Company Recipient with the `Add Company Recipient` button: pops up a form window to add the recipient

Note that available recipients are the contacts associated with the Company, and also any Accountability Contacts if the Company is associated with an Accountability Policy.

### Autofix History

List of Autofixes and details for each incident.
List View displays:

Column | About
--- | ---
Date | Date of the Autofix request
User / IP | Remote Device Username, Person (Active Directory), or IP address that requested the Autofix
Domain | The web link requested to be analyzed by Autofix

Filter the view with the following search/select fields:

* Time Range
* Company
* Name

View an individual Autofix Record by clicking the URL displayed in the Domain column.

#### Autofix Record View

Parameter | About
--- | ---
Date | Timestamp of the request
Expiration | When the filter policy changes made by the Autofix will revert to the original settings
Block Details | URL that was blocked
Company | Associated company of the User or Device that requested the Autofix
Remote / Local Device | Remote Device User, Person, or IP address which requested the Autofix
Device User | Associated Person record of the Remote Device, when applicable
Comments | Information entered by the person requesting the Autofix
Blocking Category | The Classification initially determined by the DrawBridge
Score | Score of the Blocking Category for this web request
Tier | `Level1`, `Level2`, or `Level3`; see Essential Concepts: Preferences for more information
Explanation | Observations of the Autofix reclassification operation
Autofix Permitted | Autofix is permitted (True) or not (False) for this category. See Essential Concepts: Preferences for more information
Device Group | Device Group membership of the Remote / Local Device requesting the Autofix

**Send for Human Review** button: sends technical data of this event to Compass Foundation support staff for further analysis. Be sure to click **Send for Human Review** if the Autofix request was used to access content that was genuinely misclassified. Compass Foundation support staff will review the technical data sent over in the background and, if needed, release a permanent fix that benefits all DrawBridge users.

### Human Review

List of blocked URLs submitted for Human Review.
List View displays:

Column | About
--- | ---
Date | Date of the Human Review request
User / IP | Remote Device Username, Person (Active Directory), or IP address that requested the Human Review
Domain | The web link requested to be analyzed

Filter the view with the following search/select fields:

* Time Range
* Company
* Name

View an individual Human Review Record by clicking the URL displayed in the Domain column.

#### Human Review Record View

Parameter | About
--- | ---
Date | Timestamp of the request
URL | URL that was blocked
Company | Associated company of the User or Device that requested the Human Review
User | The filter username, where applicable, that requested the Human Review
Device User | Associated Person record of the requesting Remote Device, when applicable
Comments | Information entered by the person requesting the Human Review
Blocking Category | The Classification determined by the DrawBridge
Permitted by Preferences | Preferences settings allow (`Yes`) Human Review requests for this Category or not (`No`)
Score | Score of the Blocking Category for this web request
Submitted | The Human Review request was sent (`Yes`) to Compass Foundation support or not (`No`)
Autofixed | `Yes` or `No` -- indicates whether the request was triggered from an Autofix request
Device Group | Device Group membership of the Remote / Local Device requesting the Autofix

# Report Settings

# Scheduled Reports

List view of all scheduled report jobs.
Filter the view with the following search/select fields:

* Interval
* Report (Type)
* Company

List View displays:

Column | About
--- | ---
Report | Type of report that is scheduled
Layout | Data Visualization Template preset selected for the scheduled report
Company | Associated Company of the scheduled report

View a Scheduled Report record by clicking the link in the Report column.

#### Scheduled Report Record view

Parameter | About
--- | ---
Report | Report type
Company | Associated Company of this schedule record
Delivery | Email report files, email report links, or save to DrawBridge only (no email)
Recipients | Groups of recipients
Report Detail | `Combined - all usage in one file` or `Detailed - One File per User / IP`
Report Type | `Usage Report`, `Alert/Notification`, `DNS Firewall`, or `Access Policy Report`
Report Scope | `All Users/IPs in the Company` or `Manually Specified Users/IPs`

**Scheduled Report record header menu:**

* **Add** a scheduled report with the blue **+** Create Report button
* **Edit** this scheduled report with the green pencil Update Report button
* **Delete** this scheduled report with the red trashcan Delete Report button
* **Bookmark** this report with the blue ribbon Bookmark this Page button
* Hamburger menu:
  * **Report History:** Jump to the report archives for this scheduled report
  * **Add New Schedule:** Add an additional schedule line for this report
  * **Scheduled Reports:** Jump to Scheduled Reports
  * **Inactive Reports:** Jump to Inactive Reports
  * **Record Activity Stream:** View the changelog for this scheduled report record
* Sync menu (**blue chain icon**)
  * **Create on Sync Publisher:** Push this record to the Sync Server

##### Informational Tabs

* **Schedules:** List view of scheduled runtime(s); Delete with the red trashcan Delete Report Schedule button
* **Recipients:** List views of Current Recipients and Available Recipients; Add Company Recipients and Add (Accountability) Policy Recipients with buttons of the same name. Remove recipients with the red **-** button available on each Current Recipient line.

# Report Layouts

List view of all available Report Layouts (preset data visualization templates) that can be applied to Scheduled Reports.

Column | About
--- | ---
Name | Name of the Layout
Sections | Preset data visualization sections included in the layout
Company | Associated Company, if applicable
Policy | Associated Accountability Policy, if applicable

#### Report Layout record view

Parameter | About
--- | ---
Builtin Layout | This preset was included with the DrawBridge (`True`) or was user created (`False`)
Type | `Usage Report`, `Alert/Notification`, `DNS Firewall`, or `Access Policy Report`
Report Sections | List; preset data visualizations included in this layout (see below)

**Report Layout record header menu:**

* **Add** a new report layout with the blue **+** Create Report Layout button
* **Clone** this report layout with the yellow Clone Report Layout button
* **View changes to this record** with the blue Record Activity Stream button
* **Bookmark** this page with the blue ribbon Bookmark this Page button
* Sync menu (**blue chainlink icon**)
  * **2 Way - Push / Pull from Server:** call a sync run for this record
  * **Push to Sync Publisher:** send this record to the sync server
  * **Pull from Sync Publisher:** fetch this record from the sync server
  * **Mark to Resync:** flag this record for inclusion in the next sync server run

#### Report Sections

Layouts contain one or more of the following Sections:

Section | About
--- | ---
`accesspolicy` |
`api` | List of domains that are likely to have been visited programmatically by an operating system or other software
`autofixes` | List of Autofix requests, including the requesting user/IP address, the timestamp, URL requested, action taken, and additional information
`categories` | Overview graph of the most popular Categories visited, by percentage
`disinfected` |
`erased` | List of "background traffic" domains that were most likely linked to by websites (not visited directly by a user)
`graphs` | Time-of-day Usage graph and also graphs of Page View and Search ratings and actions taken
`mediaviews` | List of videos loaded in a browser; only major hosting platforms supported: YouTube, Vimeo
`pagetitles` | Full text of the Title of *every single page* loaded in a browser. The "Title" is what displays in a browser tab. Extremely detailed.
`pageviews` | List of domains that are likely to have been visited in a browser by a human
`searches` | Full text of search queries entered on major search and ecommerce platforms
`shredded` | List of domains that were denied on every request; origin may be system/program or human

# Report Presets

List view of all Report presets, and Policy ownership, where applicable.

Filter the view with the following search/select fields:

* Preset (Name)
* Template (Name)
* (Accountability) Policy

List View displays:

Column | About
--- | ---
Report | Name of the Report
Layout | Data Visualization Template preset selected for the scheduled report
Policy | Associated (Accountability) Policy of the Report Preset, where applicable

View a Report Preset record by clicking the link in the Report column.

#### Report Preset record view

Parameter | About
--- | ---
Preset | Name of the preset
Policy | Associated Accountability Policy, if applicable
Layout | Layout used by this Preset
Schedule | Default schedule interval assigned to this Preset
Delivery | Email Report files, Email Report Links, or Save Only (no email)
Recipients | Default recipients of this Preset

**Report Preset record header menu:**

* **Add** a Report Preset with the blue **+** Create Report Preset button
* **Edit** this Report Preset with the green pencil Update Report Preset button
* **Clone** this Report Preset with the yellow Clone Report Preset button
* **Delete** this Report Preset with the red trashcan Delete Report Preset button
* **View the record changelog** with the blue Record Activity Stream button
* **Bookmark** this record with the blue ribbon Bookmark this Page button
* Sync menu (**blue chainlink icon**)
  * **Create on Sync Publisher:** push this record to the sync server
  * **2 Way - Push / Pull from Server:** call a sync run for this record
  * **Push to Sync Publisher:** send this record to the sync server
  * **Pull from Sync Publisher:** fetch this record from the sync server
  * **Mark to Resync:** flag this record for inclusion in the next sync server run

Note: **Built-in** (included with the DrawBridge) report presets are not editable or deletable, and therefore won't have all the record header menu options shown above.

# Log Processing

**Logline Filters** are employed to ensure only relevant human activity is stored in the DrawBridge web activity database.

**Log Servers** + **Log Sender Batches** together are an optional function used for export of DrawBridge filtering logs to an external web traffic log analysis service. When configured: a device is filtered by the DrawBridge, which logs all the web traffic of that device. Then, on a schedule, the DrawBridge uploads those web traffic logs to a separate log analysis/Reporter server for additional operations to be performed.

**Important Note:** The Log Server/Sender system is inactive unless the following two conditions are met:

* A Log Server is configured. (See below)
* A Log Server Account Number is configured on one or more Company records. See **Accounts: Companies** for more information.

# Logline Filters

Remove unwanted Log Lines before saving them to the Reporter database.

Displays a list view of rulesets which apply to loglines prior to saving them in the DrawBridge log database.
List view displays:

Column | About
--- | ---
Sequence | Priority of the rule when processing is performed
Filter | Name of the rule
Scope | Defines the operation of the rule
Field | Logline database field to which the rule applies
Operator | Data matching parameter (`In`, `Contains`, `Starts With`, and so forth)

### Logline Filter Record view

Parameter | About
--- | ---
*Name* Details | Name of the rule
Notes | Comments about the rule, where applicable
Matches If | Expressions which trigger the rule
*data list* | Exact text that is referenced in the expression

**Logline Filter Record header buttons:**

* **Add** a Logline Filter record with the blue **+** Create Logline Filter button
* **Edit** this Logline Filter record with the green pencil Update Logline Filter button
* **Delete** this Logline Filter record with the red trashcan Delete Logline Filter button
* Sync menu (**blue chainlink icon**)
  * **2 Way - Push / Pull from Server:** call a sync run for this record
  * **Push to Sync Publisher:** send this record to the sync server
  * **Pull from Sync Publisher:** fetch this record from the sync server
  * **Mark to Resync:** flag this record for inclusion in the next sync server run

##### Scope options:

A rule can apply with the following scope of action:

* `Skip All Logging` -- Discard (don't save or upload) traffic matching this rule
* `Log Summary Details Only` -- Skip detailed logging data for traffic matching this rule
* `DNS Log Lines` -- Discard (don't save or upload) traffic containing these domain names

# Log Servers

Upload Log Lines to a compatible Report Server for further processing.

Displays a list view of configured Log Servers.
List View displays:

Column | About
--- | ---
Name | Display name of the log server
URL | Web address of the log server

#### Log Server Record View

Parameter | About
--- | ---
Name | Display name of the Log Server
Status | This record is `Active` or `Inactive`
URL | Web address of the log server

**Log Server Record header buttons:**

* **Add** a Log Server record with the blue **+** Create Log Server button
* **Edit** this Log Server record with the green pencil Update Log Server button
* **Delete** this Log Server record with the red trashcan Delete Log Server button
* **Bookmark** this record with the blue ribbon Bookmark This Page button
* Sync menu (**blue chain icon**)
  * **Create on Sync Publisher:** Push this record to the Sync Server

# Log Sender Batches

Log Sender Batch Details.

Displays a list view of all configured Log Sender batches for Company records which have a Log Server Account number specified.

Filter the data with the following Select field:

* Company

List View displays:

Column | About
--- | ---
Name | Display name of the batch job
Company | Associated company of the batch job
Date | Timestamp of the last batch job run event
Uploaded To | Timestamp of the most recent data uploaded
Results | What the Log Processor job did

Log Sender Batches is informational only and does not have a record view.

##### FAQ:

* **Q:** Why does the Log Sender Batch indicate 0 lines uploaded, even though devices on the Company are being used?
  **A:** Either the devices are not properly connecting to the DrawBridge, or any data that was recorded was considered system activity, not human activity, and was therefore discarded. See **Logline Filters** above for more information.

# Device Detection

Detect network devices by analyzing traffic.

# User Agents

A [User Agent](https://en.wikipedia.org/wiki/User_agent) (UA) text string identifies the software making a web request in HTTP. For example, a browser may identify as a particular version of Chrome.
List view displays:

Column | About
--- | ---
User Agent | The exact text string of the UA
Device | Device type assigned to the UA
App | Application type assigned to the UA

Click the User Agent name link to view an individual User Agent record.

#### User Agent Record View

Parameter | About
--- | ---
Device | The Device Type contained in the UA
Application | The Application contained in the UA
OS | The Operating System contained in the UA
Canonical ID | The globally-unique identifier in the DrawBridge ecosystem
Device Type | The device type assigned to the UA
Application Type | The Application type assigned to the UA

**User Agent Record header buttons:**

* **Add** a new User Agent record with the blue **+** Create User Agent Record button
* **Edit** this User Agent record with the green pencil Update User Agent Record button
* **Delete** this User Agent record with the red trashcan Delete User Agent Record button
* **Bookmark** this User Agent record with the blue ribbon Bookmark This Page button

# Ja3 Hashes

Ja3 hashes can be used to positively identify an application based on a TLS fingerprint. Read more about the standard [on the official GitHub page](https://github.com/salesforce/ja3).

List view displays:

Column | About
--- | ---
Hash | Ja3 Hash
Notes | Information about the hash

#### Ja3 Hash Record View

Parameter | About
--- | ---
*Name* | Exact Ja3 hash
Notes | Further information about this particular hash
Canonical ID | Globally-unique record identifier in the DrawBridge ecosystem

List: **Application** -- displays Applications associated with this particular Ja3 hash. Add an Application to the hash record with the `Add TLS Fingerprint` button above the Application list view in the record.
**Ja3 Hash Record header buttons:**

* **Add** a new Ja3 Hash record with the blue **+** Create JA3 Hash button
* **Edit** this Ja3 Hash record with the green pencil Update JA3 Hash button
* **Delete** this Ja3 Hash record with the red trashcan Delete JA3 Hash button
* **Bookmark** this Ja3 Hash record with the blue ribbon Bookmark This Page button
* Sync menu (**blue chain icon**)
  * **Create on Sync Publisher:** Push this record to the Sync Server

# Devices

Specific hardware identity records.

List view displays:

Column | About
--- | ---
Model | The model of the Device
Brand | The manufacturer of the Device
Type | The device type, e.g. `Smartphone`, `Desktop PC`, and so forth

Locate a specific record with the following search/select fields:

* Name

#### Device record view

Parameter | About
--- | ---
*Name* | Name of the specific hardware
Type | Device type, e.g. `Smartphone`, `Desktop PC`, and so forth
OS | Operating System of the Device
Canonical ID | Globally-unique record identifier in the DrawBridge ecosystem
Brand | Manufacturer of the Device

**Device Record header buttons:**

* **Add** a new Device record with the blue **+** Create Device button
* **Edit** this Device record with the green pencil Update Device button
* **Delete** this Device record with the red trashcan Delete Device button
* **Bookmark** this Device record with the blue ribbon Bookmark This Page button
* Sync menu (**blue chainlink icon**)
  * **2 Way - Push / Pull from Server:** call a sync run for this record
  * **Push to Sync Publisher:** send this record to the sync server
  * **Pull from Sync Publisher:** fetch this record from the sync server
  * **Mark to Resync:** flag this record for inclusion in the next sync server run

# Applications

Comprehensive listing of Mobile Device and Desktop applications.

List view displays:

Column | About
--- | ---
Name | Name of the Application
Type | Type of application, if known, e.g. `Browser`, `Mobile App`, and so forth

Locate a specific record with the following search/select fields:

* Name

#### Application record view

Parameter | About
--- | ---
*Name* | Name of the Application
Type | Type of application, if known, e.g. `Browser`, `Mobile App`, and so forth
Canonical ID | Globally-unique record identifier in the DrawBridge ecosystem

**Application Record header buttons:**

* **Add** a new Application record with the blue **+** Create Application button
* **Edit** this Application record with the green pencil Update Application button
* **Delete** this Application record with the red trashcan Delete Application button
* **Bookmark** this Application record with the blue ribbon Bookmark This Page button
* Sync menu (**blue chainlink icon**)
  * **2 Way - Push / Pull from Server:** call a sync run for this record
  * **Push to Sync Publisher:** send this record to the sync server
  * **Pull from Sync Publisher:** fetch this record from the sync server
  * **Mark to Resync:** flag this record for inclusion in the next sync server run

##### Informational Tabs

* **App Store IDs** -- List view of unique App Store identifiers; Add an ID with the `Add App Store ID` button above the list
* **UA Patterns** -- List view of User Agent regular expressions to match this Application; Add a UA pattern with the `Add UA Pattern` button
* **JA3 Hashes** -- List view of Ja3 Hashes of this Application; add a new hash with the `Add TLS Fingerprint` button
* **User Agents** -- List view of User Agent strings associated with this Application

## Applications (ACL-ready)

Accessed as a sub-menu item under Applications in the left sidebar menu.

## Appstore IDs

Accessed as a sub-menu item under Applications in the left sidebar menu.

# Brands

# Operating Systems

# System

# Console Sync

Compass Foundation maintains a record synchronization infrastructure with a master publisher server to facilitate the interoperation of various systems.
## Synced Records

Complete list view of all synchronized records.

List view displays:

Column | About
--- | ---
Name | The name of the record
Table | The database table in which the record exists
Sync Server | The name of the sync server for this record

**List View header buttons:**

* **Add** a new Synced Record with the blue **+** Create Synced Record button

Click the Record name link to view an individual Synced Record.

#### Record View

Parameter | About
--- | ---
(Name) | The name of the record
CID | (Canonical ID) The globally-unique record identifier in the DrawBridge ecosystem
Local Record | The local name of the record
Table | The database table in which the record exists
Sync Mode | State: 1/2-way Push/Pull from Server details
Sync Status | Status of this record with the Publisher server
Sync Server | The configured sync publisher server for this record

**Synced Record header buttons:**

* **Pull from Sync Publisher**: initiate a record sync from the master server (origin) to this DrawBridge
* **Push to Sync Publisher**: initiate a record sync from this DrawBridge (origin) to the master server
* **Bookmark** this Synced Record with the blue ribbon Bookmark This Page button

##### Additional information:

* **Fields to Update** -- Information on any data for this record pending synchronization
* **Tenant Changes** -- Status of local changes to the record
* **Sync Errors** -- Information regarding errors on the synchronization of this record

## Sync Batches

List view of the Batches in which Record Sync is performed.
List view displays:

Column | About
--- | ---
Sync Batch | The name of the batch
Batch Type | Details regarding the batch type
Sequence | Priority of the batch when Sync occurs
Server | Configured server that the sync mechanism communicates with for this batch

**List View header buttons:**

* **Add** a new Sync Batch Record with the blue **+** Create Sync Batch button
* **Bookmark** this list view with the blue ribbon Bookmark This Page button

Click the Batch name link to view an individual batch record.

#### Batch Record View

Parameter | About
--- | ---
Name | The name of the batch record
Type | Details regarding the batch type
Server | The configured sync publisher server for this record
Comments | Additional information relevant to this batch
Last Run | Timestamp of the last time this batch was run (red circular arrow button: **Reset** this timestamp to sync all records)
Next Run | Timestamp of the next scheduled sync batch run

**Batch Record header buttons:**

* **Trigger a "dry run"** (test run / no actual record changes) of the sync batch with the green target **Trigger Sync Batch - Dry Run** button
* **Trigger a sync batch run** with the red target **Trigger Sync Batch** button
* **Add** a new sync batch with the blue **+** **Add Sync Batch** button
* **Edit** the sync batch with the green pencil **Update Sync Batch** button
* **Bookmark** this sync batch with the blue ribbon **Bookmark This Page** button

##### Additional information:

Tables to Sync

Column | About
--- | ---
Table | Database table
Sequence | Priority of the database table when Sync occurs
Comments | Additional information relevant to this batch
Mode | State: 1/2-way Push/Pull from Server details

Individual record buttons in list view:

* Edit the table record with the green pencil button
* Delete the table record with the red trashcan button

## Sync Servers

## Synchronize

# Configuration

Technical DrawBridge system configuration settings.
(Does not contain filter settings; see **Content Filter** for content filter settings.)

## Local Settings

DrawBridge system identity details, specific to this system.

Parameter | About
--- | ---
Name | Globally-unique name of this DrawBridge
Local | Yes/No -- this record belongs to this hardware
Admin URL | The URL and port number for the management interface (if no port is displayed, the default is 443)
Cloud Server | Yes/No -- this system is/is-not a "cloud filter"
Rebranded | Yes/No
Project Name | Brand information
Console Name | Brand information
Filter Name | Brand information
Hostname | Brand information
Slogan | Brand information
Phone | Brand information
Email | Brand information
Canonical ID | Globally-unique identifier for this DrawBridge
Sync Role | Publisher/Subscriber -- role of this DrawBridge in the Synchronization ecosystem

## Appliance Companies

List view of all tenant Company records; displays the Company-Appliance/DrawBridge relationship. Typically only relevant in the context of the Synchronization ecosystem.

## Backups

List view of system database backups. (Database backups are automatically uploaded to Compass Foundation offsite storage.)

## Email Settings

Configuration details regarding email alerts. Managed by Compass Foundation.

Parameter | About
--- | ---
Host | Mail Server domain
Port | Port for SMTP
Use TLS | Yes/No
Verify TLS | Yes/No
From Address | Brand information
Username | Username to use with the email server for authentication

## Certificate Authority

Information regarding the Certificate Authority, SSL Certificates, and Software (Client SSL Cert Installers) in use on the DrawBridge. Relevant primarily when `Rebranded` = `Yes` (see Local Settings, above).

## DrawBridge Terminal

Applicable only to systems running DrawBridgeOS. Does not apply to ClearOS-based systems. (See the Platform field in your DrawBridge [System Overview](https://draw.bridge/accounts/system/) page to see which operating system your DrawBridge is running.)

### Modes of operation

More information coming soon.

# Hardware & Processes

Note: Requires `System Owner` permissions.

Docs coming soon.

# DNS Firewall

Docs coming soon.

In the screenshot below, `objects.githubusercontent.com` was added to the `firehol_level3` DNS firewall list, presumably at the upstream FireHOL project. For a domain with that broad a usage, it was probably being abused somewhere, and hence ended up on that list. But that obviously has a massive impact on everything else hosted on that domain.

To resolve the issue, add `objects.githubusercontent.com` to the DNS Firewall local whitelist on [Whitespire](https://whitespire.compassfoundation.io/firewall/rpz/detail/1ea72ea4-8d53-625c-a1df-7085c27cfb9b/).

[![image (1).png](https://books.compassfoundation.io/uploads/images/gallery/2023-11/scaled-1680-/image-1.png)](https://books.compassfoundation.io/uploads/images/gallery/2023-11/image-1.png)

Make sure that you are not connected to the Tech VPN when testing.

# Help

# Care Center

View classification tickets automatically generated by AutoFix and Human Review procedures. Create new support tickets to be automatically submitted to Compass Foundation support.

# Change Logs

View software changelogs.

# API Documentation

View DrawBridge API documentation.

# Additional Services

# Passageway

Passageway is a full-featured password management database and sync service that is hosted on the DrawBridge. Please visit [https://help.passageway.id](https://help.passageway.id) for the Passageway documentation.

Note: Passageway is only available to on-premises DrawBridge accounts (not cloud DrawBridge accounts), and the DrawBridge must be running a currently-supported base Operating System. (Passageway is not supported on ClearOS 6 systems.)

# Tabula (deprecated)

Tabula is a contact records database + sync service hosted on the DrawBridge.
Domain: `tabula..myvision.id`

Tabula must be initialized on a per-user basis by going to the Person record and using the record header button menu option `Create Tabula Account`.

# Compass Foundation Infrastructure

# Network Addresses

Network Administrators: please ensure unrestricted access to the following addresses:

### US & Global services:

| IPv4 | Equivalent CIDR notation |
|---|---|
| 8.33.19.221 - 8.33.19.226 | (not a CIDR block) |
| 63.150.19.74 - 63.150.19.79 | 63.150.19.72/29 |
| 65.152.194.73 - 65.152.194.78 | 65.152.194.72/29 |
| 104.218.187.15 - 104.218.187.18 | (not a CIDR block) |
| 108.24.40.122 - 108.24.40.126 | (not a CIDR block) |
| 173.161.228.229 | 173.161.228.229/32 |
| 199.224.68.177 - 199.224.68.189 | 199.224.68.176/28 |
| 204.111.143.225 - 204.111.143.238 | 204.111.143.224/28 |

| IPv6 |
|---|
| pending |

### Canada services:

| IPv4 Address | Equivalent CIDR notation |
|---|---|
| 69.41.195.98 - 69.41.195.102 | 69.41.195.97/29 |
| 205.203.220.163 - 205.203.220.166 | 205.203.220.162/29 |
| 216.46.150.2 - 216.46.150.6 | 216.46.150.1/29 |

| IPv6 |
|---|
| N/A |

# Abuse/Security Contact

Abuse/Security concerns: please email support@compassfoundation.io or call 856-974-5335.

# Access Policy Dashboard Report

The Access Policy Dashboard Report is based very closely on the layout of the live Dashboard page for a specific company ([example report](https://willow.compassfoundation.io:1525/static/examples/access_policy_dashboard.html)).

## Reading the Report

### Header Details

The Report calls out areas of special interest, such as:

- A count of changes made
- Person performing the change
- Date and time the change was performed

[![ap-report-header.png](https://books.compassfoundation.io/uploads/images/gallery/2023-01/scaled-1680-/ap-report-header.png)](https://books.compassfoundation.io/uploads/images/gallery/2023-01/ap-report-header.png)

### Access Policy Lines

Each Access Policy line that was changed is marked with a **Categories Changed** badge.
Click the Down Arrow to reveal more details about the change.

[![ap-line.png](https://books.compassfoundation.io/uploads/images/gallery/2023-01/scaled-1680-/ap-line.png)](https://books.compassfoundation.io/uploads/images/gallery/2023-01/ap-line.png)

## Report Delivery

By default, this report is a Daily notification that is only delivered when changes have been made in the prior 24 hours.

The report can also be manually delivered to recipients by navigating to the Company's Access Policy Dashboard and clicking "Deliver Access Policy Report" in the Context menu.

[![ap-deliver.png](https://books.compassfoundation.io/uploads/images/gallery/2023-01/scaled-1680-/ap-deliver.png)](https://books.compassfoundation.io/uploads/images/gallery/2023-01/ap-deliver.png)
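Returning to the Network Addresses table earlier on this page: several of the ranges there are marked "(not a CIDR block)", and the others are given as a single covering block. When a network administrator turns such a list into firewall rules, the practical question is whether to allow the exact addresses (several small blocks) or one covering supernet (fewer rules, but extra addresses admitted). The following Python script is an added example, not part of the DrawBridge console or its code; it uses only the standard library, copies a few range strings from the table above as sample input, and the `iptables` chain name in `render_rules()` is a hypothetical placeholder to adapt to whatever firewall is actually in use.

```python
"""Express dotted-quad IPv4 ranges as CIDR blocks for firewall allow rules.

Added example, not part of the DrawBridge console or its code.
"""
import ipaddress
from typing import List, Tuple

# Sample input: range strings copied from the "US & Global services" table above.
RANGES = [
    "8.33.19.221 - 8.33.19.226",
    "63.150.19.74 - 63.150.19.79",
    "173.161.228.229",
    "199.224.68.177-199.224.68.189",
]


def parse_range(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Accept 'a - b', 'a-b' or a single address; reject malformed or reversed ranges."""
    parts = [p.strip() for p in text.split("-")]
    if len(parts) > 2:
        raise ValueError(f"malformed range: {text!r}")
    start = ipaddress.IPv4Address(parts[0])
    end = ipaddress.IPv4Address(parts[-1])
    if end < start:
        raise ValueError(f"range end precedes start: {text!r}")
    return start, end


def exact_cover(text: str) -> List[str]:
    """Minimal list of CIDR blocks covering exactly the range and nothing more."""
    start, end = parse_range(text)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def smallest_supernet(text: str) -> Tuple[str, int]:
    """Smallest single CIDR block that contains the whole range, together with the
    number of addresses it admits beyond the range (0 means the range is itself a block)."""
    start, end = parse_range(text)
    net = ipaddress.ip_network(f"{start}/32")
    while end not in net:
        net = net.supernet()  # widen by one prefix bit until the end address fits
    extra = net.num_addresses - (int(end) - int(start) + 1)
    return str(net), extra


def allowlist(ranges: List[str] = RANGES) -> List[str]:
    """Exact CIDR cover of every range, merged where adjacent blocks align, sorted."""
    nets = [ipaddress.ip_network(cidr) for r in ranges for cidr in exact_cover(r)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def render_rules(ranges: List[str] = RANGES, chain: str = "OUTPUT") -> List[str]:
    """Illustrative iptables accept rules, one per exact block.
    The chain name is a hypothetical placeholder, not DrawBridge configuration."""
    return [f"iptables -A {chain} -d {cidr} -j ACCEPT" for cidr in allowlist(ranges)]


if __name__ == "__main__":
    for r in RANGES:
        block, extra = smallest_supernet(r)
        print(f"{r:34} exact={exact_cover(r)} supernet={block} (+{extra} addresses)")
    print("\n".join(render_rules()))
```

The `extra` count returned by `smallest_supernet()` is the figure to look at before choosing the single-block form: a small number (for example the two spare addresses in a covering /29) is usually an acceptable trade for fewer rules, while a range whose covering block would admit dozens of unrelated addresses is better expressed with the exact cover.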