Console Reference Docs

Detailed, technical information on the DrawBridge web interface.

Essential Concepts

Web Page Classification

Web page classification analyzes the domain, URL, and most importantly, the words and phrases on every page load to tally a numerical score in one or more Categories for that page load. The filter Action configuration (Allow/Block/Ignore) for the top-scoring Category is then used to handle that particular page request.

Traffic Visibility Prerequisites

Webpage word and phrase analysis is only possible with full SSL/TLS decryption (sslbump), which is the default action for most [1] web requests on TCP ports 80 (HTTP) and 443 (HTTPS). For this to work without browser security errors, all endpoint devices connecting through the DrawBridge must have the DrawBridge Certificate Authority certificate installed. See the page SSL Certs under the Devices module for more information.

[1] Note: for security reasons, banking and financial-related websites are not TLS-decrypted. It is assumed that these sites are safe from inappropriate content. You can verify a site is not being TLS-decrypted by clicking the shield or padlock in your browser address bar and viewing the certificate. If the certificate is issued by a public Certificate Authority (and not your DrawBridge), you can know that the DrawBridge is not intercepting the connection.

Also note: Certain web traffic (for example some cloud backup services and application traffic) that is not specification-compliant or is otherwise incompatible with content filtering is exempted at a firewall level from the traffic inspection on TCP ports 80 and 443.

Example

Visiting https://www.cabelas.com is most likely to score the most points in the Category Hunting and Fishing.

- If the Action assigned to Hunting and Fishing is Allow, the Cabelas page will load as if nothing happened.
- If the Action assigned to Hunting and Fishing is Block, a DrawBridge block page is loaded to inform the user that the request was blocked due to filter settings.
- If the Action assigned to Hunting and Fishing is Ignore, the next-to-top scoring Category action is selected to handle the page load.

The option to `Ignore` is strongly discouraged except for special situations. If you decide to specify custom Actions for Categories, please only use `Allow` or `Block` to ensure the most reliable filtering.

Important Notes

1. About changing default Category Allow/Block settings

The DrawBridge comes with a preset Action for each included (Built-in) Category. When you assign an Action (Allow/Block) to a Category, you're simply applying a change that gets higher priority than the default setting.

2. Default Category settings are Business-focused

The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you may want to set more categories to Allow in your Company Preferences Access Policy, or in a custom Access Policy.

For more information on Built-In Categories, including how to view default Actions, see Content Filter: Categories: Built-In Categories.

Further Reading

For more information on Categories and Actions, including how to change the Action for a Category, see page Overview and Essentials under the Content Filter module.

For more information on Certificates and Certificate Authorities, this Wikipedia article on Public Key Infrastructure may be helpful.

FAQ: Is TLS inspection "bad" or "breaking encryption" or "weakening security"?

In a word, no (if implemented correctly).

Despite much negative press, blog posts by both Cloudflare and US-CERT acknowledge that legitimate use-cases (and secure methods) of TLS inspection exist. Some of the concerns raised in the two articles linked above are very valid.
However, the DrawBridge filter engine is designed to follow industry best-practices to ensure that it doesn't downgrade security or mask upstream security flaws.

Much of this debate boils down to two things:

1. Intention: Why is the TLS traffic being inspected? (legitimate or malicious?)
2. Privacy: Are the end-users aware of the inspection? (visible/policy or invisible/spycraft?)

For #1: The DrawBridge employs TLS inspection to ensure content filtering properly classifies page content.

For #2: Yes: DrawBridge account holders need to purchase the content filter service and need to install a Certificate Authority for the service to work correctly. (It is the responsibility of account holders to inform any user of the service of the content monitoring and inspection.)

This discussion leads to an even deeper question: Who owns this device?

If you truly own a computer, for example, you should have the authority to decide what Certificate Authorities it will be allowed to trust, and with whom it will communicate. Thankfully, most platforms accommodate adding additional Certificate Authorities, enabling you to know and control the network traffic of your device. The notable exception is Android, because of an alleged "security" decision by Google. While there were threats they were able to prevent by taking a scorched-earth no-user-CA-trust position [1], this implementation also conveniently prevents auditing of the traffic of third-party apps and bundled Google apps.

[1] Exception: browser apps on Android will trust user-installed Certificate Authorities.

Record Model - Tenancy and Hierarchy

Record Tenancy

The DrawBridge records are multi-tenanted. Tenancy is established by associating a record (such as Device Group, Access Policy, or Report) to a given tenant (see Types, below), and ensuring that other tenants cannot see those records.
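Looking back at Web Page Classification: the Action selection described there, including the `Ignore` fall-through, sketched as an added example (not DrawBridge code). The scores, the `Shopping` and `Weapons` Categories, the default Actions, the tie-break and the fail-closed fallback when every scored Category is set to Ignore are all assumptions; the page does not specify them.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ALLOW, BLOCK, IGNORE = "Allow", "Block", "Ignore"

# Constructed stand-ins for the built-in defaults. Only "Hunting and Fishing"
# is a Category named on the page; its default Action here is made up.
DEFAULT_ACTIONS = {
    "Hunting and Fishing": BLOCK,
    "Shopping": ALLOW,
    "Weapons": BLOCK,
}

# Constructed per-Category scores for one page load of the Cabelas example.
CABELAS_SCORES = {"Hunting and Fishing": 42, "Shopping": 17, "Weapons": 9}


@dataclass(frozen=True)
class Decision:
    action: str                # Allow or Block, never Ignore
    category: Optional[str]    # Category whose Action decided the request
    score: int                 # that Category's score for this page load
    skipped: Tuple[str, ...]   # higher-scoring Categories set to Ignore


def resolve_action(scores: Dict[str, int],
                   custom_actions: Optional[Dict[str, str]] = None,
                   default_actions: Dict[str, str] = DEFAULT_ACTIONS,
                   fallback: str = BLOCK) -> Decision:
    """Pick the Action of the top-scoring Category, walking down past Ignore."""
    # A custom Action takes priority over the preset default for that Category.
    effective = {**default_actions, **(custom_actions or {})}
    # Highest score first; ties broken by name (assumption, for determinism).
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    skipped = []
    for category, score in ranked:
        action = effective.get(category)
        if action not in (ALLOW, BLOCK, IGNORE):
            raise ValueError(f"no valid Action configured for {category!r}")
        if action == IGNORE:
            skipped.append(category)   # fall through to the next-highest score
            continue
        return Decision(action, category, score, tuple(skipped))
    # Every scored Category was Ignore: fail closed (assumption).
    return Decision(fallback, None, 0, tuple(skipped))


def decided_by_weak_match(decision: Decision, scores: Dict[str, int],
                          ratio: float = 0.5) -> bool:
    """True when Ignore pushed the decision to a Category scoring under
    `ratio` of the top score, i.e. a weak match now controls the request."""
    top = max(scores.values(), default=0)
    return bool(decision.skipped) and decision.score < ratio * top


if __name__ == "__main__":
    for custom in ({"Hunting and Fishing": ALLOW}, {}, {"Hunting and Fishing": IGNORE}):
        d = resolve_action(CABELAS_SCORES, custom)
        print(custom, "->", d, "weak:", decided_by_weak_match(d, CABELAS_SCORES))
```

With `Ignore` on the top Category, the request is decided by a Category that scored 17 against a top score of 42, which is the reliability cost behind the advice to use only `Allow` or `Block`.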
Four types of tenants are supported:

| Tenancy Type | Visibility | Permissions |
|---|---|---|
| Company | Just that Company | Contacts assigned to this Company, contacts of the Accountability Policy associated with this Company |
| Accountability Policy | All Member Companies | Contacts of the Accountability Policy |
| Appliance | All Companies on that DrawBridge | Contacts of the Main Company |
| Universal | All Companies on all DrawBridges | System Administrators |

In other words, the Tenancy Type of a record can be determined by looking at the association relationship(s):

- A record assigned to a Company belongs to that company
- A record assigned to an Accountability Policy is available to all Member companies
- A record assigned to a System/Appliance applies to all tenant companies
- A record with none of the above relationships is available to all companies everywhere.

The Main Company

All Companies on a DrawBridge are tenants; however, for proper record and configuration ownership, it is essential that one Company be the Main Company of a DrawBridge. The Main Company is the Owner of the DrawBridge, or the owner of the premise on which it is located. The Contacts on the Main Company are the only ones who can control System-wide settings, such as QoS, Firewall settings, DNS, and so forth.

Record Hierarchy

Certain types of records can have a "Parent"/"Child" designation:

- Accountability Policy: An Accountability Policy can be a "Child" of another Accountability Policy, enabling the automatic inheritance of configuration settings at the "Parent" level, such as Report Presets.
- Category: Built-in Categories are members of "Parent" categories for easy classification into genres. For example, Parent Category Automotive contains the following child categories:
  - Automotive and Trucks
  - Automotive - Objectionable
  - Metals / Welding
  - Powersports

Permissions and Relationships

Permissions

Permission Groups in the DrawBridge Console are analogous to User Groups in typical operating systems.
[1]

Permissions Groups are a way of assigning a particular Role to a Person: Adding a Person record to the Accountability permission group gives them the access and controls exclusive to Accountability and higher level permission groups. Person records are given the permissions by being added as a member of a particular Permissions Group.

Permission Groups in the DrawBridge Console:

| Permission Group | Required Relationship | About |
|---|---|---|
| Company Owner | Company Owner | The owner of a Company |
| Appstore Access | Company or Accountability Policy | Allows Person to Enable App Store Access on a Company record |
| Can Submit Autofix Requests | Company | Allows use of the Autofix reclassification function |
| Can Submit Sites for Human Review | Company | Allows submission of a Classification Review support ticket |
| Media Viewer | Company | Allows classification of a video in the Media Room |
| Company Media Room Admin | Company | Allows administration of a company Media Room |
| Report Viewer | Company or Accountability Policy | Allows viewing of web activity Reports |
| System Owner | Company Owner | Allows visibility and control of all Tenant Companies on that DrawBridge |
| ACL Pumpkineer | Accountability Policy or Compass Foundation Staff | Allows creation and modification of ACLs |
| Accountability | Accountability Policy | Allows visibility and control of member Company configurations and reports |
| Device Detector Admin | (?) | (?) |
| Realtime Log Viewer | Company Owner of Main Company | Allows access to the system-wide Realtime Log Viewer |
| Reseller | (?) | Allows visibility and control of all Tenant Companies on that DrawBridge |
| Sysadmin | (?) | (?) |

[1] For further advanced reading, see the POSIX specification documentation by The Open Group and IEEE.

Relationships

Records in the DrawBridge console, particularly Person records, can have one or more relationship associations. For an analogy, consider how individual people in real life have different relationships to others, depending on their role: Parent-Parent, Parent-Child, Brother-Sister, and so forth.
Relationships in the Console

A Person can have the following relationships to Companies:

- Owner
- Associate
- Tech Support
- General Contact

A Person can have the following relationships to an Accountability Policy:

- Accountability Contact

A Company can have the following relationship to an Accountability Policy:

- Member

Examples

Person fred_smith owns Company Eastwood Trading Co. He therefore is assigned a Company Owner Relationship, and added to the Company Owner Permissions Group. Company Eastwood Trading Co. has an on-premises DrawBridge, so fred_smith is also added to the System Owner Permissions Group.

Person jack_miller is on the IT staff for Eastwood Trading Co. He is assigned a Tech Support Relationship, and added to the Sysadmin Permissions Group.

Accountability

The DrawBridge supports an Accountability model to facilitate voluntary, centrally-administered, usage report sharing and content filter configuration of Member Companies by specified administrators in a community context.

An Accountability Policy provides:

- Central administration of Accountability-associated Report Presets and Access Policies for all Member Companies
  - All Report Presets of a Policy automatically propagate to all Member Companies.
  - Access Policies associated with an Accountability policy are made available to all Member Companies as a Policy Group that can be easily joined by Member Companies.
  - Changes to that particular Access Policy (Group) automatically propagate to all Member Companies that are part of the Access Policy.
- Accountability Contacts associated to that Accountability Policy can access report information and view filter policy configuration for that Company (see Accountability Policy Roles below).
- Community Accountability-level Preference configurations to override Company-level Preference configurations (see Preferences page for more information).
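The Record Tenancy table (Tenancy Type, Visibility, Permissions), together with the Member and Accountability Contact relationships above, can be modelled as a small isolation check. This is an added example, not DrawBridge code: the class and field names, the appliance names, the second and third companies and the people other than fred_smith are constructed, and checking the narrowest association first when a record has more than one is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Company:
    name: str
    appliance: str                  # DrawBridge this Company is a tenant on
    policy: Optional[str] = None    # Accountability Policy it is a Member of
    is_main: bool = False           # Main Company of that DrawBridge


@dataclass(frozen=True)
class Record:                       # e.g. Device Group, Access Policy, Report
    name: str
    company: Optional[str] = None
    policy: Optional[str] = None
    appliance: Optional[str] = None


@dataclass(frozen=True)
class Person:
    name: str
    contact_of: FrozenSet[str] = frozenset()          # Companies
    accountability_for: FrozenSet[str] = frozenset()  # Accountability Policies
    sysadmin: bool = False


def tenancy_type(rec: Record) -> str:
    """Derive the Tenancy Type from the record's associations."""
    if rec.company:
        return "Company"
    if rec.policy:
        return "Accountability Policy"
    if rec.appliance:
        return "Appliance"
    return "Universal"


def visible_to(rec: Record, company: Company) -> bool:
    """Visibility column: may this tenant see the record at all?"""
    kind = tenancy_type(rec)
    if kind == "Company":
        return rec.company == company.name
    if kind == "Accountability Policy":
        return company.policy == rec.policy
    if kind == "Appliance":
        return company.appliance == rec.appliance
    return True


def has_permission(rec: Record, person: Person, companies: Dict[str, Company]) -> bool:
    """Permissions column: is this person in scope for the record?
    Read-only versus read-write (the Policy Role) is not modelled here."""
    kind = tenancy_type(rec)
    if kind == "Company":
        owner = companies[rec.company]
        via_policy = owner.policy is not None and owner.policy in person.accountability_for
        return rec.company in person.contact_of or via_policy
    if kind == "Accountability Policy":
        return rec.policy in person.accountability_for
    if kind == "Appliance":
        return any(c.is_main and c.appliance == rec.appliance and c.name in person.contact_of
                   for c in companies.values())
    return person.sysadmin


def visibility_matrix(records: List[Record], companies: Dict[str, Company]) -> Dict[str, List[str]]:
    """Which tenants can see each record; useful for reviewing isolation."""
    return {r.name: sorted(c.name for c in companies.values() if visible_to(r, c))
            for r in records}


# Constructed sample data (names from the page: Eastwood Trading Co., fred_smith,
# Golden Sands Christian Fellowship; everything else is made up).
POLICY = "Golden Sands Christian Fellowship"
COMPANIES = {c.name: c for c in (
    Company("Eastwood Trading Co.", "drawbridge-a", POLICY, is_main=True),
    Company("Northfield Supply", "drawbridge-a"),
    Company("Harbor Print", "drawbridge-b", POLICY, is_main=True),
)}
eastwood_report = Record("Eastwood weekly report", company="Eastwood Trading Co.")
policy_preset = Record("Summary Report preset", policy=POLICY)
qos_settings = Record("QoS settings", appliance="drawbridge-a")
builtin_categories = Record("Built-in Category list")
RECORDS = [eastwood_report, policy_preset, qos_settings, builtin_categories]

fred_smith = Person("fred_smith", contact_of=frozenset({"Eastwood Trading Co."}))
nora = Person("nora", contact_of=frozenset({"Northfield Supply"}))
amos = Person("amos", accountability_for=frozenset({POLICY}))
root = Person("root", sysadmin=True)

if __name__ == "__main__":
    for name, tenants in visibility_matrix(RECORDS, COMPANIES).items():
        print(f"{name}: {tenants}")
```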
Record Relationships

The following records can be associated with an Accountability Policy Record:

| Record Type | About |
|---|---|
| Person | Accountability Contact: view reports and set configurations on Member Companies |
| Company | Accountability Member Company: enable features detailed below |

Policy Roles

An Accountability Policy can be either type of Role:

| Role | About |
|---|---|
| Reviewer | Accountability Contacts have read-only access to member Company settings |
| Administrator | Accountability Contacts have read-write access to member Company settings and diagnostic functions |

Role Features

Administrator

Designed for Accountability Policies who have members on the Policy with capable IT skills, understand the DrawBridge Console, and commit to remaining up-to-date with ongoing DrawBridge releases.

Reviewer

Designed for Accountability Policies who are primarily responsible for reviewing reports and Access Policies to confirm that settings are as expected.

Company Opt-in

A Company Owner assigned to an Accountability Policy with the Reviewer Role may want his Accountability Contacts to have the Administrator Role on his company. If so, he can add them as Company Staff to grant the Administrator Role.

Examples

Administrator Role

The people in the Golden Sands Christian Fellowship community want to have a uniform content filter policy across their brotherhood, as well as have specific individuals responsible to administer the policy and review all their web usage.

To answer this need, the Golden Sands Christian Fellowship Accountability Policy is created with Administrator role, and several people are associated with it as Accountability Contacts (see Relationships page for more information).

This Accountability Policy has several associations:

- The people that are designated as Accountability Contacts.
- A Church Preferences Access Policy that sets the Action on a number of Categories to Allow.
- A Summary Report configured that displays the genres of information being accessed by each Company, to be sent to the designated Accountability Contacts.

Those Companies using DrawBridge filtering in this context add the Golden Sands Christian Fellowship policy to their Company record. This performs the following:

- Enables the specified Accountability Contacts to view the report data and filter configurations of all Member Companies in the DrawBridge Console.
- Makes the centrally-administered Church Preferences Access Policy available to them to apply to their Company. Each Company Owner then applies the Church Preferences Access Policy by assigning it to his alldevices Device Group.
- Automatically configures the Summary report to the member Company, with delivery to the Accountability Contacts.

Reviewer Role

The people in the Salem Christian Fellowship community want to have a uniform content filter policy across their brotherhood. Either an outside IT provider or Compass Foundation will administer the settings and provide technical support.

The Salem Christian Fellowship policy is created with the Reviewer role. They will have Read-Only access to review Reports and Access Policy settings. Any required changes will be channeled by the Company to the IT Provider or Compass Foundation.

Preferences

Preferences enable you to:

- configure minimum Permission Groups required to perform a specific action (see Permissions and Relationships page for more information), and,
- configure other feature thresholds and behaviors

Preference Tenancy

Preference record tenancy association is available to both Companies and Accountability Policies. Each Preference Record has a field indicating the associated Company or Policy, thus communicating the tenancy association.

If a Preference detailed here is not present on your DrawBridge, simply create it with the + button in the upper right corner of the list view for that Section. Then you can assign the Records to that Preference as desired.
Preferences associated with an Accountability Policy override any conflicting preferences associated with a Member Company.

| Priority | Relationship | Override lower priority configuration |
|---|---|---|
| 1 | Accountability Policy | Yes |
| 2 | Company Owner | (NA) |

To clarify: if there is no Accountability Policy associated with a Company, the notes about Accountability Policy override do not apply.

Preference Record Sections

Hierarchy: Section, Preference, Record

As implemented:

- Filter Console (Section)
  - Access Valve Permissions (Preference)
    - Widen Access Privileges (Record)
    - and so forth
  - App Store Settings
  - Safe Search Settings
- Media Room
  - Viewability
  - Channels
- Block Page Overrides
  - AutoFix Settings
  - Human Review Settings

Preferences, in detail

Filter Console

Access Valve Permissions

| Record Name | Value | About |
|---|---|---|
| Widen Access Privileges | Company Owner / Accountability Contact / Accountability or Filter Admin | Set minimum Permission Group required to set a Category to Allow |
| Restrict Access Privileges | Company Owner / Accountability Contact / Accountability or Filter Admin | Set minimum Permission Group required to set a Category to Block |

App Store Settings

| Record Name | Value | About |
|---|---|---|
| Permission Group | Company Owner / Accountability Contact / Accountability or Filter Admin | Set minimum Permission Group required to "open" an App Store |

Safe Search Settings

| Record Name | Value | About |
|---|---|---|
| Name of Service, e.g. Bing, YouTube, etc. | Yes / No | Enable the platform-provided Adult content blocking |

Media Room

Viewability

| Record Name | Value | Contents | About |
|---|---|---|---|
| Category Actions | Always Block Categories / Always Allow Categories | List of Categories | Configure the Media Room action for specified Categories |
| Viewability Status | Allowed Categories Only / Allowed Category or Unclassified / Viewing Classified Media Disabled | (N/A) | Configure the "permissiveness" of the Media Room |

In detail:

- Category Actions: The Media Room will Allow or Block a video from playing based on the top-scoring category it scores/classifies as.
The Category Actions records here allow you to set a list of Categories that will Always or Never play when a video has a top score in the category(ies) you specify.
- Viewability Status: Set the behavior of the Media Room:
  - Allowed Categories Only: Only videos which have a top score in a Category set to Allow will play. Videos with a top score in a Category set to Ignore or Allow will not play.
  - Allowed Category or Unclassified: In addition to the videos matching Allowed Categories, above, if a classification can not be automatically made, the video will still be allowed to play. This is the most permissive setting.
  - Viewing Classified Media Disabled: The Media Room will not allow any videos to play, regardless of the classification.

Channels

| Record Name | Value | About |
|---|---|---|
| Permission Group | Media Admin / Accountability Contact / Accountability or Filter Admin | Set minimum Permission Group required to add a Channel for automatic classification |

Block Page Overrides

AutoFix Settings

| Record Name | Value | Contents | About |
|---|---|---|---|
| Category Actions | Always Allow Categories / Always Block Categories | List of Categories | Always Allow or Block the AutoFix request for specified categories |
| Level 1 Enabled | Yes / No | (N/A) | Enable AutoFix Level 1 behavior |
| Level 2 Enabled | Yes / No | (N/A) | Enable AutoFix Level 2 behavior |
| Level 3 Enabled | Yes / No | (N/A) | Enable AutoFix Level 3 behavior |
| Skip Owner Confirmation | Yes / No | (N/A) | Specify whether Company Owner contact confirmation is required for an Autofix request. |

If Owner Confirmation is required, an AutoFix request will email the Company Owner contact, who will need to sign-in and approve the request before it can proceed.

Human Review Settings

| Record Name | Value | Contents | About |
|---|---|---|---|
| Category Actions | Always Allow Categories / Always Block Categories | List of Categories | Always Allow or Block the AutoFix request for specified categories |
| Skip Owner Confirmation | Yes / No | (N/A) | Specify whether Company Owner contact confirmation is required for an Autofix request. |

If Owner Confirmation is required, a Human Review request will email the Company Owner contact, who will need to sign-in and approve the request before it can proceed.

Preference Record View

- Create a preference record by clicking the + button in the upper right of the list view in any of the Sections above.
- Edit a Preference record by clicking the green pencil Edit button on the relevant line.
- View a Preference record by clicking on the blue navigate-symbol View Preference button on the relevant line.

Each Preference record will display:

| Parameter | About |
|---|---|
| Company / Policy | The tenancy association (Company or Accountability Policy) of the record |
| Canonical ID | The globally-unique identifier for the record |
| Preference Setting | What the record does |

Records which contain Category List views have these options:

- Add a Category with the + Add button above the list area
- Remove a Category with the red trashcan Delete button on the relevant Category line

Accounts

People

A person entity is required to sign-in and use the DrawBridge web portal. Additionally, Person records are associated with Companies, and, optionally, Accountability Policies.

View the Active People list by clicking Accounts, then People in the left menu bar. Click the Name of a Person in the list to view the Record for that person.
Person Record View

A Person record contains the following parameters:

| Parameter | About |
|---|---|
| Name | Display Name |
| Email | Email address |
| Mobile | (Optional) Mobile phone number |
| Canonical ID | The global unique identifier |
| Last Active | Timestamp of last sign-in activity; see Sessions informational tab, below |

Person Record header buttons:

- Add a new Person record with the blue + Create Person button
- Edit this Person record with the green pencil Update Person button
- Delete this Person record with the red trashcan Delete Person button
- Impersonate User (take on the identity and permissions of this user in the DrawBridge; used for troubleshooting)
- Merge Person records with the blue picture-frame "Merge other Person records into this one" button
- Hamburger menu:
  - Set Console Password: set a DrawBridge Console password for this Person
  - Create Tabula account: see Additional Services: Tabula for more information
  - Add Group Membership: add this Remote Device User to a Console Permission Group (see Informational Tabs: Permissions, below)
  - View Realtime Log Lines: jump to the Realtime Log Viewer, with the data view limited to this device
  - Today's Log Lines: jump to the Reports module with the device pre-selected in data views
  - Record Activity Stream: view the changelog for this Device record
- Bookmark this record with the ribbon Bookmark button
- Sync Menu (chain-link icon)
  - Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
  - Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
  - Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
  - Mark to Resync: flag this record in the background to be included in the next sync run

Informational Tabs

Data associated with this Person:

- Bookmarks: List view of any console shortcuts
  - Add a bookmark by clicking the Ribbon button on any record in the Console
  - Delete a bookmark with the red trashcan Delete button on the relevant Bookmark line here
- Companies: List view of any associated Company relationships
  - Add a Company relationship with the Add Company Staff Relationship button
  - Edit a Company relationship with the green pencil Update button on the relevant line
  - Delete a Company relationship with the red trashcan Delete button on the relevant line
  - View Company Relationship history log with the blue Record Activity Stream button on the relevant line
- Policies: List view of any associated Accountability Policy relationships
  - Add an Accountability Policy relationship with the Add Accountability Policy Relationship button
  - Edit an Accountability Policy relationship with the green pencil Update button on the relevant line
  - Delete an Accountability Policy relationship with the red trashcan Delete button on the relevant line
  - View an Accountability Policy relationship history log with the blue Record Activity Stream button on the relevant line
- Devices: List view of any associated Devices
  - Add a Remote Device relationship with the Add Remote Device button
  - Edit a Remote Device relationship with the green pencil Update button on the relevant line
  - Delete a Remote Device relationship with the red trashcan Delete button on the relevant line
  - View a Remote Device relationship history log with the blue Record Activity Stream button on the relevant line
- Permissions: List view of any associated Permission Groups and Proxy User Groups
  - Add a Permission Group membership relationship with the Add Permission button
  - Add a Proxy User Group membership relationship with the Add to Proxy Users Group button
  - Edit a Group relationship with the green pencil Update button on the relevant line
  - Delete a Group relationship with the red trashcan Delete button on the relevant line
  - View a Group relationship history log with the blue Record Activity Stream button on the relevant line
- Sessions: List view of all active/signed-in Console sessions this User has on this DrawBridge.
  Fields:
  - Last Updated: timestamp of last activity
  - IP: IP Address of last activity
  - Client: the User-Agent reported by the last activity

Unrelated People

Unrelated People are People records that have no Company or Accountability Policy relationship assigned. This list should generally be empty.

Inactive Relationships

This is a list of Person - Company or Person - Accountability Policy Relationships that have been set to Inactive. This list should generally be empty.

Companies

A Company record is essential to using the DrawBridge: all People records and Device records must be associated with a Company record (or an Accountability Policy) to enable full use of their functionality.

If your Company is the only company present on your DrawBridge, clicking on Accounts: Companies will jump directly to your Company record view.

If more than one Company is present on a DrawBridge, and your sign-in credentials are part of a System Owner permissions group or higher, a list view of the Company records will be displayed when Companies is clicked in the left menu bar. Click the Name of the company to view the Company Record. See Essential Concepts: Record Model - Tenancy and Hierarchy for further information about multi-tenancy.

The Company record view is your headquarters for viewing important data on your account, and also for jumping to other places in the DrawBridge to make configuration changes for your Company.

Record View

Name of Company

| Parameter | About |
|---|---|
| Status | This record is Active / Inactive |
| Main | Yes / No: indicates whether this Company record is designated as the Main Company for this DrawBridge. |
| Log Server Account | Optional: Account number on the Log Server; see Reports: Log Processing for more information |
| Canonical ID | The globally-unique identifier for this record |

Link: Log Batches -- jumps you to the list of Log Batches configured for this Company. See Reports: Log Processing for more information.

Link: Sync Settings -- jumps you to the Appliance Companies record.
See System: Configuration: Appliance Companies for more information.

Company Record header buttons:

- Add a new Company record with the blue + Add Company button
- Edit this Company record with the green pencil Update Company button
- Delete this Company record with the red trashcan Delete Company button
- Hamburger menu:
  - Today's Log Lines: jump to Reports: Browse by Loglines -- view web activity access logged today
  - Report History: jump to Report Archives
  - Record Activity Stream: view the changelog for this record
- Bookmark this page with the ribbon Bookmark button
- Sync Menu (chain-link icon)
  - Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
  - Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
  - Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
  - Mark to Resync: flag this record in the background to be included in the next sync run

Informational Tabs

Local Devices

List of Local Device records on this DrawBridge. See Devices: Local Devices for more information.

Create a new Local Device record with the New Local Device button.

Manipulate existing Local Device records in the list view by clicking the desired button on the relevant line:

- Edit a record with the green pencil Update Record button
- Delete a record with the red trashcan Delete button
- View the record changelog with the blue Record Activity Stream button

Remote Devices

List of Remote Devices records on this DrawBridge. See Devices: Remote Devices for more information.

Create a new Remote Device record with the New Local Device button.

Manipulate existing Remote Device records in the list view by clicking the desired button on the relevant line:

- Edit a record with the green pencil Update Record button
- Delete a record with the red trashcan Delete Record button
- View the record changelog with the blue Record Activity Stream button

Contacts

List of Person records with a Relationship to the Company.
See Accounts: People for more information.

Add a new Person--Company relationship with the Add Company Staff Relationship button.

Manipulate existing Relationship records in the list view by clicking the desired button on the relevant line:

- Edit a record with the green pencil Update Record button
- Delete a record with the red trashcan Delete Record button
- View the record changelog with the blue Record Activity Stream button

Reports

List of configured Reports associated with this Company. See Reports: Scheduled Reports for more information.

Add a Report with the Schedule New Report button.

Manipulate existing Scheduled Report records in the list view by clicking the desired button on the relevant line:

- Edit a record with the green pencil Update Record button
- Delete a record with the red trashcan Delete Record button
- View the record changelog with the blue Record Activity Stream button

Appliances

Displays the Appliance record associated with this Company. See System: Configuration: Appliance Companies for more information.

Dashboard buttons

Access Policies -- Access Policy Dashboard

Jump to the Access Policy Dashboard for this Company, which displays all the Access Policies which apply to the devices of this Company. See Content Filter: Web Page Access for more information.

Activity Viewers -- Loglines & Reports

Jump to Report Activity Viewers. See Reports: Activity Viewers for more information.

Preferences -- Preferences Dashboard

Jump to any Preferences associated with this Company. See Essential Concepts: Preferences for more information.

Accountability Policy -- ("Policy Name" or "None")

Jump to associated Accountability Policy (if applicable). If this Company is a Member of an Accountability Policy, the name will be displayed. If the Company is not a Member of any Accountability Policy, it will display "None". See Essential Concepts: Accountability and Accounts: Accountability Policies for more information.
Inactive Companies

Inactive Companies are Company Records which have had the Status changed from Active to Inactive.

Accountability Policies

As noted on the Accountability page under the Essential Concepts chapter:

The DrawBridge supports an Accountability model to facilitate voluntary, centrally-administered, information sharing and content filter configuration of Member Companies by specified administrators in a community context.

An Accountability Policy consists of the Accountability Policy name and contains Member Companies. Also, an Accountability Policy contains Preferences (specific controls over member companies) and configures Report Presets (default report settings and recipients) for member companies.

Record view

Link: Assigned Companies -- list view of Companies associated with this Accountability Policy

| Parameter | Setting or Data | About |
|---|---|---|
| Parent | | The higher-on-the-hierarchy Policy, where applicable |
| Include Parent Contacts | Yes / No | Include Parent-policy Contacts by default in this policy, where applicable (see Parent, above) |
| Role | Reviewer / Administrative | The default scope of control associated Contacts have over member companies. See Essential Concepts for more info |
| Appstore | Company Owner / Accountability Contact / Accountability or Filter Admin | The minimum permission level Preference assigned to the Policy permitted to open the App Store |
| Send Logs | Yes / No | Send member-company traffic web usage data to the Log Server specified in Reports / Log Processing / Log Servers. |
| Canonical ID | | The globally-unique identifier for this record. |

Accountability Policy Record header buttons:

- Add a new Accountability Policy record with the blue + Create Accountability Policy button
- Edit this Accountability Policy record with the green pencil Update Accountability Policy button
- Delete this Accountability Policy record with the red trashcan Delete Accountability Policy button
- View the changelog for this Accountability Policy with the blue Record Activity Stream button
- Bookmark this page with the ribbon Bookmark button
- Sync Menu
  - Create on Sync Publisher (push this record to the Sync Server)

Informational Tabs

- Contacts: List view of Contacts associated to this Policy
  - Add an Accountability Contact association with the Add Accountability Policy Relationship button
  - Edit the Relationship and Report Delivery options for that Contact with the green pencil Update button on the specific contact line in the list view
  - Remove an Accountability Contact with the red trashcan Delete button on the specific contact line in the list view
  - View the changelog for a particular Contact--Accountability Policy association with the View Record Activity Stream button on the specific contact line in the list view
- Report Presets: List view of Reports associated with this Policy (these Reports automatically apply to all Member Companies).
  - Add a Report Preset with the New Report Preset button.
  - Remove a Report Preset association by visiting the record page for that Report Preset and editing the Policy association there.
- Policy Groups: List view of Access Policy Groups associated with this Policy (these Access Policies are made available for all Member Companies to join).
  - Add an Access Policy relationship with the New Access Policy Group button.
  - Remove an Access Policy relationship by visiting the record page for the Access Policy and editing the Policy association there.

Dashboard Buttons

Preferences Dashboard

Preferences configured on an Accountability Policy level override any Preferences specified on Member Companies.
See Essential Concepts: Preferences for more information.

Accountability Contacts

List view of Person - Accountability Contact relationships.

Record View

An Accountability Contact Record has the following information:

Parameter | About
Name | Name of the associated Person record
Email | Email of the associated Person record
Policy | Name of the associated Accountability Policy record
Canonical ID | Globally-unique identifier of this Person - Accountability Contact relationship
Contact CID | Globally-unique identifier of the associated Person record
Last Active | Timestamp of the last recorded login

Accountability Contact Record header buttons:
- Add a new Accountability Contact record with the blue + button
- Edit this Accountability Contact record with the green pencil Update Record button
- Delete this Accountability Contact record with the red trashcan Delete Record button
- Hamburger menu:
  - Update Personal Details (edit the details on the associated Person record)
  - Set Console Password
  - Add Group Membership
  - Impersonate User (take on the identity and permissions of this user in the DrawBridge; used for troubleshooting)
- Bookmark this page with the ribbon Bookmark button
- Sync Menu (chain-link icon)
  - Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
  - Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
  - Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
  - Mark to Resync: flag this record in the background to be included in the next sync run

Informational tabs

Companies: List view of the associated Companies
- Add a Company relationship with the Add Company Staff Relationship button
- Edit a Company relationship with the green pencil Update button on the specific company line in the list view
- Remove a Company relationship with the red trashcan Delete button on the specific company line in the list view
- View the changelog for a particular Company association with the View Record Activity Stream button on the specific company line in the list view

Policies: List view of associated Accountability Policies
- Add an Accountability Policy relationship with the Add Accountability Policy Relationship button
- Edit an Accountability Policy relationship with the green pencil Update button on the specific Accountability Policy line in the list view
- Remove an Accountability Policy relationship with the red trashcan Delete button on the specific Accountability Policy line in the list view
- View the changelog for a particular Accountability Policy association with the View Record Activity Stream button on the specific accountability policy line in the list view

Permissions: List view of Permission Group membership
- Add Permission Group membership with the Add Permission button
- Add to a Proxy User Group with the Add to Proxy Users Group button
- Remove a Permission Group membership with the red trashcan Delete Record button on the specific Permission Group line
- View the changelog for a particular Permission Group Membership with the View Record Activity Stream button

Groups

Permission Groups

The DrawBridge console uses the model of Permission Groups: a Person record can be a member of a particular Permission Group, and thus gain the abilities allowed by that Permission Group. For more information, see Essential Concepts: Permissions and Relationships.

People Groups

Proxy User Groups

A Proxy User Group is a group of People (similar to Device Groups being groups of Devices). People in the Proxy User Group are users on the local network which are authenticated to the DrawBridge via the DrawBridge Agent software installed on the endpoint.

A Proxy User Group can have two origins:
- Created either by manually adding People records to a "standalone" Proxy User Group, or,
- An existing Directory Group designated as a Proxy User Group.

Create a standalone Proxy User Group by clicking the + button in the upper right corner of the list view.
Give the group a name, specify the minimum permissions required to add People to the group, select any Parent Group if applicable, and ensure that Proxy Users is toggled to Yes.

Note that the list view in Proxy User Groups displays both "standalone" Proxy User Groups, as well as all Directory Groups that have been specified as a Proxy User Group; see below.

Directory Groups

A Directory Group is a group of People that has been synchronized from another server, for example, an Active Directory server. A Directory Group can be designated a Proxy User Group by Editing the Directory Group record and toggling the Proxy Users setting to Yes. The advantage of designating a particular Directory Group as a Proxy Users Group is that the (Person) members of that group can be managed on the AD Server; no ongoing people membership maintenance is needed in the DrawBridge. Changes in Directory Group membership made on the AD server are automatically synchronized via the regular AD--DrawBridge sync job.

Implementation Concept Diagram

This diagram illustrates how People Groups can be assigned to an Access Policy via association with a Device Group. See How To Guides: Assign a Proxy User Group to an Access Policy for further instructions.

Authentication Integration

The DrawBridge supports connection to an external user database for User and Group synchronization using the following database types:
- Active Directory
- OpenLDAP

Purpose

These features are intended to be used in conjunction with the DrawBridge Agent software (Windows computers only) to link the actual User signed-in on a Local Device to a specific Access Policy.

See Accounts: Groups for further information on People Groups.
See Content Filter: Web Page Access for further information on configuring Access Policies.
See How To Guides: Assign a Proxy User Group to an Access Policy for further implementation details.
Technical specifics

The DrawBridge connects to external user databases either using plain-text LDAP communication on port 389, or using TLS (LDAPS) on port 636.

A scheduled job performs a background synchronization with the database server four times a day.

A username and password to access the user database must be provided to the DrawBridge. The only permissions that are needed for the user are read access to the user and group information on the server.

Security Notes:
- The security-by-least-privilege principle dictates that the credentials provided to the DrawBridge to access the user database should not have any permissions beyond read-only access.
- When using LDAPS: The DrawBridge accepts any certificate presented by the server -- it does not perform verification/validity checks. LDAPS therefore encrypts the connection but does not authenticate the directory server to the DrawBridge.

Record View

Both Active Directory and OpenLDAP server records have the following parameters:

Parameter | About
Name | User-assigned display name of the server
Host | Address of the server, eg. 192.168.250.66:636 (Active Directory) or ldap://127.0.0.1:636 (OpenLDAP)
Server Type | Active Directory or OpenLDAP
Username Format | Active Directory or OpenLDAP
Status | This record is Active or Inactive
Search Base | Examples: dc=local or ou=Accounts,dc=eastwoodtc,dc=lan
User Object Class | Examples: person (Active Directory) or inetOrgPerson (OpenLDAP)
Group Object Class | Examples: group (Active Directory) or posixGroup (OpenLDAP)
Device Object Class | Example: computer (Active Directory)

Record header menu buttons:
- Edit the Directory Server settings with the green pencil Update Directory Server button
- Delete the Directory Server record with the red trashcan Delete Directory Server button
- Hamburger menu:
  - Verify Connection settings: test the provided authentication credentials. An alert will display the results of this test within seconds.
  - Sync Directory Servers: trigger a manual sync job to run immediately. (Note: this routine does not provide any status information.)
- Bookmark this page with the ribbon Bookmark button

Informational Tabs

Field Maps

Map DrawBridge database fields to the directory server fields.
- Add a new relationship with the Add Field Relationship button.
- Remove a field relationship with the red trashcan Delete button on the relevant line.

Example configuration (Active Directory)

Note: Your environment may be different.

Console Field | Directory Field
first_name | givenName
last_name | sn
username | cn
cid | objectGUID
email | userPrincipalName

Company Maps (Active Directory only)

- Assign a Directory Group to a DrawBridge Company with the Add Group to Company Map button.
- Remove a Directory Group to DrawBridge Company relationship with the red trashcan Delete button on the relevant line.

Devices

Overview

Create and manage Local and Remote Device records and corresponding Company and People associations, as well as static Device Groups.

Devices are the “target” of filter settings configured in Content Filter.

Note: for proper network operation:
- all Devices need to have the DrawBridge CA Security Certificate installed. See Essential Concepts: Web Page Classification: Traffic Visibility Prerequisites for further information.
- Remote Devices must have the correct External Networks assigned to them. See page Remote Devices in this chapter for further information.

Identifying Devices on the network

The DrawBridge has several ways of identifying Devices:
- Local Devices via either
  - auto-created records via built-in network detection, or,
  - auto-created records via the DrawBridge Agent software (Windows-only), or,
  - manually created records by a user.
- Remote devices created by users; these authenticate with the DrawBridge username and password

In this chapter:
- Devices Dashboard
- Local Devices
- Remote Devices
- Device Groups
- Apps: Device Configuration
- SSL Certificates
- External Networks

Devices Dashboard

- Local Devices: devices on the network where your DrawBridge is located. For example, the desktop you have in your office.
- Remote Devices: devices that access your DrawBridge from “outside” your network; ie. from the public Internet. For example, a laptop that’s configured to connect to your DrawBridge for filtering whenever you’re out on the road using a hotspot.
- Device Groups: entities that contain Local and/or Remote devices
- Apps: Device Configuration
- SSL Certificates: mandatory SSL/TLS Certificate Authority security certificates for all devices connecting through a DrawBridge
- External Networks: list of external network information used for assisting Remote Device Authentication operations

Local Devices

A Local Device record is an entity intended to represent one Device on the local network, no matter how many network interfaces the Device has. (Exception: special IP Range devices; see FAQ below)

Devices are created by:
- Auto-detection: The DrawBridge monitors network traffic to detect local devices based on the IP address, and automatically creates a Local Device record if none exists for that address.
- A DrawBridge Console user: Click the + located in the upper right corner of the Local Devices list view to create a new Local Device Record.
- The DrawBridge Agent: If the DrawBridge agent "calls home" with Device information that does not match an existing record, a new Local Device record will be created (only if the MAC address can be validated; see FAQ below)
- Active Directory sync: If your DrawBridge is configured to sync with an Active Directory server, Devices listed in the AD server will be automatically created on the DrawBridge.
- Compass Portal Sync: (Remote Devices Only)

In the Local Device list view, select any local device record by tapping the device name or IP address link shown in the Hostname column to see an individual device record.
Record View

A Local Device record contains the following parameters:

Parameter | About
Company | the Company associated with the Device; see Accounts: Companies for more information
Auto Hostname | the automatically-detected hostname of the device on the network, if available
Platform | the operating system of the device, if specified
Type | the type of hardware, such as Laptop, Smartphone, Tablet, and so forth
Status | this local device record is: Active or Inactive
Source | origin of the record information: auto-detected or User Entry
Last Active | the timestamp of the last filter traffic recorded for this device
Reportable | traffic from this device Is or Is Not included in Activity Reports

Device Record header buttons:
- Add a new Local Device record with the blue + Create Local Device button
- Edit this Local Device record with the green pencil Update Local Device button
- Delete this Local Device record with the red trashcan Delete Local Device button
- Hamburger menu:
  - Today's Log Lines: a shortcut to the Reports module with the device pre-selected in data views
  - Add Network Interface: add an additional network interface to the device
  - Reset DrawBridge Agent: reset the record association with the DrawBridge Agent
  - Record Activity Stream: view the changelog for this Device record
- Bookmark this page with the ribbon Bookmark button

Informational Tabs

Network Interfaces: IP address(es) and MAC address(es) associated with the device. Keep in mind that a device can have multiple network interfaces and also multiple IP addresses, so multiple lines may be listed here. For example, a laptop may have a Wi-Fi network interface as well as a wired Ethernet interface. Both interfaces will have unique MAC/hardware addresses, so if you want to apply a filter policy to that particular Device, no matter how it is connected to your network, you’ll need to ensure both interfaces (WiFi and Ethernet) are specified here.

Access Policies: a list of Access Policies that are applied to this device.
(see Content Filter: Access Policies for further information) This list is generated based on the membership of the Device in a particular Device Group, a component of an Access Policy. The exact Access Policy can be visited by clicking the link in the list under the Name column, or, you can view all Access Policies for your company by clicking the Access Policies/Access Policy Dashboard button to the right.

Device Group Membership

A local device is always part of the alldevices Device Group of the associated Company. A local device can be associated with an unlimited number of Device Groups. See the Device Groups page for further information.

FAQs

Q: Why aren't Local Devices automatically appearing on my account?
A: Auto-generated Local Device records are only generated for the Main Company. Verify that your account is set as Main if you are not seeing Local Device records auto-populate.

Q: Why doesn't the Local Device record display the MAC address of my device?
A: Bogus/Randomized MAC addresses may be automatically discarded by the console to reduce the amount of auto-generated Local Device records. For more context and a resolution, see the Question "Why are there so many Local Devices listed?".

Q: Why are there so many Local Devices listed? (I only have X number of devices on my network.)
A: Several factors may result in a proliferation of Local Device records:

“Network churn”: many new devices joining the network and old ones leaving. The DHCP server will do its job to utilize the limited address space available to it, which may involve assigning a previously-used address to a new device. This may result in the DrawBridge creating additional Local Device records or unexpectedly adding new MAC address associations to an existing IP Address / Hostname record.
Countermeasure: configure address reservations in your network DHCP server (DrawBridge ClearOS webconfig panel or other network equipment, if applicable) to ensure that a specific MAC address may only ever be assigned a specific IP address.

Operating system privacy features: randomized hardware interface addresses (also known as MAC addresses). Most operating systems now have functionality to generate a random hardware address for a particular network to prevent devices from being tracked across public WiFi hotspots. While most Operating Systems will maintain the same randomly-generated MAC address for a particular “remembered” network, if you reset your network settings or Forget the saved network, and re-join, the randomly-generated MAC will have changed. As above, this may result in the DrawBridge creating additional Local Device records or unexpectedly adding new MAC address associations to an existing IP Address / Hostname record.

Countermeasures: Turn off physical/MAC address randomization for your DrawBridge-protected network name (for example, for your WiFi network), and then set a DHCP reservation for the actual device hardware MAC address.

Turn off hardware address randomization, by operating system:
- iOS: Settings/WiFi/ information icon/ toggle Private WiFi Address off
- Android: Settings/WiFi/ gear icon/Advanced/set Privacy to Use Device MAC
- Windows 10; All Networks: Settings/Network and Internet/WiFi/toggle Use random hardware addresses off
- Windows 10; Specific Network: Settings/Network and Internet/WiFi/Manage Known Networks/select /Properties/set Use random hardware addresses to off
- Windows 11: Settings/Network and Internet/WiFi/ gear icon/Advanced/Privacy/set Use device MAC

Then add an address reservation in your DHCP server, as described above.

Note: The DrawBridge console does perform a background cleanup of "dead" local device records on a regular basis.
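The two causes above can be told apart from a DHCP lease export before any reservations are made. The following is an added example, not DrawBridge code: the lease tuples and hostnames are constructed sample data, the export format is an assumption, and the classification relies on the IEEE 802 locally-administered bit, which operating-system randomized addresses set.

```python
"""Triage a DHCP lease export for the causes of Local Device sprawl."""
import re
from collections import defaultdict

# Constructed sample leases (ip, mac, hostname); not from a real network.
# MAC formats are mixed on purpose: colon, hyphen, dotted and bare hex.
SAMPLE_LEASES = [
    ("192.168.1.20", "3C:52:82:1A:0B:44", "front-desk-pc"),
    ("192.168.1.31", "da-a1-19-5e-77-02", "sams-phone"),
    ("192.168.1.47", "F6:0C:3B:90:12:AD", "sams-phone"),
    ("192.168.1.31", "0017.88ab.cdef", "printer-2"),
    ("192.168.1.52", "a4:83:e7:2f:9c:10", "laptop-07"),
    ("192.168.1.53", "A483E72F9C11", "laptop-07"),
]


def normalize_mac(raw):
    """Return 'aa:bb:cc:dd:ee:ff' for colon, hyphen, dotted or bare-hex input."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(raw):
    """Classify by the two low-order bits of the first octet (IEEE 802)."""
    first_octet = int(normalize_mac(raw)[:2], 16)
    if first_octet & 0x01:
        return "multicast"             # group address, never a real source
    if first_octet & 0x02:
        return "locally-administered"  # OS private/random MACs, some VMs
    return "hardware"                  # vendor-assigned (burned-in) address


def triage(leases):
    """Group leases by IP and hostname and report what needs attention."""
    macs_by_ip = defaultdict(set)
    macs_by_host = defaultdict(set)
    for ip, raw_mac, hostname in leases:
        mac = normalize_mac(raw_mac)
        macs_by_ip[ip].add(mac)
        macs_by_host[hostname.lower()].add(mac)

    report = {
        "disable_randomization": [],  # hosts seen with a private/random MAC
        "multi_interface": {},        # hosts with more than one hardware MAC
        "reserve": [],                # (host, mac) pairs safe to reserve
        "reused_ips": {},             # IPs handed to more than one MAC (churn)
    }
    for host, macs in sorted(macs_by_host.items()):
        kinds = {mac: classify_mac(mac) for mac in macs}
        hardware = sorted(m for m, kind in kinds.items() if kind == "hardware")
        if "locally-administered" in kinds.values():
            report["disable_randomization"].append(host)
        if len(hardware) > 1:
            report["multi_interface"][host] = hardware
        report["reserve"].extend((host, mac) for mac in hardware)
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            report["reused_ips"][ip] = sorted(macs)
    return report


if __name__ == "__main__":
    for section, value in triage(SAMPLE_LEASES).items():
        print(f"{section}: {value}")
```

Hosts listed under multi_interface need every interface added to the same Local Device record; hosts under disable_randomization will only show a stable hardware address, and so become reservable, after randomization is turned off.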
Q: Any type of "agent" software available for Windows computers to positively identify Local Devices on a network?
A: Yes! See the page DrawBridge Agent Reference in this chapter for further information.

Q: Can I create an “entity” for an IP address range instead of making a bunch of Local Device records?
A: Yes! Create a new Local Device, and in the Platform field, select Network IP / IP Range, then enter the IP address range. This special “Local Device” can be used in a Device Group just like an ordinary Local Device or Remote Device record.

Remote Devices

A Remote Device connects through your DrawBridge from "outside" your network -- from the public Internet.

Remote Devices are created by:
- A DrawBridge Console user: Click the + located in the upper right corner of the Local Devices list view to create a new Local Device Record.
- CF Odoo Portal sync: Devices created in the Portal are automatically synchronized either via a triggered sync run (Cloud Servers), or the scheduled sync job.

In the Remote Device list view, select any remote device record by tapping the username shown in the Filter Username column to see an individual device record.
Record View

The individual Remote Device record contains the following parameters:

Parameter | About
Company | the Company associated with the Device; see the Accounts section for more information
Console User | the Person record associated with the Remote Device
Filter Username | the unique username this Device uses for authentication; this must either match or begin with the username of the associated Console User/Person
Email | the email address of the associated Person record
Status | this device record is: Active or Inactive
Canonical ID | the global unique identifier for this Remote Device; used for synchronization
Contact CID | the global unique identifier of the associated Person record; used for synchronization
Last Active | the timestamp of the last filter traffic recorded for this device
Device Type | the type of hardware, such as Laptop, Smartphone, Tablet, and so forth

Remote Device Record header Buttons:
- Add a new Remote Device record with the blue + Create Remote Device button
- Edit this Remote Device record with the green pencil Update Remote Device button
- Delete this Remote Device record with the red trashcan Delete Remote Device button
- Hamburger menu:
  - Update Personal Details: edit the information of the associated Person record
  - Set Console Password: set a DrawBridge Console password for this Remote Device User
  - Add Group Membership: add this Remote Device User to a Console Permission Group (see Informational Tabs: Permissions, below)
  - View Realtime Log Lines: jump to the Realtime Log Viewer, with the data view limited to this device
  - Today's Log Lines: jump to the Reports module with the device pre-selected in data views
  - Record Activity Stream: view the changelog for this Device record
  - Impersonate User (take on the identity and permissions of this Remote Device user in the DrawBridge; used for troubleshooting)
- Bookmark this page with the ribbon Bookmark button
- Sync Menu (chain-link icon)
  - Sync Mode (default is 2 Way - Push / Pull from Server); click record sync information
  - Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
  - Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
  - Mark to Resync: flag this record in the background to be included in the next sync run

Informational Tabs

Authentication: Additional parameters used to identify the device to streamline authentication. See Why do I need to have a Port/Platform/ExternalNetwork set for a Remote Device? in the FAQ below. Also displayed are:
- User URL: a link that can be visited in a browser on the device to authenticate its public IP with the DrawBridge
- PAC URL: Proxy Auto-Configuration: a spec-compliant URL that can be used by major operating systems to programmatically fetch proxy settings

Auth Activity: A recent history view of public IP addresses that this device has successfully authenticated from, in addition to the associated reverse-DNS network name, when retrievable.

Access Policies: a list of Access Policies that are applied to this device. (see Content Filter for more information on Access Policies) This list is generated based on the membership of the Device in a particular Device Group, a component of an Access Policy. The exact Access Policy can be visited by clicking the link in the list under the Name column, or, you can view all Access Policies for your company by clicking the Access Policies/Access Policy Dashboard button to the right.

Permissions: a list of Console Permission Groups that this Remote Device User is a member of. (Permits or does Not Permit the submission of an AutoFix, for example)

Device Group Membership

A remote device is always part of the alldevices Device Group of the associated Company. A remote device can be associated with an unlimited number of Device Groups. See the Device Groups page for further information.

FAQs

Q: Why am I getting a Proxy Authentication Required popup on my mobile device?
A: Your device is not properly authenticated with the DrawBridge. Visit the User URL for your device in a browser on that device, and ensure you get a Success message.

If you continue to get these Proxy Authentication Required popups after a successful authentication event:
- Verify the proxy configuration on the device is correct (particularly the assigned port)
- Verify the network you are connecting from is listed in External Networks under the device. See the FAQ item below: How does setting Port + Platform + ExternalNetwork information assist Remote Device authentication?

Q: Why does the Last Active timestamp not line up with the known usage of the Remote Device?
A: This timestamp is the last recorded filter log activity for the device. There are several possibilities to explain why a device that is known to be in-use is not showing a current corresponding timestamp:

1. The device does not have a data connection.
Solution:
- Ensure the device has an active data plan and/or connect the device to an open WiFi network (not a captive-portal-controlled network, such as many public hotspots).
- Perform activities on the device that will generate log data, such as visiting a search engine in a browser.
- Verify while performing the activities that loglines are shown in the DrawBridge Realtime Log Viewer for the device.
- If loglines for that device are displayed in the Realtime viewer, wait at least 15 minutes for the logs to be processed.
- Refresh the Device Record page to see if the Last Active timestamp has been updated.

2. The device is not properly authenticating with the DrawBridge, therefore, no web activity logs are being recorded.
Solution:
- Follow the same steps as detailed above to verify there are loglines displayed in the Realtime Log Viewer for the device in question.
- If there are no loglines, and yet web resources can be accessed on the device, then the proxy software on the device is failing to properly proxy traffic.
- Verify the proxy settings/software on the device are correctly configured.
- Visit the device User URL in a browser on the device to trigger an authentication event while monitoring the DrawBridge Realtime Log Viewer Errors Log, with the Remote Device port entered in the Pattern field. You should see one or more lines indicating successful authentication.

Note for Android devices: Android has a "fail-open" proxy design, so if authentication fails for any reason, Android will bypass the proxy. This can generally be resolved by re-authenticating the device with the DrawBridge.

3. The only traffic that is getting recorded is considered "system activity" and is not considered reportable, and is therefore not saved, so the Last Activity timestamp is not updated.
Solution: Follow the steps in #1 and #2 (if needed) to ensure the device is properly proxied and authenticating with the DrawBridge.

Q: Why do Remote Devices need to be authenticated?
A: It's critical for filtering and reporting purposes that the device that is connecting to the DrawBridge be positively, unmistakably, identified. Beyond that, anything connected to the internet is potentially a target for misuse. For example, if no authentication (username/password) was required for a remote device, a hacker could route their activities unimpeded through your internet connection, therefore making their malicious traffic appear to be originating with you. You may be held legally responsible for what happens on your internet connection. Depending on the type of activities, you may receive a legal notice warning of a DMCA violation. (Digital Millennium Copyright Act.) However, requiring authentication from all remote devices eliminates these concerns.

Q: How does setting Port + Platform + ExternalNetwork information assist Remote Device authentication?
A: As noted above, the DrawBridge requires authentication for Remote Devices.
However, mobile operating system platforms (Android and iOS) are notorious for failing to always communicate the required credentials for authentication of each network session they establish. So, to smooth the user experience, the DrawBridge accommodates "assumed authentication" -- if a network request matches all three parameters:
- sent to the unique Port assigned to the device
- sent by the operating system Platform specified for the device
- originates from an External Network (mobile network) the device is known to be using

... then the DrawBridge will "assume" that the request is legitimate and consider the request authenticated. This prevents repeated Proxy Authentication Required popups on mobile devices as they roam cellular networks.

Device Groups

Device Group records are entities containing one or more Devices to which Access Policies can be applied. See Content Filter: Web Page Access for further information.

In the Device Groups list view, click the drop-down arrow button to the left of a line name to display member devices and associated Access Policies.

Depending on your Console Permission Group membership, and whether multiple Companies are present on your DrawBridge, you will be able to see all the Device Groups available on the system. See Essential Concepts: Record Model - Tenancy and Hierarchy for further information.

Note: This panel only displays "static" device groups. For parameter-based "Smart Device Groups", see the Content Filter module.

SSL Certs

The DrawBridge CA certificate is required on all client devices for proper operation with the DrawBridge. Different operating systems require different certificate types or encoding types. This menu gives you the appropriate certificate for your operating system. Click the appropriate operating system for your use case and follow the instructions to install the certificate.
Visit the SSL Certs page

If you're on a DrawBridge-protected network, visit the SSL Certs dashboard at: http://draw.bridge/sslcerts/dashboard/

If you're not on a DrawBridge-protected network, visit the SSL Certs dashboard on one of our cloud servers, such as:
- http://whitespire.compassfoundation.io/sslcerts/dashboard/
- http://sweetspire.compassfoundation.io/sslcerts/dashboard/

Linux systems

As of this writing, a script to install the DrawBridge root CA certificate is available on all DrawBridge systems; however, it is not visible in the user interface at this time.

Installation instructions:
1. Download the installer script here: http://draw.bridge/static/software/linux_installer.zip (Note: must be on a DrawBridge-protected network with DNS resolution properly configured.)
2. Open a terminal and navigate to the directory where you saved the script. (eg. cd ~/Downloads/ )
3. Extract the script: unzip linux_installer.zip
4. Run the script: sudo ./Linux_Installer.sh
5. Recommended: restart your system, or, at a minimum, your web browsers

External Networks

External Networks are used to assist with remote device authentication. This list is managed by Compass and generally should not be edited. If you know of a new network that should be listed, please submit a support ticket to Compass (support@compassfoundation.io) to have the new External Network entry added to all DrawBridges.

DrawBridge Agent Reference

Overview

The DrawBridge Agent positively identifies and links the device it is installed on to a Local Device record in the DrawBridge. At initial install time, it will attempt auto-registration based on the device Hostname. Once the initial registration has occurred, further authentication events identify the device to the DrawBridge using the registered Canonical ID (CID).
The DrawBridge Agent enables you to implement filter policies that follow a User around on your network, no matter what Device they are using, provided that the Windows User Name of the Person is known to the DrawBridge and matches a Person record present on the DrawBridge.

While this Agent was developed primarily for companies with a Windows Active Directory server, it will also function on any local network that is protected by an onsite Drawbridge. Note that only Local Devices are supported (not Remote Devices, which presumably will be managed by a separate MDM [Mobile Device Management] service).

Notes regarding Active Directory Authentication Integration

See Accounts: Authentication Integration for more information on Active Directory server setup.

After initial Active Directory (AD) sync configuration, People records and Group associations can be exclusively managed in the AD server, and the DrawBridge will automatically synchronize that information over.

The DrawBridge AD sync job automatically synchronizes over all Person and Directory Group records available in the AD infrastructure to the DrawBridge four times a day. (A manual sync can be triggered as well.)

Directory Groups are entities pulled from an AD/LDAP server. A Directory Group must be designated as a Proxy User Group in the DrawBridge to be able to assign it to a Device Group for an Access Policy to take effect on it. See documentation book How To Guides: Assign a Proxy User Group to an Access Policy for further information.

Prerequisite Network Configuration

draw.bridge must resolve to the local DrawBridge IP address on the local network. If the DrawBridge is not the DNS server, go to the network DNS server and create a new Forward Lookup Zone and create a new A record for draw.bridge to resolve it properly.

Agent Software Installation

Download the latest version of the Drawbridge Agent installer from https://www.compassfoundation.io/drawbridge_agent/releases/drawbridge_agent.exe .
Run the installer to install the Drawbridge Agent. By default it will be installed into the C:\Program Files (x86)\Compass Foundation\DrawBridge Agent folder. After a successful installation you should see an icon in the system tray.

It is also possible to run the installer silently with the following syntax.

DrawbridgeAgentInstallerX.X.Xexe /exenoui /qn

A prerequisite to running the Agent is that the .NET Desktop Runtime 6.0 or higher needs to be installed. The Drawbridge Agent installer will prompt the user to do this if it isn't already installed. In the case of a silent install, this will happen automatically if needed. Alternatively, the runtime can be manually downloaded and installed from Microsoft's Download Page.

Operation

After installation the user can click on the icon in the system tray. The Agent will first attempt to register with the Drawbridge by matching the device hostname with the hostname of a Local Device record in the DrawBridge, and if that is successful, it will attempt to authenticate with the Drawbridge. After this the Agent should automatically authenticate the currently logged in user at every Windows logon or unlock event. There will be toast messages shown to verify this, unless notifications are not turned on.

It is possible for the user to request a manual authentication with the Drawbridge. This is done either by left clicking on the icon in the system tray, or by right clicking and selecting Authenticate User.

Hovering over the icon in the system tray will show the currently logged in Windows user name.

Selecting the About Version option from the right click context menu will show contact and version information.

Selecting the More Info option from the right click context menu will open a dialog with some additional info that may be useful for debugging. Clicking on the hyperlink in the details page will open up the console page for the local device that is currently being used. (#1 in screenshot).
The console user that is currently associated with this device is shown at #2. This Active User can also be clicked on to open the console page for the user.

Selecting the Check for Updates option from the right click context menu will check to see whether there are any newer versions of the Agent available. If there are, the user can choose to update the Agent.

Details

After installation, when the user locks and unlocks the computer, or manually clicks on the icon in the system tray, the Drawbridge Agent will attempt to register the computer with the Drawbridge. If the registration is successful, the computer will be permanently linked to its associated local device in the console. This is a one time operation and will not be done again unless the user uninstalls and reinstalls the Agent.

After the initial registration, or after any subsequent user logon, the Agent will then proceed to try to authenticate the current Windows user and link the Windows user to a console user. There will be a toast message displayed that shows the outcome of this authentication attempt.

If for some reason a user is not able to register a computer with the Drawbridge, he should perform a Repair of the Agent by typing appwiz.cpl into the Windows start menu, then right clicking on the Drawbridge Agent item and selecting Uninstall/Change. This will then open another dialog where the user can confirm the repair.

When a user uninstalls the Agent, the Agent sends a request to the console to remove the association between the local device on the console and the user's computer. If this for some reason fails, the user will not be able to successfully reinstall and register the Agent with the console in the future. It is possible to manually reset this association by logging onto the console and selecting the option to Reset Drawbridge Agent as shown below.
Troubleshooting

Device Registration Failed - Unable to auto-register - partial match found

In this case the local device on the console did not have the clb.local suffix so the Agent could not find a complete match. Upon further investigation, the local device record also had two interfaces defined, one with a MAC and IP, the other with only a MAC. Removing the interface with only the MAC address, and reinitializing the registration process, fixed the problem. In summary, there will be an attempt made to match host names that only partially match local device names, but there will need to be a different definitive match found.

Check Agent logs for more details

The Agent records a log file in the C:\Program Files (x86)\Compass Foundation\DrawBridge Agent\ folder. The file name is Drawbridge Agent.log .

The DrawBridge Agent reports that device Registration failed

An important note: Randomized MAC addresses are not supported for the auto-creation of Local Device records in the DrawBridge. If you have an endpoint that is using a randomized MAC address, either turn off Randomized addresses, OR, if it's a Virtual Machine, for example, and that's not an option, manually create the Local Device record in the DrawBridge console and Make Sure the Hostname field matches the actual Device hostname exactly. Then, when the DrawBridge Agent does the "tap" authentication operation, it will match up with the Local Device record based on the hostname.

Resolution: Search the Local Device list Interface column for the IP address of the device that's failing to register. Take note of the Auto-Hostname field and compare it to the actual Device hostname. These two must match for the registration to be successful.
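The registration failures above (suffix-only hostname match, an interface with a MAC but no IP, a randomized MAC) can be checked before the Agent is rolled out. The following is an added example, not DrawBridge code: the record layout is hypothetical because this page does not document an export format, and all sample values are constructed.

```python
# Added example: pre-flight check for the registration failures described above.
# The record layout is hypothetical and every sample value is constructed.

def is_locally_administered(mac):
    """True when bit 1 of the first octet is set. Randomized/private MAC
    addresses set this bit, as do some hypervisor-assigned addresses."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def hostname_match(endpoint_name, record_name):
    """Return 'exact', 'partial' (same short name, differing DNS suffix) or 'none'."""
    a, b = endpoint_name.strip().lower(), record_name.strip().lower()
    if a == b:
        return "exact"
    if a.split(".")[0] == b.split(".")[0]:
        return "partial"
    return "none"


def registration_findings(endpoint, records):
    """Return a list of (code, detail) tuples for one endpoint.

    endpoint: {"hostname": str, "mac": str}
    records:  [{"hostname": str, "interfaces": [{"mac": str, "ip": str or None}]}]
    """
    findings = []
    if is_locally_administered(endpoint["mac"]):
        # Auto-creation of a Local Device record is not supported in this case.
        findings.append(("randomized-mac", endpoint["mac"]))

    graded = [(hostname_match(endpoint["hostname"], r["hostname"]), r) for r in records]
    exact = [r for kind, r in graded if kind == "exact"]
    partial = [r for kind, r in graded if kind == "partial"]
    if not exact:
        if partial:
            # The clb.local case: the record lacks (or has a different) suffix.
            findings.append(("partial-hostname", [r["hostname"] for r in partial]))
        else:
            findings.append(("no-hostname-match", endpoint["hostname"]))

    for record in exact + partial:
        for iface in record["interfaces"]:
            if iface.get("mac") and not iface.get("ip"):
                findings.append(("mac-only-interface",
                                 f"{record['hostname']} {iface['mac']}"))
    return findings


# Constructed sample reproducing the troubleshooting case on this page.
SAMPLE_ENDPOINT = {"hostname": "wh-pc-07.clb.local", "mac": "3C:52:82:1A:2B:3C"}
SAMPLE_RECORDS = [{
    "hostname": "wh-pc-07",  # suffix missing on the console record
    "interfaces": [
        {"mac": "3C:52:82:1A:2B:3C", "ip": "10.0.0.57"},
        {"mac": "3C:52:82:1A:2B:3D", "ip": None},  # MAC only
    ],
}]

if __name__ == "__main__":
    for code, detail in registration_findings(SAMPLE_ENDPOINT, SAMPLE_RECORDS):
        print(code, detail)
```

An empty result means the hostname matches a record exactly and none of the listed conditions were found; it does not prove that registration will succeed.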
The DrawBridge Agent local device Registration fails after domain-joining the device

If the DrawBridge Agent is deployed on a Local Device that is then joined to an AD domain at some future point, the Canonical ID for that Local Device record will then be in conflict because of the ID pulled from the Active Directory database.

Resolution: Delete the existing Local Device record; the correct Local Device record should be automatically generated at next sync.

Miscellaneous Tech Notes regarding AD Sync:
- AD Sync happens automatically 4 times a day, and can also be manually triggered.
- Both plain-text sync and encrypted sync are available. Encryption is strongly recommended: use port 636 to default to LDAPS.

Usage Example

Tommy is a user in an AD database. He's assigned to the Warehouse AD Directory Group. The Drawbridge has synced over both Tommy the person as well as the Warehouse AD Directory Group, AND Tommy's membership in the Warehouse AD Directory Group. An Access Policy assigned to the Warehouse Device Group (of which the Warehouse AD Directory Group is a Proxy Users Group member) only allows access to Shipping and related business categories.

Then Tommy gets promoted as a manager to the Strategic Warehouse Development & Improvements Team. The network admin adds Tommy to the Managers AD Directory Group. The DrawBridge also knows about the Managers AD Directory Group, and a policy already configured for that group allows access to additional categories for research purposes. When the network admin adds Tommy to the Managers AD Directory Group, the DrawBridge synchronizes that information over, and Tommy automatically gets the increased content filter access without anyone needing to touch filter settings in the DrawBridge.

Content Filter

Overview and Essentials

As of November 2023, the Network Access module has been renamed to Content Filter.

Create and manage rulesets to control the web content access of Local and Remote Devices.

Important Notes:

1. About changing default Category Allow/Block settings

The DrawBridge comes with a preset Action for each included Category. When you assign an Action (Allow/Block) to a Category, you're simply applying a change that gets higher priority than the default setting.

This means: You don't need to re-specify your Action preference for every built-in Category -- you only need to include the Categories in your Access Policy that you wish to assign a different action to than is default.

For example: built-in Category Sports is set to a default action of Block.
- If Block is the action you prefer, you do not need to add it to an Access Policy (e.g. Company Preferences) with an action of Block -- the default setting is already doing this.
- If Allow is the action you prefer, then you do need to add it to an Access Policy (e.g. Company Preferences) with an action of Allow to override the default action.

In the event a custom Access Policy is removed, the filter will revert to the default Action for that Category.

2. Default Category settings are Business-focused

The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you will want to set more categories to Allow in your Company Preferences Access Policy, or in a custom Access Policy.

Categories, Category Types, and Actions

Categories contain Patterns:
- Pattern: a text string representing a domain or regular expression.

Categories can be one of two types:
- Classifier category
- ACL (Access Control List) category

Actions that can be assigned to a category, by type:
- Classifier category: Allow, Block, Ignore
- ACL category:
  - Whitelist (allow in spite of Classifier score, above)
  - Blacklist (block in spite of Classifier score, above)
  - Blanketblock (block all requests Not matching these patterns)

Understanding Classifier categories

Classifier category patterns consist primarily of word and phrase lists (and also domains).
The Redwood filter engine evaluates HTTP/S requests and responses and totals up a score for all categories with matching patterns. Then Redwood applies the action (Allow/Block) assigned to the top-scoring category.

Built-in Category patterns are managed by Compass Foundation. If you have improvements you wish to have considered for inclusion in the Built-in Categories, please send a detailed email to support@compassfoundation.io.

Understanding ACL actions & categories

Background

The Redwood filter engine analyzes all the components of a URL, including:
- Schema
- Top-level Domain (TLD), Domain, and Subdomains
- Path
- Query String

Also, Redwood analyzes additional parameters of the HTTP request:
- Method
- Content Type
- User Agent
- Referrer
- and more

Illustrated:

In general, an ACL leverages one or more of these parameters to "tag" a specific action to a request, despite the Category score assigned to the request by the Classifier. (In other words, this prevents an "arms-race" situation wherein competing actions are assigned by various Classifier categories; an ACL action will always take effect when the parameters match, no matter what the Classifier score and associated Category Action is.)

Note: for an ACL action to fire, the request must meet the minimum threshold score of 200 points. At that point, the action assigned by the ACL to the request is "authoritative", again, no matter the Classifier score.
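The decision flow described so far (default Actions overridden by an Access Policy, the top-scoring Classifier category deciding, Ignore deferring to the next category, and ACL actions being authoritative once the 200-point threshold is met) can be modelled in a few lines. This is an added, simplified model and not Redwood or DrawBridge code; the default actions other than Sports, the order in which ACL types are evaluated, and all scores are assumptions made for the example.

```python
# Added example: simplified model of the filter decision flow on this page.
# Not Redwood/DrawBridge code. Scores and most defaults are constructed.

ACL_MIN_SCORE = 200  # minimum score for an ACL action to fire (from the page)

# Constructed built-in defaults. Only "Sports -> block" is stated on the page.
DEFAULT_ACTIONS = {
    "Sports": "block",
    "Racing": "block",
    "Automotive": "allow",
    "Hunting and Fishing": "block",
}


def effective_action(category, overrides, defaults=DEFAULT_ACTIONS):
    """An Access Policy entry outranks the built-in default for a Category.
    Removing the entry makes the default apply again."""
    return overrides.get(category, defaults[category])


def classifier_decision(scores, overrides, defaults=DEFAULT_ACTIONS):
    """Apply the action of the top-scoring Classifier category.
    'ignore' hands the decision to the next-highest-scoring category."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    for category, _score in ranked:
        action = effective_action(category, overrides, defaults)
        if action != "ignore":
            return action, category
    # The page does not say what happens when no category is left to decide.
    return "undecided", None


def decide(scores, overrides, acl_hits=None, blanketblock_on=False):
    """Return (action, reason) for one request.

    scores:          {classifier_category: score} for this request
    acl_hits:        {acl_category: (acl_action, score)} for matched ACL patterns
    blanketblock_on: True when the policy contains a blanketblock category
    """
    acl_hits = acl_hits or {}
    # Only ACL matches at or above the threshold fire at all.
    fired = {name: action for name, (action, score) in acl_hits.items()
             if score >= ACL_MIN_SCORE}

    verdicts = {a for a in fired.values() if a in ("whitelist", "blacklist")}
    if len(verdicts) == 2:
        # Competing ACL actions: the page calls the outcome arbitrary, so the
        # model reports the misconfiguration instead of picking a winner.
        names = sorted(n for n, a in fired.items() if a in verdicts)
        return "conflict", names
    if "blacklist" in verdicts:
        return "block", "ACL blacklist"
    if "whitelist" in verdicts:
        return "allow", "ACL whitelist"

    # Assumption: blanketblock is evaluated after whitelist/blacklist.
    if blanketblock_on and "blanketblock" not in fired.values():
        return "block", "blanketblock: no pattern matched"

    return classifier_decision(scores, overrides)


if __name__ == "__main__":
    # Racing set to ignore: the next-highest category decides.
    print(decide({"Racing": 800, "Automotive": 600}, {"Racing": "ignore"}))
    print(decide({"Racing": 800, "Sports": 600}, {"Racing": "ignore"}))
    # An ACL blacklist match wins over an allowed Classifier category.
    print(decide({"Automotive": 900}, {}, {"Always Block": ("blacklist", 1500)}))
```

Running the same request through `decide` with and without an ACL entry is a quick way to reason about why a page was blocked before changing a policy.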
Redwood ACL Actions

Action -- About
allow -- permit the request
block -- deny the request
ignore -- do not factor in the score assigned by this category
censor_words -- strip out profanity
disable_proxy_headers -- strip out the X-FORWARDED-FOR header
hash_image -- generate a mathematical hash of this picture
phrase_scan -- evaluate content for matching word phrases
require_auth -- force HTTP 407 proxy authentication response/challenge
sslbump -- intercept the SSL/TLS encrypted session
sslbypass -- do Not intercept the SSL/TLS encrypted session
virus_scan -- hand off response to external analysis engine

For example, ACLs managed behind-the-scenes of the DrawBridge instruct Redwood to fire the SSL/TLS-inspection action on all requests (or not, in the case of SSLbypass/"Bypass Filter").

ACL Categories in the Console

Categories of the type ACL enable you to leverage the "authoritative" nature of ACLs in your filter configuration.

In general, it is recommended to configure the desired content filter behavior by assigning Allow or Block to the built-in Classifier categories -- leveraging the "intelligence" built into these categories is a much less maintenance-intensive route to content control.

However, perhaps you want to Always assign a specific action (e.g. Block) to a specific website. ACL categories are your friend in such a case: by adding a domain to an ACL category with a Block action assigned, the website will always block, even if the action assigned to the Classifier category is Allow.

The preset Always Allow and Always Block options in the Access Policy Dashboard put the domains in an ACL category that has the corresponding action assigned to it. These apply Company-wide.

Note: the default score assigned to all ACL category patterns is "1500".
Adjusting this number will have no impact on the outcome of the action taken for that pattern, so long as the number is over the minimum score threshold of 200 -- the key detail here is that the pattern is part of an ACL category, so the action assigned to the ACL category is what will happen.

Advanced ACLs in the Console

Advanced ACLs simply expose many more "knobs" to apply a specific action with more granularity. Perhaps, for example, you want to only sslbypass a specific website for a specific Device Group. Advanced ACLs give you the toolset to configure that.

Filter Actions FAQ

Q: What happens if I put a domain in both Always Allow and Always Block? Or what if I put a domain in two different ACL categories with competing actions assigned?

A: Don't do that. :) In such a case, the outcome will be arbitrary. Decide what action you really want to have happen and adjust the policy accordingly.

What is an Access Policy?

An Access Policy is the grouping of Devices, Actions, Times, (and, optionally, Applications) to create a customized DrawBridge content filter configuration.

This diagram illustrates:

The Drawbridge supports the "stacking" or "layering" of Access Policies, enabling you to tailor the content filter experience for your users.

Access Policies by Type/Scope

Tenancy Type -- Ruleset Scope
Company Access Policy -- one Company
Access Policy Group -- one Accountability Policy; available to apply to member Companies
Universal Access Policy Group -- globally available to all DrawBridges
System Access Policy -- a specific DrawBridge; applies to all tenant Companies on that system

What is a Rating?

The DrawBridge classifies text into categories. But what is the tone of these categories? And what values do they represent? A Rating system should help answer that question, as well as offer visual clues for the report reader. But what kind of rating system?
Unlike other filter projects, the DrawBridge does not rate content by who it's appropriate for - as in Everyone / Teens / Adults - but somewhat more like where it is appropriate. The rating names are drawn from the concept of particulate filtering - how fine or coarse is the filter mesh that would permit the content to traverse it. A key assumption here is that the Internet is most frequently being used in a workplace environment, facilitating the everyday tasks of research, transactions, and commerce.

Usage reports are colorized according to the Category Ratings of the content that was accessed.

Misc Rating

The Misc Rating is used when no category of interest could be found. Perhaps the request incident was not text-based, or perhaps a category needs to be extended or created for this type of situation.

Base Rating

The Base Rating is the most general grade, including categories like Search Engines or Technology Services. Any more specific category and rating would be preferred. For example, it's great to know that a body of text is about Search Engines, but it's better to know what is being searched for.

Silt Rating

The Silt Rating is expected usage in the workplace environment. While not every workplace will commonly access every category in the Silt Rating, any given user in the business environment will periodically need most categories found here. It is recommended that all categories in the Silt Rating be "allowed" in the workplace, although policies can be created to limit access to given devices.

Sand Rating

The Sand Rating will still be frequently used in the workplace environment, although the industry type will very much determine how much categories in the Sand Rating are accessed. Categories in the Sand Rating can be "allowed" or "blocked" per the business owner's preferences or the preferences established by the Accountability Policy.
Pebble Rating

The Pebble Rating contains categories that generally fall outside the workplace, while remaining universally pertinent to other areas of life, such as Medical, News, Clothing, etc. Categories in the Pebble Rating can be "allowed" or "blocked" per the business owner's preferences or the preferences established by the Accountability Policy.

Stone Rating

The Stone Rating contains categories that are increasingly beyond the scope of any type of workplace, reaching more into popular culture and society at large. Categories in the Stone Rating will typically be blocked by most business owners and school administrators.

Rock Rating

The Rock Rating contains categories that tend to represent the rougher edges of popular culture and general society. Categories in the Rock Rating will typically be blocked by all business owners and school administrators.

Boulder Rating

The Boulder Rating contains categories that represent the "redlight" district of the Internet. These categories cannot be enabled in the Redwood Console even by administrators. Categories in the Boulder Rating are always blocked, and cannot be allowed in the DrawBridge.

Actions for Classifier categories

Action -- When this category is the top-scoring one on a web request:
allow -- web request content loads as expected
block -- web request is served a block page instead of the original destination webpage
ignore -- web request action referred to next-to-top scoring category

When to use the ignore Action

In most situations, the category action should be allow or block, but in some situations the next-to-top scoring category is more meaningful. For example, an automotive shop may perform work that overlaps with the Racing category. If Racing is set to block, the shop's activities will be hampered. If Racing is set to allow, then access may be wider than desired. Solution - set Racing to ignore.
If the next-to-top-scoring category is Automotive, the page will be allowed, and if it's Sports, the page will be blocked as Sports.

Filter processing flowchart: Category Filtering

Actions for ACL categories

Action -- About
whitelist -- A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. Use with caution!
blacklist -- A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Block, in spite of the content scores.
blanketblock -- A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply regular category-based filtering and block access to all other sites not specified in the blanketblock category (or a linked category)

See below for more information:

Whitelist

A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. Use with caution!

Filter processing flowchart:

Blacklist

A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Block, in spite of the content scores.

Filter processing flowchart:

Blanketblock

A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply regular category-based filtering and block access to all other sites not specified in the blanketblock category (or a linked category)

Filter processing flowchart:

Web Page Access

Access Policies are grouped by Tenancy type:
- Company
- Policy Group
- Universal
- Appliance/System

See Essential Concepts: Record Model - Tenancy and Hierarchy for more information.

Click the type of Access Policy for a list view of that type. In the list view, view a specific Access Policy by clicking on the Name of the policy. This will display the Record view for its type, detailed below.
Company Access Policy record

Attribute -- About
Company -- the associated Company
Policy -- the associated Accountability Policy (If there is none, this field will not appear)
Status -- this record is Active or Inactive
Canonical ID -- the global unique identifier for this Access Policy; used for synchronization
Company Policy Dashboard [link] -- jump to the Access Policy Dashboard of the associated Company (above)
Type -- the tenancy type of the Access Policy
Hits Today -- a counter of how many times web traffic has triggered this policy today on this DrawBridge
Device Group -- the associated Device Group: who the Access Policy is applied to
Action Group -- the associated Action Group: what the Access Policy is enforcing
Time Group -- the associated Time Group: when the Access Policy is effective. Optional: if no Time Group is configured, the Access Policy applies all the time.
Application Group -- the associated Application Group: which application traffic the Access Policy acts upon. Optional: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

Record menu header buttons:

Action items in the upper right corner of the Access Policy record page:
- Create Access Policy with the + button
- Update Company Access Policy with the pencil Edit button -- make changes to this access policy.
- Delete Company Access Policy with the trashcan Delete button -- delete this access policy
- "Hamburger Menu"
  - Record Activity Stream: view the changelog for this Access Policy record
- Bookmark the page with the ribbon Bookmark icon
- Trigger Sync actions with items in the chain-link sync icon menu

Informational Tabs

Devices: List view of the member devices in the associated Device Group

Categories: List view of the Categories contained in the associated Action Group.
- Add an additional Category to the Action Group with the Add Category Action Pair button, or add multiple Categories at once with the Bulk Assign Categories button.
- Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil Update Record button on the specific Category line desired.
- Remove a Category from the Action Group with the trashcan Delete button. Note: removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action.

Times: List view of the Time Range(s) from the associated Time Group when this Policy is effective. Note: this tab only displays if a Time Group is assigned to the Policy.
- Add a Time Range with the Add Time Range button.
- Edit a Time Range with the pencil Update Record button on the time range line in focus
- Delete a Time Range with the trashcan Delete Record button on the time range line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.

ACL Actions: Special access control list actions that are assigned to this access policy.
- Add an ACL action with the Add ACL Action button
- Edit an ACL Action with the pencil Update Record button on the ACL Action line in focus
- Delete an ACL action with the trashcan Delete Record button on the ACL Action line in focus

Permissions: The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy. See the Permissions and Relationships in Essential Concepts for more information.
Access Policy Group record

Attribute -- About
Policy -- the associated Accountability Policy (If there is none, this field will not appear)
Status -- this record is Active or Inactive
Canonical ID -- the global unique identifier for this Access Policy; used for synchronization
Type -- the tenancy type of the Access Policy
Hits Today -- a counter of how many times web traffic has triggered this policy on this DrawBridge
Device Group -- the associated Device Group: who the Access Policy is applied to
Action Group -- the associated Action Group: what the Access Policy is enforcing
Time Group -- the associated Time Group: when the Access Policy is effective. Optional: if no Time Group is configured, the Access Policy applies all the time.
Application Group -- the associated Application Group: which application traffic the Access Policy acts upon. Optional: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

Record menu header buttons:
- Create Access Policy with the + button
- Update Access Policy Group with the pencil Edit button -- make changes to this access policy.
- Delete Access Policy Group with the trashcan Delete button -- delete this access policy
- "Hamburger Menu"
  - Add Device Group: assign an additional Device Group to this Access Policy Group
  - Record Activity Stream: view the changelog for this Access Policy record
- Bookmark the page with the ribbon Bookmark icon
- Trigger Sync actions with items in the chain-link sync icon menu

Informational Tabs

Device Groups: List view of the member device groups in the associated Device Group collection.

Categories: List view of the Categories contained in the associated Action Group.
- Add an additional Category to the Action Group with the Add Category Action Pair button, or add multiple Categories at once with the Bulk Assign Categories button.
- Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil Update Record button on the specific Category line desired.
- Remove a Category from the Action Group with the trashcan Delete button. Note: removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action.

Times: List view of the Time Range(s) from the associated Time Group when this Policy is effective. Note: this tab only displays if a Time Group is assigned to the Policy.
- Add a Time Range with the Add Time Range button.
- Edit a Time Range with the pencil Update Record button on the time range line in focus
- Delete a Time Range with the trashcan Delete Record button on the time range line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.

ACL Actions: Special access control list actions that are assigned to this access policy.
- Add an ACL action with the Add ACL Action button
- Edit an ACL Action with the pencil Update Record button on the ACL Action line in focus
- Delete an ACL action with the trashcan Delete Record button on the ACL Action line in focus

Permissions: The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy. See the Permissions and Relationships in Essential Concepts for more information.
Universal Access Policy Group record

Attribute -- About
Status -- this record is Active or Inactive
Tenancy -- displays tenancy; this record is Universal
Canonical ID -- the global unique identifier for this Access Policy; used for synchronization
Type -- the tenancy type of the Access Policy
Hits Today -- a counter of how many times web traffic has triggered this policy on this DrawBridge
Device Group -- the associated Device Group: who the Access Policy is applied to
Action Group -- the associated Action Group: what the Access Policy is enforcing
Time Group -- the associated Time Group: when the Access Policy is effective. Optional: if no Time Group is configured, the Access Policy applies all the time.
Application Group -- the associated Application Group: which application traffic the Access Policy acts upon. Optional: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

Record menu header buttons:
- Create Access Policy with the + button
- Update Universal Access Policy with the pencil Edit button -- make changes to this access policy.
- Delete Universal Access Policy with the trashcan Delete button -- delete this access policy
- "Hamburger Menu"
  - Add Device Group: assign an additional Device Group to this Access Policy Group
  - Record Activity Stream: view the changelog for this Access Policy record
- Bookmark the page with the ribbon Bookmark icon
- Trigger Sync actions with items in the chain-link sync icon menu

Informational Tabs

Device Groups: List view of the member device groups in the associated Device Group collection.

Categories: List view of the Categories contained in the associated Action Group.
- Add an additional Category to the Action Group with the Add Category Action Pair button, or add multiple Categories at once with the Bulk Assign Categories button.
- Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil Update Record button on the specific Category line desired.
- Remove a Category from the Action Group with the trashcan Delete button. Note: removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action.

Apps: List view of the apps in the associated Application Group. Note: this tab only displays if an Application Group is assigned to the Policy.
- Add an Application with the Add Application button.
- Edit an Application with the pencil Update Record button on the application line in focus
- Delete an Application with the trashcan Delete Record button on the application line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Application to the Application Group, as well as the specified Applications.

Times: List view of the Time Range(s) from the associated Time Group when this Policy is effective. Note: this tab only displays if a Time Group is assigned to the Policy.
- Add a Time Range with the Add Time Range button.
- Edit a Time Range with the pencil Update Record button on the time range line in focus
- Delete a Time Range with the trashcan Delete Record button on the time range line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.

ACL Actions: Special access control list actions that are assigned to this access policy.
- Add an ACL action with the Add ACL Action button
- Edit an ACL Action with the pencil Update Record button on the ACL Action line in focus
- Delete an ACL action with the trashcan Delete Record button on the ACL Action line in focus

Permissions: The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy. See the Permissions and Relationships in Essential Concepts for more information.

System Access Policy record

Attribute -- About
Company -- the associated Company; this will be the Main Company on the DrawBridge
Status -- this record is Active or Inactive
Tenancy -- displays tenancy; this record is Universal
Canonical ID -- the global unique identifier for this Access Policy; used for synchronization
Type -- the tenancy type of the Access Policy
Hits Today -- a counter of how many times web traffic has triggered this policy on this DrawBridge
Device Group -- the associated Device Group: who the Access Policy is applied to
Action Group -- the associated Action Group: what the Access Policy is enforcing
Time Group -- the associated Time Group: when the Access Policy is effective. Optional: if no Time Group is configured, the Access Policy applies all the time.
Application Group -- the associated Application Group: which application traffic the Access Policy acts upon. Optional: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.

Record menu header buttons:
- Create Access Policy with the + button
- Update System Access Policy with the pencil Edit button -- make changes to this access policy.
- Delete System Access Policy with the trashcan Delete button -- delete this access policy
- "Hamburger Menu"
  - Add Device Group: assign an additional Device Group to this Access Policy Group
  - Record Activity Stream: view the changelog for this Access Policy record
- Bookmark the page with the ribbon Bookmark icon
- Trigger Sync actions with items in the chain-link sync icon menu

Informational Tabs

Device Groups: List view of the member device groups in the associated Device Group collection.

Categories: List view of the Categories contained in the associated Action Group.
- Add an additional Category to the Action Group with the Add Category Action Pair button, or add multiple Categories at once with the Bulk Assign Categories button.
- Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil Update Record button on the specific Category line desired.
- Remove a Category from the Action Group with the trashcan Delete button. Note: removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action.

Apps: List view of the apps in the associated Application Group. Note: this tab only displays if an Application Group is assigned to the Policy.
- Add an Application with the Add Application button.
- Edit an Application with the pencil Update Record button on the application line in focus
- Delete an Application with the trashcan Delete Record button on the application line in focus
- The Record Activity Stream button on each line provides an audit history log of changes to the association of this Application to the Application Group, as well as the specified Applications.
Times: List view of the Time Range(s) from the associated Time Group when this Policy is effective. Note: this tab only displays if a Time Group is assigned to the Policy. Add a Time Range with the Add Time Range button. Edit a Time Range with the pencil Update Record button on the time range line in focus Delete a Time Range with the trashcan Delete Record button on the time range line in focus The Record Activity Stream button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times. ACL Actions: Special access control list actions that are assigned to this access policy. Add an ACL action with the Add ACL Action button Edit an ACL Action with the pencil Update Record button on the ACL Action line in focus Delete an ACL action with the trashcan Delete Record button on the ACL Action line in focus Permissions: The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy. See the Permissions and Relationships in Essential Concepts for more information. App Stores Allow access to platform App stores Access to operating system app stores is blocked by default because they cannot be internally content-filtered. Quick-access wizards to add Device Groups to preconfigured App Store Access Policy Groups, by platform: Apple (iPhoneOS/iPadOS/MacOS) Google Play (Vision phones, Android up to and including version 6, ChromeOS, Chrome Browser Extensions) Windows (Windows 8 and higher) Click the platform you wish to open. 
A wizard will open, prompting you for the following information: Parameter About Device Group select an existing Device Group for which you wish to open the Store Required select whether this configuration requires Accountability permissions to change Time length select the timeframe you wish this to apply Note about Android 7 and newer/ChromeOS Play Store access Android 7 and newer devices, as well as ChromeOS devices, may require bypassed access to all of google.com for the Play Store to work properly. Obviously, this suspends content filtering for all of Google. For this reason, there is a separate Access Policy Group to use: Android 7 and up AppStore -- Add the device group (for example alldevices ) to this Policy to enable the Play Store for these devices. Close access to the Store If you wish to Close the store access opened here, visit your Company Access Policy Dashboard and click the Actions menu on the relevant Access Policy line. Then click Details and Delete . Select Delete Everywhere to ensure it is turned off across your entire account (particularly if your account spans multiple DrawBridge systems). Important Notes As noted above, the Google Play Store needs to be opened to access the Chrome Extensions store on the Chrome Desktop browser (on all platforms). Because of backend services overlap, YouTube may begin working if the Google Play Store is enabled , even if the YouTube category is set to Block. Media Room The Media Room enables the classification of videos hosted on public video hosting websites, such as YouTube. For the Media Room to work, the YouTube and Vimeo category must be left at its default blocked setting on the access policy dashboard. * Manually setting the YouTube category to block will block the Media Room and setting the YouTube category to allow will bypass the Media Room. Videos The Videos module displays a list view of all the videos the DrawBridge has classified.
Click the title of a video in the list to view the video classification record. Video record view A video classification record has the following parameters: Parameter About Title The title of the video ID The unique hash identifier provided by the video platform (if available) Duration The length of the video Service The platform that is hosting the video Size The resolution of the video, expressed in a pixel ratio Channel The DrawBridge-classified Channel associated with the video, if any (see Channels, below) Category The top-scoring Category for this video, determined by the DrawBridge content classifier Rating The DrawBridge Classifier rating of the video, based on the top-scoring Category Record header buttons: Create a new video classification record with the blue + Create Video button Edit this video classification record with the green pencil Update Video button Delete this video classification record with the red trashcan Delete Video button Hamburger menu: Get Category review : jumps to a support ticket form to request classification by a human Video Views by User : jump to Reports: Media Views module References to this video : jump to Content Filter: Media Room: Pages Linking to Media Bookmark this record with the ribbon bookmark button Sync Menu (chain-link icon) Mark to Resync : flag this record in the background to be included in the next sync run Video Permissions Jump to the Permissions record that applies to this video (see Permissions section, below). Displays list views of people records with membership in the Media Admin and Media Viewer permission groups.
Informational tabs Details The Details panel contains: If the origin platform is supported: thumbnail of the video will be displayed with a Play button below it (if the video passed the classifier configuration to be allowed to play) The Description of the video, fetched from the platform hosting this video The Genre(s) of the video, determined by the DrawBridge classifier The Tags associated with the video, fetched from the platform hosting this video Classification A list view of any Category Classifications for this video Classify a new video Click the + button (Tooltip: Create Classified Media ) in the upper right corner of the list view (or use the same + button on a video record page) Enter the direct URL of the video you wish to classify. Note that it must be a direct link, not a URL-shortened link. For YouTube, the link should start as follows https://www.youtube.com/watch?v= + the unique hash of the video in question. Channels Displays a list view of media channels that should be automatically polled and classified. 
Click the title of a channel to view the Channel record page Channel Record view A channel record has the following parameters: Parameter About Source URL of the channel Title Title of the channel Last Updated Timestamp of the last check of the channel for new videos Category Classifier category assigned to the channel by a Media Room administrator Rating Classifier rating, based on the assigned Category, above Record header buttons: Add a new channel to be classified with the blue + Create Channel button Edit this channel record with the green pencil Update Channel button Delete this channel record with the red trashcan Delete Channel button Hamburger menu: Get Category review : jumps to a support ticket form to request classification by a human Channel Videos : jump to list view of the videos contained in this channel Channel Permissions : jump to a list view of the Permission Groups (with associated Company info) that may view/modify this Channel (see Permissions section, below) Bookmark this record with the ribbon bookmark button Sync Menu (chain-link icon) Sync Mode (default is 2 Way - Push / Pull from Server ); click record sync information Push to Sync Publisher : initiate a record update push from this DrawBridge to the Sync Server Pull from Sync Publisher : initiate a record update pull to this DrawBridge from the Sync Server Mark to Resync : flag this record in the background to be included in the next sync run Channel Videos Jump to a list view of all the videos in this channel that have been classified by the DrawBridge. Clicking an individual record will display a Video Record view, as described above. Channel Permissions Jump to the Company Channels permissions group list, which displays any Permission Group + associated Company information assigned to this channel. See Permissions, below.
Informational tabs Details The Details panel contains: The Description of this channel, fetched from the platform hosting this channel The Tags associated with this channel, fetched from the platform hosting this channel Classification A list view of any Category Classifications for this video Permissions Video Permissions Set the Permission Group in which Users must be members to view a specific video. (If a video is in a Channel, the Video Permission Group overrides the Channel Permission Group.) Displays a list view of Media records and the corresponding Permission Group assigned by the associated Company. Click a Media record link in this view to view a Video Permission record. Record View A Video permission record view contains the following parameters: Parameter About Media The title of the video to which this Video Permission record applies Company The Company associated with this Video Permission record Permission Group The associated, Company-assigned, minimum Permission Group required to view this video Video Permission Record header buttons: Add a new Video Permission Record with the blue + Create Video Permission button Edit this Video Permission Record with the green pencil Update Video Permission button Delete this Video Permission Record with the red trashcan Delete Video Permission button Bookmark this record with the ribbon bookmark button Sync Menu (chain-link icon) Create on Sync Publisher : push this record to the Sync server (only visible for newly-created records) Mark to Resync : flag this record in the background to be included in the next sync run Informational Tabs Viewers List views of Person records which are members in the following Permission Groups: Company Media Room Admin Group Media Viewer Group Channel Permissions Set the Permission Group in which Users must be members to view all videos in a specific Channel. 
Record View A Channel permission record view contains the following parameters: Parameter About Channel The title of the Channel to which this Channel Permission record applies Company The Company associated with this Channel Permission record Permission Group The associated, Company-assigned, minimum Permission Group required to view videos in this channel Channel Permission Record header buttons: Add a new Channel Permission Record with the blue + Create Channel Permission button Edit this Channel Permission Record with the green pencil Update Channel Permission button Delete this Channel Permission Record with the red trashcan Delete Channel Permission button Bookmark this record with the ribbon bookmark button Sync Menu (chain-link icon) Create on Sync Publisher : push this record to the Sync server (only visible for newly-created records) Mark to Resync : flag this record in the background to be included in the next sync run Informational Tabs Viewers List views of Person records which are members in the following Permission Groups: Company Media Room Admin Group Media Viewer Group FAQs: Q: Why does the title of a video just display _ ? A: The title of the video was not able to be acquired. The video may have been embedded as part of another webpage. Categories Categories are grouped by type and origin: Builtin Categories Console Categories ACL Categories Parent Categories Click one of the Category Types displayed in the DrawBridge, and refer to the relevant section below for further information. Builtin Categories Classifier categories provided by the Redwood project. Classifier categories contain both URL and phrase patterns, operating on both HTTP Request and Response. The patterns in Builtin Categories are managed by Compass and are not visible in the DrawBridge. A list view is provided of all the included Categories. Click an individual Category for more information.
Record View A Built-in Category contains the following parameters: Parameter About Parent The parent Category of this record; see Parent Categories, below Rating The Classifier Rating assigned to this Category. See Content Filter: Overview and Essentials Description Display Name of the category Status This record is Active or Inactive Tenancy Visibility in the DrawBridge ecosystem. See Essential Concepts: Record Model - Tenancy and Hierarchy Canonical ID The globally-unique identifier for this record Synchronized Indicates if this record is handled by Synchronization: Yes / No Type Displays the type of this record: Builtin / Console / ACL / Parent System-wide Action The default action assigned to this Category on this DrawBridge Block Invisibly Sets whether a Block page is returned (or not) when this Category is set to Block Record header buttons: Console Categories Locally managed Classifier categories created on the DrawBridge. Classifier categories contain both URL and phrase patterns, operating on both HTTP Request and Response. ACL Categories Locally managed ACL categories. ACL Categories only contain rules that match URLs, and therefore operate only on HTTP Requests. Parent Categories Parent Category list, grouping categories into genres. The only purpose of Parent Categories is to make it easier for people to navigate the category lists. Filter Configuration Configure various advanced components of the DrawBridge, including technical settings for the Redwood filter engine. ACLs and Auth Advanced ACL, Authentication, and Page Content Modification settings Advanced ACLs Advanced ACLs act on the network request (not the response). A list view is shown by default. Click the name of an ACL to view the individual ACL record. 
ACL Record View An ACL record contains the following parameters: Parameter Setting About Level Foundation , Standard , Override Defines the priority ruleset group of this rule Status Active or Inactive This record is available/functional Synchronized Yes or No This record is globally-available ( Yes ) or local-only ( No ). List views are shown for associated: Advanced ACL Patterns -- what triggers this ACL; rules to match traffic. Add a pattern with the Add button at the top of the list. Advanced ACL Actions -- what this ACL will do to matching traffic. Add an action with the Add button at the top of the list. Record header buttons: Add an Advanced ACL record with the blue + Create ACL button Edit an Advanced ACL record with the green pencil Update ACL button "Waterdrop" menu button: New ACL Pattern: Add a new ACL Pattern to this record New ACL Action: Add a new ACL Action to this record Bookmark this page with the ribbon Bookmark button Sync Menu (chain-link icon) Sync Mode (default is 2 Way - Push / Pull from Server ); click record sync information Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server Mark to Resync: flag this record in the background to be included in the next sync run Note that records which are built-in/included with the DrawBridge cannot be edited or deleted, therefore those buttons are not available for those record types. Also note that only relevant Sync Menu items are displayed, which means fewer options may be visible than mentioned here. Page Pruners Custom page pruning rules enable the selective removal of certain elements on a webpage. This is an advanced feature; it is assumed that you are familiar with CSS ( Cascading Style Sheets ). A list view is shown by default. Add a new Page Pruner rule with the blue + Create Page Pruners button in the upper right of the list view.
Record View A Page Pruner record contains the following: Parameter About Status Active or Inactive Canonical ID The globally-unique identifier for this record Page Pruner Selectors ruleset list: Add a rule to this Page Pruners record with the Add button at the top of the record ruleset list view. Page Pruner Record header buttons: Create a new Page Pruner record with the blue + Create Page Pruner Edit this Page Pruner record with the green pencil Update Page Pruner button Delete this Page Pruner record with the red trashcan Delete Page Pruner button Add a Pruner CSS Selector rule to this record with the blue scissors Add Pruner CSS Selector button Bookmark this page with the ribbon Bookmark button Sync Menu (chain-link icon) Create on Sync Publisher Sync Mode (default is 2 Way - Push / Pull from Server ); click record sync information Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server Mark to Resync: flag this record in the background to be included in the next sync run Note that only relevant Sync Menu items are displayed, which means fewer options may be visible than mentioned here. Proxy PAC rules A few important notes: PAC stands for Proxy Auto Config Proxy PAC rules apply to only Remote Devices Rules instruct the recipient operating system to bypass specific traffic from the DrawBridge proxy: in other words, don't redirect X traffic to the DrawBridge to be filtered. Rules specified here are included in the response to All valid Proxy PAC requests made to this DrawBridge; i.e. there is no tenancy for these records -- they are system-wide. PAC bypass rules do not have individual record pages. 
However, each entry has the following parameters: Parameter Options About Function dnsDomainIs or isInNet or shExpMatch Designate type of pattern: domain name, IP address, or regular expression Scope Host or URL Set whether the pattern is to match only on the domain name or a full URL string Pattern The actual data you want to match. For example, if you selected dnsDomainIs and Host , then you might enter example.com Subnet Subnet for address entered in Pattern when isInNet is selected (not used for other Functions) Rule line buttons: Edit a rule with the green pencil Update Record button on the relevant line Delete a rule with the red trashcan Delete Record button on the relevant line View the changelog with the blue Record Activity Stream button on the relevant line Redwood Config Advanced Redwood configuration file directives Filter Parameters Filter parameters are advanced, low-level configuration settings for the DrawBridge Redwood content classification engine. These settings are generally managed by Compass and should not be changed unless directed by Compass Foundation support staff. Directives Directives are additional advanced, low-level configuration settings for the DrawBridge Redwood content classification engine. These settings are generally managed by Compass and should not be changed unless directed by Compass Foundation support staff. Safe Search Safe Search is the enforcement of the Adult Content Blocking made available by various platforms, including YouTube, Bing, and Google. It is recommended that this generally stay enabled for the cleanest browsing experience. However, with SafeSearch enabled, YouTube livestreams will not be available. It is necessary to set the YouTube SafeSearch settings to Disabled to view livestreams on that platform. The burden for responsible use lies with the user in such cases. Safe Search settings are managed at a Company level via the Preferences application.
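Returning to the Proxy PAC bypass rules above: the sketch below is an added example, not DrawBridge code, that evaluates rules carrying the Function, Scope, Pattern and Subnet parameters and flags patterns that bypass more traffic than intended. The field names, proxy address, sample rules and rendered PAC layout are assumptions; it relies on `dnsDomainIs` being a plain suffix comparison (as in common browser implementations) and on `shExpMatch` taking shell-style wildcards.

```javascript
// Added example: evaluate and audit PAC bypass rules shaped like the console's
// Function / Scope / Pattern / Subnet parameters. Field names, the proxy
// address and the sample rules are constructed assumptions.
const PROXY = "PROXY drawbridge.example:3128"; // placeholder endpoint

// Stand-ins for the PAC helpers so rules can be exercised outside a browser.
function dnsDomainIs(host, domain) {
  return host.endsWith(domain); // plain string-suffix comparison
}

function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(s));
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Real PAC engines resolve hostnames first; this offline version only
// handles IPv4 literals and returns false for anything else.
function isInNet(host, net, mask) {
  const h = ipv4ToInt(host), n = ipv4ToInt(net), m = ipv4ToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Shell-style wildcards (* and ?), anchored at both ends.
function shExpMatch(str, glob) {
  const re = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ruleMatches(rule, url, host) {
  const subject = rule.scope === "URL" ? url : host;
  switch (rule.fn) {
    case "dnsDomainIs": return dnsDomainIs(subject, rule.pattern);
    case "isInNet": return isInNet(host, rule.pattern, rule.subnet);
    case "shExpMatch": return shExpMatch(subject, rule.pattern);
    default: return false;
  }
}

// A matching bypass rule sends the request DIRECT, i.e. unfiltered.
function findProxyForURL(rules, url, host) {
  return rules.some((r) => ruleMatches(r, url, host)) ? "DIRECT" : PROXY;
}

// Flag rules that exempt more traffic than their author probably meant.
function auditRules(rules) {
  const findings = [];
  rules.forEach((r, index) => {
    if (r.fn === "dnsDomainIs" && r.scope === "URL") {
      findings.push({ index, issue: "dnsDomainIs compares host suffixes; URL scope will not match as intended" });
    } else if (r.fn === "dnsDomainIs" && !r.pattern.startsWith(".")) {
      findings.push({ index, issue: "no leading dot: any host ending in '" + r.pattern + "' is bypassed" });
    }
    if (r.fn === "isInNet" && ipv4ToInt(r.subnet) === 0) {
      findings.push({ index, issue: "subnet 0.0.0.0 matches every IPv4 address" });
    }
    if (r.fn === "shExpMatch" && /^\*+$/.test(r.pattern)) {
      findings.push({ index, issue: "pattern matches everything" });
    } else if (r.fn === "shExpMatch" && r.scope === "Host" && /^\*[^.]/.test(r.pattern)) {
      findings.push({ index, issue: "leading * without a dot also matches look-alike hosts" });
    }
  });
  return findings;
}

// Render the rules as PAC text (assumed layout, for review before deployment).
function renderPac(rules) {
  const q = JSON.stringify;
  const lines = rules.map((r) => {
    const subject = r.scope === "URL" ? "url" : "host";
    const call = r.fn === "isInNet"
      ? `isInNet(host, ${q(r.pattern)}, ${q(r.subnet)})`
      : `${r.fn}(${subject}, ${q(r.pattern)})`;
    return `  if (${call}) return "DIRECT";`;
  });
  return ["function FindProxyForURL(url, host) {", ...lines, `  return ${q(PROXY)};`, "}"].join("\n");
}

// Constructed sample rules; rules 0 and 3 are deliberately too broad.
const SAMPLE_RULES = [
  { fn: "dnsDomainIs", scope: "Host", pattern: "example.com" },
  { fn: "dnsDomainIs", scope: "Host", pattern: ".backup.example.net" },
  { fn: "isInNet", scope: "Host", pattern: "10.0.0.0", subnet: "255.0.0.0" },
  { fn: "isInNet", scope: "Host", pattern: "192.0.2.0", subnet: "0.0.0.0" },
  { fn: "shExpMatch", scope: "URL", pattern: "https://updates.example.org/*" },
];
```

Running `auditRules` over a rule set before saving it shows which entries would send unintended hosts around the filter.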
See Essential Concepts: Preferences for further information. Troubleshooting Realtime Log Viewer View live filter traffic data on this DrawBridge, system-wide. Use requires System Owner or higher permission levels. Individual Remote device Realtime Logs may be viewed by the Company Owner permission-level by visiting the Remote Device record , and clicking View Realtime Log Lines in the record hamburger menu. Display Filters Userip applies to the Access Log and TLS Log only Pattern applies to any of the three logs Actions Allow , Block , Block Invisible , and SSLBump only apply to the Access Log Log Types Access Log: Live web traffic classification activity TLS Log: Live information on TLS sessions handled by the DrawBridge, including errors when the session establishment was not successful. Traffic that is SSLbypassed will not be visible here, because the DrawBridge is not intercepting and handling those sessions. Errors Log: Live errors and remote device authentication data Explaining the Filter Actions Filter Action About Allow The DrawBridge allowed the request after analysis Block The DrawBridge blocked the request after analysis, and served a block page Block Invisible The DrawBridge blocked the request after analysis, and served an invisible pixel (used primarily when blocking advertisements) SSLBump The DrawBridge intercepted the initiation of a TLS session and took over as Man-in-the-Middle. Note for troubleshooting: When diagnosing a strange connection issue with a particular website or service, be sure to toggle on the SSLBump display filter -- sometimes a web server will abandon a connection when the DrawBridge intercepts the session. In such cases, you'll see one or more sslbump loglines, but no subsequent allow or block lines as would typically be the case. If the service must work , then the best solution is to put the domain in the Bypass Filter policy for the Company in question.
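The troubleshooting pattern just described (sslbump loglines with no allow or block line after them) can be checked mechanically over exported log lines. This is an added example, not DrawBridge code; the four-field line layout, the action tokens and the 30-second window are constructed assumptions, not the product's actual log format.

```javascript
// Added example: find client/host pairs whose sslbump entries are never
// followed by a filter verdict. The "time userip action host" layout is a
// constructed simplification, not the DrawBridge's real log format.
const VERDICTS = new Set(["allow", "block", "block-invisible"]);

function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 4) return null; // skip blank or malformed lines
  const t = Date.parse(parts[0]);
  if (Number.isNaN(t)) return null;
  return { t, userip: parts[1], action: parts[2].toLowerCase(), host: parts[3].toLowerCase() };
}

function findStalledBumps(logText, windowMs = 30000) {
  const recs = logText.split("\n").map(parseLine).filter(Boolean).sort((a, b) => a.t - b.t);
  if (recs.length === 0) return [];
  const captureEnd = recs[recs.length - 1].t;

  // Group bump and verdict timestamps per client and host.
  const byKey = new Map();
  for (const r of recs) {
    const key = r.userip + " " + r.host;
    if (!byKey.has(key)) byKey.set(key, { bumps: [], verdicts: [] });
    const g = byKey.get(key);
    if (r.action === "sslbump") g.bumps.push(r.t);
    else if (VERDICTS.has(r.action)) g.verdicts.push(r.t);
  }

  const out = [];
  for (const [key, g] of byKey) {
    // Ignore bumps so close to the end of the capture that a verdict
    // may simply not have been logged yet.
    const settled = g.bumps.filter((b) => b + windowMs <= captureEnd);
    const stalled = settled.filter(
      (b) => !g.verdicts.some((v) => v >= b && v <= b + windowMs)
    );
    // Report only pairs where every settled bump went unanswered.
    if (settled.length > 0 && stalled.length === settled.length) {
      const [userip, host] = key.split(" ");
      out.push({ userip, host, stalledBumps: stalled.length });
    }
  }
  return out;
}

// Constructed sample capture.
const SAMPLE_LOG = `
2024-05-01T10:00:00Z 10.0.0.21 sslbump www.example.com
2024-05-01T10:00:01Z 10.0.0.21 allow www.example.com
2024-05-01T10:00:05Z 10.0.0.21 sslbump sync.example.net
2024-05-01T10:00:09Z 10.0.0.21 sslbump sync.example.net
2024-05-01T10:00:20Z 10.0.0.34 sslbump ads.example.org
2024-05-01T10:00:20Z 10.0.0.34 block-invisible ads.example.org
2024-05-01T10:00:40Z 10.0.0.21 sslbump sync.example.net
2024-05-01T10:01:10Z 10.0.0.34 allow www.example.com
2024-05-01T10:01:28Z 10.0.0.34 sslbump late.example.com
`;
```

Each reported pair is a candidate for review, not an automatic bypass: confirm the service is required before adding its domain to the Bypass Filter policy.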
Note that this does disable DrawBridge filtering on that domain, so use responsibly. System Update Regenerate Config Files Filter changes are normally saved to disk when clicking the Reload button in the banner in DrawBridge. Manually running this command should only be done when the filter behavior does not match current settings in DrawBridge, such as when output from the Realtime Log Viewer indicates that policy changes have not yet taken effect. Restart Redwood Filter adjustments take effect after clicking the Reload button in DrawBridge. Reloading the config files is significantly faster than restarting the filter process, and does not disrupt active network connections. Use this option if you've changed the Port number for a Remote Device record, or if there's a configuration setting that doesn't seem to match your expectations. Update Classifier Patterns Redwood receives periodic classification updates throughout the day to enhance accuracy in filtering and reporting. Click below to manually check for updates. Any available updates will automatically take effect. This command is useful only if your filter administrator requests that it be run. Content Scanners Antivirus Scanner Optional anti-virus file scanning. Contact Compass Foundation support to purchase this add-on. Reports Activity Viewers Live Drilldown Dive deep into logged activity data. Important Note: Data in Live Drilldown will have at least a 3 minute delay from actual occurrence. If you need realtime traffic information, use the Realtime Log Viewer, accessed as follows: Specific device: Select View Realtime Log Lines in the hamburger menu of a Remote Device record Entire system: Select Realtime Log Viewer under Content Filter / Troubleshooting Browse by Company View all the traffic of a particular Company. (Most value in multi-tenant use-cases.) Presents a list-view of all available Company records on the DrawBridge.
After selecting a Company, the user is presented with the Browse by Request Type ; see below for more information. Browse by Category View traffic statistics aggregated by Category. Manipulate the data view with the following Select fields: Timerange Company Category Rating Parent Category List view displays: Name of the Category Cumulative number of hits in the selected timerange Cumulative bandwidth in the selected timerange Browse by Request Type Note: Menu items (listed below), are basically automatic Traffic Type filters for the Browse by Loglines option, mentioned further below. Request Types menu: Page Views Media Views API Activity Application Files Erased Activity Shredded Activity Manipulate the data view with the following Select fields: Timerange Company Category Rating Parent Category List views display: Column About Domain Base domain of the request Device Origin username or IP address of the request Hits Counter: displays the number of times this request was made Bandwidth Total bandwidth consumed by this request Time Timestamp of this request Type Ads/Avatars/Cruft , API Calls , Audio/Video , General Files , Page Assets , Page Visuals , Programs/Applications , Web Page Category What the request was classified as Browse by Searches View search queries entered by users on popular search and ecommerce sites. 
Manipulate the data view with the following Select fields: Timerange Company Category Rating Parent Category List view displays: Column About Search term The search query entered by a user Device Origin username or IP address of the request Allow Counter of how many times the request triggered this action Block Counter of how many times the request triggered this action Domain Site the request occurred on Category Classification determined by the DrawBridge Search Activity within the specified timerange by: Search Term Device Domain Browse by Media Views View Media Classification requests for media hosted on popular video hosting platforms Manipulate the data view with the following Select fields: Timerange Company Category Rating List view displays: Column About Title Title of the video Service Platform hosting the video Hits Counter of how many times this request was performed Search the data within the specified timerange by: Name/Title Service/Hosting platform Browse by Page Titles View title information for all visited websites. (The title is what displays in a browser tab.) Manipulate the data view with the following Select fields: Timerange Company Rating Parent Category Category List view displays: Column About Title Title of the website Device Device making the request Domain Base domain of the request Category Classification of the request Search the data within the specified timerange by: Name/Title Device Domain Browse by Antivirus Hits Events logged by the optional Antivirus protection service Manipulate the data view with the following Select fields: Timerange Company List view displays: Column About Name Name of event Domain Domain of the request File Name of the file that was examined Hits Counter: number of times this file was requested Bandwidth Bandwidth consumed by this request Search the data within the specified timerange by: Name Browse by Applications View traffic that originated from Applications/programs (not necessarily browsers).
Manipulate the data view with the following Select fields: Timerange Company Application App Type List view displays: Column About Name Name of the Application Type Type of Application Hits Counter: Number of requests mapped to this Application Bandwidth Bandwidth consumed by this Application Time Estimated cumulative period of time this application generated requests Search the data within the specified timerange by: Name Browse by Domains View all traffic sorted by domain. Manipulate the data view with the following Select fields: Timerange Company Action Category Rating List view displays: Column About Domain Domain name of the request Device Origin of the request Hits Counter: number of times requested Bandwidth Bandwidth consumed by this domain Time Estimated cumulative period of time this domain was visited Type Ads/Avatars/Cruft , API Calls , Audio/Video , General Files , Page Assets , Page Visuals , Programs/Applications , Web Page Category Classification of the request Search the data within the specified timerange by: Name/Domain Device Browse by Loglines View all traffic logged and classified. Manipulate the data view with the following Select fields: Timerange Company Request Type Filter Action Category Rating Match data with the following free text fields: Devices domain Important: This view requires clicking the blue magnifying-glass Search button to apply filters to the data; it does not update "live" as the other views do. List view displays: Column About Date Timestamp of the logline Device Origin of the logline Action Filter action taken on the logline Method HTTP method of the logline Mimetype Type of request Length Size/Length of the HTTP response body Rating Classification rating of the logline Category Classification rating of the logline URL Exact URL of this logline; click for further details Record view Each logline entry has a Record view with more details that is accessed by clicking the URL displayed in the logline row. 
Technical data is displayed under the following headers: URL Details Application Details Filter Details Device Details Client Details Classification data is shown under the following headers: Rating Details Category Details Rule Details History Report History List of printable, regularly scheduled Usage Reports for past report periods. Displays a list view of all report file archives. Column About Report Name of the report Start Date Beginning of the timeperiod covered by the report Layout Data visualization preset used by the report Company Company associated with the report Filter the view with the following search/select fields: Name Timeframe Interval Company Record View Parameter About Sections Data Visualization preset(s) included in this report Schedule/Details Link: Name of the scheduled job that ran this report Report Type Alert/Notification or Usage Report Date Range Timeperiod covered by this report Generated on Timestamp of report creation Status Succeeded or Failed Time Taken Amount of time it took to crunch the data to generate this report Report Record Header buttons: Delete this report record with the red trashcan Delete Report Archive button Resend this report file with the green airplane Resend Report button Hamburger menu: Report Settings: Jumps to the corresponding Report Schedule record Scheduled/Active Reports Informational Tabs Report Files Presents a link to access the HTML report file Recipients Displays Current Recipients and Available Recipients in two lists. Move people from one list to the other one with the appropriate - or + buttons. Add a Company Recipient with the Add Company Recipient button: pops up a form window to add the recipient Note that available recipients are the contacts associated with the Company, and also any Accountability Contacts if the Company is associated with an Accountability Policy. Autofix History List of Autofixes and details for each incident. 
List View displays: Column About Date Date of the Autofix request User / IP Remote Device Username, Person (Active Directory), or IP address that requested the Autofix Domain The web link requested to be analyzed by Autofix Filter the view with the following search/select fields: Time Range Company Name View an individual Autofix Record by clicking the URL displayed in the Domain column. Autofix Record View Parameter About Date Timestamp of the request Expiration When the filter policy changes made by the AutoFix will revert to the original settings Block Details URL that was blocked Company Associated company of the User or Device that requested the Autofix Remote / Local Device Remote Device User, Person, or IP address which requested the Autofix Device User Associated Person record of the Remote Device, when applicable Comments Information entered by the person requesting the Autofix Blocking Category The Classification initially determined by the DrawBridge Score Score of the Blocking Category for this web request Tier Level1 , Level2 , or Level3 ; see Essential Concepts: Preferences for more information Explanation Observations of the Autofix reclassification operation Autofix Permitted Autofix is permitted (True) or not (False) for this category. See Essential Concepts: Preferences for more information Device Group Device Group membership of the Remote / Local Device requesting the Autofix Send for Human Review button: sends technical data of this event to Compass Foundation support staff for further analysis. Be sure to click Send for Human Review if the Autofix request was used to access content that was genuinely misclassified. Compass Foundation support staff will review the technical data sent over in the background and, if needed, release a permanent fix that benefits all DrawBridge users. Human Review List of blocked URLs submitted for Human Review. 
List View displays: Column About Date Date of the Human Review request User / IP Remote Device Username, Person (Active Directory), or IP address that requested the Human Review Domain The web link requested to be analyzed Filter the view with the following search/select fields: Time Range Company Name View an individual Human Review Record by clicking the URL displayed in the Domain column. Human Review Record View Parameter About Date Timestamp of the request URL URL that was blocked Company Associated company of the User or Device that requested the Human Review User The filter username, where applicable, that requested the Human Review Device User Associated Person record of the requesting Remote Device, when applicable Comments Information entered by the person requesting the Human Review Blocking Category The Classification determined by the DrawBridge Permitted by Preferences Preferences settings allow ( Yes ) Human Review requests for this Category or not ( No ) Score Score of the Blocking Category for this web request Submitted The Human Review request was sent ( Yes ) to Compass Foundation support or not ( No ) Autofixed Yes or No -- indicates whether the request was triggered from an Autofix request Device Group Device Group membership of the Remote / Local Device requesting the Autofix Report Settings Scheduled Reports List view of all scheduled report jobs. 
Filter the view with the following search/select fields: Interval Report (Type) Company List View displays: Column About Report Type of report that is scheduled Layout Data Visualization Template preset selected for the scheduled report Company Associated Company of the scheduled report View a Scheduled Report record by clicking the link in the Report column Scheduled Report Record view Parameter About Report Report type Company Associated Company of this schedule record Delivery Email report files, email report links, or save to DrawBridge only (no email) Recipients Groups of recipients Report Detail Combined - all usage in one file or Detailed - One File per User / IP Report Type Usage Report , Alert/Notification , DNS Firewall , or Access Policy Report Report Scope All Users/IPs in the Company or Manually Specified Users/IPs Scheduled Report record header menu: Add a scheduled report with the blue + Create Report button Edit this scheduled report with the green pencil Update Report button Delete this scheduled report with the red trashcan Delete Report button Bookmark this report with the blue ribbon Bookmark this Page button Hamburger menu: Report History: Jump to the report archives for this scheduled report Add New Schedule: Add an additional schedule line for this report Scheduled Reports: Jump to Scheduled Reports Inactive Reports: Jump to Inactive Reports Record Activity Stream: View the changelog for this scheduled report record Sync menu ( blue chain icon ) Create on Sync Publisher: Push this record to the Sync Server Informational Tabs Schedules: List view of scheduled runtime(s); Delete with the red trashcan Delete Report Schedule button Recipients: List views of Current Recipients and Available Recipients; Add Company Recipients and Add (Accountability) Policy Recipients with buttons of the same name. Remove recipients with the red - button available on each Current Recipient line.
Report Layouts List view of all available Report Layouts (preset data visualization templates) that can be applied to Scheduled Reports. Column About Name Name of the Layout Sections Preset data visualization sections included in the layout Company Associated Company, if applicable Policy Associated Accountability Policy, if applicable Report Layout record view Parameter About Builtin Layout This preset was included with the DrawBridge ( True ) or was user created ( False ) Type Usage Report , Alert/Notification , DNS Firewall , or Access Policy Report Report Sections List; preset data visualizations included in this layout (see below) Report Layout record header menu: Add a new report layout with the blue + Create Report Layout button Clone this report layout with the yellow Clone Report Layout button View changes to this record with the blue Record Activity Stream button Bookmark this page with the blue ribbon Bookmark this Page button Sync menu ( blue chainlink icon ) 2 Way - Push / Pull from Server: call a sync run for this record Push to Sync Publisher: send this record to the sync server Pull from Sync Publisher: fetch this record from the sync server Mark to Resync: flag this record for inclusion in the next sync server run Report Sections Layouts contain one or more of the following Sections: Section About accesspolicy api List of domains that are likely to have been visited programmatically by an operating system or other software autofixes List of Autofix requests, including the requesting user/IP address, the timestamp, URL requested, action taken, and additional information categories Overview graph of the most popular Categories visited, by percentage disinfected erased List of "background traffic" domains that were most likely linked to by websites (not visited directly by a user) graphs Time-of-day Usage graph and also graphs of Page View and Search ratings and actions taken mediaviews List of videos loaded in a browser; only major hosting platforms
supported: YouTube, Vimeo pagetitles Full text of the Title of every single page loaded in a browser. The "Title" is what displays in a browser tab. Extremely detailed. pageviews List of domains that are likely to have been visited in a browser by a human searches Full text of search queries entered on major search and ecommerce platforms shredded List of domains that were denied on every request; origin may be system/program or human Report Presets List view of all Report presets, and Policy ownership, where applicable Filter the view with the following search/select fields: Preset (Name) Template (Name) (Accountability) Policy List View displays: Column About Report Name of the Report Layout Data Visualization Template preset selected for the scheduled report Policy Associated (Accountability) Policy of the Report Preset, where applicable View a Report Preset record by clicking the link in the Report column Report Preset record view Parameter About Preset Name of the preset Policy Associated Accountability Policy, if applicable Layout Layout used by this Preset Schedule Default schedule interval assigned to this Preset Delivery Email Report files, Email Report Links, or Save Only (no email) Recipients Default recipients of this Preset Report Layout record header menu: Add a Report Preset with the blue + Create Report Preset button Edit this Report Preset with the green pencil Update Report Preset button Clone this Report Preset with the yellow Clone Report Preset button Delete this Report Preset with the red trashcan Delete Report Preset button View the record changelog with the blue Record Stream Activity button Bookmark this record with the blue ribbon Bookmark this Page button Sync menu ( blue chainlink icon ) Create on Sync Publisher: push this record to the sync server 2 Way - Push / Pull from Server: call a sync run for this record Push to Sync Publisher: send this record to the sync server Pull from Sync Publisher: fetch this record from the sync server Mark
to Resync: flag this record for inclusion in the next sync server run Note: Built-in (included with the DrawBridge) report presets are not editable or deletable, and therefore won't have all the record header menu options shown above. Log Processing Logline Filters are employed to ensure only relevant human activity is stored in the DrawBridge web activity database. Log Servers + Log Sender Batches together are an optional function used for export of DrawBridge filtering logs to an external web traffic log analysis service. When configured: a device is filtered by the DrawBridge, which logs all the web traffic of that device. Then, on a schedule, the DrawBridge uploads those web traffic logs to a separate log analysis/Reporter server for additional operations to be performed. Important Note: The Log Server/Sender system is inactive unless the following two conditions are met: A Log Server is configured. (See below) A Log Server Account Number is configured on one or more Company records. See Accounts: Companies for more information. Logline Filters Remove unwanted Log Lines before saving them to the Reporter database. Displays a list view of rulesets which apply to loglines prior to saving them in the DrawBridge log database. List view displays: Column About Sequence Priority of rule when processing is performed Filter Name of rule Scope Defines operations of the rule Field Parameter of Logline database field to which the rule applies Operator Data matching parameter ( In , Contains , Starts With , and so forth) Logline Filter Record view Parameter About Name Details Name of the rule Notes Comments about the rule, where applicable Matches If Expressions which trigger the rule data list Exact text that is referenced in the expression.
Logline Filter Record header buttons: Add a Logline Filter record with the blue + Create Logline Filter button Edit this Logline Filter record with the green pencil Update Logline Filter button Delete this Logline Filter record with the red trashcan Delete Logline Filter button Sync menu ( blue chainlink icon ) 2 Way - Push / Pull from Server: call a sync run for this record Push to Sync Publisher: send this record to the sync server Pull from Sync Publisher: fetch this record from the sync server Mark to Resync: flag this record for inclusion in the next sync server run Scope options: A rule can apply with the following scope of action: Skip All Logging -- Discard/Don't Save or Upload traffic matching this rule Log Summary Details Only -- Skip detailed logging data for traffic matching this rule DNS Log Lines -- Discard/Don't Save or Upload traffic containing these domain names Log Servers Upload Log Lines to a compatible Report Server for further processing. Displays a list view of configured Log Servers. List View displays: Column About Name Display name of the log server URL Web address of the log server Log Server Record View Parameter About Name Display name of the Log Server Status This record is Active or Inactive URL Web address of the log server Log Server Record header buttons: Add a Log Server record with the blue + Create Log Server button Edit this Log Server record with the green pencil Update Log Server button Delete this Log Server record with the red trashcan Delete Log Server button Bookmark this record with the blue ribbon Bookmark This Page button Sync menu ( blue chain icon ) Create on Sync Publisher: Push this record to the Sync Server Log Sender Batches Log Sender Batch Details Displays a list view of all configured Log Sender batches for Company records which have a Log Server Account number specified.
Filter the data with the following Select field: Company List View displays: Column About Name Display name of batch job Company Associated company of the batch job Date Timestamp of last batch job run event Uploaded To Timestamp of most recent data uploaded Results What the Log Processor job did Log Sender Batches is informational-only and does not have a record view. FAQ: Q: Why does the Log Sender Batch indicate 0 lines uploaded, even though devices on the Company are being used? A: Either the devices are not properly connecting to the DrawBridge, or, any data that was recorded was considered system activity, not human activity, and was therefore discarded. See Logline Filters above for more information. Device Detection Detect network devices by analyzing traffic. User Agents A User Agent (UA) text string identifies the software making a web request in HTTP. For example, a browser may identify as a particular version of Chrome. List view displays: Column About User Agent The exact text string of the UA Device Device type assigned to the UA App Application type assigned to the UA Click the User Agent name link to view an individual User Agent record. User Agent Record View Parameter About Device The Device Type contained in the UA Application The Application contained in the UA OS The Operating System contained in the UA Canonical ID The globally-unique identifier in the DrawBridge ecosystem Device Type The device type assigned to the UA Application Type The Application type assigned to the UA User Agent Record header buttons: Add a new User Agent record with the blue + Create User Agent Record button Edit this User Agent record with the green pencil Update User Agent Record button Delete this User Agent record with the red trashcan Delete User Agent Record button Bookmark this User Agent record with the blue ribbon Bookmark This Page button Ja3 Hashes Ja3 hashes can be used to positively identify an application based on a TLS fingerprint. 
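How a JA3 hash is derived from a TLS ClientHello, as an added example that is not DrawBridge code: the JA3 string joins the handshake version, cipher suites, extension types, supported groups and EC point formats in decimal, drops GREASE values, and is then hashed with MD5. The ClientHello bytes are constructed inline, the helper names are hypothetical, and the parser assumes the ClientHello fits in a single TLS record.

```python
import hashlib
import struct

# GREASE values (RFC 8701: 0x0A0A, 0x1A1A, ... 0xFAFA) are random placeholders
# that clients insert; JA3 ignores them so one client keeps one fingerprint.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        # Bounds-checked read so a truncated capture fails loudly.
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vec(self, n):  # vector prefixed by an n-byte length
        return self.take(self.uint(n))


def u16_list(blob):
    if len(blob) % 2:
        raise ValueError("odd-length list of 16-bit values")
    return [v for (v,) in struct.iter_unpack("!H", blob)]


def ja3_string(record):
    """Return the JA3 string for a ClientHello held in a single TLS record."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                  # record-layer version, unused
    hs = Reader(rec.vec(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    hello = Reader(hs.vec(3))
    version = hello.uint(2)
    hello.take(32)                               # client random
    hello.vec(1)                                 # session id
    ciphers = [c for c in u16_list(hello.vec(2)) if c not in GREASE]
    hello.vec(1)                                 # compression methods
    ext_types, groups, formats = [], [], []
    exts = Reader(hello.vec(2) if hello.pos < len(hello.data) else b"")
    while exts.pos < len(exts.data):
        etype, edata = exts.uint(2), Reader(exts.vec(2))
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 10:                          # supported_groups
            groups = [g for g in u16_list(edata.vec(2)) if g not in GREASE]
        elif etype == 11:                        # ec_point_formats
            formats = list(edata.vec(1))
    lists = (ciphers, ext_types, groups, formats)
    return ",".join([str(version)] + ["-".join(map(str, x)) for x in lists])


def ja3_hash(record):
    """JA3 hash: MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


# ---- Constructed sample input (not captured traffic) ----
def prefixed(n, payload):
    return len(payload).to_bytes(n, "big") + payload


def u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(ciphers, groups, grease, sni):
    exts = [(grease, b""),
            (0, prefixed(2, b"\x00" + prefixed(2, sni))),    # server_name
            (10, prefixed(2, u16s([grease] + groups))),      # supported_groups
            (11, prefixed(1, b"\x00")),                      # ec_point_formats
            (13, prefixed(2, u16s([0x0403])))]               # signature_algorithms
    body = (u16s([0x0303]) + bytes(32) + prefixed(1, b"")
            + prefixed(2, u16s([grease] + ciphers)) + prefixed(1, b"\x00")
            + prefixed(2, b"".join(u16s([t]) + prefixed(2, d) for t, d in exts)))
    return b"\x16\x03\x01" + prefixed(2, b"\x01" + prefixed(3, body))


CIPHERS = [0x1301, 0xC02F, 0x009C]
SAMPLE_HELLO = build_client_hello(CIPHERS, [29, 23], 0x0A0A, b"example.test")
SAME_CLIENT = build_client_hello(CIPHERS, [29, 23], 0x5A5A, b"other.test")
OTHER_CLIENT = build_client_hello(CIPHERS[::-1], [29, 23], 0x0A0A, b"example.test")
```

`SAMPLE_HELLO` and `SAME_CLIENT` differ in GREASE value and server name yet hash identically, while `OTHER_CLIENT` only reorders the cipher list and gets a different hash; the fingerprint tracks the TLS stack's offer, not the destination.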
Read more about the standard on the official GitHub page. List view displays: Column About Hash Ja3 Hash Notes Information about the hash Ja3 Hash Record View Parameter About Name Exact Ja3 hash Notes Further information about this particular hash Canonical ID Globally-unique record identifier in the DrawBridge ecosystem List: Application -- displays Applications associated with this particular Ja3 hash. Add an Application to the hash record with the Add TLS Fingerprint button above the Application list view in the record. Ja3 Hash Record header buttons: Add a new Ja3 Hash record with the blue + Create J A3 Hash button Edit this Ja3 Hash record with the green pencil Update J A3 Hash button Delete this Ja3 Hash record with the red trashcan Delete J A3 Hash button Bookmark this Ja3 Hash record with the blue ribbon Bookmark This Page button Sync menu ( blue chain icon ) Create on Sync Publisher: Push this record to the Sync Server Devices Specific hardware identity records. List view displays: Column About Model The model of the Device Brand The manufacturer of the Device Type The device type, e.g. Smartphone , Desktop PC , and so forth Locate a specific record with the following search/select fields: Name Device record view Parameter About Name Name of the specific hardware Type Device type, e.g.
Smartphone , Desktop PC , and so forth OS Operating System of the Device Canonical ID Globally-unique record identifier in the DrawBridge ecosystem Brand Manufacturer of the Device Device Record header buttons: Add a new Device record with the blue + Create Device button Edit this Device record with the green pencil Update Device button Delete this Device record with the red trashcan Delete Device button Bookmark this Device record with the blue ribbon Bookmark This Page button Sync menu ( blue chainlink icon ) 2 Way - Push / Pull from Server: call a sync run for this record Push to Sync Publisher: send this record to the sync server Pull from Sync Publisher: fetch this record from the sync server Mark to Resync: flag this record for inclusion in the next sync server run Applications Comprehensive listing of Mobile Device and Desktop applications List view displays: Column About Name Name of the Application Type Type of application, if known. E.g. Browser , Mobile App , and so forth Locate a specific record with the following search/select fields: Name Application record view Parameter About Name Name of the Application Type Type of application, if known. E.g.
Browser , Mobile App , and so forth Canonical ID Globally-unique record identifier in the DrawBridge ecosystem Application Record header buttons: Add a new Application record with the blue + Create Application button Edit this Application record with the green pencil Update Application button Delete this Application record with the red trashcan Delete Application button Bookmark this Application record with the blue ribbon Bookmark This Page button Sync menu ( blue chainlink icon ) 2 Way - Push / Pull from Server: call a sync run for this record Push to Sync Publisher: send this record to the sync server Pull from Sync Publisher: fetch this record from the sync server Mark to Resync: flag this record for inclusion in the next sync server run Informational Tabs App Store IDs -- List view of unique App Store identifiers; Add an ID with the Add App Store ID button above the list UA Patterns -- List view of User Agent regular expressions to match this Application; Add a UA pattern with the Add UA Pattern button JA3 Hashes -- List view of Ja3 Hashes of this Application; add a new hash with the Add TLS Fingerprint button User Agents -- List view of User Agent strings associated with this Application Applications (ACL-ready) Accessed as a sub-menu item under Applications in the left sidebar menu. Appstore IDs Accessed as a sub-menu item under Applications in the left sidebar menu. Brands Operating Systems System Console Sync Compass Foundation maintains a record synchronization infrastructure with a master publisher server to facilitate the interoperation of various systems. Synced Records Complete list view of all synchronized records. List view displays: Column About Name The name of the record Table The database table in which the record exists Sync Server The name of the sync server for this record List View header buttons: Add a new Synced Record with the blue + Create Synced Record button Click the Record name link to view an individual Synced Record record.
Record View Parameter About (Name) The name of the record CID (Canonical ID) The globally-unique record identifier in the DrawBridge ecosystem Local Record The local name of the record Table The database table in which the record exists Sync Mode State: 1/2-way Push/Pull from Server details Sync Status Status of this record with the Publisher server Sync Server The configured sync publisher server for this record User Agent Record header buttons: Pull from Sync Publisher : initiate a record sync from the master server (origin) to this DrawBridge Push to Sync Publisher : initiate a record sync from this DrawBridge (origin) to the master server Bookmark : this User Agent record with the blue ribbon Bookmark This Page button Additional information: Fields to Update -- Information on any data for this record pending synchronization Tenant Changes -- Status of local changes to the record Sync Errors -- Information regarding errors on the synchronization of this record Sync Batches List view of the Batches in which Record Sync is performed. List view displays: Column About Sync Batch The name of the batch Batch Type Details regarding the batch type Sequence Priority of the batch when Sync occurs Server Configured server that the sync mechanism will communicate with for this batch List View header buttons: Add a new Sync Batch Record with the blue + Create Sync Batch button Bookmark this list view with the blue ribbon Bookmark This Page button Click the Batch name link to view an individual batch record.
Batch Record View Parameter About Name The name of the batch record Type Details regarding the batch type Server The configured sync publisher server for this record Comments Additional information relevant to this batch Last Run Timestamp of the last time this batch was run (Red circular arrow button: Reset this timestamp to sync all records) Next Run Timestamp of the next scheduled sync batch run User Agent Record header buttons: Trigger a "dry run" (test run / no actual record changes) of sync batch with the green target Trigger Sync Batch - Dry Run button Trigger a sync batch run with the red target Trigger Sync Batch button Add a new sync batch with the blue + Add Sync Batch button Edit the sync batch with the green pencil Update Sync Batch button Bookmark this sync batch with the blue ribbon Bookmark This Page button Additional information: Tables to Sync Column About Table Database table Sequence Priority of the database table when Sync occurs Comments Additional information relevant to this batch Mode State: 1/2-way Push/Pull from Server details Individual record buttons in list view: Edit the table record with the green pencil button Delete the table record with the red trashcan button Sync Servers Synchronize Configuration Technical DrawBridge system configuration settings. (Does not contain filter settings; see Content Filter for content filter settings.) Local Settings DrawBridge system identity details, specific to this system.
Parameter About Name Globally-unique name of this DrawBridge Local Yes/No -- this record belongs to this hardware Admin URL The URL and port number for the management interface (if no port is displayed, the default is 443) Cloud Server Yes/No -- this system is/is-not a "cloud filter" Rebranded Yes/No Project Name Brand information Console Name Brand information Filter Name Brand information Hostname Brand information Slogan Brand information Phone Brand information Email Brand information Canonical ID Globally-unique identifier for this DrawBridge Sync Role Publisher/Subscriber -- role of this DrawBridge in the Synchronization ecosystem Appliance Companies List view of all tenant Company records; displays Company-Appliance/DrawBridge relationship. Typically only relevant in the context of the Synchronization ecosystem. Backups List view of system database backups. (Database backups are automatically uploaded to Compass Foundation offsite storage.) Email Settings Configuration details regarding email alerts. Managed by Compass Foundation. Parameter About Host Mail Server domain Port Port for SMTP Use TLS Yes/No Verify TLS Yes/No From Address Brand information Username Username to use with email server for authentication Certificate Authority Information regarding the Certificate Authority, SSL Certificates, and Software (Client SSL Cert Installers) in-use on the DrawBridge. Relevant primarily when Rebranded = Yes (see Local Settings, above). DrawBridge Terminal Applicable only to systems running DrawBridgeOS. Does not apply to ClearOS-based systems. (See the Platform field in your DrawBridge System Overview page to see which operating system your DrawBridge is running.) Modes of operation More information coming soon. Hardware & Processes Note: Requires System Owner permissions. Docs coming soon. DNS Firewall Docs coming soon. 
In the screenshot below, objects.githubusercontent.com got added to the firehollevel3 DNS firewall, presumably at the upstream FireHOL project. For a domain with such broad usage, it was probably legitimately being abused somewhere, and hence ended up on that list. But it then obviously has a massive impact on everything else hosted on that domain. To resolve the issue, you'll have to add objects.githubusercontent.com to the DNS Firewall local whitelist on Whitespire. Make sure that you are not connected to the Tech VPN when testing. Help Help Care Center View classification tickets automatically generated by AutoFix and Human Review procedures. Create new support tickets to be automatically submitted to Compass Foundation support. Change Logs View software changelogs. API Documentation View DrawBridge API documentation. Additional Services Passageway Passageway is a full-featured password management database and sync service that is hosted on the DrawBridge. Please visit https://help.passageway.id for the Passageway documentation. Note: Passageway is only available to on-premises DrawBridge accounts (not cloud DrawBridge accounts), and the DrawBridge must be running a currently-supported base Operating System. (Passageway is not supported on ClearOS 6 systems.) Tabula (deprecated) Tabula is a contact records database + sync service hosted on the DrawBridge. Domain: tabula..myvision.id Tabula must be initialized on a per-user basis by going to the Person record and using the record header button menu option to Create Tabula Account .
Compass Foundation Infrastructure Network Addresses Network Administrators: please ensure unrestricted access to the following addresses:

US & Global services:

| IPv4 | Equivalent CIDR notation |
| --- | --- |
| 8.33.19.221 - 8.33.19.226 | (not a CIDR block) |
| 63.150.19.74 - 63.150.19.79 | 63.150.19.72/29 |
| 65.152.194.73 - 65.152.194.78 | 65.152.194.72/29 |
| 104.218.187.15 - 104.218.187.18 | (not a CIDR block) |
| 108.24.40.122 - 108.24.40.126 | (not a CIDR block) |
| 173.161.228.229 | 173.161.228.229/32 |
| 199.224.68.177 - 199.224.68.189 | 199.224.68.176/28 |
| 204.111.143.225 - 204.111.143.238 | 204.111.143.224/28 |

IPv6: pending

Canada services:

| IPv4 Address | Equivalent CIDR notation |
| --- | --- |
| 69.41.195.98 - 69.41.195.102 | 69.41.195.97/29 |
| 205.203.220.163 - 205.203.220.166 | 205.203.220.162/29 |
| 216.46.150.2 - 216.46.150.6 | 216.46.150.1/29 |

IPv6: N/A

Abuse/Security Contact Abuse/Security concerns: please email support@compassfoundation.io or call 856-974-5335 Access Policy Dashboard Report The Access Policy Dashboard Report is based very closely on the layout of the live Dashboard page for a specific company ( example report ). Reading the Report Header Details The Report calls out areas of special interest, such as: A count of changes made Person performing the change Date and time the change was performed Access Policy Lines Each Access Policy line that was changed is marked with a Categories Changed badge. Click the Down Arrow to reveal more details about the change. Report Delivery By default, this report is a Daily notification that only is delivered when changes have been made in the prior 24 hours. The report can also be manually delivered to recipients by navigating to the Company's Access Policy Dashboard and clicking "Deliver Access Policy Report" in the Context menu.
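For the Network Addresses list under Compass Foundation Infrastructure above, an added example (not Compass Foundation tooling) that turns the published ranges into entries a CIDR-only firewall can load and audits each "equivalent CIDR" value against its range. The function names are hypothetical, and the assumption is that the firewall accepts IPv4 CIDR entries but not start-end ranges.

```python
import ipaddress

# (first, last, published "equivalent CIDR") copied from the Network Addresses
# list; None marks the rows the page labels "(not a CIDR block)".
PUBLISHED = [
    ("8.33.19.221", "8.33.19.226", None),
    ("63.150.19.74", "63.150.19.79", "63.150.19.72/29"),
    ("65.152.194.73", "65.152.194.78", "65.152.194.72/29"),
    ("104.218.187.15", "104.218.187.18", None),
    ("108.24.40.122", "108.24.40.126", None),
    ("173.161.228.229", "173.161.228.229", "173.161.228.229/32"),
    ("199.224.68.177", "199.224.68.189", "199.224.68.176/28"),
    ("204.111.143.225", "204.111.143.238", "204.111.143.224/28"),
    ("69.41.195.98", "69.41.195.102", "69.41.195.97/29"),
    ("205.203.220.163", "205.203.220.166", "205.203.220.162/29"),
    ("216.46.150.2", "216.46.150.6", "216.46.150.1/29"),
]


def exact_cover(first, last):
    """Smallest list of CIDR blocks that covers first..last and nothing else."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def audit(first, last, cidr):
    """Compare one published row with what a CIDR-only firewall would load."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    row = {"range": f"{first}-{last}",
           "exact": [str(n) for n in exact_cover(first, last)],
           "network": None, "host_bits_set": False,
           "covers_range": None, "extra_hosts": None}
    if cidr is not None:
        # strict=False masks off host bits; strict parsers (Python's default
        # strict=True among them) reject a value such as x.x.x.97/29 outright.
        net = ipaddress.ip_network(cidr, strict=False)
        row.update(network=str(net),
                   host_bits_set=(str(net) != cidr),
                   covers_range=(lo in net and hi in net),
                   extra_hosts=net.num_addresses - (int(hi) - int(lo) + 1))
    return row


def allowlist(least_privilege=False):
    """CIDR entries to load: the published blocks (normalized), with exact
    covers for range-only rows; least_privilege=True uses exact covers only."""
    entries = []
    for first, last, cidr in PUBLISHED:
        if cidr is None or least_privilege:
            entries.extend(exact_cover(first, last))
        else:
            entries.append(ipaddress.ip_network(cidr, strict=False))
    return [str(n) for n in entries]


if __name__ == "__main__":
    for first, last, cidr in PUBLISHED:
        r = audit(first, last, cidr)
        note = " (host bits set as published)" if r["host_bits_set"] else ""
        print(f'{r["range"]:34} {r["network"] or ", ".join(r["exact"])}{note}')
```

Rows reported with `host_bits_set` need the normalized network address when the firewall's parser is strict; `extra_hosts` shows how many addresses beyond the listed range each published block admits.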