
Remote IP Address Filter on a Per-User Basis


cnstarz


cnstarz

So, my workcenter is manned 24/7/365, but we do have dull periods of time, like weekends, holidays, midnight hours, etc. For this reason, I created a shared account for us to watch movies and TV shows so that we can keep our sanity. However, people have been using the login on their TVs at home as well, and have even been sharing the credentials with their families. I want to prevent that from happening.

What I imagine is in the User Setting settings page for an account, there are two fields called "Remote IP Address Filter" and "Remote IP Address Filter Mode", which work exactly like the two fields that already exist in the server settings page, except that these apply only to the specific user.

This way you can set up basically kiosk-type accounts that can only be used on specific networks.


cnstarz
2 minutes ago, ebr said:

Hi.  Don't the device restrictions already allow you to accomplish what you want?

No, because there are about 40 people in my work center and the way the network proxy works across enterprise makes it impossible for me to utilize device restrictions. In the attached screenshot, there are literally hundreds of devices that say "Google Chrome Windows".

Screenshot_20231210-102609.png


2 hours ago, cnstarz said:

How so?

A lot of work for you as the server admin to manually manage IP addresses for every single one of your users.


cnstarz

If the field is blank, then it could use whatever is configured for the server.  And if the server had no Remote IP Address Filter configured, then the user would have no network restrictions.

The field can be optional.

Edited by cnstarz
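
The fallback order proposed in this post, sketched as an added example (not Emby's code and not part of the original post). `IpFilter`, `remote_ip_allowed` and the mode strings are hypothetical names, the addresses are constructed from documentation ranges, and the sketch assumes a set per-user filter replaces the server filter rather than combining with it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpFilter:
    """Hypothetical model of one 'Remote IP Address Filter' + 'Filter Mode' pair."""
    entries: str = ""        # comma-separated addresses or CIDR ranges; blank = unset
    mode: str = "whitelist"  # assumed values: "whitelist" or "blacklist"

    def networks(self):
        # strict=False accepts entries like 203.0.113.7/24 (host bits set)
        return [ipaddress.ip_network(e.strip(), strict=False)
                for e in self.entries.split(",") if e.strip()]


def remote_ip_allowed(remote_ip: str,
                      user_filter: Optional[IpFilter],
                      server_filter: Optional[IpFilter]) -> bool:
    """Decide whether a login from remote_ip may proceed for this user.

    remote_ip must be the address the server itself observed, or one taken
    from a forwarding header set by a proxy the server trusts.
    """
    addr = ipaddress.ip_address(remote_ip)
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them
    # so an IPv4 range in the filter still matches.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # A set per-user filter wins; a blank one falls back to the server filter.
    for flt in (user_filter, server_filter):
        nets = flt.networks() if flt is not None else []
        if not nets:
            continue
        if flt.mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown filter mode: {flt.mode!r}")
        matched = any(addr in net for net in nets)
        return matched if flt.mode == "whitelist" else not matched

    # Neither level configured: no network restriction, as the post proposes.
    return True


# Constructed sample data (RFC 5737 documentation ranges), not real networks.
WORK_KIOSK = IpFilter("203.0.113.0/24")
SERVER_WIDE = IpFilter("198.51.100.0/24", "blacklist")
```
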

justinrh

I see this in my Network config page:

image.png.31e840871d5a64533a616e43c91e0952.png

Everyone at your workcenter would have the same WAN IP address (or range), right?

Are you using a proxy for Emby - could you filter IPs there?  Or even your router?


cnstarz
4 minutes ago, justinrh said:

I see this in my Network config page:

image.png.31e840871d5a64533a616e43c91e0952.png

Everyone at your workcenter would have the same WAN IP address (or range), right?

Are you using a proxy for Emby - could you filter IPs there?  Or even your router?

My server is also used by my own family members and a few friends that are overseas. I can't expect everyone to keep me updated with their IP addresses, especially my grandma.


darkassassin07

An option for now:

Set the work account to a password only you know, uncheck 'allow this user to change their password and profile image'. Then you yourself sign that user into the devices that are authorized and check 'remember me' on them.

If they lock themselves out, they're stuck without it until you re-auth for them. They'll learn to not lock themselves out if they want to use it.

 

Another option is to use two separate domains/subdomains pointed to the same proxy and have that proxy limit one of those to work IPs only.

 

Overall I think a user-specific IP whitelist is a good idea.

Edited by darkassassin07

cnstarz
On 12/11/2023 at 8:29 PM, darkassassin07 said:

An option for now:

Set the work account to a password only you know, uncheck 'allow this user to change their password and profile image'. Then you yourself sign that user into the devices that are authorized and check 'remember me' on them.

This is not feasible. We do not all work the same shifts on the same days. In fact, there are two crew shifts that I never see, so I will never log in for any of them. On top of that, the enterprise proxy is so finicky with a few sites that we use that our only workaround when we experience issues is to clear the browser cache, which would make all of that a moot point anyways. =/


darkassassin07

Guess that leaves you with using multiple domains. One locked down with an IP whitelist for work, and an open one for family use.

 

Alternatively you could create a user for each coworker that uses the system, then remove access for those that abuse your generosity. Then everyone gets their own 'up next' watch list too. I've used this approach for years.

/edit distribute login info by having each member email you a request for access. You can send back a new user+pass along with a basic ToS. I explicitly state users caught sharing accounts will be immediately removed, no exceptions.

Edited by darkassassin07
