cnstarz 26 Posted December 10, 2023

So, my workcenter is manned 24/7/365, but we do have dull periods of time, like weekends, holidays, midnight hours, etc. For this reason, I created a shared account for us to watch movies and TV shows so that we can keep our sanity. However, people have been using the login on their TVs at home as well, and have even been sharing the credentials with their families. I want to prevent that from happening.

What I imagine is in the User Setting settings page for an account, there are two fields called "Remote IP Address Filter" and "Remote IP Address Filter Mode", which work exactly like the two fields that already exist in the server settings page, except that these apply only to the specific user. This way you can set up basically kiosk-type accounts that can only be used on specific networks.

ebr 15554 Posted December 10, 2023

Hi. Don't the device restrictions already allow you to accomplish what you want?

cnstarz 26 Posted December 10, 2023 Author

2 minutes ago, ebr said:
> Hi. Don't the device restrictions already allow you to accomplish what you want?

No, because there are about 40 people in my work center and the way the network proxy works across enterprise makes it impossible for me to utilize device restrictions. In the attached screenshot, there are literally hundreds of devices that say "Google Chrome Windows".

Luke 39400 Posted December 11, 2023

OK it is certainly technically possible although it sounds like a lot of manual management.

cnstarz 26 Posted December 11, 2023 Author

3 minutes ago, Luke said:
> although it sounds like a lot of manual management.

How so?

Luke 39400 Posted December 11, 2023

2 hours ago, cnstarz said:
> How so?

A lot of work for you as the server admin to manually manage IP addresses for every single one of your users.

cnstarz 26 Posted December 11, 2023 Author

If the field is blank, then it could use whatever is configured for the server. And if the server had no Remote IP Address Filter configured, then the user would have no network restrictions. The field can be optional.

Edited December 11, 2023 by cnstarz

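The fallback rule proposed in the post above, written out as an added example (not part of the thread and not Emby's code). The mode values "whitelist" and "blacklist", the choice that a non-blank user filter replaces the server filter rather than combining with it, and all names and addresses are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpFilter:
    """The two proposed fields. Mode values are assumed for this example."""
    networks: str = ""        # comma-separated addresses or CIDR ranges
    mode: str = "whitelist"   # "whitelist" or "blacklist"

    def parsed(self):
        return [ipaddress.ip_network(n.strip(), strict=False)
                for n in self.networks.split(",") if n.strip()]


def effective_filter(user: IpFilter, server: IpFilter) -> Optional[IpFilter]:
    """Blank user field -> server filter; both blank -> no restriction."""
    for candidate in (user, server):
        if candidate.networks.strip():
            return candidate
    return None


def is_allowed(remote_ip: str, user: IpFilter, server: IpFilter) -> bool:
    flt = effective_filter(user, server)
    if flt is None:
        return True
    if flt.mode not in ("whitelist", "blacklist"):
        raise ValueError(f"unknown filter mode: {flt.mode!r}")  # never guess
    addr = ipaddress.ip_address(remote_ip)
    matched = any(addr in net for net in flt.parsed()
                  if net.version == addr.version)
    return matched if flt.mode == "whitelist" else not matched


# Constructed sample data (documentation address ranges, not real networks).
KIOSK = IpFilter("203.0.113.0/24")           # shared work account
FAMILY = IpFilter()                          # blank: inherits server setting
SERVER_OPEN = IpFilter()                     # no server-wide filter
SERVER_BLOCK = IpFilter("198.51.100.0/24", "blacklist")

if __name__ == "__main__":
    for ip in ("203.0.113.40", "198.51.100.7"):
        print(ip, "kiosk:", is_allowed(ip, KIOSK, SERVER_OPEN),
              "family:", is_allowed(ip, FAMILY, SERVER_OPEN))
```

A check like this is only meaningful when the server sees the real client address; behind a reverse proxy every request would otherwise appear to come from the proxy.
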
justinrh 208 Posted December 12, 2023

I see this in my Network config page:

Everyone at your workcenter would have the same WAN IP address (or range), right? Are you using a proxy for Emby - could you filter IPs there? Or even your router?

cnstarz 26 Posted December 12, 2023 Author

4 minutes ago, justinrh said:
> I see this in my Network config page: Everyone at your workcenter would have the same WAN IP address (or range), right? Are you using a proxy for Emby - could you filter IPs there? Or even your router?

My server is also used by my own family members and a few friends that are overseas. I can't expect everyone to keep me updated with their IP addresses, especially my grandma.

darkassassin07 590 Posted December 12, 2023

An option for now: Set the work account to a password only you know, uncheck 'allow this user to change their password and profile image'. Then you yourself sign that user into the devices that are authorized and check 'remember me' on them. If they lock themselves out, they're stuck without it until you re-auth for them. They'll learn to not lock themselves out if they want to use it.

Another option is to use two separate domains/subdomains pointed to the same proxy and have that proxy limit one of those to work IPs only.

Overall I think a user-specific IP whitelist is a good idea.

Edited December 12, 2023 by darkassassin07

cnstarz 26 Posted December 17, 2023 Author

On 12/11/2023 at 8:29 PM, darkassassin07 said:
> An option for now: Set the work account to a password only you know, uncheck 'allow this user to change their password and profile image'. Then you yourself sign that user into the devices that are authorized and check 'remember me' on them.

This is not feasible. We do not all work the same shifts on the same days. In fact, there are two crew shifts that I never see, so I will never log in for any of them. On top of that, the enterprise proxy is so finicky with a few sites that we use that our only workaround when we experience issues is to clear the browser cache, which would make all of that a moot point anyways. =/

darkassassin07 590 Posted December 17, 2023

Guess that leaves you with using multiple domains. One locked down with an IP whitelist for work, and an open one for family use.

Alternatively you could create a user for each coworker that uses the system, then remove access for those that abuse your generosity. Then everyone gets their own 'up next' watch list too. I've used this approach for years.

/edit distribute login info by having each member email you a request for access. You can send back a new user+pass along with a basic ToS. I explicitly state users caught sharing accounts will be immediately removed, no exceptions.

Edited December 17, 2023 by darkassassin07