User Agents Basics

What are User Agents?

User Agents are one method of user authentication, in which an agent is installed on each device to transparently communicate user information with the Web Filter to deliver appropriate policies. User resolution supplies the Web Filter with the user credentials in order to provide the end user with the proper policy assignment and reporting. Learn more about other types of user resolution here. 

User Agents may be the best method for you if:

  • You want transparent authentication (without the need for users to identify themselves through web authentication)
  • You need to provide the filter with complete IP information for devices with multiple IP addresses
  • You want the most complete and reliable web traffic reporting
  • You have primarily school-owned mobile devices rather than student-owned

When Should you use User Agents?

The User Agent is often the most accurate (especially in environments where a single device might have multiple IPs) and the most seamless for the user (avoiding the need for web authentication) method of user resolution. Agent-less user resolution can inaccurately report tracking when a device has multiple or changing IPs (the Rocket only knows the IP that was in use when the user logged in).

The one downside to clientside agents is that they need to be installed on every machine; however, we have solutions to streamline that installation.

Agents interact with the server using a special TCP protocol that runs on port 1306. Naturally, this port needs to be accessible through firewalls and any other devices that might be in between the agents and the server. Reports are sent to the server over this protocol to keep it up to date and accurately reflect who is logged on to each IP address.

Types of User Agents

User agents are available for the following. Click on each category to learn more about that particular user agent and specific installation procedures.

Downloads and Hardware/Software Requirements

You can access User Agent downloads here.

You can learn more about User Agent software requirements here.

User Agent - Hardware and Software Requirements

User Agents

This software, with versions for Macs, and Linux, provides complete user/machine name reporting to the Rocket appliance.

Mac (MUA) Linux (LUA) Windows
Software MacOS 10.12.x (Sierra)
Mac OS 10.11.x (El Capitan)
Mac OS 10.10.x (Yosemite)
Mac OS 10.9.x (Mavericks)
Mac OS 10.8.x (Mountain Lion)
Mac OS 10.7.x (Lion)
Mac OS 10.6.x (Snow Leopard)
Mac OS 10.5.x (Leopard)
Mac OS 10.4.x (Tiger)
Dialog Windows XP and above
Hardware Macintosh Intel and Power PC (Universal Binary) No Hardware requirements No Hardware requirements


Mac User Agent: The current Lion-compatible versions (v3.1) will continue to function on any Mountain Lion (OSX 10.8) or higher upgrade. However, if you are installing on OSX 10.8 or higher, you will need to download a newer installation package to handle the new Gatekeeper requirements (to only allow software from the App store and known developers). Download the installer at Agents and Downloads

MSI Transform


Download the latest UserAgent MSI and MsiTransform.exe at the following links:

Looking for other downloads? Click here.


When mass deploying the User Agent via Active Directory’s Group Policy Object (GPO) or Novell’s ZENworks, a transform (MST) file is needed. This file will preset the update server for each agent. Without it any form of mass deployment would be pointless as the Agents would not report anywhere, and would require a manual registry change on each machine.

Building a User Agent .MST file
Download the latest UserAgent MSI and MsiTransform.exe from the download links above.

Open a command prompt and navigate to the folder containing the downloaded files
Execute the utility using the following command format:

  • MsiTransform.exe -i UserAgentx64.msi –s

Where –

  • -i, –input <original .MSI package, for example, UserAgent.msi (in working directory) or c:\TempSoftwareStore\UserAgent.msi (in alternate storage location)>
  • -s, –server <IP Address or network host name for the ‘Identification’ server>
  • -d, –debug <Debug mode>
  • -?, -h, –help <Show help and exit>

The output file will be within into the current directory that the utility was executed from and will be named “UserAgentIDServer.mst”. Use this file to build the AD-GPO or the ZENworks distribution process for installing the TTC User Identification Agent on your network.

Mac User Agent

Mac OS Version Link
10.12 (Sierra) – 10.14 (Mojave) v4.1.8 MacUserAgent_4.1.8.dmg

Installation Instructions

Looking for other downloads? Click here.



Verify that you are running OS X 10 or higher.

Note: In a multi Rocket environment the user agents should point to the parent server.

The steps for local and remote installations are listed below. Please note the following bindings are supported.

  • Native binding to AD or AOD

Ensure you’ve followed the Mac User Agent Install article before proceeding. Please note admin access is required for installation on the client workstations and a reboot will be required at the end of the installer routine.

Local Install – Version 4.x (for Yosemite, El Capitan, and Sierra only)

    • 1. Download the installer from Lightspeed Systems
    • 2. From your Mac workstation open and mount the UserAgent.dmg file.
    • 3. Run the Lightspeed Systems UserAgent.pkg file to start the installer and click Continue on the warning.
    • 4. On the Introduction page click Continue.
    • 5. On the Installation Type page click Install to proceed with the installation. Please note you will be prompted to enter the admin password in order to install.
    • 7. Open a Terminal window and send the following command to set the server:
sudo defaults write useragent IdentServer -string "" (your FQHN)
    • 8. Once complete click Close, reboot and ‘You’re Done!’

Mac User Agent Installer Log File

The Mac User Agent version 4.x installer writes to the file /private/var/log/system.log with ‘useragent’ before each line. You can use this file to help you understand installation issues or to help Lightspeed Systems Support help you in solving any installation issues.

Remote Install

    • 1. Download the installer from Lightspeed Systems
      • Inside the install .dmg is the .pkg file needed to deploy to clients via Apple Remote Desktop (ARD) or another remote desktop application.


You can use the free Packages application or Apple’s built-in pkgbuild and productbuild utilities to create .pkg files.

    • 2. Deploy the User Agent package using Apple Remote Desktop or another remote desktop application. Refer to the documentation for your deployment tool on how to remotely install the agent.

Please note once the User Agent is installed, you will need to configure the Identification Server. Be sure to replace the IP address below with the IP address or the FQDN of your Rocket appliance. Also please note the command requires admin access.

Version 3.x (for older Mac OSX versions)

Clients running older versions of Mac OSX will have to use Web Authentication, RADIUS or other authentication method that does not rely on an agent.

Configuring the User Agent

After installing the User Agent for Mac OS, use the deployed useragent.plist file to configure the Identification Server.

Important: Save this .plist file to a network location that is accessible by other computers, and if needed, use a program like Xcode to edit the file.

Configure the Mac User Agent on a Local Computer

  1. Navigate to the location where the useragent.plist is saved.
  2. Open a Terminal window then enter this command (and admin password): sudo defaults import useragent useragent.plist. This command applies the .plist file’s settings to the local User Agent.
Note: Use the same command (above) if you’re creating and running a script to configure User Agents on additional computers..


The Mac User Agent can be installed directly over top of an existing version, no different than if it were a brand new install. Thus please follow Mac User Agent Install for new installs and upgrades.

Mac User Agent Installer Log File

The Mac User Agent installer writes to the file /private/var/log/system.log with ‘useragent’ before each line. You can use this file to help you understand installation issues or to help Lightspeed Systems Support help you in solving any installation issues.


You must have the LightspeedUserAgent.dmg file in order to perform an uninstall

  • 1. From your Mac workstation open and mount the LightspeedUserAgent.dmg file.
  • 2. Run the uninstall file to start the uninstall process.
  • 3. You will be prompted for the ‘admin’ password before uninstall commences.

PC User Agent

With the release of Web Filter Longhorn (3.2.1) we have updated our LMA agent to handle user identification. If you are running 3.2.1 or higher, we recommend that you update your computers to use the LMA rather than the Windows User Agent (Windows User Agent is still supported and is not required as part of the Longhorn upgrade process.)
OS Bit Version # Link Web Filter version
64 bit 3.1.6 LMA_Setupx64.msi Web Filter 3.2.1 or higher
32 bit 3.1.6 LMA_Setupx86.msi Web Filter 3.2.1 or higher
If you are using Web Filter 3.2, 2.x, or anything lower than 3.2.1 then you should continue to use the Windows User Agent for identification. In addition, if you are running Windows XP or lower, you MUST use the Windows User Agent.

The Windows user agent works with Windows 10/8/7/Vista/XP/2000 and Windows Server 2003

OS Bit Version # Link Web Filter version
32 bit 2.1.14 UserAgentx32_V2.1.14.msi Web Filter 3.2, 2.x and below
64 bit 2.1.14 UserAgentx64_V2.1.14.msi Web Filter 3.2, 2.x and below

Installation Instructions

If you want to allow the installer to specify an ‘Update Source’ for the User Agent, as part of an automated or remote install you can use our MsiTransform.exe tool. Learn how to install here.

Looking for other downloads? Click here.

Recommended: Set the User Agent Service recovery options to “Restart the Service”
In order to ensure the User Agent Service is always running and to help facilitate error recording in the event of a service crash please set the User Agent Service recovery options to “Restart the Service” as shown below.


This behavior can be set with a Group Policy Object (GPO) to avoid manually editing the preferences on each workstation. See the Microsoft Windows Server help page “Configure a Service Item” for information about configuring a GPO.


  • Windows machine running Windows XP or later
With the release of Web Filter Longhorn (3.2.1) we have updated our LMA agent to handle user identification. If you are running 3.2.1 or higher, we recommend that you update your computers to use the LMA rather than the Windows User Agent (Windows User Agent is still supported and is not required as part of the Longhorn upgrade process.)

Read more on UA-Win…

Note: In a multi-Rocket environment the User Agents should point to the parent server.

Do you want to install the Windows User Agent as part of a base image?

Learn more about Win User Agent Image Install

Installing the Win User Agent via Active Directory

You can use Group Policy Objects (GPOs) to assign and install software to computers in a domain, and it can be useful to deploy this software based on group membership or OUs. This section describes how to have your User Agent software deployed across multiple OUs.

Tip:For more information on the basics of assigning software to specific groups by using a GPO, refer to Microsoft Knowledge Base article 302430.

Install the Win User Agent

  • 1. Create a network share folder to hold the deployment MSI and MST files. Set the security on this folder to allow AD users and computers (“Everyone” group) to have ‘read and execute’ privileges. Build, copy or move the required MSI and MST files into this location.
  • 2. Log into your network’s Active Directory server as a domain administrator, and then launch the Active Directory Users and Computers snap-in.
  • 3. Though you can apply group policies to an entire domain and multiple OU’s, it is highly recommended, that when planning the installation of the User Agent software that you apply the group policy to ONLY the lowest common workstation OU, not at a Domain level.
  • 4. From the Active Directory ‘Users and Computers’ snap-in, locate the OU that you want to have the GPO linked to. Right-click that OU, click Properties, and then click on the Group Policy tab.
  • 5. Click the New button to create a new GPO for installing the User Agent MSI package. Enter a descriptive name for this new Group Policy, such as “Deployment of User Agent” and click Enter.
  • 6. Select the new GPO name that you just created and click Edit. This starts the Group Policy Editor.
  • 7. Expand the Software node of the Computer Configuration set, then right-click ‘Software Installation’. Select the ‘New -> Package’ option to open the browse dialog for selecting the User Agent MSI.
  • 8. Navigate to the network location that contains the User Agent installer files. Click on the ‘User Agent(x86 or x64).msi’ file, and then click Open.
      If the installer files reside on a local hard drive, do not use a local path provided by the browser – instead, use a UNC path (such as servernamesharenamepathfilename.msi) for the local PC to universally indicate the location of the installation files.
  • 9. If you allow the Group Policy to be created with the file location specified as ‘local’, client computers that attempt to install the package will look in their LOCAL hard drive folders, and will not find the installation files and the installation will fail.
  • 10. In the Deploy Software options dialog, click and select the Advanced option, which will allow you to specify modifications (MST files) for the software installation then click Enter to move to the installation properties dialog.
  • 11. Click on the Deployment tab and make sure that the ‘Uninstall this application when it falls out of the scope of management’ option is NOT ENABLED.
  • 12. Click on the Modifications tab, then click the Add button to browse for the associated MST file. This file should have been labeled “UserAgentServerID.mst” and should be in the common file share where the “User Agent(x86 or x64).msi” file is located. Select this file and click the Open button to add it to the modifications list.
    Click the OK button when all properties are complete. This will save and assign the GPO to the selected OU. Click on the Software Installation node to refresh and display the completed/assigned policy.
Note: Changes to a GPO are not immediately imposed upon the target computers, but are applied in accordance with the currently valid group-policy refresh interval. This gpupdate command with the /force flag should be effective on any currently supported Windows OS.

Do you want to install the Windows User Agent with Zenworks?

Learn more about: Installing the Win User Agent with Zenworks

Do you want to install the Windows User Agent Manually?

Learn more about Manually Installing the Windows User Agent


The PC User Agent can be installed directly overtop an existing version, no different than if it were a brand new install.


Follow either of the processes below to remove the User Agent.

Option 1: GUID

Open Add or Remove Programs
Click Remove next to Lightspeed Systems User Agent
Select Yes to confirm removal.
Click Yes to complete the uninstall.

Option 2: Command Line

Run MSIEXEC /uninstall UserAgent(x86 or x64).msi with /passive or /quiet
Requires the UserAgent(x86 or x64).msi to be in the same directory.

OpenLDAP Configuration

The User Agent supports native OpenLDAP user resolution. Using the WinLDAP implementation, an LDAP server is communicated with and queried to obtain the base search path, the user’s DN and the user’s groups. Note: Unlike AD and Novell environments, an OpenLDAP environment requires UA registry configuration.

In order to communicate with the OpenLDAP server, configure the following under HKLMSoftwareLightspeed SystemsUserAgent:

  • Set “Network Type” to “LDAP”
  • Add “LDAP Server” (REG_SZ), then set to either the IP address or FQDN name
  • Optional registry values may be required for some OpenLDAP environments. (Please contact support should the current implementation not work properly in your environment.)
    • LDAP Base Search Path (REG_SZ) – optional, the base path of the LDAP directory (default: dynamically obtained)
    • LDAP Group Class (REG_SZ) – optional, objectclass for a group (default: posixGroup)
    • LDAP User Attribute (REG_SZ) – optional, the LDAP attribute that defines a user in the directory (default: uid)
    • LDAP Member Attribute (REG_SZ) – optional, the LDAP attribute that defines a member of a group (default: memberUid)
    • LDAP Bind User DN (REG_SZ) – optional, a full DN of a user that has access to the LDAP directory (no default)
    • LDAP Bind User Password (REG_SZ) – optional, the password for the user above (no default)

Chrome Extension User Agent

You should push the Lightspeed User Agent for Chrome via the G-Suite Admin Console.

Lightspeed User Agent

Installation Instructions

Note: If the Captive Portal is enabled in your environment you will need to add a Destination Exemption for the domain from which we host our custom User Agent extension (


The User Agent extension for Chrome provides seamless single sign-on capabilities for ChromeOS devices and Chrome browsers when they are used on a network that is both

  • filtered by a Rocket Web Filter running version 3.5.0 or greater, and
  • set up with a Google domain as an authentication source

When both are true, this User Agent extension transparently authenticates users within your tier address space to your tier’s Google Authentication source. Please note users must be valid members of your Google Auth domain.

Note: The Chrome Extension User Agent requires a Web Filter license from Lightspeed Systems.

Current Limits
Devices with multiple interfaces and/or IPv6 and IPv4 enabled will be authenticated using only the IP address that hits the Rocket API. The other addresses will still be considered unknown.

Deploying the Chrome User Agent

Chrome version 74+ is required

Note: Google may change their UI without warning, causing these steps to no longer be accurate. If that is the case, please notify us through the Was This Helpful link (click No and a form to notify us will pop up) at the bottom of the page and we will immediately update the steps.

  1. Open the Google Admin console and navigate to Devices.

  2. Click Chrome Management from the left-side menu (Device Settings), then click User & browser settings.
  3. Choose your organization from the left menu (Organizations), then scroll down to Apps and extensions section >  apps & extensions page > Yellow Plus > Grid Icon (Add Chrome app or extension by ID) > Click Dropdown > Select From a custom URL
  4. Enter the following App ID and URL in the Extension ID and From a custom URL fields.
  5. ID: eodeiibdcpipgedfgkolnhajjdokejdh
  6. URL:
  7. Then click Save.
  8. Make sure to set FORCE INSTALL on the extension and Save the changes:

Linux User Agent


Looking for other downloads? Click here.

The Linux User Agent allows user resolution for many flavors of Linux. A current list is available on the Downloads page. Upon installation and configuration, the User Agent will send the user login name, IP address, and host name of the machine to the defined Identification Server. This information will then display in Web Filter reports.

The login is captured at a shell login, and when someone either manually or automatically signs into GNOME Display Manager X Windows. Sign out happens within a minute of the user logging off. If someone signs back in before sign out is detected, the new user’s login overwrites the older login name immed



Ensure your system satisfies the Hardware and Software Requirements

Download the latest package for your system architecture at Agents and Downloads

Install the “dialog” package for your system. SuSE comes with it, Ubuntu and Fedora Core don’t. This will allow you to run the menu-based configuration tool as a full-screen console.

Note: In a multi Rocket environment the user agents should point to the parent server.


  • 1. Double click the downloaded file and let your package manager install it.
  • 2. Options and menu screen may vary depending on Linux distribution.
  • 3. After installation is complete, open a terminal window.
  • 4. Gain root privileges either through sudo su or just su.
  • 5. Type in /bin/ which will allow you to configure:
    • Hostname/IP address of the Identification Server
    • Default network interface from which the local IP address will be read (such as eth0)
    • Optional advanced-user settings to subscribe other services to the Lightspeed Systems User Agent PAM module
    • In most cases, the preselected services will work best.


To uninstall the Linux User Agent, with root permissions at a terminal, select and run the executable appropriate for your Linux distribution.

RPM (.rpm) uninstall: rpm -e linuxua
Debian (.deb) uninstall: dpkg -r linuxua

Domain Controller Agent


Looking for other downloads? Click here.

This feature does not require a client on every workstation; however, it requires the agent to be on every single domain controller on the network. If installing the User Agent on every device isn’t a viable solution, the Domain Controller Agent may be useful. Depending on your network, the Domain Controller Agent may not be as effective if you have any of the following situations:

  1. Terminal Services, nComputing or Citrix servers – With thin clients, there is no way to differentiate at the domain controller level the identity of the user performing the web browsing functionality on the server. Because of this, the last person that logs into the server is registered as the person for all users on that system. So, if you use these types of servers, the domain controller agent by itself is not an effective solution for your network.
  2. Dual Internet connection devices – When laptops switch between wired and wireless access, the user is not required to log in again, so the Domain Controller agent would not know who you are at this point and it will not be effective as a solution.
  3. Mobility devices – When a device goes off-campus and back on, the network is re-logging the device into its previous session, so the domain controller is not notified that the user is on the device with that particular IP address.
  4. BYOD – If you are supporting the option for users to bring their own devices on the network, then these devices are not members of the directory network; therefore, the user never logs into the domain itself.

The Active Directory Domain Controller Agent ( DCUA ) can be installed on Microsoft Active Directory Domain Controllers to supply the Rocket Web Filter with user information when a user logs into the network.

Agents are available for download here.

In order for the Domain Controller User Agent (DCUA) to be able to “see” logons and logoffs, the security policy for the domain must be configured to audit those events.

2008 Server Configuration

    • 1. From the Administrative Tools menu, choose Group Policy Management:


    • 2. Expand the Domains folder under the Forest to be configured.
    • 3. Expand the Group Policy Objects folder under the domain to be configured.
    • 4. Right-click Default Domain Controllers Policy and select Edit:


    • 5. Open the Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy folder:


    • 6. Double-click Audit account logon events:


    • 7. Check the Success box and click OK.
    • 8. Double-click Audit logon events:


    • 9. Check the Success box and click OK.
    • 10. Double-click Audit logon events:


2003 Server Configuration

    • 1. From the Administrative Tools menu, choose Domain Security Policy:


    • 2. Open the Security Settings →Local Policies →Audit Policy folder:


    • 3. Double-click Audit account logon events:


    • 4. Check the Success box and then click OK.
    • 5. Double-click Audit logon events:


  • 6. Check the Success box and then click OK.


The Domain Controller User Agent is installed using a Windows installer MSI package file. See the User Agents Agents and Downloads page to download this installation file.

The msiexec command-line to install the product is:

  • msiexec /i DCUserAgent.msi /l*v <log path> SERVER="<server name>"


  • <log path> is the path to a log file that the Windows installer will create
  • <server name> is the name of the Lightspeed Systems Rocket server that logons and logoffs will be reported to.

The log path switch (/l*v) and path are optional.


If installation occurs without the use of the SERVER parameter the Identification Server registry key will need to be update with the Lightspeed Rocket Server IP address providing this service.

64 bit machine it is located under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Lightspeed Systems\DC User Agent\IdentServer

32 bit machine it is located under HKEY_LOCAL_MACHINE\SOFTWARE\Lightspeed Systems\DC User Agent\IdentServer
Enable Logging for troubleshooting:



Logging of DCUA events must be set through the Windows Services management console.

  1. Open the Windows services console (services.msc)
  2. Locate Lightspeed Domain Controller User Agent and stop the service
  3. Open the properties of the Lightspeed Domain Controller User Agent service
  4. In Start Parameters add /o /d /dump_pertinent
  5. Start the service


DCUserAgent.log will be located in

64 bit – C:\Program Files (x86)\Lightspeed Systems\Domain Controller User Agent

32 bit – C:\Program Files\Lightspeed Systems\Domain Controller User Agent

LMA - Prerequisites, Installation, and Upgrades


Lightspeed Management Agent (LMA)

Web Filter Mobile Manager

The LMA Agent gives you the power to control certain device features that would be otherwise un-controllable.

OS Bit Version # Link
64 bit 3.1.6 LMA_Setupx64.msi
32 bit 3.1.6 LMA_Setupx86.msi
Note: Starting with Web Filter 3.x, the LMA Agent replaces the PC User Agent as your all-purpose method of user resolution. Customers who are upgrading to or using Rocket Web Filter 3.2 need to use the Lightspeed Management Agent (LMA) as their PC user agent.
Note: Customers who have previously installed the Windows User Agent must first uninstall the Windows User Agent before installing the LMA. You should also make sure any methods you used for installing the User Agent are disabled.

Customers who only require the LMA agent and want to add in the Rocket identification server during installation can use the following switch to install the LMA agent on their devices without bounding it to other Lightspeed products, such as Mobile Manager.

msiexec /i LMA_Setupx64.msi UA=1 CO=0 MM=0 ID_SERVER="" /qn

Learn how to install the LMA from .bat over GPO here.


  • Current Lightspeed Systems Customer Account – You will need to provide it during installation if you are installing Classroom Orchestrator, Mobile Manager, or both.
  • Mobile Manager Enrollment Code for Mobile Manager Installation – You will need to provide it during installation only if you are installing Mobile Manager. If you are only installing Classroom Orchestrator then you do not need it. The enrollment code can be found by clicking Enroll Device under your organization in Mobile Manager.


  • Client PCs Running Windows 7, 8, 8.1, or 10
  • The LMA Client PC Setup File – LMA_Setupx64.msi or LMA_Setupx86.msi, which can be downloaded at the above links.
  • .NET Framework – Your .NET Framework needs to be at version 4.5.2 or later. You can update your .NET Framework here.


Note: The LMA is only required for clients with Web Filter 3.x who have users running Windows devices.

Standard Install

  • 1. Log into the client PC.
  • 2. Download the LMA_Setupx64.msi or LMA_Setupx86.msi file onto the PC.
  • 3. Open a command prompt and navigate to the directory that the LMA_Setupx64.msi orLMA_Setupx86.msi is in. Then enter msiexec /i
  • 4. At the command prompt enter LMA_Setup.msi CUSTOMER_ID= followed by your Lightspeed Systems customer number. You also need to provide an enrollment code if you are installing Mobile Manager (ENROLLMENT_CODE= followed by your Mobile Manager enrollment code), an optional associate user setting (ASSOCIATE_USER=1), and the portions of the product you would like to install (entering MM=1 enables the Mobile Manager service.
  • And the example below installs Mobile Manager only.

The LMA Client switches are defined below:

  • MM: Indicates that you are installing the Mobile Manager. If present, it must be set to 1. Omit this parameter if you don’t want to enable Mobile Manager.
  • CO: Indicates that you are installing the Classroom Orchestrator. If present, must be set to 1. Omit this parameter if you don’t want to enable Classroom Orchestrator.
Note: You must provide at least one of the above values (CO or MM), or both.
    • CUSTOMER_ID: Your organization’s customer number as assigned by Lightspeed Systems. This is a required value.
    • ENROLLMENT_CODE: The enrollment code for installing Mobile Manager, which can be found by clicking Enroll Device under your organization in Mobile Manager.
    • ASSOCIATE_USER: Optional. Set to 1 to enable this. Please note the ASSOCIATE_USER parameter can be set to 1 (true) or 0 (false). If true, it will bind that device to a particular user in Mobile Manager. This way you can apply policies to a user that will propagate to various devices.


Note: You will not be able to proceed without your customer number, enrollment code, associate user, and Mobile Manager.
    • Once the installation process starts the following license prompt will be displayed.


    • 5. Check (select) I accept the terms in the License Agreement.
    • 6. Click Install. The installation status will be displayed as shown below.


    • 7. Click Finish to complete the installation process.

    Silent Install

    To perform a silent install open a command prompt on the client PC and enter the following (x64 version shown):

    msiexec /i LMA_Setupx64.msi CUSTOMER_ID=12-3456-A000 ASSOCIATE_USER=1 MM=1 CO=1 /qn

    Device Registration Portal

    You can also use the Device Registration Portal to manage devices. This can be used with the Windows Mobile Filter.

    Do you want to learn more about the Device Registration Portal?

    Learn more about: Managing websites with the DRP
    Learn more about: Intalling the Windows Mobile Filter

Installing LMA using Mobile Manager

To install the LMA using Mobile Manager, you will need to use the an MSI converter to change the MSI file a .lsmdm file.

Note: This requires use of a command-line utility to preprocess the MSI file to include necessary information for the installation. You can download that utility (Windows only) from this link:

You can learn how to install MSI files on enrolled Windows 10 devices through Mobile Manager here. 

When installing the LMA, you can now skip adding the switches for Customer_ID, Mobile Manager (MM), and Classroom Orchestrator (CO), as long as your Domain, Public IP Range, or MAC address of the device is entered in the Device.

Other Installation Methods

You can also install the LMA via GPO and via Boot Script.

Learn more about: Installing the LMA from .bat via GPO
Learn more about: Installing the LMA via Boot Script

Installation Troubleshooting

Follow these troubleshooting tips in case on installation issues:

1. Commonly, the LMA is installed without any parameters mistakenly and the result is no identification. If this happens, it is relatively easy to correct the installation. The information is stored in the registry under HKLM/Software/Lightspeed Systems/LMA/User Agent. Check that the Identification Server key is set properly. If not you can change it here and restart LMA_Service with the net stop and net start commands.

2. If the installation appears to have been successful, but you are still not seeing identification information on the Rocket and/or getting the wrong filtering Rule Set, check that the ID server is correct and reachable. Check the setting in the registry and try to ping that name or IP from a terminal window. If it responds then basic communication is possible.

3. If you are able to ping your Rocket, the next thing to check is to see if the proper ports are open between the workstation and the Rocket. This is a common problem on restricted VLANS that some administrators use for student device. Check with the person in charge of network security and ask them to check that ports 1305 and 1306 TCP and UDP are open.

4. Lastly, check the lsidentd service on the Master/Parent Rocket. If this service is not running, then agents will not work properly.


Upgrades and uninstallation of the LMA now require a customer to have their organization registered with Device Registration Portal. During installation, an LMA will register with DRP, where it will then be attributed with an uninstallation password. There is the option to choose auto updating the LMA when a new version becomes available. Additionally, through DRP a customer is also able to enable/disable the MM and CO functionality of the LMA.

Standard Upgrade

To upgrade the LMA Client, simply install over the top of the old one. Open a command prompt on the client PC and enter (x64 version shown):

msiexec /i LMA_Setupx64.msi

The settings from the previous installation will be saved.

Silent Upgrade

To silently upgrade the LMA Client, open a command prompt as an administrator on the client PC and enter (x64 version shown):

msiexec /i LMA_Setupx64.msi /qn

Settings from the previous install will be maintained.

Note: Imaged Agent Install Settings in the Device Registration Portal can affect the registry of devices where the LMA is installed. Learn more here.


Uninstalls require Internet access to and a corresponding uninstall password. This is required for the built-in safeguard to prevent unauthorized persons from uninstalling the software. In addition, devices must have their MAC address registered to This is so that we can tie them to an organization to verify the password.

The LMA can also be uninstalled with the following command line:

msiexec /x LMA_Setupx86_v3.1.1.0.msi PASSWORD=theconfiguredpassword /qn

Note: You can find the uninstall password within the Device Registration Portal.


Installing the LMA from .bat over GPO for User Resolution

These instructions illustrate how to install the Lightspeed Management Agent from .bat over GPO as user agent for user resolution. All customers who have Rocket 3.x or higher need to use the LMA agent as their PC user resolution method.


1. Download the required agents.

Lightspeed Management Agent (LMA)

Web Filter Mobile Manager

The LMA Agent gives you the power to control certain device features that would be otherwise un-controllable.

OS Bit Version # Link
64 bit 3.1.6 LMA_Setupx64.msi
32 bit 3.1.6 LMA_Setupx86.msi
Note: Follow the installation instructions on this page in order to install the LMA over GPO.


2. Create a batch script that does the following:

@echo off
msiexec /i "%~dp0LMA_Setupx64.msi" co=0 mm=0 ua=1 /q

*Note: %~dp0 ensures the .msi is ran from the network directory the agent is hosted.
id_server=Fully Qualified Domain Name resolving to the internal Rocket NIC.

Example: =

To locate the FQDN section on your rocket, navigate to Settings > Network Interfaces > Hostname

Ensure that the hostname resolves to your Rocket’s IP.

Figure 1: Network Interfaces, FQDN



3. Create a network directory to hold the LMA agent and .bat script.
*Note: Ensure only ‘read’ access is granted to your end-user security groups for this directory. Check out figure 1 for more information. Check out figure 2 for additional details.

Figure 2: Directory Rights. Directory example: \\server\Lightspeed Agents


4. Create the GPO inside you user OU.

  • a) From your Windows server, open up Group Policy Management and Active
    Directory Users and Computers.
  • b) From Group Policy Management, right click the OU where the agent will be
    deployed and select Create a GPO in this domain, and link it here…
  • c) Title the GPO, right click it and select Enforced.
  • d) All user accounts the GPO should apply towards will be in this OU. Figure 2 is how the Group Policy Management should look. Figure 3 displays the user accounts from AD Users and Computers pertaining to this tutorial.

*Note: For this scenario, we are testing on the Student OU using the “David” account.

Figure 3: Group Policy Management


Figure 4: Active Directory Users and Computers4

5. Configuring the GPO to run a login script.

  • a) From group policy management, right click the GPO you created in step 4 and
    select Edit.

Figure 4 – Edit GPO


  • b) From the user configuration, open Policies > Windows Settings > Scripts
    > Logon

Figure 5: Open Logon Settings


  • c) Click the Add button and navigate to the .bat script you created earlier. Select the .bat script and select OK and then  OK again.

Figure 6: Deploy Login Script from Network Directory


*Note: Ensure the .bat is being pushed out from a network directory.


1. On a test machine, login on the machine. Upon login, the script will run silently installing the user agent. Check the install directory and the registry to validate installation.

2. Validate that the install files and ID Server value are both present.

x64 install directory: C:\Program Files\Lightspeed Systems\LMA\Bin
Registry path: HKEY_LOCAL_MACHINE > Software > Lightspeed Systems > LMA
> User Agent

Figure 7: Install Files


Figure 8: Registry Keys


Pushing Lightspeed Agents to Google Users

  • 1. Navigate to 
  • 2. Click Chrome Management
  • 3. Click User settings.
  • 4. Scroll down to Apps and Extensions and click Manage force-installed apps.
  • 5. Under Chrome Web Store, download the extensions you need. Click Add to add each extension. Click Save after you’ve added all your necessary extensions.
Note: Certain extensions, such as the Chrome User Agent and the Lightspeed Chrome Mobile Filter need to be pushed manually instead of through the Chrome Web Store.
Extensions Chrome Webstore Link/Manual Push Link
Lightspeed Management for Chrome View
Lightspeed Broadcast for Chrome View
Lightspeed User Agent Push Manually
Web Filter Extension for Google Chrome (Replaces Chrome Mobile Filter) Push Manually


Once you push the Lightspeed user agent extensions to your devices, these devices will auto-populate in your Chrome Bundle. You can view a list of your devices in the Mobile Manager Devices tab.



Note: Customers who currently use SSL certificates generated by a Certificate Authority (CA) with their Rocket appliance MUST push the new Chrome Lightspeed S-Mobile Filter and not the Lightspeed Mobile Filter to devices. Learn more here.
Note: Customers who have devices other than Chromebooks (Windows or iOS devices) will need to install those specific user agents on their devices. Learn more about Windows and iOS user agents.

Rock 3.x and User Agents

The recent release of Rocket 3 has many of our users asking if they can still use their old user agents. While most of the user agents will still work, any customer running version 3 of the Rocket needs to upgrade to the LMA (Lightspeed Management Agent) User Agent for Windows for their user resolution purposes. Lightspeed Systems will no longer support the PC User Agent for Windows devices connected to a Rocket 3 interface.

You can download the latest LMA User Agent here.

Why Are We Doing This?

The Windows LMA User Agent uses a new secure protocol to communicate with the Rocket. In the new protocol all data between the client machine and the Rocket appliance is encrypted. This makes the LMA User Agent safer and more effective than previous versions.

How About Customer With Rocket 2.x?

Customers with Rocket 2.x should run the PC User Agent for Windows user resolution.

You can find the PC User Agent, as well as other user agents, here.