Welcome to Relay. Our goal is to provide you with tools that help you monitor and secure web activity on your network. But before you jump into the Relay interface, follow these three simple steps to get started:
- 1. Verify network access to Relay
- 2. Import users and groups
- 3. Deploy Relay software to devices
Of course, you need to log in to Relay before getting started.
Minimum OS Version
Before deploying Relay to any devices on your network, ensure that the device(s) is running this version of the operating system:
Step 1- Verify network access to Relay
The following ports and domains need to be opened in order for Relay to function correctly.
- lsrelay-config-production.s3.amazonaws.com (needed for Classroom)
- lsrelay-extensions-production.s3.amazonaws.com (needed for Classroom)
IP addresses and URLs:
- 22.214.171.124 (Whitelist on Spam Filters to allow emailed Reports)
- Allow access to 126.96.36.199 /27
Allow access to AWS regions utilized by Lightspeed
AWS published list of address space. https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
- Lightspeed Utilizes the following regions to provide services:
Step 2- Import users and groups
Add (or import) users and groups into Relay. Select one of the following import methods:
Choose an import method
Step 3- Deploy Relay software to devices
After you’ve imported users and created your filtering policy, you are ready to deploy Relay to your devices (Chrome, Mac, Windows, and iOS).
Open the Google Admin console and navigate to Devices.
Click Chrome Management from the left-side menu (Device Settings), then click User and browser settings.
Choose your organization from the left menu (Organizations), then scroll down to the Apps and extensions section and go to apps & extensions page > Yellow Plus > Grid Icon (Add Chrome app or extension by ID). Click the dropdown and select From a custom URL.
Enter your organization-specific App ID and URL in the ID and URL fields. Then click Save.
Note: Make sure to set FORCED INSTALL on the extension and save the changes.
When running Relay in Google Chrome, we recommend enabling these settings (if not already) to prevent users from bypassing or compromising the web-filtering service:
Caution: Make sure you select the correct organization from the list of Organizational groups (User Settings left-menu) when making these changes.
Add Chrome Flags & Inspect Tools to the URL Blacklist
Google Chrome Flags (list of experimental features) provide savvy users the ability to bypass web filtering in Chrome. Disable any opportunity to bypass web filters by adding these pages to your list of blocked URLs in Google’s Admin console.
To add the Chrome Flags and Inspect Tool URLs to the URL Blacklist from the Google Admin console, navigate to the URL Blacklist settings (Device Management > Chrome > User settings > Content > URL Blocking > URL Blacklist) and enter the URLs in the image below into the URL Blocking field. Click Save to apply this setting.
Ensure Extensions are Allowed
Our web-filtering services (for Chrome) are deployed to devices via a Chrome Extension. By default, Extensions should be allowed, but if you have issues pushing the extension to a device, ensure that this setting is enabled.
To verify that extensions are allowed from the Google Admin console, navigate to the list of Allowed Types of Apps and Extensions (Device Management > Chrome > User settings > Apps and Extensions > Allowed types of Apps and Extensions) and ensure that the box next to Extension is marked. Click Save to apply this setting.
Disallow Incognito Mode
Chrome’s Incognito Mode allows users to browse the Internet privately. While user activity isn’t hidden in Incognito Mode, it’s best to disallow this feature when setting up your web-filtering service.
To disallow Incognito Mode from the Google Admin console, navigate to Incognito Mode (Device > Chrome > User & browser settings > Security section > Incognito Mode) and select Disallow Incognito Mode from the drop-down menu. Click Save to apply this setting.
Never Allow Developer Tools
Chrome’s built-in developer tools give users access to the browser’s (and other web applications’) internal code. It’s best to never allow users access to the browser’s built-in developer tools.
To never allow access to Chrome’s built-in developer tools, from the Google Admin console, navigate to Developer Tools (Device > Chrome > User & browser settings > User Experience > Developer Tools) and select Never allow use of built-in developer tools from the drop-down menu. Click Save to apply this setting.
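One way to check the Chrome settings above across many organizational units, as an added example that is not Lightspeed's code. It assumes you have already extracted each unit's policies into a flat mapping of Chrome enterprise policy name to value; the extension ID, update URL and `chrome://flags` entry are constructed placeholders to replace with the values from your own console.

```python
# Added example: audit Chrome policy values against the hardening steps above.
# Assumption: `policies` is a flat {policy name: value} mapping that you have
# extracted yourself; the keys are Chrome enterprise policy names.

def audit_chrome_policies(policies, extension_id, required_blocked_urls):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Forced install: each entry has the form "<extension id>;<update URL>".
    forced = policies.get("ExtensionInstallForcelist") or []
    if not any(entry.split(";", 1)[0] == extension_id for entry in forced):
        findings.append("filter extension is not force-installed")

    # An unset policy allows every type; a set one must include "extension".
    allowed = policies.get("ExtensionAllowedTypes")
    if allowed is not None and "extension" not in allowed:
        findings.append("extensions are not an allowed app type")

    # 1 = Incognito disabled (0 = available, 2 = forced).
    if policies.get("IncognitoModeAvailability") != 1:
        findings.append("Incognito Mode is not disallowed")

    # 2 = built-in developer tools never allowed.
    if policies.get("DeveloperToolsAvailability") != 2:
        findings.append("developer tools are not set to never allow")

    # URLBlocklist is the current name, URLBlacklist the older; exact match only.
    blocked = set(policies.get("URLBlocklist") or [])
    blocked |= set(policies.get("URLBlacklist") or [])
    for url in required_blocked_urls:
        if url not in blocked:
            findings.append(f"{url} is missing from the URL block list")
    return findings

# Constructed sample values, not taken from the Relay console.
EXT_ID = "a" * 32                 # placeholder for your organization's App ID
REQUIRED = ["chrome://flags"]     # assumed entry; use the URLs Relay lists
HARDENED = {
    "ExtensionInstallForcelist": [EXT_ID + ";https://example.invalid/update.xml"],
    "IncognitoModeAvailability": 1,
    "DeveloperToolsAvailability": 2,
    "URLBlocklist": ["chrome://flags"],
}
WEAK = {"ExtensionAllowedTypes": ["theme"], "IncognitoModeAvailability": 0,
        "DeveloperToolsAvailability": 1}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_chrome_policies(sample, EXT_ID, REQUIRED) or "OK")
```

An unset policy is reported as a finding for Incognito Mode and developer tools because Chrome's defaults leave both available to the user.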
Mac OS Devices
To install a Smart Agent on a Mac, follow these steps:
- 1. Obtain your .dmg file in one of the following ways:
- a. From Getting Started under Deploy Relay software to devices, click the macOS tab. Then click the SmartAgent.dmg link.
- b. Navigate to Settings > Software using the left-side navigation of Relay and click the macOS tab. Then click the SmartAgent.dmg link.
- 2. Working from the target workstation (as an Administrator), make a local copy of your Smart Agent .dmg file accessible (for future installations).
- 3. Open SmartAgent.dmg and launch the SmartAgent.pkg.
Note: Installing the Smart Agent requires the admin password for the target workstation.
If you are installing the macOS Smart Agent to a machine running macOS 10.14+, add the following URLs to your list of Exclude from Decryption
Enabling High Sierra Security and Privacy
You can bypass this step by following the instructions in this Apple article under the How This Affects Enterprise App Distribution section. Use Team ID ZAGTUU2342 if you elect to boot into Recovery OS and use the spctl kext-consent command approach.
After installing the Relay Smart Agent, enable security and privacy preferences. This step only needs to be done once for every device.
Navigate to System Preferences > Security & Privacy. Click on the lock icon at the bottom left to unlock changes and enter your password. Click the Allow button to authorize software initiation.
Before installing the Windows Smart Agent, ensure that your antivirus software is set to exclude the following items:
Locations to exclude from file/folder scanning: (including all subfolders)
- C:\Program Files\Lightspeed Systems\Smart Agent\*
- C:\Program Files\Lightspeed Systems\Smart Agent\PolicyData\*
- C:\Program Files\Lightspeed Systems\Smart Agent\Driver\*
- C:\ProgramData\Lightspeed Systems\Smart Agent\*
Process to exclude from active scanning: (including processes spawned by these items)
- C:\Program Files\Lightspeed Systems\Smart Agent\lsproxy.exe
- C:\Program Files\Lightspeed Systems\Smart Agent\LSSASvc.exe
- C:\Program Files\Lightspeed Systems\Smart Agent\smart-agent-js-win.exe
- C:\Program Files\Lightspeed Systems\Smart Agent\Update.exe
- C:\Program Files\Lightspeed Systems\Smart Agent\makeca.exe
To install a Smart Agent on a Windows machine, follow these steps:
- 1. Obtain your .msi file in one of the following ways:
- a. From Getting Started under Deploy Relay software to devices, click the Windows tab. Then click the appropriate link to the Smart Agent .msi file.
- b. Navigate to Settings > Software in the left-side navigation of Relay and click the Windows tab. Then click the Smart Agent .msi link.
- 2. Working from the target workstation as a Local Administrator, make a local copy of your Smart Agent .msi file accessible.
- 3. From an administrator command prompt, navigate to the folder where your SmartAgentx64.msi file is saved and launch it using this command: msiexec /i [File Name.msi]
Note: If you are using LANDesk to deploy the Windows Smart Agent, add a 5 min delay to the deployment to give the agent enough time to receive its policy.
If you are using Sophos AV, disable the software’s web filter feature, or else the Smart Agent will not filter the device properly.
iOS Specific Prerequisites
- Device cannot be running any other iOS filtering software and cannot have a global proxy configured.
- Device must be enrolled in a mobile device manager and owned by the user that you are filtering with Relay.
Note: You do not have to launch the app if you are running iOS 12+; however, iOS 11 users may need to launch the app once (in single-app mode).
You should install the Smart Agent iOS app using Managed Distribution. For more information on Managed Distribution, click here.
Following installation, you need to configure the Web Content Filter settings within your MDM.
Lightspeed Systems Mobile Manager
Follow these instructions to configure the Web Content Filter settings in Lightspeed Systems Mobile Manager.
- Click Policies in the main navigation menu.
If your Relay interface is integrated with Mobile Manager, click Device Management to open the Mobile Manager policies page.
- Click Web Content Filter in the Policies list.
- In the Web Content Filter policy, set Filter Type to Plug-In and Vendor to Lightspeed (Relay).
If you’re using a third-party MDM, you’ll need to configure the following settings:
||Provided by Customer (ex: Relay – Content Filter)
||email address – must match the email address in Relay/Launch
|Filter WebKit Traffic
|Filter Socket Traffic
||UDID of the device
||Lightspeed Customer ID
Here’s an example of the settings using Apple Configurator as a third-party MDM:
Cisco Meraki MDM solutions do not support our Relay Smart Agents for iOS. Refer to our FAQ to learn more.