Welcome to Relay. Our goal is to provide you with tools that help you monitor and secure web activity on your network. But before you jump into the Relay interface, follow these three simple steps to get started:
- 1. Add Users and Groups
- 2. Create your filtering policy
- 3. Deploy Relay software to devices
Of course, you need to log in to Relay before getting started.
Minimum OS Version
Before deploying Relay to any devices on your network, ensure that the device(s) is running this version of the operating system:
- Windows – Windows 10 (x64, builds 1703+) and Windows 7 (x64)
Note: Support for Windows 10 (x32) will be available in future releases.
- Mac – High Sierra, x64
Note: Support for macOS Sierra and El Capitan will be available in future releases.
- iOS – 11.2
Required Open (Unblocked) URLs
Ensure that the following ports and domains/hosts are unblocked by your network filter.
The following outbound ports must be open on your network:
The following domains/hosts should be allowed on your network:
Step 1- Add Users and Groups
Start by adding (importing) users and groups into Relay. Select one of the following import methods:
Step 2- Create your filtering policy
The second step in this Getting Started process is to create your filtering policy. We suggest reviewing Relay’s default internet access categories to begin crafting your internet policy.
Relay classifies websites into various categories. By default, most of these categories are blocked.
Navigate to Internet Access > Default Rules section and scroll through the list of Categories. Determine which categories need to be blocked or unblocked. Each category provides a brief description of the type of sites within it. Click on the on/off icon to the left of the category name to toggle a category on or off.
- – indicates the category is on and accessible.
- – indicates the category is off and blocked.
Search for a Site’s Category
To search for a site’s category, scroll to the top of the Rules page and enter the website URL in the Enter a website to check… search bar, then click Check.
Example: In the following example we searched for www.facebook.com and the results show that Facebook is blocked and categorized as forums.social_networking. Click on the icon to the left of the category name to make the category (and Facebook) accessible.
Step 3- Deploy Relay software to devices
After you’ve imported users and created your filtering policy, you are ready to deploy Relay to your devices (Chrome, Mac, Windows, and iOS).
Open the Google Admin console and navigate to Device Management.
Click Chrome Management from the left-side menu (Device Settings), then click User Settings.
Choose your organization from the left menu (Organizations), then scroll down to Apps and Extensions > Force-installed Apps and Extensions. Click on Manage force-installed apps. Click on Specify a Custom App.
Enter your organization-specific App ID and URL in the ID and URL fields. Then click Add.
Note: Refer to the Relay (Step 3) or Classroom (Step 2) Getting Started page and click Details for the App ID and URL. You can also find your organization-specific App ID and URL on Relay’s Settings > Chrome Extension page.
Once added, the App ID is listed in the Total to force install list. Click Save to push the extension.
When running Relay in Google Chrome, we recommend enabling these settings (if not already) to prevent users from bypassing or compromising the web-filtering service:
Caution: Make sure you select the correct organization from the list of Organizational groups (User Settings left-menu) when making these changes.
Add Chrome Flags & Inspect Tools to the URL Blacklist
Google Chrome Flags (list of experimental features) provide savvy users the ability to bypass web filtering in Chrome. Disable any opportunity to bypass web filters by adding these pages to your list of blocked URLs in Google’s Admin console.
To add the Chrome Flags and Inspect Tool URLs to the URL Blacklist from the Google Admin console, navigate to the URL Blacklist settings (Device Management > Chrome > User settings > Content > URL Blocking > URL Blacklist) and enter the following URLs in the URL Blocking field. Click Save to apply this setting.
Ensure Extensions are Allowed
Our web-filtering services (for Chrome) are deployed to devices via a Chrome Extension. By default, Extensions should be allowed, but if you have issues pushing the extension to a device, ensure that this setting is enabled.
To verify that extensions are allowed from the Google Admin console, navigate to the list of Allowed Types of Apps and Extensions (Device Management > Chrome > User settings > Apps and Extensions > Allowed types of Apps and Extensions) and ensure that the box next to Extension is marked. Click Save to apply this setting.
Disallow Incognito Mode
Chrome’s Incognito Mode allows users to browse the Internet privately. While user activity isn’t hidden in Incognito Mode, it’s best to disallow this feature when setting up your web-filtering service.
To disallow Incognito Mode from the Google Admin console, navigate to Incognito Mode (Device Management > Chrome > User settings > Security > Incognito Mode) and select Disallow Incognito Mode from the drop-menu. Click Save to apply this setting.
Never Allow Developer Tools
Chrome’s built-in developer tools give users access to the browser’s (and other web applications’) internal code. It’s best to never allow users access to the browser’s built-in developer tools.
To never allow access to Chrome’s built-in developer tools, from the Google Admin console, navigate to Development Tools (Device Management > Chrome > User settings > User Experience > Developer Tools) and select Never allow use of built-in developer tools from the drop-menu. Click Save to apply this setting.
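To confirm that the four settings above actually reached a managed device, the check below audits the Chrome policies in effect there. It is an added example, not Lightspeed or Google code; the flat policy dictionary, the two blocked URLs (inferred from the section heading) and the placeholder extension ID are assumptions.

```python
# Added example: audit the Chrome policies in effect against the four settings above.
# Assumption: `policies` is a flat {policy name: value} dict, e.g. transcribed from
# chrome://policy on a managed device.
REQUIRED_BLOCKED = ["chrome://flags", "chrome://inspect"]  # assumed from the heading
PLACEHOLDER_ID = "a" * 32  # placeholder, not a real extension ID


def norm(url):
    """Normalise a blocklist entry for comparison."""
    return url.strip().lower().rstrip("/*")


def audit_chrome_policy(policies, extension_id):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Chrome 86+ names the policy URLBlocklist; older builds use URLBlacklist.
    blocked = {norm(u) for key in ("URLBlocklist", "URLBlacklist")
               for u in policies.get(key, [])}
    for url in REQUIRED_BLOCKED:
        if norm(url) not in blocked:
            findings.append(f"URL not blocked: {url}")
    # An unset ExtensionAllowedTypes allows every type, so only a set list can fail.
    allowed = policies.get("ExtensionAllowedTypes")
    if allowed is not None and "extension" not in allowed:
        findings.append("extensions are not an allowed app type")
    # Force-install entries have the form "<extension id>;<update URL>".
    forced = {e.split(";", 1)[0] for e in policies.get("ExtensionInstallForcelist", [])}
    if extension_id not in forced:
        findings.append("filter extension is not force-installed")
    # IncognitoModeAvailability: 0 = available, 1 = disabled, 2 = forced.
    if policies.get("IncognitoModeAvailability", 0) != 1:
        findings.append("Incognito Mode is not disallowed")
    # DeveloperToolsAvailability: 2 = never allowed (legacy: DeveloperToolsDisabled).
    if (policies.get("DeveloperToolsAvailability") != 2
            and not policies.get("DeveloperToolsDisabled", False)):
        findings.append("developer tools are still available")
    return findings


# Constructed sample: blocklist and force-install applied, the other two settings missed.
SAMPLE = {
    "URLBlacklist": ["chrome://flags", "chrome://inspect/*"],
    "ExtensionInstallForcelist": [PLACEHOLDER_ID + ";https://example.invalid/update.xml"],
    "IncognitoModeAvailability": 0,
    "DeveloperToolsAvailability": 1,
}

if __name__ == "__main__":
    for finding in audit_chrome_policy(SAMPLE, PLACEHOLDER_ID):
        print("FAIL:", finding)
```

An empty result means every setting in this section is in force for that user; replace the placeholder with your organization-specific App ID before running it.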
Mac OS Devices
To install a Smart Agent on a Mac, follow these steps:
- 1. Obtain your .dmg file in one of the following ways:
- a. From Getting Started under Deploy Relay software to devices, click the macOS tab. Then click the SmartAgent.dmg link.
- b. Navigate to Settings > Software using the left-side navigation of Relay and click the macOS tab. Then click the SmartAgent.dmg link.
- 2. Working from the target workstation as an Administrator, make a local copy of your Smart Agent .dmg file accessible.
- 3. Open SmartAgent.dmg and complete the installer.
Enabling High Sierra Security and Privacy
You can bypass this step by following the instructions in this Apple article under the How This Affects Enterprise App Distribution section. Use Team ID ZAGTUU2342 if you elect to boot into Recovery OS and use the spctl kext-consent command approach.
After installing the Relay Smart Agent, enable security and privacy preferences. This step only needs to be done once for every device.
Navigate to System Preferences > Security & Privacy. Click on the lock icon at the bottom left to unlock changes and enter your password. Click the Allow button to authorize software initiation.
Before installing the Windows Smart Agent, ensure that your anti-virus software is set to exclude the following locations:
- C:\ProgramFiles\Lightspeed Systems\Smart Agent\*
- C:\ProgramData\Lightspeed Systems\Smart Agent\*
To install a Smart Agent on a Windows machine, follow these steps:
- 1. Obtain your .msi file in one of the following ways:
- a. From Getting Started under Deploy Relay software to devices, click the Windows tab. Then click the appropriate link to the Smart Agent .msi file.
- b. Navigate to Settings > Software in the left-side navigation of Relay and click the Windows tab. Then click the Smart Agent .msi link.
- 2. Working from the target workstation as a Local Administrator, make a local copy of your Smart Agent .msi file accessible.
- 3. From an administrator command prompt, navigate to the folder where your SmartAgentx64.msi file is saved and launch it using this command: msiexec /i [File Name.msi]
Note: If you are using LANDesk to deploy the Windows Smart Agent, add a 5 min delay to the deployment to give the agent enough time to receive its policy.
If you are using Sophos AV, disable the software’s web filter feature, or else the Smart Agent will not filter the device properly.
iOS Specific Prerequisites
- Device cannot be running any other iOS filtering software and cannot have a global proxy configured.
- Device must be enrolled in a mobile device manager and owned by the user that you are filtering with Relay.
- The app must be launched once (this can be done by placing the device in single-app mode and selecting this app).
You should install the Smart Agent iOS app using Managed Distribution. For more information on Managed Distribution, click here.
Following installation, you need to configure the Web Content Filter settings within your MDM.
Lightspeed Systems Mobile Manager
Follow these instructions to configure the Web Content Filter settings in Lightspeed Systems Mobile Manager.
- Click Policies in the main navigation menu.
If your Relay interface is integrated with Mobile Manager, click Device Management to open the Mobile Manager policies page.
- Click Web Content Filter in the Policies list.
- In the Web Content Filter policy, set Filter Type to Plug-In and Vendor to Lightspeed (Relay).
If you’re using a third-party MDM, you’ll need to configure the following settings:
||Provided by Customer (ex: Relay – Content Filter)
||email address – must match the email address in Relay/Launch
|Filter WebKit Traffic
|Filter Socket Traffic
||UDID of the device
||Lightspeed Customer ID
Here’s an example of the settings using Apple Configurator as a third-party MDM:
Cisco Meraki MDM solutions do not support our Relay Smart Agents for iOS. Refer to our FAQ to learn more.