Controlling access to Foldr by Location
Foldr provides the administrator the ability to control where users are able sign into Foldr and what resources are available from a given location. The administrator can permit or deny users or Active Directory groups based on the client IP address, IP address ranges or entire subnets. This could be useful if a group is only to be allowed access from inside the organisations network, or to limit the locations that a user is permitted to sign in from remotely.
From Foldr Settings > Security > Permissions the administrator can specify location based permissions for ‘Use Foldr‘ and this is a global permission that affects access to Foldr via the web or any of the client desktop or mobile apps.
Location based permissions can be used throughout the Foldr Settings admin interface and where these are used networks / locations should be configured one per line if multiple entries are required.
Accepted values are:
- Wildcard format: 1.2.3.*
- CIDR format: 1.2.3.0/24 OR 1.2.3.4/255.255.255.0
- Start-End IP format: 1.2.3.0-1.2.3.255
In the example below, the built-in Foldr Users (Everyone) is configured with an allow rule for subnet 1.2.3.0/255.255.255.0 – This rule will result in all users ONLY being permitted to sign in from a client device on the 1.2.3.0 subnet. (client IP address of 10.20.30.1 – 10.20.30.254)
In the second example, the built-in Foldr Users group is denied access from the same subnet. The result of this ACL rule would allow users to sign in from any location except subnet 1.2.3.0.
In the final example, the Active Directory group ‘Marketing’ is only allowed to sign in from client devices on the network 172.16.10.0. Users in this group will be denied access if they attempt to sign in from any other location.
Location based share permissions
As well as being able to control where users / groups can sign in from, the administrator can control where users can access certain storage locations through Foldr. i.e. you can apply share permissions based on location / network address.
Using the granular share access permissions, this gives the administrator the ability to only present a share if the client is signing in from a particular IP address or subnet, or you can force shares to only be read only / writable from specific locations. Share permissions are configured within:
Foldr Settings > Files & Storage > edit-share > Access tab > Permissions
Then double click the User or Group that you wish to apply location based permissions
In the example below, the permissions on the share below have been modified to only allow the storage location to be visible in the Foldr web or client apps (with Read Only access) if the client is connecting from either the 172.16.1.0 or 192.168.1.0 networks. Note the Write section has a permission entry of ‘None’ so the user cannot write to the share.
In the final example, users in the Marketing group will have access to the storage item from any location, but will only be able to write to the storage if they are connecting from the 10.1.1.0/24 network.
Location based client app configuration
Within Foldr Settings > Devices & Clients, the administrator has the ability to also configure granular access permissions for each client app individually – Windows, macOS, iOS, Android and web.
In the example below, a policy has been configured to only allow users within the Marketing group permission to use the macOS app from networks 172.16.1.0 and 172.16.2.0.
