Anyone using Lightspeed Relay for Mac OS?

bethlehemacadem
New Contributor

I am looking at using Lightspeed Systems Relay on our student laptops. We use a SonicWall firewall on campus. I am hoping to use Relay to provide content filtering when off-campus. I also like the reporting tools. I am curious who has deployed it on macOS. What issues have you run into deploying Relay?

23 REPLIES

russeller
Contributor III

Haven’t deployed it yet. Just in the testing phase a few months ago. This may be old news if they updated their installer. There are hidden files in the DMG the installer references, so it’s best to put the dmg on the client in a tmp location, then script the opening of the dmg with the hdiutil command, then script the install of the pkg. Hope this helps prevent headaches later.

jreeves
New Contributor III

We started with Lightspeed Relay at the beginning of this school year in August and it was an absolute disaster. When we started we were not even able to establish internet connectivity with the relay agent installed until 2 days before deployment. Since then it's been an uphill battle of going engineer to engineer until eventually we had weekly calls with their CEO about all of our issues. Right now we still have occasional issues, including anytime we have an SSL issue on a blocked page we cannot fix it and have to contact support for them to do it; they told us this is expected behavior and it will always be this way. Even though they have made major strides since we originally deployed, I still wouldn't feel comfortable recommending it to anyone.

If you have any more questions I'm happy to answer them.

Hugonaut
Valued Contributor II

We went from LightSpeed Rocket (DISASTER!) to LightSpeed Relay (MUCH MUCH BETTER)

After having Rocket for a year, we ironed out a lot of kinks and realized what we wanted. For this school year, we made our "image" or "provision" with Lightspeed Relay in mind.

It is a lot of management but Relay works great for us. 2500+ Machines - biggest problem is Unknown SSLs being blocked by default but on a per site basis, you can easily add them to the dashboard to unblock websites with problems such as the SSL issue.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

dpenny
New Contributor III

@Hugonaut Does Relay not do SSL decryption? Could you explain a little more what you mean by unknown SSLs? We are investigating moving to Relay and are looking for some real world experiences with it. Anything you could share would be greatly appreciated.

Hugonaut
Valued Contributor II

@dpenny If a website has an SSL unknown to Lightspeed (usually self-signed SSL certs), Lightspeed by default blocks that website categorically as unknown.

These can be manually approved and added to the allowed list for your environment. The process of identifying and allowing unknown SSLs to our Lightspeed filter is the most time-consuming part of Lightspeed management for us and quite frankly is not that big of a deal, as it's doing its job, which is what we want and need. Overall it is a great product.


dpenny
New Contributor III

@Hugonaut Thanks for the additional information. We are setting up a Relay demo and hope to start testing it this week.

Tolandese
Contributor

@jreeves We are dealing with the exact same situation. Are you using iPads or just Macs? Right now our issue is that the agent is somehow causing students to get booted out of any website that requires a login around the 10 minute use mark. We have tested over the last month and determined that removing the smart agent fixes the problem. After providing them logs and reproduction of the issue 2 weeks ago, I finally heard back yesterday and was told they have made zero changes.

I get the sense they don't have a really well developed Apple support infrastructure at the moment.

jreeves
New Contributor III

@Tolandese We are using both and I haven't seen this specific issue yet, but that doesn't mean we are going to be having it soon. I've been very disappointed with their time management when it comes to fixing issues. The only way we got our main issue fixed before school started this year is because my boss talked to the CEO and it had to trickle down until they got someone to work non-stop on it until it was fixed. Best of luck with your issues and let us know if you get a fix.

Tolandese
Contributor

Well, we determined the issue is only present on iOS 12. Anything before works just fine. Relay gave us a bug report for Apple indicating it's a software conflict; however, Apple isn't known for their quick resolutions.

yaindlc
New Contributor II

We deployed it to our MacBook Air student laptops at the end of October/beginning of November. It wasn't difficult to install but it was difficult to get the reporting side to work properly.

We created a package that removed our current mobile filter and user agent software and THEN installed Relay. Lightspeed actually has a pretty useful script for installing Relay on their website, which I'll post here:

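# Work from the current user's Desktop
cd ~/Desktop || exit 1
# Download the installer disk image
curl -sSO [Enter the link to your organization’s MacOS Smart Agent Installer]
# Mount the image without showing it in Finder
hdiutil attach -nobrowse SmartAgent.dmg
cd /Volumes/SmartAgent/ || exit 1
# Install the package from the mounted image
sudo installer -pkg SmartAgent.pkg -target /
cd ~/Desktop || exit 1
# Unmount the image and delete the download
hdiutil detach /Volumes/SmartAgent/ -force
rm -f SmartAgent.dmg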

If you don't want it to appear on the user's desktop while installing you can feel free to modify the location like we did - we ended up running it in ~/Library so students didn't just see a random installer show up on their machine.

After we prepared the package and started test deploying it to some spare Mac OS X computers we found that some of them were reporting properly and some weren't. The problem was twofold:

The first issue was that we had the policy in JAMF set to run on Login, Logout, and Recurring Check-In. If the Relay Smart Agent package tried to install via Login/Logout, it would complete and apply the filter correctly, but the reporting side of things didn't work. When we signed in as a user it would log them simply as "base." This appeared to be a generic account that Relay would use to record all the usage logs for every computer that it didn't recognize, with no way of differentiating between them. After some more testing we found out that our Relay policy had to be set with ONLY the Recurring Check-In flag in order to install and then report properly. Anything else would nullify the reporting aspect.

The second issue was that the Relay Smart Agent requires a kernel extension to be approved for reporting to work. Since our student laptops were on varying versions of 10.13, some of them would auto approve this extension and some of them would manually require approval in Security & Privacy, which obviously no student is going to do. Our version of JAMF at the time didn't have the approved kernel extension functionality, so we had to upgrade. Once we did and once we added Relay as an approved extension, it retroactively allowed the kext on all the machines that it was pending on and they started reporting properly.

TL;DR - the install of Relay itself isn't terrible but getting the reporting aspect to work can feel like a bunch of random little things getting in your way.

rleblanc
New Contributor

We have moved away from LightSpeed. Many issues, to say the least. The problem now is I have all these laptops with the UserAgent and the MobileFilter that I need removed. Any ideas on how to do this? Everything I have tried is not working.

dpenny
New Contributor III

I would love an update on what some of you who are moving away from Lightspeed are moving to. The one feature that Lightspeed has that our administration is very excited about is the YouTube visibility. I haven't been able to find anything else that provides the options for blocking specific videos or channels while still allowing other videos. Due to the lack of detailed reporting provided by Relay on iOS, we are currently demoing one of their Rocket filtering appliances, set up as a global HTTP proxy.

I don't want this thread to turn into a Lightspeed bashing session, but any additional information former Lightspeed users could provide, as far as pitfalls and problems, would be very helpful. Also, what you moved to and how it is working for you would be helpful as well.

danny33c
New Contributor III

@dpenny I can't really answer your question about moving away from Lightspeed. Our BOCES is looking at other options, but we're not seriously considering a move yet. I'm demoing Relay on about 100 student iPads and 20 Windows 10 laptops with success. Yes, the reporting is limited on iPads, but I'm hoping that gets better. There's no reason why it can't at least pull the browsing history off the iPad. We have been using Global Proxy for years on the iPads, and I can tell you that is a huge step backward. I can't wait until all 2000 of our iPads are on Relay, despite the reporting shortfalls. I can't count the number of times we had to submit a ticket with Lightspeed to create an SSL exclusion on the backend of the proxy. It might be a little easier with a PAC file, but we had issues with that. I'm surprised Lightspeed is supportive of you starting a proxy demo since they are pushing Relay so hard. Since Relay encrypts SSL on the device I can already tell it's better than proxy. And if there is a site that has an issue I can now exclude sites from encryption on Relay myself. It's so much easier.

dpenny
New Contributor III

@danny33c The idea right now is to use the system in a sort-of hybrid fashion. I haven't worked it all out yet, but the agreement is that we will use the Rocket until Relay fully supports the reporting that is required for us. We will also be using the Rocket for all of our desktop systems that remain on campus. We'll see what actually happens in practice.

We are currently using our Fortigate firewall as a web filter/global proxy and it is working decently, but our administration is very adamant about better YouTube controls.

apredmore
New Contributor II

yaindlc,

Do you just run the provided install script during every check-in? How does it handle computers where it is already installed? Does it reinstall it every check-in or just leave it alone if it is already there?

apredmore
New Contributor II

I have that question too. I am concerned that installing over the top at every check in could cause issues.
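
For the question above about running the install at every check-in, an added example (not part of any post, and not Lightspeed's or Jamf's code): a wrapper that skips the install when a package receipt already exists, and otherwise installs from the mounted DMG, as earlier replies advise, after checking the package signature. `PKG_ID` and the staging path are placeholders assumed here; the real receipt ID has to be read from a Mac that already has the agent installed.

```bash
#!/bin/bash
# Added example, not Lightspeed's or Jamf's script.
# PKG_ID is a hypothetical placeholder: list real receipt IDs with
# `pkgutil --pkgs` on a Mac that already has the agent installed.
PKG_ID="${PKG_ID:-com.example.smartagent}"
DMG="${DMG:-/private/tmp/SmartAgent.dmg}"   # assumed staging path
PKG_NAME="SmartAgent.pkg"                    # name used in the thread's script

# 0 if an install receipt for PKG_ID exists on this Mac.
agent_installed() {
    pkgutil --pkg-info "$PKG_ID" >/dev/null 2>&1
}

# Mount the DMG read-only on a private mount point, check the package
# signature, install from the mounted volume, and always detach.
# Returns 0 installed, 2 mount failed, 3 signature check failed, 4 install failed.
install_from_dmg() {
    sa_rc=0
    sa_mnt="$(mktemp -d /tmp/smartagent.XXXXXX)" || return 2
    if ! hdiutil attach -nobrowse -readonly -mountpoint "$sa_mnt" "$DMG" >/dev/null; then
        rmdir "$sa_mnt"
        return 2
    fi
    if ! pkgutil --check-signature "$sa_mnt/$PKG_NAME" >/dev/null; then
        sa_rc=3
    elif ! installer -pkg "$sa_mnt/$PKG_NAME" -target / >/dev/null; then
        sa_rc=4
    fi
    hdiutil detach "$sa_mnt" -force >/dev/null
    rmdir "$sa_mnt" 2>/dev/null
    return "$sa_rc"
}

# Policy entry point: prints "skip" when the receipt is present, so a
# recurring check-in does not reinstall; otherwise installs.
ensure_agent() {
    if agent_installed; then
        echo "skip"
        return 0
    fi
    install_from_dmg && echo "installed"
}

# Run only on macOS (needs root, which a Jamf policy script has).
if [ "$(uname)" = "Darwin" ]; then
    ensure_agent
fi
```

A receipt check only shows that the package was installed at some point; it does not show that the agent is still running or reporting.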

dwaterbury
New Contributor III

Does anyone have a step-by-step guide on how to package the Relay Smart Agent? The directions regarding using the above script are still a bit confusing to me. And Lightspeed's technical support by chat only and "follow the directions on this link" are a bit frustrating. Thank you in advance.

Rjackson1
New Contributor

Did anyone get Relay working for iPads with Jamf? We can deploy the configuration, but if a new user logs into the iPad it still will show the old user information.

danny33c
New Contributor III

We now have all of our 3-8th grade iPads, and high school laptops on Relay. @Rjackson1 What are you using in the User Name field in your JAMF config for Relay? We are using an extension attribute which maps to their email in LDAP, but they are not shared iPads either.

Eigger
Contributor III

@dwaterbury You don't need to repackage the SmartAgent.dmg. After downloading the agent from relay.school, just upload it straight to Jamf Admin, then use the Jamf provided script here, installPKGfromDMG. See the below screenshot of the policy.


kswaney
New Contributor II

Can someone help me with deploying Relay to our staff's Macs?

dwaterbury
New Contributor III

Trying to tackle this some more. I was able to get it to work, or so I thought, but have found that the user's history isn't appearing in the Relay Admin interface. Sites are being blocked on the laptops and data is appearing on the Relay Dashboard, but it's not linking to each user. I think this might have broken with Monterey, which I upgraded the students to recently. I have a test student machine still on 11.4.0, which is showing up correctly under that user's account in Lightspeed.

Here are Lightspeed's "directions".

https://help.lightspeedsystems.com/s/article/Lightspeed-Filter-Agent-for-MacOS-Installation-Instruct...

1. I have a Configuration Profile that pushes out the certificate file ca.cer.

2. Since I am using the installPKGfromDMG.sh to install the SmartAgent.dmg, it creates the config.json file, so no need to follow that step under the "Bulk Installation via MDM" section.

3. After installing and running their makeCA program, I used Composer and copied the following files from the /usr/local/etc directory to a .dmg. Then push them out as a separate policy.

ca.pem, ca_key.pem, localhost.pem, localhost_key.pem

I've tried several calls with Lightspeed Support, but they only seem to understand their own MDM and reply with "Here are the directions for our MDM".

dwaterbury
New Contributor III

So it "appears" to be working, but it took a while for it to register in Lightspeed's system. Although I tried to access a couple of blocked sites around 2-3 pm on Friday afternoon (which were correctly blocked on the MacBook Air), it shows up in the Logs for that user as 12:52 am Saturday morning.