I am looking at using Lightspeed Systems Relay on our student laptops. We use a SonicWall firewall on campus. I am hoping to use Relay to provide content filtering when off-campus. I also like the reporting tools. I am curious who has deployed it on MacOs. What issues have you run into deploying Relay?
Haven’t deployed it yet. Just in the testing phase a few months ago. This may be old news if they updated their installer. There are hidden files in the DMG the installer references so it’s best to put the dmg on the client in a tmp location then script the opening of the dmg with
hdiutil command then script the install of the pkg. Hope this helps prevents headaches later.
We started with lightspeed relay at the beginning of this school year in august and it was an absolute disaster. When we started we were not even able to establish internet connectivity with the relay agent installed until 2 days before deployment. since then its been an uphill battle of going engineer to engineer until eventually we had weekly calls with their CEO about all of our issues. Right now we still have occasional issues, including anytime we have an SSL issue on a blocked page we cannot fix it and have to contact support for them to do it, they told us this is expected behavior and it will always be this way. Even though they have made major strides since we originally deployed I still wouldn't feel comfortable recommending it to anyone.
If you have any more questions i'm happy to answer them
We went from LightSpeed Rocket (DISASTER!) to LightSpeed Relay (MUCH MUCH BETTER)
After having Rocket for a year, we ironed out a lot of kinks and realized what we wanted. for this school year, we made our "image" or "provision" with Lightspeed Relay in mind.
It is a lot of management but Relay works great for us. 2500+ Machines - biggest problem is Unknown SSLs being blocked by default but on a per site basis, you can easily add them to the dashboard to unblock websites with problems such as the SSL issue.
@dpenny if a website has a SSL unknown to Lightspeed (Usually Self Signed SSL Certs) Lightspeed by default blocks that website categorically as unknown.
These can be manually approved and added to the allowed list for your environment. The process of identifying and allowing unknown SSLs to our Lightspeed filter is the most time consuming part of Lightspeed Management for us and quite frankly is not that big of a deal as its doing its job which is what we want and need. Overall it is a great product.
@jreeves We are dealing with the exact same situation. Are you using iPads or just Macs? Right now our issue is that the agent is somehow causing students to get booted out of any website that requires a login around the 10 minute use mark. We have tested over the last month and determined that removing the smart agent fixes the problem. After providing them logs and reproduction of the issue 2 weeks ago, I finally heard back yesterday and was told they have made zero changes.
I get the sense they don't have a really well developed apple support infrastructure at the moment.
@Tolandese we are using both and i haven't seen this specific issue yet, but that doesn't mean we are going to be having it soon. I've been very disappointed with their time management when it comes to fixing issues. the only way we got our main issue fixed before school started this year is because my boss talked to the CEO and it had to trickle down until they got someone to work non stop on it until it was fixed. best of luck with your issues and let us know if you get a fix.
We deployed it to our Macbook Air student laptops at the end of October/beginning of November. It wasn't difficult to install but it was difficult to get the reporting side to work properly.
We created a package that removed our current mobile filter and user agent software and THEN installed Relay. Lightspeed actually has a pretty useful script for installing Relay on their website, which I'll post here:
cd ~/Desktop || exit 1
curl -sSO [Enter the link to your organization’s MacOS Smart Agent Installer]
hdiutil attach -nobrowse SmartAgent.dmg
cd /Volumes/SmartAgent/ || exit 1
sudo installer -pkg SmartAgent.pkg -target /
cd ~/Desktop || exit 1
hdiutil detach /Volumes/Smartagent/ -force
rm -rf SmartAgent.dmg
If you don't want it to appear on the user's desktop while installing you can feel free to modify the location like we did - we ended up running it in ~/Library so students didn't just see a random installer show up on their machine.
After we prepared the package and started test deploying it to some spare Mac OSX computers we found that some of them were reporting properly and some weren't. The problem was two fold:
The first issue was that we had the policy in JAMF set to run on Login, Logout, and Recurring Check-In. If the Relay Smart Agent package tried to install via Login/Logout, it would complete and apply the filter correctly, but the reporting side of things didn't work. When we signed in as a user it would log them simply as "base." This appeared to be a generic account that Relay would use to record all the usage logs for every computer that it didn't recognize, with no way of differentiating between them. After some more testing we found out that our Relay policy had to be set with ONLY the Recurring Check-In flag in order to install and then report properly. Anything else would nullify the reporting aspect.
The second issue was that the Relay Smart Agent requires a kernel extension to be approved for reporting to work. Since our student laptops were on varying versions of 10.13, some of them would auto approve this extension and some of them would manually require approval in Security & Privacy, which obviously no student is going to do. Our version of JAMF at the time didn't have the approved kernel extension functionality, so we had to upgrade. Once we did and once we added Relay as an approved extension, it retroactively allowed the kext on all the machines that it was pending on and they started reporting properly.
TL;DR - the install of Relay itself isn't terrible but getting the reporting aspect to work can feel like a bunch of random little things getting in your way.
I would love an update on what some of you who are moving away from Lightspeed are moving to. The one feature that Lightspeed has that our administration is very excited about is the YouTube visibility. I haven't been able to find anything else that provides the options for blocking specific videos or channels while still allowing other videos. Due to the lack of detailed reporting provided by Relay on iOS, we are currently demoing one of their Rocket filtering appliances, setup as a global HTTP proxy.
I don't want this thread to turn into a Lightspeed bashing session, but any additional information former Lightspeed users could provide, as far as pitfalls and problems, would be very helpful. Also, what you moved to and how it is working for you would be helpful as well.
@dpenny I can't really answer your question about moving away from Lightspeed. Our BOCES is looking at other options, but we're not seriously considering a move yet. I'm demoing Relay on about 100 student iPads and 20 Windows 10 laptops with success. Yes, the reporting is limited on iPads, but I'm hoping that gets better. There's no reason why it can't at least pull the browsing history off the iPad. We have been using Global Proxy for years on the iPads, and I can tell you that is a huge step backward. I can't wait until all 2000 of our iPads are on Relay, despite the reporting shortfalls. I can't count the number of times we had to submit a ticket with Lightspeed to create an SSL exclusion on the backend of the proxy. It might be a little easier with a PAC file, but we had issues with that. I'm surprised Lightspeed is supportive of you starting a proxy demo since they are pushing Relay so hard. Since Relay encrypts SSL on the device I can already tell it's better than proxy. And if there is a site that has an issue I can now exclude sites from encryption on Relay myself. It's so much easier.
@danny33c The idea right now is to use the system in a sort-of hybrid fashion. I haven't worked it all out yet, but the agreement is that we will use the Rocket until Relay fully supports the reporting that is required for us. We will also be using the Rocket for all of our desktop systems that remain on campus. We'll see what actually happens in practice.
We are currently using our Fortigate firewall as a web filter/global proxy and it is working decently, but our administration is very adamant about better YouTube controls.
Does anyone have a step-by-step guide on how to package the Relay Smart Agent? The directions regarding using the above script are still a bit confusing to me. And Lightspeed's technical support by chat only and "follow the directions on this link" are a bit frustrating. Thank you in advance.