Posted on 11-18-2018 08:34 AM
I am looking at using Lightspeed Systems Relay on our student laptops. We use a SonicWall firewall on campus. I am hoping to use Relay to provide content filtering when off-campus. I also like the reporting tools. I am curious who has deployed it on MacOs. What issues have you run into deploying Relay?
Posted on 11-18-2018 11:41 AM
Haven’t deployed it yet. Just in the testing phase a few months ago. This may be old news if they updated their installer. There are hidden files in the DMG the installer references so it’s best to put the dmg on the client in a tmp location then script the opening of the dmg with
hdiutil command then script the install of the pkg. Hope this helps prevents headaches later.
Posted on 11-26-2018 05:58 AM
We started with lightspeed relay at the beginning of this school year in august and it was an absolute disaster. When we started we were not even able to establish internet connectivity with the relay agent installed until 2 days before deployment. since then its been an uphill battle of going engineer to engineer until eventually we had weekly calls with their CEO about all of our issues. Right now we still have occasional issues, including anytime we have an SSL issue on a blocked page we cannot fix it and have to contact support for them to do it, they told us this is expected behavior and it will always be this way. Even though they have made major strides since we originally deployed I still wouldn't feel comfortable recommending it to anyone.
If you have any more questions i'm happy to answer them
Posted on 11-26-2018 12:17 PM
We went from LightSpeed Rocket (DISASTER!) to LightSpeed Relay (MUCH MUCH BETTER)
After having Rocket for a year, we ironed out a lot of kinks and realized what we wanted. for this school year, we made our "image" or "provision" with Lightspeed Relay in mind.
It is a lot of management but Relay works great for us. 2500+ Machines - biggest problem is Unknown SSLs being blocked by default but on a per site basis, you can easily add them to the dashboard to unblock websites with problems such as the SSL issue.
Posted on 11-30-2018 01:48 PM
@Hugonaut Does Relay not do SSL decryption? Could you explain a little more what you mean by unknown SSLs? We are investigating moving to Relay and are looking for some real world experiences with it. Anything you could share would be greatly appreciated.
Posted on 12-03-2018 06:27 AM
@dpenny if a website has a SSL unknown to Lightspeed (Usually Self Signed SSL Certs) Lightspeed by default blocks that website categorically as unknown.
These can be manually approved and added to the allowed list for your environment. The process of identifying and allowing unknown SSLs to our Lightspeed filter is the most time consuming part of Lightspeed Management for us and quite frankly is not that big of a deal as its doing its job which is what we want and need. Overall it is a great product.
Posted on 12-03-2018 11:06 AM
@Hugonaut Thanks for the additional information. We are setting up a Relay demo and hope to start testing it this week.
Posted on 01-03-2019 12:31 PM
@jreeves We are dealing with the exact same situation. Are you using iPads or just Macs? Right now our issue is that the agent is somehow causing students to get booted out of any website that requires a login around the 10 minute use mark. We have tested over the last month and determined that removing the smart agent fixes the problem. After providing them logs and reproduction of the issue 2 weeks ago, I finally heard back yesterday and was told they have made zero changes.
I get the sense they don't have a really well developed apple support infrastructure at the moment.
Posted on 01-07-2019 06:01 AM
@Tolandese we are using both and i haven't seen this specific issue yet, but that doesn't mean we are going to be having it soon. I've been very disappointed with their time management when it comes to fixing issues. the only way we got our main issue fixed before school started this year is because my boss talked to the CEO and it had to trickle down until they got someone to work non stop on it until it was fixed. best of luck with your issues and let us know if you get a fix.
Posted on 01-07-2019 06:12 AM
Well we determined the issue is only present on iOS 12. anything before works just fine. Relay gave us bug report for apple indicating its a software conflict, however Apple isn't known for their quick resolutions.
Posted on 01-08-2019 07:15 AM
We deployed it to our Macbook Air student laptops at the end of October/beginning of November. It wasn't difficult to install but it was difficult to get the reporting side to work properly.
We created a package that removed our current mobile filter and user agent software and THEN installed Relay. Lightspeed actually has a pretty useful script for installing Relay on their website, which I'll post here:
cd ~/Desktop || exit 1
curl -sSO [Enter the link to your organization’s MacOS Smart Agent Installer]
hdiutil attach -nobrowse SmartAgent.dmg
cd /Volumes/SmartAgent/ || exit 1
sudo installer -pkg SmartAgent.pkg -target /
cd ~/Desktop || exit 1
hdiutil detach /Volumes/Smartagent/ -force
rm -rf SmartAgent.dmg
If you don't want it to appear on the user's desktop while installing you can feel free to modify the location like we did - we ended up running it in ~/Library so students didn't just see a random installer show up on their machine.
After we prepared the package and started test deploying it to some spare Mac OSX computers we found that some of them were reporting properly and some weren't. The problem was two fold:
The first issue was that we had the policy in JAMF set to run on Login, Logout, and Recurring Check-In. If the Relay Smart Agent package tried to install via Login/Logout, it would complete and apply the filter correctly, but the reporting side of things didn't work. When we signed in as a user it would log them simply as "base." This appeared to be a generic account that Relay would use to record all the usage logs for every computer that it didn't recognize, with no way of differentiating between them. After some more testing we found out that our Relay policy had to be set with ONLY the Recurring Check-In flag in order to install and then report properly. Anything else would nullify the reporting aspect.
The second issue was that the Relay Smart Agent requires a kernel extension to be approved for reporting to work. Since our student laptops were on varying versions of 10.13, some of them would auto approve this extension and some of them would manually require approval in Security & Privacy, which obviously no student is going to do. Our version of JAMF at the time didn't have the approved kernel extension functionality, so we had to upgrade. Once we did and once we added Relay as an approved extension, it retroactively allowed the kext on all the machines that it was pending on and they started reporting properly.
TL;DR - the install of Relay itself isn't terrible but getting the reporting aspect to work can feel like a bunch of random little things getting in your way.
Posted on 01-08-2019 07:33 AM
We have away from LightSpeed. Many issues to say the least. The problem now is I have all these laptops with the UserAgent and the MobileFilter that I need removed. Any ideas on how to do this. Everything I have tried is not working.
Posted on 02-19-2019 07:48 AM
I would love an update on what some of you who are moving away from Lightspeed are moving to. The one feature that Lightspeed has that our administration is very excited about is the YouTube visibility. I haven't been able to find anything else that provides the options for blocking specific videos or channels while still allowing other videos. Due to the lack of detailed reporting provided by Relay on iOS, we are currently demoing one of their Rocket filtering appliances, setup as a global HTTP proxy.
I don't want this thread to turn into a Lightspeed bashing session, but any additional information former Lightspeed users could provide, as far as pitfalls and problems, would be very helpful. Also, what you moved to and how it is working for you would be helpful as well.
Posted on 02-19-2019 08:41 AM
@dpenny I can't really answer your question about moving away from Lightspeed. Our BOCES is looking at other options, but we're not seriously considering a move yet. I'm demoing Relay on about 100 student iPads and 20 Windows 10 laptops with success. Yes, the reporting is limited on iPads, but I'm hoping that gets better. There's no reason why it can't at least pull the browsing history off the iPad. We have been using Global Proxy for years on the iPads, and I can tell you that is a huge step backward. I can't wait until all 2000 of our iPads are on Relay, despite the reporting shortfalls. I can't count the number of times we had to submit a ticket with Lightspeed to create an SSL exclusion on the backend of the proxy. It might be a little easier with a PAC file, but we had issues with that. I'm surprised Lightspeed is supportive of you starting a proxy demo since they are pushing Relay so hard. Since Relay encrypts SSL on the device I can already tell it's better than proxy. And if there is a site that has an issue I can now exclude sites from encryption on Relay myself. It's so much easier.
Posted on 02-19-2019 09:48 AM
@danny33c The idea right now is to use the system in a sort-of hybrid fashion. I haven't worked it all out yet, but the agreement is that we will use the Rocket until Relay fully supports the reporting that is required for us. We will also be using the Rocket for all of our desktop systems that remain on campus. We'll see what actually happens in practice.
We are currently using our Fortigate firewall as a web filter/global proxy and it is working decently, but our administration is very adamant about better YouTube controls.
Posted on 07-22-2019 07:21 AM
Do you just run the provided install script during every check in? How does it handle computer where it is already installed? Does it reinstall it every check in or just leave it alone if it is already there?
Posted on 09-12-2019 09:56 AM
I have that question too. I am concerned that installing over the top at every check in could cause issues.
Posted on 10-21-2019 11:16 AM
Does anyone have a step-by-step guide on how to package the Relay Smart Agent? The directions regarding using the above script are still a bit confusing to me. And Lightspeed's technical support by chat only and "follow the directions on this link" are a bit frustrating. Thank you in advance.
Posted on 10-30-2019 08:05 AM
Did anyone get relay working for ipads with Jamf? We can deploy the configuration but if a new user logins into the ipad it still will show the old user information.
Posted on 10-30-2019 11:53 AM
We now have all of our 3-8th grade iPads, and high school laptops on Relay. @Rjackson1 What are you using in the User Name field in your JAMF conifig for Relay? We are using an extension attribute which maps to their email in LDAP, but they are not shared iPads either.
Posted on 10-30-2019 12:35 PM
@dwaterbury You dont need to repackage the SmartAgent.dmg. After downloading the agent from relay.school, just upload it straight to Jamf Admin, then use the Jamf provided script here installPKGfromDMG see the below screenshot of the policy.
Posted on 03-09-2020 06:36 AM
Can someone help me with deploying relay to our staff's Macs?
Posted on 05-06-2022 11:54 AM
Trying to tackle this some more. I was able to get it to work, or so I thought, but have found that the user's history isn't appearing in the Relay Admin interface. Sites are being blocked on the laptops and data is appearing on the Relay Dashboard, but it's not linking to each user. I think this might have broke with Monterey, which I upgraded the students to recently. I have a test student machine still on 11.4.0, which is showing up correctly under that user's account in Lightspeed.
Here are Lightspeeds "directions".
1. I have a Configuration Profile that push out the certificate file ca.cer.
2. Since I am using the installPKGfromDMG.sh to install the SmartAgent.dmg, it creates the config.json file, so no need to follow that step under the "Bulk Installation via MDM" section.
3. After installing and running their makeCA program, I used composer and copied the following files from the /usr/local/etc directory to a .dmg. Then push them out as a separate policy.
ca.pem, ca_key.pem, localhost.pem, localhost_key.pem
I've tried several calls with Lightspeed Support, but they only seem to understand their own MDM and reply with "Here are the directions for our MDM".
Posted on 05-09-2022 07:00 AM
So it "appears" to be working, but it took a while for it to register in Lightspeed's system. Although I tried to access a couple of blocked sites around 2-3 pm on Friday afternoon (which were correctly blocked on the MacBook Air), it shows up in the Logs for that user as 12:52 am Saturday morning.