Location Based Access Permissions
Controlling access by location
Foldr v4 provides the administrator the ability to control where users are able sign into Foldr and what resources are available from that location. The administrator can permit or deny users or Active Directory groups based on the client IP address, IP address ranges or entire subnets. This could be useful if a group is only to be allowed access from inside the organisations network, or to limit the locations that a user is permitted to sign in from remotely.
From Foldr Settings > Security the administrator can specify permissions for ‘Use Foldr‘ and ‘Use Foldr Drive‘ (WebDAV) in conjunction with the field labelled ‘Only apply to these IP addresses/networks’. Networks should be configured one per line if multiple entries are required.
Accepted values are:
- Wildcard format: 1.2.3.*
- CIDR format: 184.108.40.206/24 OR 220.127.116.11/255.255.255.0
- Start-End IP format: 18.104.22.168-22.214.171.124
In the example below, the built-in Foldr Users (Everyone) is being configured with an allow rule for subnet 126.96.36.199/255.255.255.0 – This rule will result in all users ONLY being permitted to sign in from a client device on the 188.8.131.52 subnet. (client IP address of 10.20.30.1 – 10.20.30.254)
In the second example, the built-in Foldr Users group is denied access from the same subnet. The result of this ACL rule would allow users to sign in from any location except subnet 184.108.40.206.
In the final example, the Active Directory group ‘Marketing’ is only allowed to sign in from client devices on the network 10.20.30.0. Users in this group will be denied access if they attempt to sign in from any other location.
As well as being able to control where users / groups can sign in from, the administrator can control where users can access certain storage locations through Foldr. i.e. you can apply share perimssions based on location / network address.
Using the granular share access permissions, this gives the administrator the ability to only present a share if the client is signing in from a particular IP address or subnet, or you can force shares to only be read only / writable from specific locations.
In the example below, the permissions on the share below have been modified to only allow the storage location to be visible in the Foldr web or client apps if the client is connecting from either the 172.16.1.0 or 192.168.1.0 networks.
Location based client app configuration
Within Foldr Settings > Devices & Clients, the administrator has the ability to also configure granular access permissions for each client app individually – Windows, macOS, iOS, Android and web.
In the example below, a policy has been configured to only allow users within the Marketing group permission to use the iOS app from networks 172.16.1.0 and 192.168.1.0.