IP Allow List Improvements Are Now Live

The new updates to our IP Allow List feature have been rolled out to all Syncro instances! These new enhancements include:

Simplified User Experience: We added the ability to add IP addresses via email. When a user logs in successfully from an IP not on the allow list, we’ll notify global admins to let them know that this has occurred and provide a button to easily add the IP address to the list to grant the user access.

Enhanced Security: We expanded the IP Allow List feature to cover all users and API tokens within your organization. This means that the enhanced feature will be available to everyone, eliminating the previous limitations on Global Admins who could not utilize this important security tool. Now, every team member can benefit from this added layer of protection.

Effortless Implementation: The enhanced IP Allow List feature has been designed with a focus on easy implementation. You can now add IPv6 addresses as well as IPv4 and IPv6 addresses with CIDR notation to quickly add all the IP addresses you need.

But, can we name the IPs so we can keep up with what’s what? Also, can we add host names, in addition to IPs? I ask this because Syncro themselves will not supply a list of IPs for API connections so that IP Allow listing can be implemented and actually work properly, stating they (Syncro) can only supply host names. But, Syncro’s system only allows IPs…

Currently, you cannot add labels to the IPs. It supports IPs only at this time.

Yes! DNS names would allow Dynamic DNS for those who don’t have a static IP, myself included. I know that would take additional work as it would have to poll those names and convert them regularly. My workaround is Tailscale to my DC as an exit node.

Comments per item would be very welcome too. You know us MSP folks. We love to document!

I have turned the IP restrictions on. So far all is working. Thanks for this much needed security update.

How were we alerted that IP Allow Lists were active? I see from this post that they were “improved” though I never knew they were available in the first place. Have I been missing out on this security feature for months? This seems like a HUGE security feature (perhaps #1 on the list of what we should ALL be implementing to keep hackers out of our accounts) that we should have in place. The only thing I can think of is that I saw something about them being available a while back and found that they wouldn’t work well for my situation so I soon forgot about them, but I would expect a popup when I log in telling me that this feature is available/improved.

I think I’ve seen it before, but is there a quick link to all the more recent additions? (I found the link at the top right, but I don’t see any notices about when IP Allow Lists were first active or were they always there?) The last New in Syncro email I got was from June and no mention of IP Allow Lists.

We send emails, had it on our blog, in the Products Updates section of our website, and on our social sites. The IP allow list has always been present for technicians. The updates expand that support to global admins, and you can now force API calls to adhere to (or ignore) those IP allow lists as well.

Thanks Andy. I think since I’m the only user I’m the global admin so the IP Allow List of past wouldn’t work for me. Is that correct? That perhaps fits with my mentioning of “The only thing I can think of is that I saw something about them being available a while back and found that they wouldn’t work well for my situation so I soon forgot about them”. So I had been waiting for IP filtering that would apply to my case ever since I started with Syncro or since IP Allow Lists were added.

FWIW, I wouldn’t look to blogs or social sites for updates for a tool I use. That’s just me being picky, but social media doesn’t seem like the place for important product updates news. I guess as an additional method to get the news out it works for Syncro. Maybe I’ll start following Syncro on FB more closely, but I think the update icon at the top right is the best place. I don’t have to go look for news on social media if there is an update. I can just look there and see what’s been added.

I do think that this is a big improvement for IP Allow Lists since anyone that couldn’t use them in the past (global admins) can and SHOULD start using them ASAP. Or are they not that big of a deal? I’m coming from an RMM product that was breached (fortunately my account was not) and if IP Allow Lists had been implemented or forced on, it would have mitigated the issues immensely.

Thanks again for the info. I’ll go check out the IP Allow Lists now that I can use them. :)

Just an FYI it does also update the news icon in the header of your Syncro instance for new releases, and we had 2 there. One announcing it was coming, and a second announcing it was live.

I’m glad this one is going to be useful for you all :).

Was this communicated prior? We had several API connections that failed on 11/2 around noon CST. No warning, no announcements prior, they just started failing. We did track it down to the IP whitelist and got it resolved, but it did cause a business continuity event that could’ve been avoided had we known.

Now, 11 days later, the announcement comes out saying “You’re welcome, we rolled it out!”

A little disappointed this is how a potentially breaking change is announced… after the fact.

To be clear, I check my emails from Syncro and the announcement tab semi frequently, and I never saw a warning that the IP whitelist will begin affecting the API as well on 11/2 at noon CST.

Yep, we announced via email, our social communities, our blog, and it appeared in the news feed in the header of your Syncro instance both pre and post launch.

Can you link this? I cannot seem to find it anywhere. I didn’t see any notifications between 9/27 and 11/2 about an IP allowlist.

To be clear, the specific parts I am concerned about are:

  1. That it went live on a seemingly random date/time… 11/2 at noon CST
  2. That the (breaking) feature was ENABLED by default.

We had IP allowlisting on for the technicians, but it appears when the API allowlist rolled out, it enabled by default. If you can link the communication that includes the date, and a warning that it will be enabled by default and to make sure to whitelist your API endpoint IPs that’d be great, so I can make sure to keep a closer eye on those types of communications, since I clearly must have missed it sometime after SEPT

I found an announcement in here:

But that was not in the news feed header in Syncro, which is primarily what I check for announcements

It’s been kicked off that list since you just see the top 5.

But this is the one that showed up in the feed:

I checked the day of the breaking change, and there was not anything in the feed. The earliest things I saw were some test messages from 9/27, here’s a screenshot I took that day as a sanity check

That release note thing was not there. And it also does not mention the feature will be turned on by default.

Hey Chase,

Everything from the Release Notes and Announcements category appears in our news feed. The link above was posted on October 31st. This was in addition to the in-app notifications, emails, and posts in misc. places.

I had a picture of it from a few days back. You can see it listed from the 10/31 at the bottom there:

I’m very happy to see this being rolled out. That being said, applying existing IP Allowlists to API keys by default is pretty bad.

Breaking changes like that should be announced and planned way further ahead of time. I think the notice we received would have been totally sufficient- IF it wasn’t automatically applied to API keys by default. THAT is the breaking change that should be done with much more consideration.

To be clear, this notification does not say anything about it being enabled by default, correct?

It’s not enabled by default. Basically, if you had any IPs in there previously, then it is enabled. If you don’t, it is disabled.

Was that indicated anywhere?

We had IP whitelisting for technician logins enabled. When the feature rolled out that allowed you to toggle this for API connections, it too was enabled, this is what I mean by “by default” if that was unclear.

It’s optional whether or not you want API keys using your IP allow list or not.
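
The failure discussed in this thread (API integrations blocked once an existing allow list also applied to API tokens) can be checked for before enforcement is switched on. The following is an added example, not part of the original posts and not Syncro code: it audits a set of integration source IPs against an allow list containing IPv4, IPv6 and CIDR entries. The integration names, addresses and list entries are constructed, and the matching rules are those of Python's `ipaddress` module, which is an assumption about how the product matches.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not real endpoints.
ALLOW_LIST = ["198.51.100.10", "203.0.113.0/24", "2001:db8:12::/48",
              "integrations.example.net"]
API_SOURCES = {
    "psa-sync": "203.0.113.45",
    "billing-export": "192.0.2.77",
    "reporting": "2001:db8:12:4::9",
    "backup-hook": "::ffff:198.51.100.10",
    "dev-box": "2001:db8:99::1",
}

def parse_allow_list(entries):
    """Return (networks, rejected) for IPv4/IPv6 addresses and CIDR ranges."""
    networks, rejected = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=False tolerates host bits set, e.g. 203.0.113.7/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Host names land here: the list accepts IPs only.
            rejected.append(entry)
    return networks, rejected

def normalize(addr):
    """Map IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 before matching."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def audit(entries, sources):
    """Return (blocked integrations, unusable list entries)."""
    networks, rejected = parse_allow_list(entries)
    blocked = {}
    for name, addr in sources.items():
        ip = normalize(addr)
        if not any(ip.version == n.version and ip in n for n in networks):
            blocked[name] = addr
    return blocked, rejected

if __name__ == "__main__":
    blocked, rejected = audit(ALLOW_LIST, API_SOURCES)
    for name, addr in sorted(blocked.items()):
        print(f"WOULD BLOCK {name} from {addr}")
    for entry in rejected:
        print(f"NOT AN IP/CIDR ENTRY: {entry}")
```
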