Limit global admin access to IP addresses

We won’t be providing regular updates for feature requests, but it is something currently being discussed.

As a guess, is this a feature that is likely to be available in 2023 or 2024 or later?

I don’t have a guess. If I had a clear timeline I’d just make it available to you.

Hey Andy,

Do you think maybe you could push this up the chain so we can hear from someone that actually does know what is going on? All I’m hearing is a lot of “I don’t know”, “we are discussing it” or “it’s coming”.

I'm pretty confident I speak for the bulk of the community when I say the transparency here is terrible and the frustration being caused by the “official” responses is antagonizing at best…

I think we would all prefer an honest response from Syncro stating that either “Yes, this is coming, ETA is …” or “No this isn’t a priority for us, we would prefer to spend our dev time on UI updates.”

/RANT

1 Like

I had a conversation this morning with folks and I can confirm it is on the internal roadmap.

I know our CPTO, Kristen, will be releasing some more details on our Q2 focus coming up fairly soon, so keep an eye out for more details there.

2 Likes

So I guess they have given up on this? Not saying I am leaving as it won't hurt them, but if we don’t have a choice, well I guess we don’t have a choice (insurance and common sense).

2 Likes

Well said.
This feature request has been open for 16 months with zero progress and no firm ETA. Merely hand waving at a “we are talking about it”.
By any measure “Words are wind”, SyncroMSP are not demonstrating that this is a priority feature request (other improvements to SyncroMSP have been rolled out in the last 16 months)…
Given the zero visibility to a roadmap and therefore no information on which to base a business decision, the wise path is to assume it isn’t going to happen and make plans accordingly…

(which is one of the many attractive features which drove us to Halo PSA for ticketing because they have Azure SSO and custom domains, so we intend to use Conditional Access to limit where logins can come from).

I first raised this in July 2021. It’s now June 2023. TWO YEARS OF NOTHING.

We’re now actively working on exit plans. Just can’t take the chance anymore, a compromise would literally destroy our business.

6 Likes

This should be priority #1

3 Likes

Thanks to the Syncro Team for adding this much-needed feature!

However, it is mostly useless in its current form for us. As this global list also applies to API keys, they should be separate from users.

Some of the integrations have a large number of IPs they are using (eg; Huntress), whilst others have only a handful, this should be kept separate with users having one list and each API key having its own list.

We’re adding a checkbox to allow API calls to skip the allow list. No eta, but it’s getting worked on.

We have released the update for API Requests to be excluded from the allowlist if you would like. To disable you can go to https://admin.syncromsp.com/settings/ip_allowlist and toggle Users / API Requests individually depending on what you would like to enable / disable.

We do recommend enabling this for APIs and working with your integrations to track IPs that have access to your environment as well as limiting API token access because API access is a large attack surface and could pose a risk to your environment.

I’m curious how people are handling the Approval Emails when an unlisted IP Address was attempting access Syncro?

Given that a mobile phone will change IP Addresses fairly often, or a tech could be working from various locations while travelling to clients (i.e. coffee shops, hotels), how can the syncro administrator (approver) know it’s a legitimate request every time without contacting the accessor in real time, every time?

Like most apps who detect a “new device” or “new location”, an app often emails or texts the accessor to verify that they are legitimate. Asking the app’s Administrators feels like the incorrect approval routing. We need JIT Access concepts in Syncro

So this is not the proper way of handling mobile devices. If you are managing your employees' (work) mobile devices (which you should be for added security), you’d really set up a VPN to your office and that is the only way to ever access company resources remotely. Then you can ensure every connection is secure, and mobile users can access the necessary work resources from anywhere without hindrance.

Hi Andy, thanks for chiming in so quickly.

That makes good sense, and it is an option I could use without new costs (just time).

Given the nature of BYOD & work-from-anywhere, I think a nice enhancement to consider would be a switch that allows either/or, and let the Syncro Admin (who is often going to be IT-savvy) decide the degree of security risk they want.

“Send new IP approval requests to All Admins via Email (default)”
“Send new IP approval requests to accessor via Email (not recommended)”

Just an idea to allow faster adoption; even if not completely ideal, it would be an improvement over not using the feature at all.

2 Likes

The point of IP whitelisting is the assumption that some techs' accounts will get compromised at some point, and who’s to say the email won’t be compromised at the same time. Ideally, you’d want to require all IP approvals to come from approved IPs to make sure that an attacker has to compromise a device in a trusted location before they can add a new location. I believe the “correct” way to handle this in a work from anywhere world, if you’re not going to have and rely on strong auth, is to use some sort of zero trust SASE/SDP type solution that gives you a static egress point. If you pick a good product, you can then enforce strong continual authentication, and break off the connection if someone’s account starts acting weird, requiring them to re-auth.

I think ideal security never meets realistic adoptability, and adoptability is the tide that raises all boats.

For example, in Azure conditional access, during an ongoing security attack I was able to implement SMS two-factor without intervention from any user and enforce it. Is SMS ideal or recommended by Microsoft? Not at all. But I could adopt it entirely in 1 afternoon and severely limit the threat potential… Then, we later improved it.

I believe security measures with good, better, best options should always be considered during development.

That's fair; as long as the Best option exists, also having Better and Good is icing on the cake.

Hmm, with techs working from all client locations, as well as WFH and/or coffee shops etc., it sure would be nice to have space for Names/Notes and a Last Used Date shown for each IP that is whitelisted, possibly with rules to auto disable IPs that have not been used in X days.

Which leads to, what if we could assign a device (or devices) to a tech, and allow access for that tech from the wan IP their device is checking in from currently?

I mentioned this to Sergio at Syncro during our early access testing of this feature, and it was another “yes it’s being discussed, but no timeline yet” scenario.

Again, it was most important to get the IP restriction feature in place, the ability to add notes is absolutely super handy – but at least I can frikkin sleep at night(!)
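The design points raised across the thread (one allowlist for users and a separate one per API key, approving a new range only when the request itself comes from an already-trusted IP, and per-entry notes with a last-used date and automatic expiry) as a small added Python model. This is constructed illustration code written for this page, not Syncro's implementation; the documentation IP ranges, the key id `huntress-key`, and the 30-day idle limit are assumptions.

```python
"""Added example: a minimal IP allowlist model with separate user and API-key
lists, trusted-origin approval of new ranges, and last-used based expiry.
Constructed for illustration; it is not Syncro's code."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class AllowEntry:
    network: Network
    note: str            # who/what this range is (the "Names/Notes" column)
    added: datetime
    last_used: Optional[datetime] = None


class Allowlist:
    """A list of CIDR entries; matching an entry stamps its last-used date."""

    def __init__(self, max_idle_days: int = 30) -> None:
        self.max_idle = timedelta(days=max_idle_days)
        self.entries: List[AllowEntry] = []

    def add(self, cidr: str, note: str, now: datetime) -> AllowEntry:
        entry = AllowEntry(ipaddress.ip_network(cidr, strict=False), note, now)
        self.entries.append(entry)
        return entry

    def allows(self, ip: str, now: datetime) -> bool:
        addr = ipaddress.ip_address(ip)
        for entry in self.entries:
            if addr in entry.network:
                entry.last_used = now
                return True
        return False

    def prune_idle(self, now: datetime) -> List[str]:
        """Drop entries unused for longer than max_idle; an entry that was
        never used ages from the time it was added. Returns dropped notes."""
        kept, dropped = [], []
        for entry in self.entries:
            reference = entry.last_used or entry.added
            (dropped if now - reference > self.max_idle else kept).append(
                entry.note if now - reference > self.max_idle else entry)
        self.entries = kept
        return dropped


class AccessPolicy:
    """Users and each API key get their own list, so a broad integration
    range never widens where a human login is accepted from."""

    def __init__(self, max_idle_days: int = 30) -> None:
        self.users = Allowlist(max_idle_days)
        self.api_keys: Dict[str, Allowlist] = {}
        self.audit: List[str] = []

    def api_list(self, key_id: str) -> Allowlist:
        return self.api_keys.setdefault(key_id, Allowlist())

    def authorize_user(self, ip: str, now: datetime) -> bool:
        return self.users.allows(ip, now)

    def authorize_api(self, key_id: str, ip: str, now: datetime) -> bool:
        lst = self.api_keys.get(key_id)
        return lst is not None and lst.allows(ip, now)

    def request_user_ip(self, requesting_ip: str, new_cidr: str,
                        note: str, now: datetime) -> bool:
        """Accept a new user range only if the request arrives from an IP
        that is already trusted, so adding a location first requires
        presence inside an approved one."""
        if not self.users.allows(requesting_ip, now):
            self.audit.append(f"DENIED {new_cidr} requested from {requesting_ip}")
            return False
        self.users.add(new_cidr, note, now)
        self.audit.append(f"ADDED {new_cidr} ({note}) approved from {requesting_ip}")
        return True


def demo() -> dict:
    """Walk through the scenarios from the thread with constructed ranges."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = AccessPolicy(max_idle_days=30)
    policy.users.add("203.0.113.0/24", "office", t0)                  # constructed
    policy.api_list("huntress-key").add("198.51.100.0/24", "integration egress", t0)
    r = {}
    r["user_office"] = policy.authorize_user("203.0.113.10", t0)
    r["user_from_api_range"] = policy.authorize_user("198.51.100.5", t0)
    r["api_ok"] = policy.authorize_api("huntress-key", "198.51.100.5", t0)
    r["api_other_key"] = policy.authorize_api("other-key", "198.51.100.5", t0)
    r["approve_from_outside"] = policy.request_user_ip("192.0.2.7", "192.0.2.0/24", "tech home", t0)
    r["approve_from_office"] = policy.request_user_ip("203.0.113.10", "192.0.2.0/24", "tech home", t0)
    r["user_new_range"] = policy.authorize_user("192.0.2.7", t0)
    policy.authorize_user("203.0.113.10", t0 + timedelta(days=40))    # office stays active
    r["pruned"] = policy.users.prune_idle(t0 + timedelta(days=45))    # home range idle 45 days
    r["user_new_range_after_prune"] = policy.authorize_user("192.0.2.7", t0 + timedelta(days=45))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit list records denied and approved range requests so an administrator can review who widened the list and from where; the prune step is what an "auto disable IPs not used in X days" rule would run on a schedule.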
