Website Blocking in ActivTrak

Website blocking is a feature found in select ActivTrak subscription plans. This feature allows administrators to set a list of websites which will be blocked from being accessed by monitored machines. 

Learn more about:

How blocking works

ActivTrak's website blocking feature works by writing to the hosts file of the machine's operating system, so any machine you have assigned blocking to will block that site for all users accessing that machine.

Screen_Shot_2020-01-28_at_1.38.18_PM.png

Example of hosts file on Windows. Everything in between "### Begin ActivTrak" and "### End ActivTrak" are domains that have been added to ActivTrak's website blocking and will be blocked by the agent.

 

When a user attempts to access a blocked site they will be redirected to websiteisblocked.com, which says "This website is not available. Please consult your domain administrator to resolve this issue." and gives them the option to go back to the previous page.

Screen_Shot_2020-01-23_at_5.25.59_PM.png

It's possible you may instead receive a "network error has occurred" or "your connection is not private" page if unable to redirect to websiteisblocked.com; this typically happens with secured websites that require a login, such as Gmail, Facebook, etc. If you see any other blocking message than the ones mentioned above, the website is usually not being blocked by ActivTrak and you will need to look into any other website blocking tools your organization may have enabled.

Before you start

There are some very important things to know before setting up blocking:

  • Blocking only applies to websites. In order to block access to an application, select ActivTrak subscription plans that also have "Full Details" for Sensitive Data Visibility can utilize alarms to close certain applications upon opening. To learn more about terminating applications with alarms, click here.
  • Blocking can only be applied to computers, not users. No matter which user is logged into the computer, the website will be blocked. In order to block websites for only some users accessing a computer but not others, you could utilize terminate alarms as covered in the bullet above, as long as your plan has this feature.
  • Blocking can either be applied to All Computers or to select groups. For example, you may want to block Facebook for most of the organization, but need to allow the Social Media / Marketing team.
  • Any group you select for blocking must contain computers. Blocking will not apply if you choose a group that contains only users since blocking is done on the machine level.
  • Blocking does not respect our scheduling feature. Websites will be blocked even if a user is accessing them outside of their tracking schedule. Once you block a domain, that domain will be blocked 24/7 until you remove it from being blocked.
  • Do Not Track & Blocking

    • Putting a user on the DNT list will not remove blocking from their machine.

    • If you wish to not track a user, but still utilize website blocking, you will need to log into their machine with a user who is not on the DNT list to ensure an update to the blocking list is made.

  • Blocking can only be applied at the domain level, not to sub-domains. For example, you must block youtube.com and don't have the ability to target specific channels.
  • Microsoft protects its operating system from malicious attackers by preventing some of its own websites from being blocked using the hosts file. The following sites cannot be blocked using ActivTrak:

    • www.msdn.com
    • msdn.com
    • www.msn.com
    • msn.com
    • go.microsoft.com
    • msdn.microsoft.com
    • office.microsoft.com
    • microsoftupdate.microsoft.com
    • wustats.microsoft.com
    • support.microsoft.com
    • www.microsoft.com
    • microsoft.com
    • update.microsoft.com
    • download.microsoft.com
    • microsoftupdate.com
    • windowsupdate.com
    • windowsupdate.microsoft.com

    These fully qualified domain names (FQDNs) are hardcoded in the following DLL: %WINDIR%\system32\dnsapi.dl

    Click this link to learn more

How to set up blocking

Select Settings > Blocking from the navigation menu. NOTE: Only Admins and Configurators with Settings checked under Role Access will have access to Blocking. Learn more.

Groups tab

The Groups tab allows you to apply domains to groups and easily see which groups already have at least one domain blocked (number of domains is indicated within the blue bubble). In this mode you can only apply sites that have already been accessed by your users.

Recall from the Before you start section of this guide that blocking can only be applied to computers, not users. The list of groups conveniently shows in parentheses how many computers are in each group. Groups that only include users and no computers will show (0 group members) and any domains added to these will not be blocked properly. If you need to add computers to an existing group, or create a new group with computers, click the "Manage Groups" button.

Once you have a group of computers you want to adjust domain blocking for, select that group on the left side of the page, and the right side will populate with any existing domains blocked for that group.

  • Click "Add Domains" and search for and select URLs you wish to block, then click "Add" to close the pop-up. 
  • Click the minus icons to remove individual domains or use the "Remove All" button.
  • Review the starting number of blocked domains (blue bubble) + number of domains being added (green bubble) - number of domains being removed (red bubble).
  • Click "Apply" to confirm and finalize the blocking changes.

groups.PNG

Example of Groups tab showing facebook.com being added and pokemon.com being removed from blocking for All Computers. The colored bubbles indicate that All Computers started with 5 blocked domains, and after clicking Apply, 1 will be added and 1 removed.

 

Domains tab

The Domains tab allows you to apply groups to domains and easily see which domains are being blocked for at least one group (number of groups is indicated within the blue bubble). In this mode you can add any domain regardless of whether it has been accessed yet.

  • To modify the groups associated with an existing blocked domain, select that domain on the left side of the page, and the right side will populate with any groups that already have it blocked.
    • Click "Add Groups" and search for the groups you wish to block from accessing the selected domain, then click "Add" to close the pop-up. 
    • Click the minus icons to remove individual domains or use the "Remove All" button.
    • Review the starting number of blocked domains (blue bubble) + number of domains being added (green bubble) - number of domains being removed (red bubble).
    • Click "Apply" to confirm and finalize the blocking changes.

domains.PNG

Example of Domains tab showing removing instagram.com blocking from All Computers and only adding it to two specific groups. The colored bubbles indicate that instagram.com started with 1 blocked group, and after clicking Apply, 2 will be added and 1 removed. Note that one of the new groups has (0 group members) so it is either a blank group or includes only users, and this change will have no effect on users in that group unless and until their computers are added to the group as well.

  • To add a new domain that is not yet blocked for any groups, click "Add Domain".
    • Type in the URL you wish to block, either select it from the filtered list or click "Add" if it's not in the list, then click "Next" and select the groups you wish to block it for. Click "Add" to close the pop-up.
    • Review the starting number of blocked domains (blue bubble) + number of domains being added (green bubble) - number of domains being removed (red bubble).
    • Note that the list of groups conveniently shows in parentheses how many computers are in each group. (Recall from the Before you start section of this guide that blocking can only be applied to computers, not users.) Groups that only include users and no computers will show (0 group members) and any domains added to these will not be blocked properly. If you need to add computers to an existing group, or create a new group with computers, this needs to be done first under Settings > Users & Groups > Groups.
    • Click "Apply" to confirm and finalize the blocking changes.

add.PNG

domains2.PNG

Example of adding temu.com as a new domain. Since nothing populated after the search, this domain has not yet been accessed and we will click "Add". We chose to block this domain on All Computers. The colored bubbles indicate that temu.com was not previously blocked for any groups, and after clicking Apply, 1 blocked group will be added.

Troubleshooting blocking

Whitelisting

If there is an Anti-Virus, Firewall, or DNS Filter installed on the machine or network, the machine may attempt to use those settings before those implemented by ActivTrak. If ActivTrak is incorrectly identified as a potential security vulnerability and prevented from writing to the hosts file, a user may be able to bypass blocking, or a previously blocked website may be unable to be removed. This is typically resolved by whitelisting the necessary file paths per this guide, but in some cases it may be necessary to manually edit the hosts file.

Flushing DNS after making changes

It can take up to 20 minutes for changes in the blocked domain list to take effect on the computers with ActivTrak installed. To speed up this process:

Windows

  • Navigate to the Windows Search bar, then type “cmd“.
  • Right-click “Command Prompt“, then choose “Run as Administrator“, and click Yes.
  • Type ipconfig /flushdns then press Enter (be sure there is a space before the slash). A success message should be returned.

MacOS

  • Open Terminal.
  • Type the following strings and hit return after each one: 
    • sudo killall -HUP mDNSResponder
    • sudo killall mDNSResponderHelper
    • sudo dscacheutil -flushcache

Resetting the hosts file

The agent will remove any ActivTrak-written entries to the hosts file when uninstalled, but in the rare case the uninstaller fails to remove them, it may be necessary to reset the hosts file manually. In order to do this, we make changes to the host file saved on every Mac and PC and use a routing service for the Chrome agent.

Windows

Please select your operating system version and follow the associated instructions in the "How to reset the Hosts file back to the default" guide provided by Microsoft Support.

MacOS

  • Open Terminal, type "sudo nano /etc/hosts/" and press return.

  • Enter your administrator password and then hit return. Note: you will not see any characters appear on the screen when typing your password.

  • Use the screen that comes up to remove the ActivTrak entries from your hosts file.
    • The highlighted section shows the domains currently being blocked by ActivTrak. 

      Screen_Shot_2020-01-28_at_2.54.08_PM.png

    • Move the cursor (using the arrow keys) to the line(s) you want to remove. Press Control + K and that line will be removed. Repeat for each desired deletion.

      Screen_Shot_2020-01-28_at_3.02.06_PM.png 

    • After this is completed, press Control+X and you will be prompted if you want to save your changes. Enter "Y" for yes and the hosts file with be modified to reflect those changes.

      Screen_Shot_2020-06-30_at_1.28.48_PM.png

  • After you are done editing the hosts file, save it and run the commands listed in the Flushing DNS after making changes section above to flush the DNS on your Mac.

Screen_Shot_2020-03-29_at_1.32.11_PM.png

 

ChromeOS

The Chrome Agent is the easiest to reset the hosts file for. Simply open your Chrome browser and navigate to chrome://extensions, then locate the ActivTrak extension and click "Remove".

Screen_Shot_2020-01-28_at_3.21.22_PM.png

Was this article helpful?

18 out of 41 found this helpful

Comments

No comments