Skip to content

Safe Exam Browser 2.2.1

Compare
Choose a tag to compare
@danschlet danschlet released this 31 Aug 01:07

SEB 2.2.1 for macOS is a major update, improving security by blocking prohibited processes, adding new capabilities and offering full compatibility to enhanced integrations with learning management systems, like the one available in Moodle 3.9.

  • Prohibited Processes settings for blocking specific processes and applications from running together with SEB.
  • Preset prohibited processes covering communication, screen sharing and recording apps. Let us know if you would like to suggest applications and tools to be added to those preset prohibited processes (we need information about the software and its name and Bundle Identifier (if applicable).
  • Added settings to allow to reconfigure SEB, even it is already running in a secure exam session.
  • Implemented setting keys to control clearing cookies when starting/ending an exam session (examSessionClearCookiesOnStart / examSessionClearCookiesOnEnd). This can be used to keep users logged in from the previous session after an exam session was started (and SEB reconfigured with new settings).
  • Added setting to enable Web Inspector (web developer tools) in Preferences/Browser (same settings key allowDeveloperConsole as in SEB for Windows 3.0. If enabled and right click isn't disabled (see Preferences/Security/Hooked Keys/Enable Right Mouse), you can right click/ctrl-left click on a web page element and open Web Inspector with 'Inspect Element'.
  • Added Mac-specific settings for blocking screen shots and screen recording. The separate settings allow to run SEB correctly in parallel with some remote proctoring tools.
  • Added separate Mac setting for the Private Clipboard feature.
  • Added Mac-specific setting for blocking screen sharing over the network (VNC): key screenSharingMacEnforceBlocked (default: false, then the value of the existing key allowScreenSharing is used).
  • Added all SEB for iOS settings in Preferences window.
  • Fixed that a wrong Config Key was calculated because of specific new default settings added in a new SEB version. This was the cause why SEB 2.1.4 did not work correctly with the new SEB integration in Moodle 3.9.
  • Fixed: Overriding check for specific processes in lock screen didn't work.
  • Fixed: Client config encrypted with password wasn't compatible between Win vs. Mac+iOS.
  • Fixed: Loading config file with different SEB admin password in Preferences didn't work.
  • Fixed that an SEB config without proper MIME type wasn't recognized: Added "text/xml" as alternative MIME type for SEB config files when a seb(s) link is opened.
  • Removed ARDAgent from detecting Remote Management: ARDAgent is running always when Remote Management is enabled in System Preferences / Sharing, which made it necessary to always disable Remote Management. Now this is not necessary, as long as no VNC client tries to connect to the SEB client (in that case the according red lock screen is displayed and requires the quit/unlock password to be entered).
  • Removed setting for disabling Local Storage (in Browser pane). Local Storage is now always enabled.
  • Replaced key string mobileShowSettings with string showSettingsInApp in default settings.

Fixed SEB 2.2 issues in SEB 2.2.1:

  • Cannot open Moodle Deeper Integration quiz by starting SEB with indirect sebs:// link.
  • Browser Exam and Config Key are not displayed correctly first time opening Preferences/Exams.
  • Allow to load configs from indirect sebs:// Links regardless of URL filter in client settings.
  • Embedded SSL debug certificate doesn't work with wildcard domains.

IMPORTANT: SEB 2.2.1 for macOS uses a different policy to decide if it can be reconfigured when a seb(s) URL is opened and a .seb config file downloaded: When running in Secure Mode (a quit password is set in the currently active settings), SEB 2.2.1 cannot be reconfigured, even if it's using the persisted client settings. Earlier versions could always be reconfigured when using client settings. If you want to allow reconfiguring SEB by opening a seb(s) URL while running in Secure Mode, then you need to use the "Allow Reconfiguring" and "Reconfiguring Config URL" options in Preferences/Exam Session. For the same behavior as in previous versions, you can enable "Allow Reconfiguring" and set "Reconfiguring Config URL" to "*" (wildcard symbol, meaning any seb(s) URL or download URL of a .seb config file is allowed to reconfigure SEB) in your SEB client settings. This policy settings for reconfiguring are already used by SEB for iOS and will also be introduced in SEB 3.1 for Windows.

Other changes could also require you to change your SEB settings:

  • Preset prohibited processes are required to be quit before starting an exam and are automatically added to any config you open with SEB 2.2.1. This doesn't alter the Config Key hash. The Browser Exam Key hash value is changed, but that key you anyways have to determine by loading the according SEB config file in SEB 2.2.1 and copy-paste the key from the Preferences/Exam pane. You cannot remove those preset prohibited processes, but you can deactivate them individually using their "Active" parameter. See the Preferences/Applications/Prohibited Processes pane. You can change other properties of the prohibited process, although not all of these parameters are used by SEB for macOS, currently only "Active", "Executable", "Identifier", "OS", "Force quit" and "Description" are used. You can't change "Executable" or "Identifier", if you do so, a new prohibited process entry is created internally (and visible next time you open those settings). There are two kinds of processes: Applications with a Bundle Identifier, which follows the reverse domain notation (for example org.safeexambrowser.Safe-Exam-Browser). SEB uses the Identifier parameter to detect those Application processes. BSD processes don't have a Bundle Identifier, they are only detected using the Executable property (process name). If you want to add prohibited processes to your settings, you can use the Activity Monitor macOS app: Select a process, press the info button (or cmd-I) and press the "Sample" button. In the sample output, you can identify the process name (SEB property "Executable", which can differ from the localized application name displayed by macOS in the Finder, Dock and Activity Monitor process name list. If the sample shows an "Identifier" in reverse domain notation (and not the identical string as the "Process" entry), then this process is an application with a Bundle Identifier and you should enter this bundle ID as "Identifier" in SEB's settings if you create a prohibited process. If "Identifier" from the sample output isn't in reverse domain notation, don't enter anything in the "Identifier" field in SEB's prohibited process settings, only enter the process name in "Executable".
    Only enable the "Force quit" parameter for prohibited processes in SEB if you are sure that student's won't loose unsaved documents if the process is terminated without a warning when starting SEB. Usually "Force quit" should not be used with applications: When "Force quit" is disabled, SEB will send a regular quit command to the application. Most applications will then either auto-save unsaved changes in open documents or ask the user if the document should be saved before quitting.
    By default, when the SEB setting "Attempt to quit prohibited applications" (Preferences/Applications) is enabled, then SEB tries to quit all running prohibited applications in this "nice" way, allowing them to save changes to open documents. If you disable this setting, then the user first has to confirm SEB trying to quit those running prohibited applications even in this "nice" way.
    BSD processes cannot be "nicely" quit, users either have to manually quit or disable them or use the "Force Quit" button displayed in the list of running prohibited processes displayed when SEB is starting. Please note that macOS restarts some background (daemon) processes automatically if they are force terminated. Those processes might have to be uninstalled (or temporarily deactivated using the command line in Terminal, as explained in this external article).

  • New separate Mac setting for the Private Clipboard feature, Preferences/Security/"Enforce private clipboard on Mac" (settings key enablePrivateClipboardMacEnforce), by default enabled. If enabled, then the private clipboard is used, even if the old setting Preferences/Security/"Use private clipboard" is disabled. The reason for the separate Mac setting is, that enabling private clipboard in the Windows version sometimes causes web compatibility issues (which isn't the case in the Mac version). If you intentionally disabled "Use private clipboard" (key enablePrivateClipboard=false) for the Mac version, then you have to set enablePrivateClipboardMacEnforce=false in addition.

  • New separate SEB for macOS settings for allowing screen capture/recording, window capture and to use the legacy method for blocking screen shots. SEB 2.2.1 for macOS is no longer using the old setting "Enable screen capture" which corresponded with the setting "Enable Print Screen" in Windows. Instead, these new settings allow to control access to the screen while SEB is running in a gradual way. The new setting "Allow screen capture/recording" (key allowScreenCapture) controls a system process, which since macOS 10.14 Mojave is used for the macOS screen recording feature (cmd+shift+5) and for screen shots. The new setting "Allow window capture (screen shots)" (key allowWindowCapture) controls if other processes are able to read the contents of the windows displayed by SEB. Depending which system APIs are used to read window or screen contents, those settings have a different effect: If allowScreenCapture=true and allowWindowCapture=false, then macOS screen shots using cmd-shift-3 and -4 can still be taken, but don't show SEB's windows (only the desktop background). On screen recording videos taken with cmd-shift-5, SEB's windows will still be visible, unless allowScreenCapture is set to false. When the new setting "Block screen shots (Legacy)" (key blockScreenShotsLegacy) is enabled, then SEB uses the method to redirect and delete screen shots which had to be used with macOS 10.9 and older. Those separate settings may allow to use SEB with specific remote proctoring solutions which need access to the screen and SEB's window contents.

  • New SEB for macOS setting "Enforce blocking screen sharing on Mac" (key screenSharingMacEnforceBlocked, default value true/enabled), which overrides the original screen sharing setting "Allow (network) screen sharing" (key allowScreenSharing) on Mac clients. This allows for example SEB for Windows to be used in Windows remote sessions (RDP), while still blocking VNC-based macOS screen sharing and remote management on Mac SEB clients.