Windows Authentication - Active Directory & Azure AD
Windows authentication into SchoolProtect is handled through an agent (called Netsweeper Workstation Agent or WAgent) that is installed on the devices and runs as a service. Group Policy or Intune is used to push the correct policy setting to associate users with the appropriate filtering policy.
Note: this authentication method replaces the legacy 'AD Link' tool that was previously used. The new tool works with both on-premises AD and Azure AD joined devices.
SchoolProtect Steps
1. Sign into the SchoolProtect admin console: https://schoolprotect.lgfl.org.uk/.
2. Browse to Policies > Policy Configuration.
3. Create a new policy, choose what to base it on (system default or copy existing policy) and give it a name. The new policy will show under the Inactive Policies section at the bottom of the page.
4. Click Edit to enter the Policy Group page (this is where you can configure time schedules and edit the policy allowed/blocked URLs, categories and Bundles).
5. You should not enter anything into the Priority box.
6. Under Target Group click Windows (InTune/GPO) (if this button is not showing, check the policy is not targeted to any other user type, i.e. IP addresses, AD groups or USO groups).
Repeat this process for each different filtering policy you need to set up.
Azure AD - Intune Steps
Please note: in testing, this works best when the device has Shared PC Mode enabled, as per-user Intune policies apply quicker upon login.
1. Download and extract LGfL Netsweeper Workstation Agent ADMX. This zip contains 4 files:
   - Netsweeper Workstation Agent MSI
   - Netsweeper Workstation Agent INTUNEWIN
   - Wagent.admx
   - Wagent.adml
2. Create the App Installation. This needs to be completed once:
   1. In Intune, open Apps > Windows.
   2. Select Windows app (Win32) and click Select.
   3. Click Select app package file and upload the Netsweeper Workstation Agent INTUNEWIN file from step 1.
   4. Enter ‘LGfL’ as the Publisher name and click Next.
   5. Click Next on the Program page.
   6. On the Requirements page, select both 32 bit and 64 bit in the Operating system architecture box and Windows 10 1607 in the Minimum operating system box and click Next.
   7. On the Detection rules page, select Manually configure detection rules in the Rules format box. Click Add, select MSI in the Rule type box and click OK. Click Next.
   8. Click Next on both the Dependencies and Supersedence pages.
   9. On the Assignments page, click Add to all devices under the Required heading to install onto all the managed Windows devices and click Next.
   10. Click Create.
   11. The Workstation Agent should start to be installed on the Windows devices as they check in to Intune.
3. Import the ADMX definition. This needs to be completed once:
   1. In Intune, open Devices > Configuration.
   2. On the ‘Import ADMX’ tab click + Import.
   3. Select the wagent.ADMX and wagent.ADML files extracted from step 1.
   4. Click Next then Create.
4. Create the per-policy configuration. This needs to be completed for each filtering policy you wish to define:
   1. On the Devices > Configuration page, open the Policies tab and click + Create then + New Policy.
   2. Choose Windows 10 and later in Platform and Templates in Profile type. Select Imported Administrative templates (preview) and click Create.
   3. Give your profile a name and description (e.g. LGfL SchoolProtect Students) and click Next.
   4. In the Configuration settings page, click User Configuration, open the ‘LGfL’ folder and select SchoolProtect Netsweeper Workstation Agent Config.
   5. Click Enabled and paste in the configuration that is displayed in the SchoolProtect Policy Group Configuration page (ensure that you have clicked on Windows (InTune/GPO) to show it).
   6. Click OK then Next and Next again on the Scope tags page.
   7. On the Assignments page, add the user groups you wish this policy to apply to.
   8. Click Next then Create.
Testing
Once these steps are completed, wait 90 minutes then test with a user in the group/OU added in step 4.7:
- Sign into a PC and ensure Workstation Agent is installed:
  - This can be done by looking for ‘Wagent’ in Task Manager.
- Visit http://wsblock.co.uk and check the username listed is the currently logged in user.
Active Directory - Group Policy Steps
1. Download and extract LGfL Netsweeper Workstation Agent ADMX. This zip contains 4 files:
   - Netsweeper Workstation Agent MSI
   - Netsweeper Workstation Agent INTUNEWIN
   - Wagent.admx
   - Wagent.adml
2. Deploy the MSI installer. This needs to be completed once:
   1. Copy the Netsweeper Workstation Agent MSI file to \\<domain controller>\NETLOGON.
   2. Open Group Policy Management Console.
   3. Create a new Group Policy Object linked to your domain (top-level) and give it a name such as 'SchoolProtect Agent Installation'.
   4. Edit the GPO and open Computer Configuration > Policies > Software Settings.
   5. Right-click Software installation and choose New > Package.
   6. Locate the Netsweeper Workstation Agent MSI within NETLOGON and assign it.
3. Add the ADMX definition. This needs to be completed once:
   1. Copy wagent.ADMX and the en-US folder to \\<domain controller>\sysvol\<domain name>\Policies\PolicyDefinitions. You may need to set up the Group Policy Central Store if this folder does not exist.
4. Create the per-policy configuration. This needs to be completed for each filtering policy you wish to define:
   1. Open Group Policy Management Console.
   2. Create a new Group Policy Object and give it a name such as 'SchoolProtect Staff' or a relevant name for the target OU/SchoolProtect policy.
   3. Edit the GPO and open User Configuration > Administrative Templates > LGfL > SchoolProtect Netsweeper Workstation Agent Config.
   4. Click Enabled and enter the config provided in step 6 of the SchoolProtect steps (it will start with '-S -w https://wsx') to target the relevant group.
Testing
Once these steps are completed, force a GPUpdate and reboot to trigger the MSI install:
- Sign into a PC and ensure Workstation Agent is installed:
  - This can be done by looking for ‘Wagent’ in Task Manager or hovering over the icon bar on the bottom left.
- Visit http://wsblock.co.uk and check the username listed is the currently logged in user and the policy group name matches the item you targeted in the GPO.
Troubleshooting
If you have performed the steps above and wsblock is not showing the username and you are still on an IP policy, please check the following:
- Ensure Workstation Agent is installed:
  - This can be done by looking for ‘Wagent’ in Task Manager or hovering over the icon bar on the bottom left.
  - Check the GPO is targeting all devices and check RSoP to see if it has attempted to run.
- If the agent is installed but hovering over it gives you the message 'Could not assign user to group' or 'Netsweeper Workstation Agent':
  - Check the registry to see if there is an entry within HKEY_CURRENT_USER\Software\Policies\Netsweeper\Netsweeper Workstation Agent\NS_WAGENT_ARGS.
  - If there is no entry, check the user is targeted by that GPO.
  - In the rare case the registry key is there, the agent is showing the 'could not assign' error and no authentication happens, restart the WAgent service in Task Manager. If this resolves the issue you may need to create a delayed start GPO for the agent.
- If the agent is installed but not showing on the task bar:
  - Check within Administrative Tools > Services for a service called wagent. If no agent exists, it has not been installed.
  - If the service is there, check its startup type. If this is set to manual, change it to automatic. If this resolves the issue, this may require you to configure a change in Group Policy to set the service to automatic start for all.
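The checks in the troubleshooting list above can be run as one script in the affected user's session. This PowerShell is an added example, not LGfL or Netsweeper tooling; it assumes NS_WAGENT_ARGS is a registry value under the policy key named above and that the service name is wagent as stated on this page.

```powershell
# Added example: run in the affected user's session (HKCU is per-user).
# Assumption: NS_WAGENT_ARGS is a value under the policy key named on this page.
$policyKey = 'HKCU:\Software\Policies\Netsweeper\Netsweeper Workstation Agent'
$valueName = 'NS_WAGENT_ARGS'
$expected  = '-S -w https://wsx'   # prefix the page says the config starts with
$findings  = @()

# 1. Is the wagent service installed, set to automatic start, and running?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wagent'"
if (-not $svc) {
    $findings += 'Service wagent not found: the agent has not been installed.'
} else {
    if ($svc.StartMode -ne 'Auto') {
        $findings += "Startup type is '$($svc.StartMode)'; set it to automatic."
    }
    if ($svc.State -ne 'Running') {
        $findings += "Service state is '$($svc.State)'; it should be Running."
    }
}

# 2. Has the user-scoped policy written the agent arguments?
$policyArgs = $null
if (Test-Path -Path $policyKey) {
    $policyArgs = (Get-ItemProperty -Path $policyKey).$valueName
}
if ([string]::IsNullOrWhiteSpace($policyArgs)) {
    $findings += "No $valueName entry: check the user is targeted by the per-policy GPO."
} elseif (-not "$policyArgs".StartsWith($expected)) {
    $findings += "$valueName does not start with '$expected'; re-enter the config."
}

# 3. Report. With no findings, the remaining case on this page is a start-order
#    problem, which a service restart (elevated) confirms.
if ($findings.Count -eq 0) {
    'Service and policy look correct. If wsblock still shows no username,'
    'restart the service from an elevated prompt: Restart-Service -Name wagent'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A finding about the missing policy value points at GPO targeting for that user; findings about the service point at the installation GPO or the service startup type.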