New 5/12/2026 Cynthia Chillemi

2 Votes

Separate IP Restriction and MFA Policies for Technicians vs End Users

Cynthia Chillemi 5/12/2026 3:59 PM
Currently, the “Predefined IP Addresses” restriction applies globally to all logins, including technicians using the mobile/tablet app. This creates operational challenges for technicians who legitimately need to access the help desk remotely while traveling, working from client sites, or responding after-hours from mobile devices.

I would like to suggest the following enhancements:

1. Separate IP Restriction Policies for Technicians/Admins vs End Users

Allow organizations to define IP restrictions independently for:

- Technicians/Admins
- End Users/Customers

2. MFA-Based Exception for Technicians

- If MFA/2FA is enabled for a technician/admin account, allow login from any IP address, including through the mobile app.
- This would maintain strong security while allowing legitimate remote access for support staff.

3. Trusted Network Bypass for End Users

- If an end user is connecting from a trusted/predefined IP range, optionally bypass MFA requirements for convenience.
- If outside the trusted range, require MFA.

4. Mobile App Awareness

- The technician mobile/tablet app should ideally honor MFA authentication while not being blocked by static IP restrictions.
- Mobile device IPs are inherently dynamic and often change due to cellular providers, VPNs, and roaming networks.

This would provide a much more flexible and modern security model that aligns with real-world IT operations:

- Stronger security for privileged accounts
- Better usability for mobile technicians
- Reduced friction for internal/trusted users
- Granular policy control for administrators

Thank you for considering this enhancement.
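The policy requested above can be written as one decision function. This is an added sketch, not code from the help desk product or from the post's author. The CIDR ranges, the `Login` fields, the `decide` name, and the choice to deny an end user who is outside the trusted range and has no MFA enrolled are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ranges (documentation/private space), not from the post.
TECH_ALLOWED = ["203.0.113.0/24"]
USER_TRUSTED = ["10.20.0.0/16", "2001:db8:50::/48"]

@dataclass(frozen=True)
class Login:
    role: str           # "technician" or "end_user"
    source_ip: str      # address the server observed for the connection
    mfa_enrolled: bool  # account has MFA/2FA enabled

def _in_ranges(ip_text, cidrs):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable address is never trusted
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Membership is False when address and network versions differ
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def decide(login):
    """Return 'allow', 'require_mfa' or 'deny' for one login attempt."""
    if login.role == "technician":
        if login.mfa_enrolled:
            # Item 2 and 4: any IP, web or mobile app; MFA is the gate
            return "require_mfa"
        # Item 1: without MFA the technician IP list still applies
        return "allow" if _in_ranges(login.source_ip, TECH_ALLOWED) else "deny"
    if login.role == "end_user":
        if _in_ranges(login.source_ip, USER_TRUSTED):
            return "allow"  # Item 3: trusted range bypasses MFA
        # Assumption: no MFA enrolled and untrusted network fails closed
        return "require_mfa" if login.mfa_enrolled else "deny"
    return "deny"  # unknown role fails closed

if __name__ == "__main__":
    for attempt in (Login("technician", "198.51.100.7", True),
                    Login("end_user", "::ffff:10.20.3.4", False),
                    Login("end_user", "198.51.100.7", False)):
        print(attempt, "->", decide(attempt))
```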
