Restrict High-Stakes Learn Tests by Location
As increasing numbers of institutions are delivering high-stakes tests using Learn, there is also an increased desire on the part of course facilitators, instructors, and administrators to prevent students from cheating. High-stakes tests are often delivered to students in proctored lab environments to ensure that students can be identified (e.g. using an ID) and monitored while taking a test. However, if the Learn test can be accessed from any location during the testing window, students could conspire to take a test from a different location, or have someone else take the test from another location on their behalf, compromising the security of the testing environment.
IP addresses identify specific PCs and are a good method to enforce the location-restriction requirements described above. In this release, tests can be restricted by location; administrators define each location as a set of IP addresses or IP ranges.
The first step to take advantage of location restriction is for an administrator to create a range of IP addresses corresponding to one or more network segments that are used exclusively in the testing environment(s), and to give that range a natural language name. The range can be composed of as many different filters as necessary to correctly capture the part of the network in use in the testing environment. Custom descriptive help text, to be shown to students in the event that they access the test from outside the range, can also be provided.
How to create a range of IP addresses:
You can only create one range. You can add multiple labs to the range.
- From the System Admin panel, click Course Settings and select Grading Security Settings.
- Type a range name. This range name should be easily understood and identified by instructors when they are selecting IP Ranges from their course.
- Type the IP addresses in the IP Filter field.
  - List one IP filter per line and use the word BLOCK or ALLOW before the IP address. ALLOW 123.456.3.3 is an example of an IP filter.
  - Wildcards (*) are allowed in any position of the IP address.
  - IPv4 and IPv6 syntax are supported.
  - Specify an IP filter range by inserting a forward slash between two IP addresses. ALLOW 123.456.0.0/123.456.255.255 is an example of an IP filter that uses a range.
  - Only students who are using a computer with an IP address in the allowed range can access the test or survey.
- Type information for students about where the test is located and any other information that is appropriate in the Student Help Text field.
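The filter syntax above can be checked offline before it is entered, as in this added example (not Blackboard's code). The names `matches`, `in_range` and `LAB_FILTER` are hypothetical, the sample addresses are constructed from documentation ranges, and the precedence rule (a matching BLOCK always denies, otherwise at least one ALLOW must match) is an assumption, since the page does not state how overlapping filters are resolved.

```python
import ipaddress

def matches(pattern, addr):
    """True if addr (an ipaddress object) is covered by one filter pattern."""
    if "/" in pattern:
        # Range syntax from the page: two full addresses, not CIDR notation.
        first, last = (ipaddress.ip_address(p.strip()) for p in pattern.split("/", 1))
        if not first.version == last.version == addr.version:
            return False
        return first <= addr <= last
    if "*" not in pattern:
        return ipaddress.ip_address(pattern) == addr
    # Wildcards are compared component by component, so "*" may sit anywhere.
    sep, base = (":", 16) if ":" in pattern else (".", 10)
    if (base == 16) != (addr.version == 6):
        return False
    want, have = pattern.split(sep), addr.exploded.split(sep)
    if len(want) != len(have):
        raise ValueError(f"wildcard pattern must have {len(have)} components: {pattern!r}")
    return all(w == "*" or int(w, base) == int(h, base) for w, h in zip(want, have))

def in_range(filter_text, client_ip):
    """Assumed policy: any matching BLOCK denies; otherwise an ALLOW must match."""
    addr = ipaddress.ip_address(client_ip)
    allowed = False
    for line in filter_text.splitlines():
        if not line.strip():
            continue
        action, _, pattern = line.strip().partition(" ")
        if action.upper() not in ("ALLOW", "BLOCK") or not pattern.strip():
            raise ValueError(f"bad filter line: {line!r}")
        if matches(pattern.strip(), addr):
            if action.upper() == "BLOCK":
                return False
            allowed = True
    return allowed

# Constructed filter using documentation address ranges.
LAB_FILTER = """\
ALLOW 192.0.2.*
BLOCK 192.0.2.200
ALLOW 198.51.100.10/198.51.100.50
ALLOW 2001:db8:0:1:*:*:*:*
"""
```

A line written in CIDR form, such as `ALLOW 192.0.2.0/24`, raises `ValueError` here because the text after the slash is not a full address, which catches the most likely misreading of the range syntax.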
Once an IP Range has been created, it is available for selection within a course, on the respective test options page.
Test Availability Exceptions
There may be situations where an instructor needs to make an exception for a student or group of students to allow them to take the test from someplace outside of the specified location (IP range). When this is the case, the instructor may use the Test Availability Exceptions to exclude specified students and/or groups of students from the location restriction.
Students with this exception enabled are able to take the test from any location, even if it is restricted for other students.
In a high-stakes testing situation, the proctor or instructor can override a restriction that has been enforced by the system from the Test Begin page. From here instructors are shown the individual instances when users were prevented from accessing a test, along with an option to override this restriction to allow a user to continue taking the test.
Additional notes and technical details:
- The Restrict Location setting on the Test Options page is not displayed to instructors until an administrator has created at least one IP Filter.
- Location restriction is also available for surveys.
- Other tools like SCORM, Assignments, Self & Peer Assessments, etc., do not include location restriction.
- IPv4 and IPv6 range checking will both be supported.
- Load-balanced and SSL-offloaded client installs can support this feature, as long as the X-Forwarded-For HTTP header is properly configured at the balancer/off-loader.
- All course reuse operations that include test deployments (meaning the copy or package includes content AND tests, not just tests or just content) include location restriction information.
- A new public API is available to other tools to compare the user's IP address to the named IP address range set by the system admin, and determine whether the user is in range or out of range.
- Custom range creation or checking, custom error messages and security logging, overrides or other features built for this project are NOT exposed via public API.
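The X-Forwarded-For note above matters because the location check is only as reliable as the client address the application sees. The following added example (not Blackboard's code; `TRUSTED_PROXIES`, `is_trusted`, `client_ip` and the 10.0.0.0/24 balancer subnet are assumptions) resolves the address to test by accepting only hops appended by known balancers and failing closed otherwise.

```python
import ipaddress

# Assumption: the balancers/off-loaders sit in this subnet (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def is_trusted(ip):
    """True if ip belongs to one of the known balancer networks."""
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff_header):
    """Return the address to test against the IP range, or None to fail closed.

    peer is the TCP peer address seen by the application server;
    xff_header is the raw X-Forwarded-For value (may be empty or None).
    """
    peer_ip = ipaddress.ip_address(peer)
    if not is_trusted(peer_ip):
        # Direct connection: the header was not written by a balancer, ignore it.
        return peer_ip
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each proxy appends on the right, so walk right to left and stop at the
    # first hop that is not a trusted balancer. Entries further left were
    # supplied by the client and carry no weight.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not is_trusted(ip):
            return ip
    return None  # balancer sent no usable client address
```

A `None` result means the balancer is not forwarding the header correctly, which is a configuration problem to fix before relying on location restriction.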
All errors and overrides are logged in the new Security Log with event codes 36, 37, and 38.
|Event Code||Security Event||Changes||Description|
|36||User Starting an Assessment Violated IP Address Rule||New Event for Test IP Address Filtering||Identifies intentional and unintentional violations to the IP Address value or range restrictions set on an Assessment. An assessment that begins with an IP Address value/range restriction only has a severity of "0"|
|37||User Taking or Finishing an Assessment Violated IP Address Rule||New Event for Test IP Address Filtering||Identifies intentional and unintentional violations to the IP Address value or range restrictions set on an Assessment. An assessment that may start meeting the IP Address rule but then violates it during or at the completion of an assessment.|
|38||IP Address Rule Overridden for an Assessment Attempt||New Event for Test IP Address Filtering||Test Proctors may need to override a given blocked attempt for a particular student if the IP Address/Range was not configured correctly by the Administrator. These exceptions would be logged.|
Example Single Row for each Security Event:
- Event Code 36 (User Starting an Assessment Violated IP Address Rule):
timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn
- Event Code 37 (User Taking or Finishing an Assessment Violated IP Address Rule):
timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|evt_name=User Taking or Finishing an assessment or Continue Attempt Violated IP Address Rule|sev=2|cat=assessments|outcome=success|session_id=1000|msg=User taking or completing assessment course assessment <_3_1> violated IP Address rule. The violation was logged. May be an indicator of a potentially inadvertent test policy violation or a misconfigured IP Address rule.|http_useragent=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)|act=logged
- Event Code 38 (IP Address Rule Overridden for an Assessment Attempt):
timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|evt_name=IP Address Rule Overridden for an assessment Attempt|msg=Test administrator overrode a test policy violation for user <_2_1> for course assessment <_3_1> because it violated IP Address rule. May be an indicator of a potentially inadvertent test policy violation or a misconfigured IP Address rule.|http_useragent=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)|act=logged
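For reviewing these Security Log rows after an exam, the added example below (not part of the original page or of Blackboard's tooling) parses the pipe-delimited key=value layout and surfaces sessions with repeated violations and assessments with several overrides, the latter being a hint that the IP range is misconfigured. The sample rows are constructed from the field names shown above; `parse_row`, `summarize` and the override threshold of 2 are assumptions.

```python
import re
from collections import Counter

# Constructed sample rows that follow the field layout of the examples above.
HEAD = "timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|evt_name="
VIOLATION = (HEAD + "User Taking or Finishing an assessment or Continue Attempt "
             "Violated IP Address Rule|sev=2|cat=assessments|outcome=success"
             "|session_id={sid}|msg=User taking or completing assessment course "
             "assessment <{test}> violated IP Address rule.|act=logged")
OVERRIDE = (HEAD + "IP Address Rule Overridden for an assessment Attempt"
            "|msg=Test administrator overrode a test policy violation for user "
            "<{user}> for course assessment <{test}> because it violated "
            "IP Address rule.|act=logged")
SAMPLE_LOG = "\n".join([
    VIOLATION.format(sid=1000, test="_3_1"),
    VIOLATION.format(sid=1000, test="_3_1"),
    VIOLATION.format(sid=1001, test="_3_1"),
    OVERRIDE.format(user="_2_1", test="_3_1"),
    OVERRIDE.format(user="_5_1", test="_3_1"),
    OVERRIDE.format(user="_6_1", test="_4_1"),
])

ENTITY = re.compile(r"<(_\d+_\d+)>")  # ids such as <_3_1> inside msg

def parse_row(row):
    """Split one pipe-delimited row into a dict of key=value fields."""
    fields = {}
    for part in row.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def summarize(log_text, override_threshold=2):
    """Return (sessions with repeated violations, assessments with many overrides)."""
    violations, overrides = Counter(), Counter()
    for row in filter(None, map(str.strip, log_text.splitlines())):
        fields = parse_row(row)
        ids = ENTITY.findall(fields.get("msg", ""))
        if not ids:
            continue
        # The assessment id is the last <...> token in both message formats.
        test, name = ids[-1], fields.get("evt_name", "")
        if "Overridden" in name:
            overrides[test] += 1
        elif "Violated IP Address Rule" in name:
            violations[(test, fields.get("session_id"))] += 1
    repeated = {key: n for key, n in violations.items() if n > 1}
    review = sorted(t for t, n in overrides.items() if n >= override_threshold)
    return repeated, review
```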