Using IP Security to Control Time Clock Punch Locations

The initial configuration for a new Spectrum TimeClock Service account allows a firm's employees to punch in from any modern web browser, on any device with an active internet connection, from anywhere. Using administrative configuration menus, there are two different ways to limit punching to only authorized locations. The ideal scenario is where your company has static external IP addresses. These can be configured into Spectrum TimeClock as named "Locations", and punching can then be limited to these IP addresses.

Internal, External, and Static IP Addresses

Every computer or device on a network will have its own IP address within your network. These are typically non-routable IP addresses like 192.168.0.128. Non-Routable IP addresses live only within your network and can not typically be seen by a server (like your time clock server) on the internet. Your network router funnels all traffic from these devices into your modem (cable, DSL, etc...), and that device would typically have only one IP address that your time clock server. That IP address can be static, or it may change periodically.

A "static IP address" is one that does not change periodically. You will typically have to pay your internet service provider to give you a static IP address. If your IP address isn't a static IP address, it may change every time you turn on your computer or DSL / cable modem, or it may change only once every several weeks.

The first thing to do is to build a list of authorized IP addresses, and find out if they are static or not. There are many websites that can give you your IP address. Your ISP can tell you if they are setup as static IP addresses or not.

Using IP Addresses to Name Punch Locations

Now that you've got a list of all of your static external IP addresses, you can add those to Spectrum TimeClock.

1. Login to Spectrum TimeClock as an administrator.
2. Click on the "Admin / Configuration / TimeClocks" menu.
3. Click on "Add" to add one IP address or range.
4. If you are at the location for a given IP address, you can click on "Use This IP" to use that location's IP address. If you aren't at that location, you can type the IP address into the input box at the bottom of the screen, and click "Use This IP".
5. Next, Type in a "Network / Station" name.
6. If you have a "Station ID" you want exported to your payroll software, enter it in the "Station ID" input box.
7. Set the time zone that this location is in.
8. Press "Submit".
9. And go back to step #3 for each of your other IP addresses.

The top of the IP Address Add form also allows you to specify a range of IP addresses, vs. just a single IP address. This is useful if a network at a location exposes a range of IP addresses, and not just one IP address.

Limiting Punching to Authorized IP Addresses

Once you've configured your IP addresses in Spectrum TimeClock, you can limit punching to just those authorized IP addresses. To do that:

1. Login as an administrator.
2. Go to the "Admin / Configuration / System Settings" menu.
3. Click on the "Edit" link at the bottom of the screen.
4. Check the checkbox "Limit Timeclocks to configured IP Addresses".
5. Click "Submit".

Once this is configured, employees will see an error message letting them know that they can't punch from their current IP address when they are at unauthorized locations.

Note that all of the instructions above control only where employees can punch in and out from. Employees with a Punch-ID and Password would still be able to Login from any IP address anywhere.

by Alfred Heyman

Spectrum Research Time Clock Software

All articles are
Copyright © 2004-2013
Spectrum Research, Inc.
and may not be reproduced without permission.