I am not sure if this has been noticed yet, but there is the ability for people to log into the MES from their cell phones (say they are running late) and clock in without actually being here.
I have been tasked with ‘How do we prevent this’ and I have absolutely no clue. So far, I have turned off features in Handheld MES Security Maint, but that didn’t work.
Basically, if someone has the time to slowly copy and type in the MES url into their phone or copy and paste in an email to themselves, they are potentially able to log in, even when they are not here.
Hmm, things I hadn’t thought about… Epicor is device type aware at the appstudio level so you would be able to make a phone specific layer to MES that is a blank screen.. but a savvy user would just use “Desktop Mode”.. You can look at the browser’s user agent and viewport size, portrait would be a pretty significant teller.. but then, a savvy user goes Landscape in Desktop Mode..
You could use an IP Address whitelist for the user account.. and make sure that your guest wifi doesn’t use that public IP but routes against another one..
to do that, I would have to enter all of our current IP addresses into each employee?
That is pretty tedious to manually enter 100 IP addresses on 150 people, no?
@aosemwengie1 WOW, Thank you
As this is not a part of ‘my realm’, say we have 8 different locations, I would reach out to our tech company and get out 1 public IP for each location and enter those?
OK, so it seems that at last in 2025.2 they added IP Address Sets, and you can assign a set of IPs there and then assign that to users like @aosemwengie1 suggested.
I forgot about IP Address Sets. Another option if you use Entra. Not only can you limit by IP addresses, but you can also control devices based on enrollment, compliance, etc. protecting your network from other issues as well as remote logins.
Thank you. I will definitely be digging into this more, and unfortunately, I will have to reach out to support because we want MES only and the information on the IP Address Set is too vague. I will keep people updated
Welp… I’ve tried to use it. I think I set it up correctly; it appears to not do much of anything. However, I am a Global Security Manager; maybe it ignores the rules if I’m all powerful?
I would have to create a lowly account to mess with; I don’t have the time or the crayons right now. According to the help it should work but I guess take that with a
Oooo, does that mean useragent? That would be interesting for lots of reasons. In the topic’s case still spoofable but surely nuisance enough to demonstrate intentional effort. If that’s not enough to get managers managing, employees cheating on hours is a symptom of a problem IT can’t solve.
I tried messing with IP constraints very briefly a while ago and got the impression that client use isn’t the goal. I’ve only ever seen one user account (if you’re SaaS you’ve seen it come and go) with an IP address set successfully applied. Anyway the concept did make me wonder if they’re applying it in a way that would allow one to read user’s IP origins…
Yes and no? Kinetic is aware of the user agent, but just uses that to decide what layer to send the client, it doesn’t expose it to app studio itself.
With app Studio, you set up a base layer, then a parent-child to a phone layer and a tablet layer. The base layer becomes the “Desktop” layer.
You add the Desktop layer to the menu item, and Epicor handles the return of either the Phone or Tablet layer depending on what the user agent says.
I’ve got this enabled to provide a device-specific UI on a number of dashboards, it works well!
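The trade-off discussed in this thread, as an added example that is not from any poster and is not Epicor's IP Address Set implementation: a source-IP allowlist (one public egress IP per location, guest Wi-Fi on a separate IP) compared with a user-agent check on the same requests. All addresses, site names and user-agent strings are constructed sample data, and `ip_allows`, `ua_allows` and `evaluate` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: documentation-range addresses stand in for the
# one-public-IP-per-location egress addresses discussed in the thread.
SITE_EGRESS = {
    "plant-a": ["203.0.113.10/32"],
    "plant-b": ["198.51.100.20/32"],
}
# Guest Wi-Fi deliberately routes out through a different public IP.
GUEST_WIFI_EGRESS = "203.0.113.99"

ALLOWED = [ipaddress.ip_network(c) for cidrs in SITE_EGRESS.values() for c in cidrs]
MOBILE_MARKERS = ("Mobile", "Android", "iPhone")


def ip_allows(src_ip: str) -> bool:
    """True only when the request leaves from a known site egress address."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed source address: fail closed
    return any(addr in net for net in ALLOWED)


def ua_allows(user_agent: str) -> bool:
    """Naive user-agent check: block anything that looks like a phone."""
    return not any(m in user_agent for m in MOBILE_MARKERS)


DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
PHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"

# (description, source IP, user agent): all constructed
REQUESTS = [
    ("shop-floor kiosk at plant-a", "203.0.113.10", DESKTOP_UA),
    ("phone on guest Wi-Fi", GUEST_WIFI_EGRESS, PHONE_UA),
    ("phone on cellular", "192.0.2.55", PHONE_UA),
    ("phone on cellular, desktop mode", "192.0.2.55", DESKTOP_UA),
]


def evaluate():
    """Return (description, allowed_by_ip, allowed_by_user_agent) per request."""
    return [(d, ip_allows(ip), ua_allows(ua)) for d, ip, ua in REQUESTS]


if __name__ == "__main__":
    for desc, by_ip, by_ua in evaluate():
        print(f"{desc:33} ip_allowlist={by_ip!s:5} ua_check={by_ua}")
```

The last row is the case that matters: the user-agent check admits the phone once it reports a desktop user agent, while the IP allowlist still refuses it because the request does not originate from a site egress address.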