Summary
We are excited to announce the release of IP Whitelisting, a new security feature designed to provide IT
Administrators with enhanced control over application access. This means that you can prevent unauthorized IP addresses from accessing your system.
What is included
•IP Access Control: IT Admins can now define which IP addresses or IP ranges are permitted to log
into the Cloud 9 application.
•Admin Management UI:
•Add, edit, and delete IP ranges.
•Assign descriptions for each entry (e.g., “Office IP,” “Marketing Contractor”).
•Toggle status between Active and Inactive.
•Database-Level Security: Login requests from non-whitelisted IPs are automatically blocked at
the database validation stage.
•Audit & Logging:
•Unauthorized login attempts due to IP restrictions are logged.
•All whitelist modifications (add, edit, delete, status change) are tracked.
•Error Messaging: Users attempting to login from unauthorized IPs will receive a clear notification
to contact their IT Administrator.
Benefits to your practice
•Strengthened security by preventing unauthorized logins from unknown IPs.
•Centralized IP management through a simple admin interface.
•Reduced exposure to malicious login attempts.
•End-users outside the defined IP ranges will not be able to access the system unless granted by
an Admin.
How to Activate IP Whitelisting Feature
Please contact Cloud 9 Support so we can activate the IP Whitelisting feature for your Cloud 9 URL. Support must activate it by adding an app preference on the back end.
How to Use IP Whitelisting
Once the app preference has been added by Cloud 9 Software, in order to gain access to the Admin Management UI, someone at the practice with the permission to 'Edit Employees' must navigate to Edit > Setup > Employees, select your Employee Profile, and in the 'Permissions' section, apply the permission titled 'IP Whitelisting.'
This allows you to access the Admin Management User Interface for the IP Whitelisting. You may need to log out and back into Cloud 9 after the permission is applied for the URL to update. If it is still not showing, you can clear your cache and cookies and login again. Read THIS article for more information on how to clear cache and cookies.
Managing IP Whitelisting
Once you have the permission listed above, you can now access the Admin Management User Interface for the IP Whitelisting. To access it, navigate to Edit > Practice Information > Security Tab. (Please note: To access Practice Information you must have the 'Edit Practice Information' employee permission already applied.)
Step 1. Once there, you will be able to see the section labeled 'IP Whitelisting.' (Screenshot Below.)
Step 2. From here, you would use the blue 'Add Entry' button to add a Single IP, a CIDR notation, allowed IP Ranges, or Wildcards. We'll review a basic definition of each of these in the next section, but any in detail questions regarding IP Address format and what your practice uses should be directed to Local IT, as they would be able to best assist.
Step 2a. Supported IP Formats for IP Whitelisting are: Single IP, CIDR Notation, IP Ranges, or Wildcards.
Definitions - Single IP: A single IP Address. CIDR Notation: This is a block of IP Addresses that your practice would use. IP Ranges: This applies if you have a range of IP Addresses you wish to allow, but not the entire block. Wildcard: Simply put, a Wildcard is a setup that Local IT would enter. Entering the Wildcard format means that every IP Address in that Wildcard would be allowed. Each of these has a format outlined in the Supported Formats Window.
Step 3. Once you click 'Add Entry', a little box appears where it wants you to enter the information for the IP Address(es).
Step 3a. The first box is 'IP Address/Range.' You can enter a single IP Address, a block, a range, or Wildcard, (definitions in the next section.) The box underneath 'IP Whitelisting' header tells the format for each one. So first, you would enter the IP Address(es).
Step 3b. The next box is 'Description.' You can name it, office network, Carol's login, any nickname that differentiates it and makes it easy to see who has logged on.
Step 3c. Once you have entered the IP Address or block, range, or wildcard and the Description, you will want to click 'Save.' If your format is incorrect, you will get a message that tells you the IP format is wrong and review what the format should be. (Screenshot Below.)
Step 3d. Now that the IP address or IP Range has been saved, instead of 'Save' or 'Cancel' appearing under the 'Actions' portion of the Admin Management UI it now says 'Edit' or 'Delete.' Additionally, the IP Address will be marked as inactive when you first enter the rule.
Step 4. You will need to change the status to 'Active' in the Status drop down to set the rule into place. When you do so, a pop up will appear. The pop up is a dialogue box letting you know if you activate this, all users who are not in the IP ranges or with the current IP Address entered will not be able to login on the next session. To activate it, you will need to click the 'Activate IP Restriction.' Because this goes into affect immediately, it might be best to wait until the office is closed, and have your local IT enter all the applicable IP Addresses and activate them then to make sure it does not affect the practice during business hours.
Step 5. Optional: Deactivating an IP or IP Range. If you find that you don't need an IP Address or IP Range anymore, you would navigate back to Edit > Practice Information > Security Tab. Then, under the IP/IP Ranges listed, change the status to inactive. A pop up will appear warning you that you are deactivating an IP Restriction. If you click 'Deactivate IP Restriction' it will deactivate that single rule you have selected. (Screenshot Below.)
Unauthorized Login Attempts and Logs
When a user attempts to login and is not logging in from a whitelisted IP Address, and they don't have the setup to bypass it, an error will appear. The error will say, 'Unauthorized Login due to security policy. Please contact your office administrator for assistance with your login settings.'
You also have access to look at the login history and you can see when an unauthorized login attempt occurred. To do this, you must have the permission applied by the practice in your Edit > Setup > Employee Profile called 'View Login History.' As long as you have that permission applied, you can click View > Login History, and see any unauthorized attempts to login. In the Login History it will show the login name, Employee Name, Date/Time, Computer ID, Computer IP, Result: 'Failure', (if the login didn't go through), and Reason: 'IP Not Whitelisted', (if the failure is due to IP Whitelisting.)
All changes to the IP Whitelist are tracked in the System Logs in Cloud 9. If you need assistance seeing which Employee made changes to the IP Whitelist, please contact Cloud 9 Support and we can check the System Logs on our end to see the changes. (Please Note: We can only see the last 90 days of the System Logs, so if the change happened 90+ days ago, it will not be available for us to view on the backend.)
How to Bypass IP Whitelisting for Specific Employees
There may be an employee or employee type that you do not want the IP Whitelisting to apply to. Maybe the Doctor needs to access Cloud 9 from home, or you have an employee who works out of state or travels. There are times when you will want to ensure that the rules for IP Whitelisting do not apply to a specific employee or employee type.
To turn on the 'Bypass IP Whitelisting' for one employee, navigate to Edit > Setup > Employees. Select the Specific Employee. Above the Permissions section there is a box that says 'Bypass IP Whitelisting.' You would click that box to select it with a check mark, and then click save. If it doesn't immediately work, have the user clear their cache and cookies, close and relaunch the web browser after checking for an update.
Similar to the above instructions, if you have an entire 'Employee Type' you don't want the IP Whitelist to apply to, you can go to Edit > Setup > Employee Types. Select the Employee Type and then click 'Edit.' There is the same box above the permissions labeled 'Bypass IP Whitelisting.' Check that box and then make sure the permissions are all correct and click 'Push to Employees.' After clicking 'Push to Employees' a dialogue box will appear asking to confirm your selection. If you do want to push the changes to all Employees of that type, click 'Push to Employees.' Then make sure to click the green 'Save' button to save the changes. This way, whenever you enter a new employee in the selected type, they will already have the 'Bypass IP Whitelisting' selected, unless you unselect it while creating their Employee Profile.
As always, if you have any further questions please do not hesitate to reach out to Cloud 9 Support by emailing us at cloud9support@planetdds.com, or chatting us online using the chat bubble on the lower right at https://cloud9support.planetdds.com/hc/en-us, or giving us a call during our business hours of 8:00 AM EST to 8:00 PM EST at the 1.800.394.6050 option 2.