Timeclock Hosts

AngelTrack's timeclock requires employees to be physically present at one of your stations in order to clock in and out. This document describes how AngelTrack knows whether your employees are at one of your stations.


How Does AngelTrack Know Employees are Present at a Station?

You may be wondering whether AngelTrack uses GPS locations to decide whether employees are present at a company station.

The answer is no, it does not use GPS locations, because those can be easily spoofed using a web browser's F12 developer mode. And anyway, some computers and mobile devices do not have GPS at all. So GPS is not suitable for this purpose.

Instead of checking GPS, AngelTrack decides whether employees are present by checking something that cannot be spoofed: their IP address.

Because AngelTrack lives on the internet, it can see the IP address that each employee is using to reach the internet. By comparing these IP addresses to the list of your stations' IP addresses, AngelTrack knows which employees are connecting through one of your stations. Since the employee must be physically present in order to do that, this is a suitable qualification for using the timeclock.

For this to work, you must tell AngelTrack the IP addresses of your stations.

Employees can use their smartphones to clock-in and -out

Once an employee's smartphone has connected to a station's WiFi network, the smartphone's internet access makes use of the station's IP address. AngelTrack will therefore allow the smartphone to clock-in and -out.

As soon as the employee departs the station, their smartphone must disconnect from the station's WiFi, and once that happens, AngelTrack will no longer allow clock-in and -out.


Add All Your Stations to the List

The list of timeclock hosts specifies the IP addresses (or ranges of addresses) from which employees are permitted to clock-in and -out. Specify the internet-facing addresses of your headquarters and all of your stations, so that employees can clock-in and -out at those locations using their mobile device, or by using a computer connected to the station's LAN.

This screenshot shows a fully configured timeclock: the "allow any address" entries are disabled, and each company building has an entry...

Timeclock allowed hosts

Once that's done, all workstations and mobile devices that are connected to those networks will permit clock-in and -out. Some employees will require training in order to understand that their mobile device must connect to the company-owned wireless network in order to clock-in and -out... being physically present inside the company building is not enough.

If you do not know a station's IP address, then use one of its computers to connect to AngelTrack, or use your mobile device to join the station's WiFi network and then connect to AngelTrack. The Timeclock Hosts page will then see you connecting from the station's IP address, and so just add it as an allowed location.

You can also call someone who is at the station, and ask them to connect to http://whatismyipaddress.com and then read off the numbers to you.


Static and Dynamic IP Addresses

If your station's internet connection has its own static IP address, then simply input that address into AngelTrack as an approved clock-in location. A static IP address is guaranteed to never change, so you're all done.

Most stations do not have a static IP address. Instead they have a dynamic IP address, also known as a "DHCP address". Dynamic IP addresses change over time. They usually change once a week, or perhaps once a month. One week it might be 198.51.100.65, and then the next week it might be 198.51.51.188.

The assigned addresses are random, but they will always fall within a certain range. In this example, the range is probably 198.51.something.something.

You can configure AngelTrack to allow clock-in from any address within that range: simply input "198.51/16" as the allowed IP address. The "/16" on the end means that only the first 16 bits of the address: the "198" in this example is 8 bits and the "51" is another 8 bits, 16 bits total.

The same applies to IPv6 addresses, if your internet service has made the switch. AngelTrack accepts IPv6 addresses just like traditional IPv4 addresses, except that an IPv6 address must contain at least one colon. You can still specify a /bits value, and any number (even all 128) can be considered.

Don't be fooled by your NAT address

Most company networks use a NAT router, which means that computers on your local network do not know their real IP address as seen from the internet. If you ask your computer for its IP address, it will respond with "10.1.10.104" or "192.168.0.115" or some such. That is not its real IP address as seen from the outside world. Your computer does not know its real IP address as seen from the outside world.

This is the doing of your internet modem/router -- the device that connects you to your ISP.

Your AngelTrack cloud server is on the internet, and it can therefore see your real IP address; it will be shown as "Your current IP address" on the right-hand side of the page. It is this real IP address, not the artificial NAT address used within your local network, that must be specified as an approved clock-in location.

Checking everyone's IP addresses at once

If you would like to see the IP addresses in use by all of your employees, visit the Heartbeat page under Settings. It lists all employees whose computer or mobile device has interacted with AngelTrack within the last two minutes.

You can click any IP address in the list to check which ISP it belongs to. You will probably see some employees at your station, and other employees on cellular (mobile) networks. It is the station's IP address that goes into the list of timeclock hosts.


Does Your ISP Change Your IP Address Too Often?

If your ISP keeps changing your IP address, and you are tired of adding more and more entries to this list, then call your ISP and rent a static IP address.

They usually cost just a few dollars per month, and they are guaranteed to never change. In fact you can specify the exact address they assign, rather than a /16 or /24 range of addresses.


Setting Up Other Timeclock Locations

If you use restaurants, coffee shops, hotels, libraries, or fire stations as posts, you can allow employees to use the timeclock from there. Simply visit the location, connect to their WiFi, and add their internet address to the list exactly as you did for your own station.

Be sure to give each location a descriptive name, so that you can disable and enable them later, as your posts change.


Exempting Certain Trusted Employees

You can exempt individual employees from these restrictions, allowing them to clock-in and clock-out wherever they please.

Visit the employee's Employee File page and select the "Privileges" tab. You must be an Administrator to grant or revoke the privilege.


Restoring the Timeclock's Unrestricted State

When initially deployed, AngelTrack allows unrestricted clock-in and -out. This is done using a pair of "all IP addresses" entries in the list, one for IPv4 and one for IPv6. Best practice is to deactivate these two entries and set up a restricted list, as shown in the screenshot above.

If you later wish to bring the unrestricted entries back, simply re-activate them: untick the ☑ Hide inactive hosts checkbox, find the "All IPv4 hosts" and "All IPv6 hosts" entries, and reactivate them.



AngelTrack Help Index - AngelTrack Support