
IP Range / Country Restriction and Behavior

Allow login to CloudM Automate and your other services only from the specified IP ranges or whitelisted countries. You can configure how to handle users' login attempts from other addresses.

Admin users can always login via


To access these options, select Directory > Password & Login Controls and choose the Organizational Unit or Smart Team that you wish to set the access time for. Then, select the User Login Controls tab and scroll down to the IP Range Restriction / Country Restriction and IP Range Restriction Behavior / Country Restriction Behavior sections.



IP Range / Country Restriction policies can be:

  • Organizational Units - Set for the root OU and inherited, or explicitly set for each OU. 
  • Smart Teams - Set to Enable to apply the policy to all users in the Smart Team, or to Disable to force the policy to be set by the next Smart Team (set to Enable) they are part of, or the Organizational Unit if the user isn't part of any enabled Smart Team. 


IP Range / Country Restriction

In the IP Range Restriction section, select Add and enter the IP range required. You can add multiple ranges.

  • Address ranges must be specified in CIDR format (e.g. for IPv4 or FE80::202:B3FF:FE1E:8340/94 for IPv6).


In the Country Restriction section, select Add and enter a country that you want to allow access from. You can add multiple countries.


IP Range / Country Restriction Behavior

In the IP Range / Country Restriction Behavior sections, define what happens when the login request comes from an IP in an unknown range or from a country not on the approved list. Use the drop-down menu to select whether to Prevent Login or Challenge User. For logins outside the specified IP ranges, you can also Apply Country Rules.

If Challenge User is specified, then the user will only be allowed access if they have 2-step verification and / or password recovery answers configured and they correctly answer the challenge.

Alternatively, the country-based restriction rules can be applied so that users can still log in when they are in an approved country, or the login can be prevented regardless of other settings.

  • Once a user has successfully logged in, their IP is logged and future attempts from that IP for the next month will be allowed, regardless of changes to the allowed IP ranges.
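The decision flow described in this section, modelled as an added Python example (not CloudM's code). Assumptions: the behavior options are written as plain strings, countries are ISO codes, "the next month" is 30 days, and the country behavior setting decides the outcome when Apply Country Rules finds no approved country.

```python
import ipaddress
from datetime import datetime, timedelta

REMEMBER_FOR = timedelta(days=30)  # assumption: "the next month" modelled as 30 days

def in_ranges(ip, cidrs):
    """True if ip falls inside any configured CIDR range (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    # strict=False accepts ranges written with host bits set, as in the
    # article's IPv6 example; strict parsing would reject that entry.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate(ip, country, policy, remembered, now):
    """Return 'allow', 'challenge' or 'deny' for one login attempt."""
    last_ok = remembered.get(ip)
    if last_ok is not None and now - last_ok <= REMEMBER_FOR:
        return "allow"  # remembered IP: current ranges are not consulted
    if in_ranges(ip, policy["ip_ranges"]):
        return "allow"
    behavior = policy["ip_behavior"]
    if behavior == "apply_country_rules":
        if country in policy["countries"]:
            return "allow"
        behavior = policy["country_behavior"]  # assumed fallback
    return "challenge" if behavior == "challenge_user" else "deny"

def resolve_challenge(has_2sv, has_recovery_answers, answered_correctly):
    """A challenge only succeeds if a factor is configured and answered."""
    ok = (has_2sv or has_recovery_answers) and answered_correctly
    return "allow" if ok else "deny"

# Constructed sample policy (documentation-reserved addresses, ISO country codes)
POLICY = {
    "ip_ranges": ["203.0.113.0/24", "FE80::202:B3FF:FE1E:8340/94"],
    "countries": ["GB"],
    "ip_behavior": "apply_country_rules",
    "country_behavior": "challenge_user",
}

if __name__ == "__main__":
    now = datetime(2024, 6, 1)
    remembered = {"198.51.100.9": now - timedelta(days=10)}
    print(evaluate("203.0.113.7", "US", POLICY, {}, now))
    print(evaluate("192.0.2.44", "US", POLICY, {}, now))
    print(evaluate("198.51.100.9", "US", POLICY, remembered, now))
```

The third call shows the consequence of the one-month rule: removing a range from the policy does not cut off an address that logged in successfully within the past month.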

    Can I set up multiple Country / IP restrictions or use both at the same time?


    Just be sure to enable all networks and related countries on both; if they are not enabled on one side, users could potentially be blocked from logging in.


    Does the Country/IP I am specifying blacklist or whitelist?

