"SEB Is Locked!" screen showing up during the exam #51

Closed
t00 opened this issue Feb 20, 2020 · 14 comments

@t00

t00 commented Feb 20, 2020

I received a report from 2 different schools about the iOS app showing a red screen SEB dialog all of a sudden while taking the exam. In the first case it happened to less than 1% of students, in another case it happened to 13% of students!

Initially I thought it might be due to a check for a hash in the User-Agent header, which we do for every request and redirect to the SEB settings download page. I thought SEB might have skipped updating the header for a request, but after looking more into it, it is not possible, as the next request we are getting is downloading SEB settings from https://<GLOBAL_CONFIG_URL>/safeexambrowser/SEBClientSettings.seb, and while testing reconfiguring SEB manually during the exam, SEB correctly complains with the dialog "Loading New SEB Settings Not Allowed!" instead of displaying the red screen.

The issue is only present on iOS SEB 2.1.14, not sure about previous versions. We have not had any reports for Windows or Mac installations.

Do you have any ideas what could have gone wrong? I briefly checked the 2.1.14 codebase but I could not find a way to disable this screen or how it can be triggered. We don't have any special quit URLs configured and as far as I know, all are empty.

Please find below a screenshot of the problem and a test config file we use.

https://gist.github.com/t00/dedc067667248eebc4b01da7393ae38f

[Screenshot: SEB Is Locked]

@danschlet
Member

So if it really was this "SEB is Locked!" red screen, then I can guess what happened. Please note that in 2.1.14 there is another possible message on such a red lock screen, which can be triggered in case someone tried to build and use their own SEB version.

This screen, as the log message "Re-opening an exam which was locked before" suggests, is displayed when starting an exam session (= settings containing a quit password are used), which wasn't ended properly before. Ending properly means using a Quit Link or the quit button. If SEB crashes during an exam or the student restarts the iPad during the exam session and then tries to start the same exam (settings with the same startURL) again, then this screen is displayed.

In the screenshot, the log shows that an exam session was started at 9:34. Then SEB was terminated somehow (crashed or device restarted) and at 9:45 the student tried to start the same exam session again.

It would be interesting to know what happened after the exam proctor/invigilator/supporter entered the quit password to unlock SEB. Did they just let the student start the exam again? Does your exam system log when students start the exam (an attempt) and does it prevent them from starting another attempt later?

I guess you know that when the AAC single app mode is used, it can be ended by restarting the device. On supervised iPads, it's possible to configure that SEB can invoke the managed single app kiosk mode ASAM. In this kiosk mode, when devices are restarted, the app which started the kiosk mode is automatically launched again. So ASAM is more secure (also no message to allow AAC to lock the device is displayed).

Please let me know what you find out about these cases. It would be interesting to know if some students found out that they can restart their iPads during the exam, search some answers and then tried to restart the exam again.

@danschlet
Member

Also note that the iOS version has an easy option to send log files by email to us (or to yourself first). Open the "About SEB" view (from the left side menu or by tapping the SEB icon on the "Options to start an exam or configure SafeExamBrowser for your institution" screen). Scroll all the way down and tap "Send Logs to SEB Developers". The iPad needs to have a mail account set up for this to work. If you send the logs to us, add some comment in the mail body, as we ignore logs sent without any error description.

@danschlet
Member

Btw., are those schools really still using SEB 2.1.14? The current version for iOS is 2.1.15 (released September 19). We don't support any older versions anymore (on none of the platforms, but definitely not on iOS...).

@t00
Author

t00 commented Feb 20, 2020

Sorry I got confused with the version number - the problem indeed occurred on 2.1.15, on iOS 13.3 as well as 13.1.2 and 12.4.3 as I checked in the logs we have.

I can safely assume students without staff directions did not restart iPads provided by uni nor reported any crashes, this was a small exam with 50 or so candidates, well monitored and 9 of them had the same issue.

In the logs I could see that SEB downloads client settings (not exam settings) sometimes just 30 seconds and up to about 3 minutes, depending on one of 9 cases, after student proceeds to the next question. It happened after different time intervals from taking the exam - on the screenshot attached about 12 minutes from starting the exam. Keep in mind students were successfully answering multiple questions during this time.

This made me wonder if SEB by any chance tries to download client settings again (does it remember the original settings URL?) from https://[SERVER]/safeexambrowser/SEBClientSettings.seb and it does that using the following user agent string: SEB/11907 CFNetwork/978.0.7 Darwin/18.7.0

After loading exam settings, they use the following user agent string:

Mozilla/5.0 (iPad; CPU OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Version/12.1.2 Safari/605.1.15 SEB/2.1.15 [HASH FOR SECURITY]
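
The manual log check described in the comment above, as an added example that is not part of the original thread or of SEB's own code: it flags client-settings downloads made with the app-level `CFNetwork` user agent shortly after exam web-view traffic from the same IP. The log layout, the `/exam/...` paths, the 10-minute window and the one-device-per-IP assumption are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

SETTINGS_PATH = "/safeexambrowser/SEBClientSettings.seb"  # path quoted in the issue
NATIVE_UA = re.compile(r"^SEB/\d+ CFNetwork/")        # app-level downloader
WEBVIEW_UA = re.compile(r"^Mozilla/5\.0 .* SEB/\d")   # exam web view
LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')   # assumed log layout

# Constructed sample log: IP, ISO timestamp, path, quoted user agent.
_WEB = ("Mozilla/5.0 (iPad; CPU OS 13_3 like Mac OS X) "
        "Safari/605.1.15 SEB/2.1.15 CONSTRUCTED-HASH")
_APP = "SEB/11907 CFNetwork/978.0.7 Darwin/18.7.0"
SAMPLE_LOG = "\n".join([
    # Initial configuration before the exam: expected, not flagged.
    f'10.0.0.5 2020-02-18T09:20:00 {SETTINGS_PATH} "{_APP}"',
    f'10.0.0.5 2020-02-18T09:34:00 /exam/question/1 "{_WEB}"',
    f'10.0.0.5 2020-02-18T09:44:10 /exam/question/7 "{_WEB}"',
    # Settings fetched 30 s after an exam page: the pattern from the report.
    f'10.0.0.5 2020-02-18T09:44:40 {SETTINGS_PATH} "{_APP}"',
    f'10.0.0.9 2020-02-18T09:35:00 /exam/question/1 "{_WEB}"',
    f'10.0.0.9 2020-02-18T09:50:00 /exam/question/9 "{_WEB}"',
])

def find_mid_exam_settings_fetches(log_text, window=timedelta(minutes=10)):
    """Return (ip, timestamp, seconds_since_last_exam_request) for every
    client-settings download that follows exam traffic within `window`."""
    last_exam_hit = {}   # ip -> time of the latest web-view request
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue     # skip lines that do not fit the assumed layout
        ip, ts, path, ua = m.groups()
        when = datetime.fromisoformat(ts)
        if WEBVIEW_UA.match(ua):
            last_exam_hit[ip] = when
        elif path == SETTINGS_PATH and NATIVE_UA.match(ua):
            prev = last_exam_hit.get(ip)
            if prev is not None and when - prev <= window:
                gap = int((when - prev).total_seconds())
                findings.append((ip, ts, gap))
    return findings

if __name__ == "__main__":
    for hit in find_mid_exam_settings_fetches(SAMPLE_LOG):
        print("settings re-download during exam:", hit)
```

Devices behind a shared NAT address would need a session cookie or similar key in place of the IP.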

@danschlet
Member

Hmm, wait, where is that user agent string "SEB/11907 CFNetwork/978.0.7 Darwin/18.7.0" coming from? Is that just an example you used, or was there somewhere "CFNetwork/978.0.7 Darwin/18.7.0" in a user agent string?

Was MDM managed configuration used to deploy client settings to these iPads? I realized that somehow the MDM seems to resend those managed settings, maybe only to some devices (I don't have enough cases to determine the reason). It seems independent of the MDM used (happened both with macOS Server Profile Manager and Jamf Pro).

SEB 2.1.15 should not reconfigure itself during a running exam session (when settings saved with "for starting an exam" were used to start an exam), even if settings from the MDM are received during the exam. It should also not happen when just using the client settings with a quit password set, but I would guess that there is a bug in SEB 2.1.15, I already fixed some possible issues when repeatedly receiving managed configuration from the MDM in the 2.1.16 beta.

I would guess that this is the reason for the issue you were observing. I tried to find information why the MDM would send the managed app configuration repeatedly, but didn't succeed.

@t00
Author

t00 commented Feb 20, 2020

I was just checking what is available in logs coming from the student's device IP address and we are luckily logging user-agent used when requesting settings from our server.

I am not aware of any MDM managed configuration or at least I was not informed about it - and that might be the source of the problem in the first place - deploying client settings to devices configured to say every 15 minutes.

We don't have any passwords in client settings, just exam and these cannot be modified outside of automatically generated by our exam app so fiddling with settings is not an option as well. It actually sounds wonderful about a bug fixed already as I was pulling out my hair while trying to understand what is happening :)

I will ask about MDM and that is a good starting point - thank you for explaining the possible issues, it starts to make sense!!!

@t00
Author

t00 commented Feb 25, 2020

After a chat with the client it seems that iPads are not centrally managed and it is up to students to update them and install / upgrade the Safe Exam Browser, manually! Under these circumstances, do you have any idea what could be happening other than MDM which causes SEB to download client settings during the exam?

@danschlet
Member

danschlet commented Feb 25, 2020

No. Please provide me the full logs of some of those iPads.

@t00
Author

t00 commented Feb 25, 2020

Thanks, much appreciated. I will instruct them to do so through me so you won't have to guess what the log is about.

@danschlet
Member

It's a very weird issue, but I hope we can solve it quickly and include it in the 2.1.16 update.

@t00
Author

t00 commented Mar 5, 2020

Just an update - still waiting for a client to provide us with logs - not sure how long this might take :(

@danschlet
Member

I still think that the cause of the reconfiguration was that those devices had SEB (maybe a previous version) installed by a mobile device management system. It seems that the MDM app configuration is still pushed to devices, even if SEB is removed and afterwards installed normally through the App Store. Only if the App Configuration payload is removed in the MDM, then the config isn't pushed repeatedly to devices anymore. I can't figure out any other reason why SEB should reconfigure during an exam (and no one else reported such a case).

Well anyways, I fixed possible issues with the MDM app configuration feature, so it would never reconfigure SEB while an exam is running. If I don't get any negative feedback, I will release the current TestFlight build in the App Store later this week.

@t00
Author

t00 commented Jul 2, 2020

I did not receive any logs from them unfortunately. Unless you have any suspicions about the code causing the red screen to appear, feel free to close this issue as it might not be possible to get these logs.

@danschlet
Member

I expect this issue was fixed with SEB for iOS 2.1.16, closing for now.
