Use of Browser Exam Key if "Yes - Upload my own config" is selected

[danschlet]

1. Create a quiz
2. Set "Require the use of Safe Exam Browser" to "Yes - Upload my own config"
3. Upload a config file
4. Enter one or several Browser Exam Key hashes, which you copied from the SEB Config Tool/Preferences window for this config file in the field "Allowed Browser Exam Keys"
5. Don't change neither setting "Enable quitting of SEB" nor "Quit password"
6. Access to the exam should be granted

It is important, that users can upload their own config and use the Browser Exam Key feature, as that key provides better protection agains students using a manipulated SEB binary or a wrong version. But as the key has to be copy-pasted from the SEB client (configuration tool or in-app Preferences/settings).

Therefore in the mode "Yes - Upload my own config", place a message (for example right underneath the field Browser Exam Key) “If you add Browser Exam Keys, you must leave the password field in Moodle empty and not change the setting 'Enable quitting of SEB’”

[dmitriim]

It feels like this needs more discussion. Not sure if any messages is a good way to avoid user mistakes and confusion. Maybe after submitting we should validate if the password is not empty and if it is to force users to clear Browser Exam Keys field as they won't work anyway and/or suggest to clear password field?

[danschlet]

After further discussion, we actually don't think either of these solutions are intuitive and both have the risk of user confusion. I would suggest another solution:

Add a boolean selection "Use Browser Exam Keys", by default set to "No" (disabled).

• When this option is disabled, then the text box "Allowed Browser Exam Keys" isn't displayed. The option "Enable quitting of SEB" and the field "Quit password" are displayed.

• When this option is disabled, then the plugin uses the entered quit password and the setting "Enable quitting of SEB".

• When this option is enabled, then display the text box "Allowed Browser Exam Keys" and hide the option "Enable quitting of SEB" and the field "Quit password".

• Optionally a message could be displayed "The quit password from the uploaded config is used"

• If the option "Use Browser Exam Keys" is enabled, then the uploaded config file is sent unmodified to the SEB browser.

• If the user attempts to save settings without entering a Browser Exam Key, the plugin should notify the user that at least one is required.

This seems like the clearest solution to me, avoiding confusion and user mistakes. What do you think, @lucaboesch (as you are representing BYOD scenarios here)?

[dmitriim]

@lucaboesch any input from your side?

[lucaboesch]

Dear Dmitrii and Daniel. The proposal by Daniel is thought through very well. I would approve that approach, if it wasn't giving too much work. User confusion minimizing is one thing, the other is how to explain settings to users in a manual. And the proposal by Daniel is helping here.

Best, Luca

[nhoobin]

For the item

If the option "Use Browser Exam Keys" is enabled, then the uploaded config file is sent unmodified to the SEB browser.

We still modify the uploaded config file as we want to set the start URL to the current quiz, is that still the use case here?

If people were to upload any SEB file then the start URL could be anything, potentially unrelated to the quit itself.

[lucaboesch]

@danschlet, ETHZ, what do you think? My opinion is that Nicholas is right. It should be more precisely

If the option "Use Browser Exam Keys" is enabled, then the uploaded config file is sent unmodified to the SEB browser, but the start URL is adopted to lead to the current quiz.

If anyone wants to distribute SEB config files to lead to any other place, they should distribute them the way they are distributing them nowadays.

[lucaboesch]

I did "Close and comment" instead of "Comment" by mistake.

[danschlet]

Argh, I forgot that it’s necessary to modify the start URL. Ok, that makes it a bit more complicated for the user which wants to set up the exam using a Browser Exam Key:

1. Upload config file
2. Start/preview quiz and use the Download Configuration button to download the final config, where the start URL has been adapted to the quiz
3. Open that config file in SEB Preferences or SEB Config Tool and copy-paste its Browser Exam Key to the settings of that quiz

Unfortunately, using the Browser Exam Key is a bit cumbersome...

[lucaboesch]

I did run a test right now.

It turns out I have to manually add the URL mod/quiz/startattempt.php and mod/quiz/attempt.php* too in order to make the attempt work.

login/ as well, but that one could be different depending on your Moodle's setup. In an ideal world, wouldn't mod/quiz/startattempt.php and mod/quiz/attempt.php automagically be added?

Either this or we'll document this very well.

[danschlet]

One moment, are you talking about the URL filter? If yes, that doesn't have anything to do with this issue, you should maybe create another issue.

[lucaboesch]

Yeah, you're right, that's going to be a follow-up, Daniel.

[danschlet]

(We can move this comment if we create a separate issue about URL filters)

SEB automatically only allows the start URL. If the start URL is https://example.com/moodle, then everything in the /moodle/* directory is allowed (without having to create a separate URL filter). If the start URL is https://seb-demo.catalyst-au.net/mod/quiz/view.php?id=64, then SEB allows only exactly this URL, as SEB cannot assume which URLs can be allowed or not (like https://seb-demo.catalyst-au.net/mod/quiz/view.php or https://seb-demo.catalyst-au.net/mod/quiz/ or https://seb-demo.catalyst-au.net/mod).

The Moodle plugin knows how Moodle's URL structure works, so it would be possible that the plugin would automatically add URL filter rules to allow accessing the whole quiz (including startattempt.php and attempt.php). But you still might have to add URLs like the AAI (Shibboleth) single sign-on home organization servers.

[dmitriim]

@danschlet @lucaboesch Sorry, but it's not clear what we need to do here. Do you need more time to discuss the requirements?

[danschlet]

@dmitriim So regarding the actual issue (Use of Browser Exam Key ...), everything should be ok and you can let us test it. The initial question was

If the option "Use Browser Exam Keys" is enabled, then the uploaded config file is sent unmodified to the SEB browser. We still modify the uploaded config file as we want to set the start URL to the current quiz, is that still the use case here?

It's ok that you modify the uploaded config. I updated the specification.

For the URL filter issue we have to open a separate issue.

[dmitriim]

@danschlet in this case do you still need to change form/settings behaviour as regardless anytime using BEK a teacher would need to download file and regenerate new keys? Or maybe we should prohibit using BEK for everything except Yes – Use SEB client config?

[danschlet]

@dmitriim I think we still should offer the option for "power users" to use their own uploaded config and the Browser Exam Key (BEK), we just have to document the correct process/workflow well. Using an uploaded individual config has the advantage that educators can secure particular exams more strictly (for example when they are testing IT students which could try to use a manipulated SEB version, then the BEK could give them a bit more control.

If you didn't implement the change for the form/settings behavior yet, I would suggest to leave it. As the config needs to be modified for the start URL anyways, then we can also allow to change the quit password in quiz settings.

I wonder if it would be complicated to add a "Download Final Configuration" button in the quiz settings, just above the Browser Exam Key text field, maybe with a remark "Use this configuration to calculate the Browser Exam Key"? Then the teacher wouldn't have to change his role to "student" and start the exam to download the exam configuration file.

What is your opinion, @lucaboesch? We can also discuss this if it makes it easier to understand/assess.

[dmitriim]

Thanks @danschlet ! Closing this one off... Please open one related to URL filters and let us know how would you like to change their behaviour.

[dmitriim]

@danschlet @lucaboesch I have added feature to let teachers (those who can bypass SEB) to download SEB config easily. They see a link on a view page.

[danschlet]

@dmitriim That looks great! Will make it easier for them to download the SEB config for generating the Browser Exam Key. I will help to document this properly (for each SEB platform, Windows, macOS, iOS) and I'm trying to improve the usability of getting the Browser Exam Key out from the SEB clients.