Safe Exam Browser – SEB for Windows opens a web browser window without navigation elements and locks the computer into a kiosk mode, which prevents from switching to other applications or quitting SEB untimely. SEB enables secure exams on unmanaged computers like students' own laptops as well as in managed environments. Currently SEB integrates with the wide spread learning management systems (LMS) Moodle, ILIAS and OpenOLAT and several commercial and non-commercial exam systems, as for example Inspera Assessment. Generally it can easily be used with most web-based online quiz and e-assessment systems.

The following manual explains how to configure and use SEB for iOS from the perspective of exam administrators. SEB is a very flexible and modular tool, therefore documentation for examinees on how to use SEB with individual exam setups and the various exam systems it works with should be provided by the institution using SEB or their e-assessment provider.

SEB disables the options of the Windows Security Screen (invoked by pressing Ctrl+Alt+Del), namely Lock this Computer, Switch User, Log off, Change a password, Start Task Manager, Shut down and Ease of Access. It disables the Start Menu (button in the lower left corner of the screen) with its submenus Shut down / Undock / Switch user / Log off / Lock / Restart / Sleep / Hibernate, the Task Switcher (invoked by Alt-Tab and Windows-Tab), printing. It can also be set whether users can quit SEB and if it is required to enter a quit password to do so.

Its possible to configure SEB to quit after the exam is submitted without having to enter a quit password by specifying a quit link and placing this on the summary page displayed by the LMS after submitting the exam.

In the browser window there is no right mouse (or Shift-F10) click popup window available. Besides that, the browser is supporting Quicktime, Java and Flash content (as long as the required plugins are installed on the system).

SEB detects when it was started in a virtual instead of a native environment and refuses to run. This virtual machine detector hinders manipulating SEB further when used in unmanaged environments.

SEB for Windows is based on the Mozilla Firefox/XULRunner/Gecko engine (in contrast to the WebKit browser engine used by SEB for macOS, which is also used by Safari and some open source browsers).

SEB for Windows can be used together with additional (third party) applications during an exam. You can download and open files linked in your online exam, edit it in a third party application and then upload the results to your online quiz/LMS again.

From version 2.0 SEB uses encrypted .seb setting files which allow to individually configure SEB per exam.

Also see the preliminary how to use SEB 2.0 document explaining the concept behind SEB 2.x and its new features.

Please understand that you also have to configure your exam system correctly to be locked down securely. SEB is generally locking down exam client computers only, not the exam system or the quiz module of a learning management system. Check documentation for your exam/learning management system on how to lock it down correctly.

Some learning management systems require plugins to be installed to fully support secure exams taken with SEB, others have built-in support.

SEB support in Moodle has the following objectives:

  1. Don't display any links during an exam which would allow to navigate to other sections of Moodle or even other websites. This means the course navigation, link to the user's Moodle profile, logout, link to the University homepage etc. needs to be disabled/hidden. Only the quiz navigation (to navigate to other questions) and the "Finish attempt..." link should be visible
  2. Make sure a quiz can only be taken using Safe Exam Browser, display an error message if trying to open the quiz in another web browser.
  3. Optionally check if the correct version of SEB and legitimate SEB settings are used.

There are two options how to activate SEB support in Moodle. Both achieve the above objectives 1 and 2. Only the second option also ensures objective 3 is met:

  1. Enable the "classic" SEB support in Moodle: How to activate the SEB secure browser mode in a Moodle quiz. Then configure the quiz at Administration / Quiz administration / Edit settings / Extra restrictions on attempts / Browser security / Require the use of Safe Exam Browser. This option uses only a basic, not very secure check for the used browser. This may be safe enough if students can only access the exam from centrally managed university computers inside a computer lab/exam room. For other scenarios like BYOD you should use the second option.
  2. Use the Browser Exam Key authentication in Moodle for the connecting SEB version and its settings by installing the quiz access rule plugin in Moodle. In addition you will have to copy the Browser Exam Key hash code string into the quiz settings (Administration / Quiz administration / Edit settings / Extra restrictions on attempts / Allowed browser keys). This key is generated by SEB when you save the settings you intend to use for the exam. As this key includes a hash (checksum) of both the saved exam settings and the code signature of the used SEB version, you may have to generate and copy several Browser Exam Keys into the Moodle quiz settings, for example one for the Windows version of SEB and one for the Mac version.

Sometimes hiding course navigation, link to the user's Moodle profile, logout etc. doesn't work as expected because some custom Moodle themes don't support the secure browser mode of Moodle correctly, they display links with which students can get out of the quiz during an exam. If this happens only with your customized theme and not the standard Moodle theme, then your theme is not implemented correctly. In that case you should fix the problem in your custom Moodle theme. You may also create URL filter rules which only allow to access the exam and no other parts of Moodle, but this is not trivial and we cannot provide you with any support on that.

You may find additional information and help in the discussion boards for SEB and Moodle.

You can find information about how to install the ILIAS plugin for SEB support here.

Please note that currently support for Safe Exam Browser in ILAS can only be switched on for some roles of a whole installation, not a single exam/course.

An assessment mode has been added to the OpenOLAT standard with the 10.2 release. The assessment mode allows course authors to limit the functionality and access of OpenOLAT courses for exam settings. An exam setting is not limited to online tests however, IMS QTI assessments, SCORM modules, external LTI 1.1 tools and all other OpenOLAT course elements can be configured for such an exam setting.

One of the many security features is the enforced usage of Safe Exam Browser. An exam setting can be configured with multiple Browser Exam Key keys.

No additional software needs to be installed in order to use the assessment mode together with Safe Exam Browser. The assessment mode is globally enabled / disabled in Administration -> Modules -> Assessment mode. Within the courses the configuration is done in the course menu.

More information and a video tutorial about the assessment mode.

More information about OpenOLAT.

You can download the SEB for Windows Installation setup program (also containing the SEB Windows configuration tool) here. Just start SafeExamBrowserInstaller.exe and follow the steps in the installation program.

SEB for Windows containing the main application executable SafeExamBrowser.exe and the configuration tool SebWindowsConfig.exe are placed in the SEB application folder named SafeExamBrowser which will be installed into the standard program folder of your computer (usually C:\Program Files or C:\Program Files (x86), depending on whether you have a 32-bit or 64-bit machine). Also a Safe Exam Browser program icon shortcut will be placed on your desktop.

When you start SEB, all currently running applications are hidden and all attached screens are covered with a dark blue background. On the main screen SEB opens its web browser window filling the whole screen (optionally the window can be resized and moved or switched to fullscreen). SEB opens the webpage at the preset Start URL, which might take some seconds. As default, as long as you don't set another Start URL (see Configuration), SEB for Windows opens the project web site.

SEB doesn't have any navigation buttons, but the optional reload button in the SEB task bar or the key F5 can be used to reload the current page.

To quit SEB (while it's using the default settings), just press the Quit button in the SEB task bar, keys Ctrl-Q or the red close button in the browser window. Quitting SEB can optionally be switched off or password protected, also the function key exit sequence which was used in former SEB versions is still supported optionally. When SEB quits, the applications which were running before starting it will get unhidden again (as long as settings didn't force to quit those applications).

SEB for Windows has a comfortable configuration tool which should be used for configuring SEB. You can find SEBConfigTool.exe in the SEB application folder SafeExamBrowser which is placed in the standard program folder of your computer (usually C:\Program Files or C:\Program Files (x86), depending on whether you have a 32-bit or 64-bit machine).

In the SEB configuration tool window, settings are grouped in several panes. There you can set the parameters described below.

  • In the General pane you'll find basic settings like the URL which SEB opens and the passwords to open a config file for editing and to quit/restart SEB. When first time using SEB, you might only have to change these general settings, as the default values for all other settings should reflect the more "secure" option.
  • Config File contains details about encryption of the SEB .seb configuration files plus all functions to deal with opening, saving, reverting, duplicating and applying settings. These commands can also be accessed in the menu bar above the tab bar.
  • User Interface contains general SEB user interface settings;
  • Browser all detail settings for the built-in SEB web browser.
  • Down/Uploads refers to file downloads and uploads;
  • Exam handles the connection to exam systems and exam specific settings.
  • Application is for handling permitted and prohibited processes;
  • Network about the URL filter, certificates and proxies;
  • Security contains detail settings about how SEB locks down security relevant system features.
  • Registry allows to control options in the Windows Security Screen invoked by Ctrl-Alt-Del and an option when using VMware Horizon View while SEB is running.
  • Hooked Keys controls blocking key and mouse commands.
  • Start URL: Full URL (starting with http:// or https://) of the page to open when SEB is started.
  • Administrator password: Password required to open a config file for editing in the config tool. You should set an administrator password if you don't want that someone could open and examine a .seb configuration file, after knowing the encryption credentials (for example after an exam).
    If you're using macOS SEB clients for exams as well, you definitely should set an administrator password, as otherwise students could open the preferences window (which is build into SEB for macOS) and change settings during the exam.
  • Confirm administrator password: Retype the administrator password. As long as it's not matching the administrator password typed in the field above, "Please enter correct confirm password" is displayed below and you cannot save the configuration file.
  • Allow user to quit SEB: If selected, Users can quit SEB with the Quit button in the SEB taskbar, by pressing the keys Ctrl-Q or by clicking the main browser window (the one that displays the exam) close button. Otherwise you can shutdown or reboot the computer. In a computer room in a university or school you could for example use some tool to shutdown or reboot all computers after a exam and therefore not allow students to quit SEB themselves at all. This setting has no influence on a Quit Link (if one is set, see Exam Pane).
  • Ignore exit keys: If selected, SEB ignores the exit keys and can only be quit manually by entering the quit password after clicking the Quit button in the SEB taskbar, by pressing the keys Ctrl-Q or by clicking the main browser window close button.
  • Quit/restart password: This password is prompted when users try to quit SEB with the Quit button, Ctrl-Q or the red close button in the main browser window (if not in full screen mode). If no quit password is set, then SEB just prompts "Are you sure you want to quit SEB?". The password is not prompted when using a Quit Link.
    This password is also prompted if the restart exam button is used (if activated and cofigured to be password protected, see Exam Pane).
  • Confirm quit/restart password: Retype the quit password. As long as it's not matching the quit/restart password typed in the field above, "Please enter correct confirm password" is displayed below and you cannot save settings.
  • Exit sequence: Function keys which have to be pressed and held down together to exit SEB. This works only if ignore exit keys is not selected. Some combinations don't work as Windows doesn't allow to use some keys/combinations, this also differs depending on hardware and key map, so you should test the exit key combination on all the clients you use. We recommend to no longer use exit keys, this feature will probably be removed in future SEB versions. Note: SEB for macOS doesn't support exit keys, so in mixed environments you should anyways prefer using a quit passwort for manually quitting SEB.
  • Use SEB settings file for ... starting an exam: A configuration file saved with this option will start the exam with the according settings, but won't change local SEB settings.
  • Use SEB settings file for ... configuring a client: A SEB settings file saved with this option is used to change local settings of a SEB client. This means, next time SEB is started by double clicking its shortcut from the desktop (or opening SafeExamBrowser.exe from the Program Files folder), it will use these settings.Usually you should encrypt it with the same password which is set as administrator password on the SEB client or none if there is no administrator password set on the SEB client yet (using an empty password prevents people from having to enter a password just when SEB is starting, unless you want this to prevent SEB being started unintentionally for example in a computer lab when there is no exam happening).
    When this .seb file is opened, for example by double clicking it in Windows Explorer, then SEB is started and settings from this file are copied into the file SebClientSettings.seb which is placed in the hidden Application Data folder of the current user (see below for exact path).

    You can also copy this file manually or with a deployment system one of the following directories:

                          

    C:\ProgramData\SafeExamBrowser\
    Exact path using Windows path variables:
    %PROGRAMDATA%\SafeExamBrowser\SebClientSettings.seb

    (valid for all users on a computer, writable only with administrator rights, has first priority)

                        

    C:\Users\<username>\AppData\Roaming\SafeExamBrowser\
    Exact path using Windows path variables:
    %APPDATA%\SafeExamBrowser\SebClientSettings.seb

    (writable with user rights, second priority)

    Please note: On a managed exam computer you probably should copy the default client settings file SebClientSettings.seb to the \ProgramData\SafeExamBrowser\ directory. If such a file exists in this location, this will be read by SEB with first priority and another file at the Local Application Data folder of the current user will be ignored. As the PROGRAMDATA directory usually is writable only with administrator rights, regular users cannot change the exam computer's default settings, which is the desired case on a managed computer.
    You should only use a client settings fileSebClientSettings.seb in the \ProgramData\SafeExamBrowser\ directory on deployed exam client machines, not on your admin workstation, as SEB will ignore all local client settings which you configure in the Config Tool ("Use Current Settings to Configure Client", "Revert Settings to Local Client Settings" and "Apply and Restart SEB" won't work as expected, see also below)!

  • Allow to open preferences window on client (Mac only): Usually you should disable the preference window on exam clients besides for debugging purposes.
  • Choose identity to be used for encrypting SEB settings file ... In this popup menu all identities (X.509 certificates with RSA public key and associated private key) in the Windows Certificate Store are listed, which can be used for encrypting and decrypting. Install that identity on your SEB clients, then they can decrypt .seb files encrypted with this certificate/key. You can also make identities available to specific computers in a network zone over the LAN without placing them physically onto the exam clients (ask your Windows network administrators about that). You can install identities on client computers using deployment systems or by embedding them into a .seb config file for configuring the client (see Network / Certificates pane).
  • Settings password: Password to decrypt the settings file, if one is set then it will be prompted when SEB reads the settings. Local client settings (saved on every exam client, at one of the two possible standard paths, see above) should be saved with the option "Use SEB settings file for ... configuring a client", so you (and examiniees when starting SEB) don't have to enter any settings password. Then a standard password is used for encrypting these settings. This is not very safe, but you should anyways not store any really secret information (like critical admin and quit passwords or a secret exam URL) in the local client settings, for that you should use separate settings files saved with the option "Use SEB settings file for ... starting an exam".
  • Confirm settings password: Retype the settings password.
  • Open Settings... Lets you choose a .seb settings file which will be loaded into memory, so you can edit the settings.
  • Save Settings (As...) Saves the SEB settings using the same file name or lets you choose a file name and location for the SEB settings file. You have to either enter a password or choose a cryptographic identity with which the SEB settings file will be encrypted. Use the saved encrypted settings file to either start the exam in SEB or to change the local settings of a SEB client, depending on the Use SEB settings file for ... option.

Revert Settings to…

  • Default Settings: After the user confirms, settings are reset to the default settings. The options for default settings are in general set to a safe, most common value, so usually you can start using the default settings and just customize options which you need for your exam scenario.
  • Local Client Settings: After the user confirms, revert to the local client settings.
  • Last Saved: After the user confirms, settings are reverted to the last ones saved or loaded.

Use Current Settings to…

  • Edit Duplicate: Creates a duplicate of the current settings and continues editing those.
  • Configure Client: Configures the client using settings from the .seb file which is currently being edited (overwriting current local client settings) and SEB switches to editing local client settings.
  • Apply and Restart SEB: Saves current settings, closes the SEB Config Tool and starts SEB. If local client settings were edited, then SEB is started and loads those (same as when double clicking the SEB icon). If some config file was edited, then SEB is started as when double clicking that .seb config file.
    Note: If you're editing client settings (at %APPDATA%\SafeExamBrowser\SebClientSettings.seb) and there is also a client settings fileSebClientSettings.seb in the \ProgramData\SafeExamBrowser\ directory, then Apply and Restart SEB does not apply the currently edited file, as this function simulates what will happen when you start SEB either by clicking its icon (starting the application directly, then client settings are used) or by opening another SEB config file (then SEB is started opening those settings inside that config file). You should only use a client settings fileSebClientSettings.seb in the \ProgramData\SafeExamBrowser\ directory on deployed exam client machines, not on your admin workstation!
  • Use browser window: Use a window for the SEB browser which can be scaled and moved around, also to another screen when available. One advantage of using a browser window is that if you're using a large wide screen display, some web pages may not be ergonomic to read. With the scalable browser window you can adjust the width of displayed web pages.
  • Use full screen mode: Display the SEB browser full screen. Full screen browser mode should mainly be used with exam systems which display everything in one main window and don't open auxilary windows: When a web page opens in a new window, this will be hidden behind the full screen main browser window when the user clicks into that. From SEB 2.1 you can access single windows in the SEB task bar (click on the SEB icon) or with Alt-Tab.
  • Touch optimized: Enables the touch optimized mode for Windows tablet computers (for Windows 8.1 and 10) featuring:
    • Larger buttons in the SEB task bar
    • Touch optimized message boxes (alerts, dialogs) with larger buttons
    • The Winodws on-screen keyboard is displayed when the user touches a text field on a browser page or when SEB asks to enter a password.
    • New web pages open in full screen 'windows', switch between open pages with the open windows chooser popup menu invoked by tapping the SEB icon in the SEB task bar. With the close button below each window in this window chooser you can close open browser full screen 'windows'.
  • Enable touch exit: When enabled, SEB can be quit in touch optimized mode with a swipe down from the upper display edge (helpful when the SEB task bar with the quit button is not used).
  • Automatic on-screen keyboard behavior: Controls when SEB displays the on-screen keyboard.
    • Always show
    • Never show
    • Detect physical keyboard: If a physical keyboard is connected, SEB doesn't show the on-screen keyboard.
  • Main browser window size and position: You can set the width and height of the main SEB browser window as absolute pixel values or a percentage of the screen width or height. You can enter the dimensions (in pixels or percent values) in the text field or select one of the predefined values in the pop down menu.
  • Horizontal positioning: You can choose how the window will be positioned horizontally if it doesn't fill the full screen width: Left, Center, Right.
  • Enable browser window toolbar (Mac only): Indicates if a toolbar is displayed on top of the browser window which can also be hidden by the user if it's disturbing.
  • Hide toolbar as default (Mac only): After SEB starts, the browser window toolbar is hidden. Users can unhide the toolbar in the view menu or the contextual menu on the browser window title bar.
  • Show menu bar (Mac only): The menu bar can be used in SEB for macOS to access menu bar widgets like changing keyboard layouts, re-connecting to a WiFi network etc.
  • Show SEB task bar: Usually to be used when you permitt third party applications, which are displayed as icons. Clicking on the icon of an application starts it (if it wasn't running yet), brings the application to foreground or maximizes its window if it was minimized before. The task bar is not required, users can also switch to third party applications using the task switcher with keys Alt-Tab. But if users quit a third party application, they can restart it only by using its task bar icon (or by opening a file which is linked in an exam and gets opened by that application).
    • Task bar/dock height: Task bar height in pixels can be changed for high resolution displays (display DPI settings are now also taken in account, in touch optimized mode task bar is scaled up in addition).
    • Show Wi-Fi control: Allows to reconnect to Wi-Fi networks which have previously been connected to.
    • Show reload button: This button in the SEB task bar reloads the current web page. Shows warning if enabled in Browser settings tab.
    • Show time: Displays current time in SEB task bar: This is for example helpful if you decide to ban personal watches in exams (because of smartwatches).
    • Show keyboard layout: Shows current keyboard layout and allows to switch to other keyboard layouts which have been enabled in Windows.
  • Enable page zoom: Pages can be zoomed with Ctrl-Mousewheel (Win) or cmd +/- or the commands in the view menu and buttons in browser window toolbar (Mac)
  • Enable text zoom: Text in browser windows can be zoomed with Ctrl-Mousewheel (Win) or ctrl - cmd +/- or the commands in the view menu and buttons in browser window toolbar (Mac)
  • Zoom Mode (Win): Zoom whole web pages or just text using Ctrl-Mousewheel (only in Windows version)
  • Allow spell checking: Allow using check spelling/grammar and 'correct spelling automatically
  • Allow dictionary look up: Allow looking up text elements on a web site using the 3-finger tap on a trackpad or ctrl-cmd-D
  • Links requesting to be opened in a new browser window... (Mac only): This popup list offers three policies:
    • get generally blocked
    • open in same window
    • open in new window
  • Block when directing to a different server: Hyperlinks which direct to a different host than the one of the current page will be ignored.
  • New browser window size: You can set the width and height of new browser windows as absolute pixel values or a percentage of the screen width or height. You can enter the dimensions (in pixels or percent values) in the text field or select one of the predefined values in the pop down menu.
  • New browser window horizontal positioning: You can choose how the window will be positioned horizontally if it doesn't fill the full screen width: Left, Center, Right.
  • Links in JavaScript/plug-ins... (Mac only): This list offers three policies for hyperlinks opened from JavaScript or plug-ins (like Flash):
    • get generally blocked
    • open in same window
    • open in new window
  • Block when directing to a different server: Hyperlinks which direct to a different host than the one of the current page will be ignored. This can also filter unwanted cross-site content on a page, but redirections might also not work. Test this option carefully with your exam before using it!
Browser Security Settings
  • Enable plug-ins: Enables web plugins like Flash. For security reasons it's recommended to disable this option if you don't use any plugin content.
  • Enable JavaScript: Please note that most modern websites need JavaScript for full functionality.
  • Enable Java: Enables Java Applets. Starting SEB 2.0 this option is disabled by default because Java applets are considered a potential security risk. Note: Only applets with the highest Java security level will run in SEB for Windows.
  • Block pop-up windows: Disables pop-up windows (often advertisement) opened by JavaScript without an user action such as a button click.
  • Allow video capture (webcam): Allow web applications to access camera (using HMTL 5 APIs).
  • Allow audio capture (microphone): Allow web applications to access microphone (using HMTL 5 APIs).
  • Allow browsing back/forward: Disabling browsing to previously visited pages (by Alt-Mousewheel or Ctrl-Cursor left on Mac) increases security, because it might be possible to leave an exam by browsing back to an external start page. This setting corresponds with the setting "Enable Alt-Mousewheel" in Hooked Keys pane.
  • Show reload warning: SEB shows a warning asking the user to confirm reloading a web page with F5 or the reload button.
  • Remove profile (Win only): Deletes contents of the seb XULRunner embedded browser profile directory (cache, cookies, local browser storage etc.) when quitting SEB.
User Agent Settings
  • User agent for desktop mode: Allows to switch between the default and a custom browser user agent string for SEB Windows running in desktop mode. SEB appends its version number automatically to the selected user agent string.
  • User agent for touch/tablet mode: Allows to switch between the default, an iPad-like and a custom browser user agent string for SEB Windows running in the touch optimized mode (on tablet computers). SEB appends its version number automatically to the selected user agent string.
  • iPad: Use an iPad-like user agent string for the touch optimized/tablet mode, as many mobile optimized websites recognize this user agent, but not the Windows tablet touch user agent.
  • User agent (Mac): Allows to switch between the default and a custom browser user agent string in SEB for macOS running in desktop mode. The default string depends on the installed Safari/WebKit version and therefore can differ on exam clients. SEB for macOS also appends its version number automatically to the selected user agent string.
  • Use SEB without browser window: If you intend to use another application for an exam and don't need to display any web content on the exam client, you can switch off the SEB browser with this option. Don't try to disable XULRunner in the Application -> Permitted Processes tab, that isn't necessary when using this option.
  • Allow downloading and uploading files (Mac only): Usually to be used with permitted third party applications for which you want to provide files to be downloaded.
  • Save downloaded files to: Choose the download directory with this button, which displays a file/directory chooser dialog. In the path displayed afterwards righthand of the button, SEB automatically replaces sections with a Windows environment variable, so paths are portable to other computers, for instance with another user account name (if you for example select your Documents folder, the path becomes %USERPROFILE%\Documents). An empty path means SEB uses the Download folder.
  • Open files after downloading (Mac only): Downloaded files will be opened with the according application, which has to be set correctly in the system for each used file type.
  • Choose file to upload… (Mac only): SEB can let the user choose the file to upload manually (as usual) or automatically choose the same file which was downloaded before. There are three possible policies to choose the file to upload:
    • manually with file requester
    • by attempting to upload same file downloaded before: If the file is not found, a file requester is presented and the user can choose some other file manually.
    • by only allowing to upload the same file downloaded before: If the file is not found, an error message is presented. This setting might bring additional security, because only files which have been downloaded before (in the same browser session, means since SEB was started) can be uploaded. If several files have been downloaded, pressing the choose file (or similarly named) button in the browser window will first choose the file most recently downloaded, pressing the button several times will cycle through all the files downloaded in this session.
  • Download and open PDF files instead of displaying them inline (Mac only): PDF files will not be displayed by SEB but downloaded and opened (if Open files after downloading is active!) by the application set in Finder (usually Preview or Adobe Acrobat). This option is useful when you allow to switch to third party applications and want to use some PDF forms which have to be filled out by the examinees/users.
  • Browser Exam Key: Copy the exam key string (which depends on your SEB configuration and the SEB version/application signature) to the according field in your quiz settings in the exam system having support for SEB 2.0 or later built in. Plug-ins offering this functionality have been released for the learning management systems Moodle, ILIAS and OpenOLAT has a built-in SEB support.
    Important: First save your final exam settings in a .seb settings file and then copy the browser exam key to your exam system's quiz settings as the Browser Exam Key changes when you change any setting.
    Please note that if you want to use the same .seb file with Windows and Mac clients, you should not alter the file anymore when you're copying the Browser Exam Key hashes to your exam settings in your quiz module. Re-saving it will change the Browser Exam Key of that file also in the SEB version on the other platform. The keys for the Mac and the Windows version will in any case be different, so you have to load the final .seb file into both versions and copy both keys to your quiz settings.
    PLEASE NOTE: Every new SEB version generates a different Browser Exam Key (as code and configuration option changes are reflected in the key, this is the idea of the request header check using this key together with compatible exam systems). If you want to use an existing exam configuration with a new SEB version, you have to re-calculate the Browser Exam Key with the new version and copy the new key to the quiz settings in your SEB compatible examination system (Moodle, ILIAS and OpenOLAT allow you to specify several keys in case you want to allow your examinees to use for example the current and previous SEB version).
  • Send Browser Exam Key in HTTP header: This enables sending the Browser Exam Key in an HTTP header to authenticate the SEB client and its settings to a compatible exam system.
  • Link to quit SEB after exam: Its possible to configure SEB to quit after the exam is submitted without having to enter a quit password by specifying a quit link (full URL starting with http:// or https://) and placing this on the summary page displayed by the LMS after submitting the exam.
  • Restart exam button: Either check the "Use Start URL" option or enter a link to which the exam is redirected when the restart exam button is pressed. The restart exam button is displayed in the SEB task bar when either the "Use Start URL" option is selected or a link is entered.
  • Title/tool tip text for the restart button: This text is displayed as the title of the confirmation alert and as tool tip on the icon. Leave empty for a standard text (which is localized to the SEB user interface languages).
  • Protect restart exam button with the quit/restart password: The quit/restart password (if set, see General pane) must be entered when the restart exam button was tapped. Exam support/invigilators should be told this password to be able to restart the exam if there is a problem.

You can allow third party applications to be used while SEB is running. Usually you would enable the SEB task bar, then for each allowed application (with the setting "Icon in task bar" enabled) an application icon will be displayed in the SEB task bar. Clicking on the icon starts the application when it's not yet running or brings its window(s) to the foreground. If a running application has several windows open, SEB displays a window chooser. You can switch between open windows with keys Alt-Tab as well.

SEB allows only applications to run which are configured in "Permitted Processes" (as long as the "Monitor processes" setting below is active). But SEB cannot prevent these applications from:

• Accessing the file system (local or network drives). So if you use an application which can open and save files and displays a file dialog, students can access local and network drives on the exam computer.

• Accessing the internet. SEB only has a URL filter for the built-in browser, other applications and the system are not blocked from accessing the internet. So any third party software with a built-in help browser or similar can be used to cheat during an exam.

Therefore using such applications requires additional measures, as for example a drive which is cleaned before every exam on a managed computer and a firewall (either hardware or firewall filter rules in a virtual desktop, see below). If you intend to use SEB with third party applications on unmanaged computers (BYOD, student owned machines), you should run the exam including those third party applications in a secured virtual machine, usually this would be a virtual desktop. This technical paper describes the virtual desktop infrastructure (VDI) environment ETH Zurich (the top ranked university in continental Europe which is the driving force behind the development of SafeExamBrowser) is using for such exams. For other (less technical) papers on our exam environment, see our publications page. Our environment runs on managed computers and uses the VMware View Client software secured by SEB on the local machine and another instance of SEB running inside the virtual desktop, allowing to use the configured permitted third party applications in addition to an exam displayed by the SEB browser. In a bring-your-own-device scenario you would ideally use VDI with a technology like VMware Horizon View HTML Access. Then students just need to install/run SEB on their Windows or Mac laptops. SEB would be configured to only load and display the HTML Access portal page in a full screen browser window (ideally without displaying the SEB task bar/dock). The entire exam takes place in the virtual desktop, which can be perfectly secured. You also don't have to worry about distributing, configuring and licensing those third party applications you want to use in exams to students, as you just have to install and configure these applications once on the master image for the VDI exam pool. If an exam computer breaks down during the exam, no data is lost, as everything is running inside the virtual desktop on your server infrastructure. Usually such exams would have a browser-based part, where you place the questions and maybe template files, which students then can open in the permitted third party applications. After they finish working on those documents, they can save the results and upload them into the exam, using a file upload question type. Students can only interact with the empty file system inside the virtual desktop, they also cannot access the local file systems or connected USB sticks on their BYOD exam computers.

Setting options:
  • Monitor processes while SEB is running: If enabled, SEB prevents non-permitted processes to display any windows (including alerts, message boxes etc.) by hiding them immediately. If SEB cannot hide such a process (because it is running with the rights of another user, for example SYSTEM) SEB terminates it. For the "Disable Explorer Shell" kiosk mode (see Security pane), "Monitor processes..." should always be activated (which was implicitly the case in former SEB versions), but from SEB 2.1 you can (and should in most cases) use this feature also with the "Create new desktop" kiosk mode.

Besides the live process monitoring while running, when SEB is started, an alert/dialogue window is displayed to tell the user to quit the currently running applications (which are in the list of permitted and prohibited processes) and to restart SEB afterwards or to let SEB kill the applications risking that there could be data loss. Applications which have the Force quit parameter set are automatically terminated (without asking the user).

Third party applications and processes which are permitted to run during an exam. Permitted applications show up in the application chooser with their icon and their application name set with the parameter title, they can be used during an exam in addition to the SEB browser.

  • Allow switching to third party applications (Mac only): If this option is activated, the kiosk mode induced by SEB will be reduced one level. The process switcher (Cmd-Tab) will work, so it's possible to switch to other running applications.
    Use this option only when running SEB in a user account managed by parental controls, with only SEB and the desired applications allowed. Also you should switch on Simple Finder and don't give users access to other accounts with administrator rights on that computer (see SEB for macOS manual: Secure Environment).
  • Allow Flash to switch to full screen mode (Mac only): Playing videos with Flash in full screen mode is a security problem. That's why it is strongly recommended to use HTML5 video (there full screen mode is no problem) instead of Flash whenever possible. Depending on the Flash video player and the Mac used, it can be difficult to switch back from full screen mode (best is to use the Esc key), so if you don't need full screen mode, don't enable it here.
    When switching to third party applications is disabled, Flash fullscreen mode isn't possible at all.
  • Click +/- to add/remove permitted process
  • Choose Application... In general you should use this button to choose a permitted application from your drive. SEB will automatically fill in title, executable and path of the application. You can change the title if you want (which is displayed in the SEB task bar). Path will usually be empty, as for applications which have been installed and properly registred in Windows App Paths you don't need to (and should not, as it can be different on another client system) specify the path.

Selected Process details:

  • Active: Indicates if this permitted process item is active (can be used while testing).
  • Title: Application title which is displayed in the application chooser.
  • Description: Optional, should explain what kind of process this is, because this might not be obvious only from the executable's name.
  • OS: Indicates on which operating system the permitted process runs (currently only the option Win works).
  • Executable: File name of the executable, which should not contain any parts of a file system path, only the filename of the exe file (like calc.exe).
  • Window Handling Process: Process executable which is actually handling the main window, this is necessary to indicate for Java and some other applications (for example OpenOffice, Eclipse, Adobe Acrobat).
  • Path: Optional filesystem path (formatted system specific) to the process executable's directory excluding the filename, see field executable. If the path is not given or relative, then SEB searches the system provided paths for applications. For applications which have been installed and properly registred in Windows App Paths you don't need to specify the path.
  • Arguments to append to the executable of the application when starting it. You can select if an argument is active or not (for testing). You can add and remove arguments using the +/- buttons.
  • Icon in task bar: Disabling this option is mainly useful for background processes (not requiring user interaction) which you want to autostart when SEB is run.
  • Autostart: Start the process automatically together with SEB.
  • Identifier: String of the process identifier in reverse domain notation (Mac) or the string or substring of the main window title of a process which doesn't have a MainWindow handle (Win), this is usually the case with Java applications (use for example "OpenOffice" for OpenOffice Calc).
  • Allow running in background: Permitted processes with this option set are allowed to already be running when starting SEB. In this case SEB doesn't ask the user if the process can be terminated before continuing to start SEB. Processes with the option "Allow running in background" don't have an icon in the SEB task bar. They can nevertheless have the option "Autostart" set, in this case SEB attempts to start the permitted process regardless if it was already running or not (and the option "Icon in task bar" is considered in this case).
    If you need some background process running together with SEB and this process might display some window or alert/message box, you have to add this process's executable to permitted processes with the option "Allow running in background" set, otherwise SEB will hide the window of the background process when "Monitor processes" is selected (or even terminate that process, in case it cannot be hidden).
  • Allow user to select location of application: The user is presented a file dialog window allowing to locate the third party application's executable if it cannot be found at the path specified and paths provided by the system (instead of just displaying an error message). Only applications matching the executable string specified are accepted.
  • Force quit: Indicates whether an application/process may be terminated in a not-nice way, what may cause data loss if the application had unsaved data in memory or was just writing to a persistent memory/drive. If this application is safe to be terminated anytime, then enabling this setting helps to avoid bothering users: Because if this setting is disabled and the application is running when SEB is started, then an alert/dialogue window is displayed to ask the user to quit this permitted application together with other permitted and the prohibited applications and to restart SEB afterwards (or to let SEB terminate the applications risking that there could be data loss).
    Disabling this setting does not mean that processes are not killed: Depending on the platform's capabilities, SEB first tries to terminate prohibited processes and applications nicely or asking the user to do it themselves, if this doesn't work then it terminates them anyways (as long as monitor processes is enabled). But enabling Force quit will speed up this process.
    This flag should not be set for macOS applications which allow to be terminated nicely (they are anyways automatically terminated, without asking the user).

Java applications (like OpenOffice) can be used as permitted processes, but require specific settings: The title of their main window must be defined in the field Permitted Processes -> Identifier (for example "OpenOffice Calc"), the required main executable in Permitted Processes -> Executable ("scalc.exe") and the process which is actually handling the main window in Permitted Processes -> Window Handling Process(es) ("soffice.bin"). For this example the executable path should be entered as "program" in Permitted Processes -> Path, as that is the relative path to the main executable from the OpenOffice main directory, which is registered in Windows App Paths.

List of processes which are prohibited to run during an exam when monitor processes is enabled. This list of prohibited processes makes sense because SEB on both platforms usually allows to run system processes, but some of them might not be wanted during an exam. With prohibited processes you can prevent some specific background processes and applications from running together with SEB. Use this with care, test if the system continues to run safely when the prohibited processes are killed by SEB.

Selected Process details:

  • Active: Indicates if this prohibited process item is active.
  • Executable: Process name, usually the filename of the executable.
  • Description: Optional, should explain what kind of process this is, because this might not be obvious only from the executable's name.
  • OS: Indicates on which operating system SEB should watch for the prohibited process (currently only Win works).
  • Identifier: String of the process identifier in reverse domain notation (Mac) or the string or substring of the main window title of a process which doesn't have a MainWindow handle (Win), this is usually the case with Java applications (use for example "OpenOffice" for OpenOffice Calc).
  • Force quit: Indicates whether an application/process may be terminated in a not-nice way, what may cause data loss if the application had unsaved data in memory or was just writing to a persistent memory/drive. If this application is safe to be terminated anytime, then enabling this setting helps to avoid bothering users: Because if this setting is disabled and the application is running when SEB is started, then an alert/dialogue window is displayed to ask the user to quit this prohibited application together with permitted applications and to restart SEB afterwards (or to let SEB terminate the applications risking that there could be data loss).
    Disabling this setting does not mean that processes are not killed: Depending on the platform's capabilities, SEB first tries to terminate prohibited processes nicely or asking the user to do it themselves, if this doesn't work then it terminates them anyways (as long as monitor processes is enabled). But enabling Force quit will speed up this process.
    This flag should not be set for macOS applications which allow to be terminated nicely (they are anyways automatically terminated, without asking the user).
  • Activate URL filtering: Filter URLs when loading web pages using the filter set defined below.
  • Filter also embedded content: If selected, also all embedded resources will be filtered using the filter set. Note that there can be hundreds of resources such as images and other media per page, so filtering all content may slow down page loading.
  • Rules are regular expressions: If not enabled, then the rules can be formatted using the wildcard '*', which stands for an arbitrary string of any length.

There are two tables contains URL filter rules, either with an Allow or Block action. The URL filter always first processes rules with the block action, if one matches, then the according http request is discarded. If no block rule matched, then rules with an allow action are processed. If one matches, then the request is loaded. If no allow rule matched, then the request is discarded. Discarding a http request means that a link with the URL is not followed and the user is notified with an alert. When content filtering is enabled, an embedded resource with the according URL is not loaded.

SEB automatically creates an allow filter rule for the exact address of the Start URL defined in these settings. This means that if your Start URL is example.com, then all pages and resources in the domain example.com will be allowed. If your Start URL is example.com/exams/engineering2015-1.html, then only the page with this exact address will be allowed. In this case you have to manually add an allow filter rule so all pages and resources your exam uses will be allowed (like example.com/exams/*).

Create a new rule by clicking the'+' button below the table. Remove a rule by selecting it in the table and clicking the '-' button.

Please not that SEB 2.1 for macOS is using a more advanced format for URL filters. It also incorporates a teach mode, where SEB can interactively create filter rules for you. When SEB 2.0 or higher for macOS saves a .seb settings file, it creates also compatible filter rules for SEB 2.0.3 (or higher) for Windows (which you can see in the Allow/Block tables here in the SEB Config Tool / Network / Filter tab, see the screenshot above for an example). So the URL filter rules created in SEB 2.0 for Mac are compatible with SEB 2.1.3 for Windows, but not the other way round: Filter rules defined in SEB 2.1.3 for Windows are not compatible with SEB for macOS.

This means in short: If you want to use URL filter rules in a mixed environment (Windows/Mac), you have to create the URL rules in SEB for macOS. A future version of SEB for Windows will also adopt the more advanced format for URL filters.

  • Choose TLS/SSL certificate to embed into configuration... Here you can choose SSL server certificates which are stored in the Windows Certificate Store (if you have a certifcate file, you first need to import it to the Windows Certificate Store, depending on the format you can just double click such a certificate file to invoke the Windows certifcate import assistant). The certificates added to this table will be embedded into a .seb settings file when it is saved and used on the SEB clients which are started up with that .seb exam configuration. Users then won't be presented a warning then when connecting to https servers with those self-signed certificates and you don't need to distribute SSL certificates manually to the exam client computers.
  • Choose identity to embed into configuration... You can also choose cryptographic identities stored in the Windows Certificate Store which are suitable for decrypting .seb files on SEB exam clients (X.509 certificates with RSA public key and associated private key). If you have a .p12 or .pfx certificate archive file, you first need to import it into the Windows Certificate Store (usually you can just double click such a certificate file to invoke the Windows certificate import assistant). When importing the .p12/.pfx identity file, the included private key must be marked as "exportable". The identities added to this table will be embedded into the .seb settings file. Use this feature for creating a .seb file for configuring a client and add the identity or identities you like to use for encrypting/decrypting .seb files for starting exams later. When opening this .seb file on your exam clients, the embedded identities will be imported into the Windows Certificate Store (or Keychain on Macs), so that they can be used for decrypting exam settings later. Please note that during this process the private keys imported into the Windows Certificate Store of the exam clients will be flagged as non-exportable for increased security.
In SEB problems with SSL certificates can occur:
  • Even if your secured site is using certificates which are generally trusted by browsers like Firefox, there might be a problem with the SEB XULRunner browser. The problem occurs when your server certificate is signed by an intermediate certificate of any trusted certification authority. In that case the whole issuer chain must be provided to the browser for validation. You might have to ask your server administrator to change their settings to solve the problem.
    For further information please consult the documentation of your webserver: Apache 2.2, IIS. There is a discussion about this problem in our forum too.

In this pane you can configure proxy settings for the exam client computers which override the system's proxy settings on the clients. You can currently specify a proxy server address and port manually for HTTP, HTTPS, FTP and SOCKS proxies (without authentication), use auto proxy discovery and automatic proxy configuration. You can also add host/domain addresses to the bypass/exception list.

  • SEB Service policy: The SEB Service is a background process running with elevated privileges (as administrator), which is necessary to block and unblock some system features (the options in the Windows Security Screen invoked by Ctrl-Alt-Del) and pausing Windows Update. SEB Windows Service is installed automatically together with the SEB application and started afterwards, but it might happen in rare cases that the service gets stopped. After a reboot of the computer it should get started again, also you could use Windows Task Manager to restart the service manualy (in the Services tab).
    You can define the policy that applies when an exam client doesn't have the SEB Service running:
    • allow to use SEB without service: SEB is allowed to run without the SEB Service running, it will only be noted in the log that the service was not securing the computer during the exam.
    • warn when service is not running: A warning is displayed when the service is not running, but the exam can be started.
    • allow to use SEB only with service: SEB is only allowed to run when the SEB Service is running.
  • Allow SEB to run inside virtual machine: Indicates if SEB is allowed to run in a virtual machine (e.g. for exams in virtual desktop environments) or not (in order to prevent potential manipulation).
  • Enable screen capture / PrintScreen: Controls PrintScreen and macOS screen capture (invoked with cmd-3 and cmd-4), this setting corresponds with Enable PrintScreen in the Hooked Keys pane. If users have the DropBox client installed and activated to upload screen shots directly to their DropBox, then this will also be stopped when PrintScreen is disabled.
  • Enable logging: The log can help in debugging SEB (if you send it to the developers) and to find out about possible manipulations. There are three log files:

    SafeExamBrowser main application, located at

                        

    %APPDATA%\SafeExamBrowser\SebClient.log
    usually:
    C:\Users\<username>\AppData\Roaming\SafeExamBrowser\SebClient.log


    SafeExamBrowser browser, located at

                        

    %APPDATA%\SafeExamBrowser\seb.log
    usually:
    C:\Users\<username>\AppData\Roaming\SafeExamBrowser\seb.log


    SEB Windows Service, located at

                        

    %INSTALLDIR%\SafeExamBrowser\SebWindowsServiceWCF\sebwindowsservice.log
    usually:
    C:\Program Files (x86)\SafeExamBrowser\SebWindowsServiceWCF\sebwindowsservice.log

  • Kiosk mode: This setting reflects how the computer is locked down into SEB.
    • Create new desktop: SEB and all permitted applications are started on a new desktop. Switching to the standard desktop is not possible, so other applications are invisible and cannot be reached during the exam. This kiosk mode may prevent specific third party software to run correctly together with SEB, like some screen recording software or the Windows on-screen keyboard (this is why this kiosk mode cannot be used with touch optimized mode).
    • Disable Explorer Shell: The Windows Explorer is closed when the exam starts and restarted afterwards. All other applications running on the computer are hidden, prohibited applications are closed. Windows of all not permitted applications/processes are hidden (or if that's not possible those applications are killed) when they open or try to come to the foreground. This kiosk mode is compatible with some screen recording/proctoring software (like ObserveIt) and the Windows on-screen keyboard.
    • None: SEB runs without kiosk mode, switching to other applications is possible. Use this for debugging purposes only.


    Note: The kiosk mode is a SEB environment setting. This means it is not possible to change the kiosk mode when starting an exam or reconfiguring SEB. An alert window will inform users that the local client settings of SEB need to be reconfigured with the correct kiosk mode settings if they try to start an exam with another kiosk mode than the one set in the current local SEB client settings. SEB will have to be quit and manually restarted when the kiosk mode is reconfigured in local client settings.

Options in the Windows Security Screen invoked by Ctrl-Alt-Del:

  • Enable Switch User
    activates the button "Switch User" or "Benutzer wechseln", respectively.
  • Enable Lock this computer
    activates the button "Lock this computer" or "Computer sperren", respectively.
  • Enable Change a password
    activates the button "Change a password..." or "Kennwort ändern...", respectively.
  • Enable Start Task Manager
    activates the button "Start Task Manager" or "Task-Manager starten", respectively.
    Note: Normally it makes no sense to permit the Task Manager inside SEB (thus during an online exam). Furthermore SEB is usually started in a new desktop (see option CreateNewDesktop in the Security Pane), which would cover an eventual Task Manager window and make it invisible. In case you want to permit the Task Manager in SEB anyhow, CreateNewDesktop and Monitor processes must be disabled. An alternative possibility is to add the Task Manager as a third-party application TaskManager,taskmgr.exe; to the PermittedApplications (see below).
  • Enable Log off
    activates the button "Log off" or "Abmelden", respectively.
  • Enable Shut down
    activates the button "Shutdown" or "Herunterfahren" in the lower right corner.
  • Enable Ease of Access
    activates the button "Ease of Access" or "Erleichterter Zugriff" in the lower left corner, which offers help e.g. to visually or aurally handicapped persons, like the Magnifier Glass.
  • Enable VMware Client Shade
    activates the "Shade" bar at the upper edge of a virtual desktop, if existent. If you're not using VMware, this setting doesn't have any effect.

These Windows Registry options define the values while SEB is running. SEB remembers the settings which were active on the exam client computer before running SEB and resets them to the original values when exiting regularly. In case SEB would crash or the user would enforce a reset of the machine while SEB was running, these options are reset to the original values:

  • when SEB is restarted once again and properly quit;
  • or when uninstalling SEB.

There is also a command line tool which can be used to reset those values for the unlikely case that the SEB Windows Service didn't work properly or was damaged and can't be run anymore. This tool can be found at the following directory path in your Program Files directory:

                

SafeExamBrowser\SebWindowsServiceWCF\SebRegistryResetter.exe

You need to execute this tool as administrator (right mouse button context menu "Run as administrator"). In case the original values for the Registry Settings aren't found anymore, they will be reset to the Windows default values (all enabled). In this latter unlikely case you would also need to enter the short user name of the user in which account SEB was run, when the problem occurred. If you were running SEB in your administrator account, the short user name you have to enter usually isn't "Admin" or similar. It is the user name of the account which has the administrator role. The short user name is the same as the name of the user's home directory (if you go to C:\Users\ in a Windows Explorer window, you can see all user account names on this computer). If you have spaces in your short user name, enter it as it is, without quotes.

  • Special Keys: Settings to enable or block (hook) keys, key combinations and mouse buttons.
  • Enable PrintScreen: Controls PrintScreen and macOS screen capture (invoked with cmd-3 and cmd-4), this setting corresponds with Enable screen capture / PrintScreen in the Security pane. If users have the DropBox client installed and activated to upload screen shots directly to their DropBox, then this will also be stopped when PrintScreen is disabled.
  • Enable Alt-Mousewheel: Disabling browsing to previously visited pages (by Alt-Mousewheel or Ctrl-Cursor left on Mac) increases security, because it might be possible to leave an exam by browsing back to an external start page. This setting corresponds with the setting "Allow browsing back/forward" in Browser pane.
  • Function Keys: Enable or block function keys. This doesn't have any effect on the SEB exit sequence. Depending on specific keyboards some function keys cannot be blocked.

SEB for Windows is running on 32-bit and 64-bit PCs with the following operating systems:

  • Windows 7
  • Windows 8/8.1
  • Window 10

Safe Exam Browser for Windows: © 2010-2015 Dirk Bauer, Daniel R. Schneider, ETH Zurich, Educational Development and Technology (LET), Pascal Wyss, Viktor Tomas, Stefan Schneider, Oliver Rahs, based on the original idea of Safe Exam Browser by Stefan Schneider, University of Giessen
Project concept: Dr. Thomas Piendl, Daniel R. Schneider, Dr. Dirk Bauer, Kai Reuter, Tobias Halbherr, Karsten Burger, Marco Lehre, Brigitte Schmucki, Oliver Rahs. French localization: Nicolas Dunand

Safe Exam Browser is released as freeware. The source code is subject to the Mozilla Public License Version 1.1 (the "License"); you may only use these files in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/ .

Important parts of this project have been carried out as part of the program "AAA/SWITCH –
e-Infrastructure for e-Science
" led by SWITCH, the Swiss National Research and Education Network and the cooperative project "Learning Infrastructure" (part of the CRUS program "Information scientifique: accès, traitement et sauvegarde") coordinated by SWITCH, and was supported by funds from the ETH Board and the State Secretariat for Education, Research and Innovation (SERI).