Details Released for Recently Patched new macOS Archive Utility Vulnerability

Security researchers have shared details about a now-addressed security flaw in Apple’s macOS operating system that could be potentially exploited to run malicious applications in a manner that can bypass Apple’s security measures.

The vulnerability, tracked as CVE-2022-32910, is rooted in the built-in Archive Utility and “could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive,” Apple device management firm Jamf said in an analysis.

Following responsible disclosure on May 31, 2022, Apple addressed the issue as part of macOS Big Sur 11.6.8 and Monterey 12.5 released on July 20, 2022. The tech giant, for its part, also revised the earlier-issued advisories as of October 4 to add an entry for the flaw.

Apple described the bug as a logic issue that could allow an archive file to get around Gatekeeper checks. Gatekeeper is designed to ensure that only trusted software runs on the operating system.

The security technology achieves this by verifying that the downloaded package is from a legitimate developer and has been notarized by Apple – i.e., given a stamp of approval to ensure it’s not been maliciously tampered with.

“Gatekeeper also requests user approval before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file,” Apple notes in its support documentation.

It’s also worth noting that archive files downloaded from the internet are tagged with the “com.apple.quarantine” extended attribute, as are the items within the file, so that a Gatekeeper check is triggered prior to execution.

But in a peculiar quirk discovered by Jamf, the Archive Utility fails to add the quarantine attribute to a folder “when extracting an archive containing two or more files or folders in its root directory.”

Thus, by creating an archive file named “exploit.app.zip,” an attacker arrives at a scenario where unarchiving it creates a folder titled “exploit.app” that lacks the quarantine attribute.

This application “will bypass all Gatekeeper checks allowing an unnotarized and/or unsigned binary to execute,” Jamf researcher Ferdous Saljooki, who discovered the flaw, said. Apple said it resolved the vulnerability with improved checks.

The findings come more than six months after Apple addressed another similar flaw in macOS Catalina, Big Sur 11.6.5, and Monterey 12.3 (CVE-2022-22616) that could allow a malicious ZIP archive to bypass Gatekeeper checks.

Source: https://thehackernews.com/2022/10/details-released-for-recently-patched.html

Alert (AA22-277A) Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

Summary

Actions to Help Protect Against APT Cyber Activity:

• Enforce multifactor authentication (MFA) on all user accounts.
• Implement network segmentation to separate network segments based on role and functionality.
• Update software, including operating systems, applications, and firmware, on network assets.
• Audit account usage.

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.

This joint Cybersecurity Advisory (CSA) provides the APT actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization. The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks.

Technical Details

Threat Actor Activity

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the APT cyber activity mapped to MITRE ATT&CK for Enterprise framework.

From November 2021 through January 2022, CISA conducted an incident response engagement on a DIB Sector organization’s enterprise network. The victim organization also engaged a third-party incident response organization for assistance. During incident response activities, CISA and the trusted third party identified APT activity on the victim’s network.

Some APT actors gained initial access to the organization’s Microsoft Exchange Server as early as mid-January 2021. The initial access vector is unknown. Based on log analysis, the actors gathered information about the Exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account (“Admin 1”) to access the Exchange Web Services (EWS) Application Programming Interface (API). In early February 2021, the actors returned to the network and used Admin 1 to access the EWS API again. In both instances, the actors used a virtual private network (VPN).

Four days later, the APT actors used Windows Command Shell over a three-day period to interact with the victim’s network. The actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line tool, WinRAR. These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2\he\debug directory. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.

During the same period, APT actors implanted Impacket, a Python toolkit for programmatically constructing and manipulating network protocols, on another system. The actors used Impacket to attempt to move laterally to another system.

In early March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper webshells on the Exchange Server. Later in March, APT actors installed HyperBro on the Exchange Server and two other systems. For more information on the HyperBro and webshell samples, see CISA MAR-10365227-2 and -3.

In April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. See the Use of Custom Exfiltration Tool: CovalentStealer section for additional information.

APT actors maintained access through mid-January 2022, likely by relying on legitimate credentials.

Use of Impacket

CISA discovered activity indicating the use of two Impacket tools: wmiexec.py and smbexec.py. These tools use Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol, respectively, for creating a semi-interactive shell with the target device. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.

The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization’s multifunctional devices. The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:

powershell add-pssnapin *exchange*;New-ManagementRoleAssignment -Name:"Journaling-Logs" -Role:ApplicationImpersonation -User:<account>

This command gave the service account the ability to access other users’ mailboxes.

The APT cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. Use of these hosting providers, which serves to conceal interaction with victim networks, is common for these threat actors. According to CISA’s analysis of the victim’s Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access the EWS. EWS enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections is mostly from the VPS hosting provider, M247.

Use of Custom Exfiltration Tool: CovalentStealer

The threat actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate sensitive files.

CovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that specifically target the victim’s documents using predetermined file paths and user credentials. CovalentStealer stores the collected files in a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times, and uses a 256-bit AES key for encryption. See CISA MAR-10365227-1 for additional technical details, including IOCs and detection signatures.

MITRE ATT&CK Tactics and Techniques

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. CISA uses the ATT&CK Framework as a foundation for the development of specific threat models and methodologies. Table 1 lists the ATT&CK techniques employed by the APT actors.

Table 1: APT cyber activity mapped to MITRE ATT&CK for Enterprise

Initial Access
Technique Title | ID | Use
Valid Accounts | T1078 | Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.

Execution
Technique Title | ID | Use
Windows Management Instrumentation | T1047 | Actors used Impacket tools wmiexec.py and smbexec.py to leverage Windows Management Instrumentation and execute malicious commands.
Command and Scripting Interpreter | T1059 | Actors abused command and script interpreters to execute commands.
Command and Scripting Interpreter: PowerShell | T1059.001 | Actors abused PowerShell commands and scripts to map shared drives by specifying a path to one location and retrieving the items from another. See Appendix: Windows Command Shell Activity for additional information.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Actors abused the Windows Command Shell to learn about the organization’s environment and to collect sensitive data. See Appendix: Windows Command Shell Activity for additional information, including specific commands used. The actors used Impacket tools, which enable a user with credentials to run commands on the remote device through the Command Shell.
Command and Scripting Interpreter: Python | T1059.006 | The actors used two Impacket tools: wmiexec.py and smbexec.py.
Shared Modules | T1129 | Actors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths.
System Services | T1569 | Actors abused system services to execute commands or programs on the victim’s network.

Persistence
Technique Title | ID | Use
Valid Accounts | T1078 | Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Create or Modify System Process | T1543 | Actors were observed creating or modifying system processes.

Privilege Escalation
Technique Title | ID | Use
Valid Accounts | T1078 | Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.

Defense Evasion
Technique Title | ID | Use
Masquerading: Match Legitimate Name or Location | T1036.005 | Actors masqueraded the archive utility WinRAR.exe by renaming it VMware.exe to evade defenses and observation.
Indicator Removal on Host | T1070 | Actors deleted or modified artifacts generated on a host system to remove evidence of their presence or hinder defenses.
Indicator Removal on Host: File Deletion | T1070.004 | Actors used the del.exe command with the /f parameter to force the deletion of read-only files with the *.rar and tempg* wildcards.
Valid Accounts | T1078 | Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Virtualization/Sandbox Evasion: System Checks | T1497.001 | Actors used Windows command shell commands to detect and avoid virtualization and analysis environments. See Appendix: Windows Command Shell Activity for additional information.
Impair Defenses: Disable or Modify Tools | T1562.001 | Actors used the taskkill command to probably disable security features. CISA was unable to determine which application was associated with the Process ID.
Hijack Execution Flow | T1574 | Actors were observed using hijack execution flow.

Discovery
Technique Title | ID | Use
System Network Configuration Discovery | T1016 | Actors used the systeminfo command to look for details about the network configurations and settings and determine if the system was a VMware virtual machine. The threat actor used route print to display the entries in the local IP routing table.
System Network Configuration Discovery: Internet Connection Discovery | T1016.001 | Actors checked for internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways.
System Owner/User Discovery | T1033 | Actors attempted to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system.
System Network Connections Discovery | T1049 | Actors used the netstat command to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP.
Process Discovery | T1057 | Actors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine. The actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running on the computer matching the string “powers.”
System Information Discovery | T1082 | Actors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine.
File and Directory Discovery | T1083 | Actors enumerated files and directories or may search in specific locations of a host or network share for certain information within a file system.
Virtualization/Sandbox Evasion: System Checks | T1497.001 | Actors used Windows command shell commands to detect and avoid virtualization and analysis environments.

Lateral Movement
Technique Title | ID | Use
Remote Services: SMB/Windows Admin Shares | T1021.002 | Actors used Valid Accounts to interact with a remote network share using Server Message Block (SMB) and then perform actions as the logged-on user.

Collection
Technique Title | ID | Use
Archive Collected Data: Archive via Utility | T1560.001 | Actors used PowerShell commands and WinRAR to compress and/or encrypt collected data prior to exfiltration.
Data from Network Shared Drive | T1039 | Actors likely used the net share command to display information about shared resources on the local computer and decide which directories to exploit, the powershell dir command to map shared drives to a specified path and retrieve items from another, and the ntfsinfo command to search network shares on computers they have compromised to find files of interest. The actors used dir.exe to display a list of a directory’s files and subdirectories matching a certain text string.
Data Staged: Remote Data Staging | T1074.002 | The actors split collected files into approximately 3 MB chunks located on the Exchange server within the CU2\he\debug directory.

Command and Control
Technique Title | ID | Use
Non-Application Layer Protocol | T1095 | Actors used a non-application layer protocol for communication between host and Command and Control (C2) server or among infected hosts within a network.
Ingress Tool Transfer | T1105 | Actors used the certutil command with three switches to test if they could download files from the internet. The actors employed CovalentStealer to exfiltrate the files.
Proxy | T1090 | Actors are known to use VPN and VPS providers, namely M247 and SurfShark, as part of their techniques to access a network remotely.

Exfiltration
Technique Title | ID | Use
Schedule Transfer | T1029 | Actors scheduled data exfiltration to be performed only at certain times of day or at certain intervals and blend traffic patterns with normal activity.
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | The actors’ CovalentStealer tool stores collected files in a Microsoft OneDrive cloud folder.

DETECTION

Given the actors’ demonstrated capability to maintain persistent, long-term access in compromised enterprise environments, CISA, FBI, and NSA encourage organizations to:

  • Monitor logs for connections from unusual VPSs and VPNs. Examine connection logs for access from unexpected ranges, particularly from machines hosted by SurfShark and M247.
  • Monitor for suspicious account use (e.g., inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts). To detect use of compromised credentials in combination with a VPS, follow the steps below:
    • Review logs for “impossible logins,” such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
    • Search for “impossible travel,” which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: This detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.
    • Search for one IP used across multiple accounts, excluding expected logins.
      • Take note of any M247-associated IP addresses used along with VPN providers (e.g., SurfShark). Look for successful remote logins (e.g., VPN, OWA) for IPs coming from M247- or using SurfShark-registered IP addresses.
    • Identify suspicious privileged account use after resetting passwords or applying user account mitigations.
    • Search for unusual activity in typically dormant accounts.
    • Search for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
  • Review the YARA rules provided in MAR-10365227-1 to assist in determining whether malicious activity has been observed.
  • Monitor for the installation of unauthorized software, including Remote Server Administration Tools (e.g., psexec, RdClient, VNC, and ScreenConnect).
  • Monitor for anomalous and known malicious command-line use. See Appendix: Windows Command Shell Activity for commands used by the actors to interact with the victim’s environment.
  • Monitor for unauthorized changes to user accounts (e.g., creation, permission changes, and enabling a previously disabled account).
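The account-abuse hunts listed above (logins from M247- or SurfShark-hosted addresses, impossible travel, and one IP used across several accounts), worked through as an added Python example that is not part of the advisory. The log format, the IP-to-location/provider enrichment table and the 900 km/h travel threshold are constructed assumptions; a real hunt would draw these from the SIEM and a GeoIP/ASN database.

```python
"""Added example (not from the advisory): hunt for the sign-in patterns CISA describes,
run over constructed authentication log lines."""
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed IP enrichment: ip -> (latitude, longitude, hosting/VPN provider).
# A real hunt would pull this from a GeoIP/ASN database; these values are made up.
IP_INFO = {
    "203.0.113.10": (38.90, -77.04, "ISP-Home"),   # Washington, DC area
    "192.0.2.25": (34.05, -118.24, "ISP-Home"),    # Los Angeles
    "198.51.100.7": (51.51, -0.13, "M247"),        # London; VPS provider named in the CSA
    "198.51.100.9": (52.37, 4.90, "SurfShark"),    # Amsterdam; VPN provider named in the CSA
}
WATCHED_PROVIDERS = {"M247", "SurfShark"}
MAX_SPEED_KMH = 900.0  # assumed ceiling: two logins that imply a faster trip are "impossible travel"

# Constructed sample log: "<ISO-8601 UTC> <service> user=<name> src=<ip> result=success"
SAMPLE_LOG = """\
2021-01-15T09:00:00Z OWA user=admin1 src=203.0.113.10 result=success
2021-01-15T10:30:00Z OWA user=admin1 src=198.51.100.7 result=success
2021-01-15T11:00:00Z EWS user=svc-mfd src=198.51.100.7 result=success
2021-01-16T08:00:00Z VPN user=jdoe src=192.0.2.25 result=success
2021-01-16T20:00:00Z VPN user=jdoe src=203.0.113.10 result=success
2021-01-17T03:00:00Z OWA user=svc-mfd src=198.51.100.9 result=success
"""


@dataclass(frozen=True)
class Login:
    ts: datetime
    service: str
    user: str
    ip: str


def parse_log(text: str) -> list[Login]:
    logins = []
    for line in text.splitlines():
        ts, service, user, src, _result = line.split()
        logins.append(Login(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            service, user.removeprefix("user="), src.removeprefix("src=")))
    return logins


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def watched_provider_logins(logins: list[Login]) -> list[tuple[str, str, str, str]]:
    """Successful logins sourced from the VPS/VPN providers the advisory names."""
    return [(l.user, l.ip, IP_INFO[l.ip][2], l.service)
            for l in logins if IP_INFO[l.ip][2] in WATCHED_PROVIDERS]


def impossible_travel(logins: list[Login]) -> list[tuple[str, str, str, int]]:
    """Consecutive logins by one user whose locations would require travelling faster than MAX_SPEED_KMH."""
    by_user = defaultdict(list)
    for l in logins:
        by_user[l.user].append(l)
    findings = []
    for user, seq in by_user.items():
        seq.sort(key=lambda l: l.ts)
        for prev, cur in zip(seq, seq[1:]):
            if prev.ip == cur.ip:
                continue
            km = haversine_km(IP_INFO[prev.ip][:2], IP_INFO[cur.ip][:2])
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > MAX_SPEED_KMH:
                findings.append((user, prev.ip, cur.ip, round(speed)))
    return findings


def shared_source_ips(logins: list[Login], expected_ips=frozenset(), min_accounts: int = 2) -> dict[str, list[str]]:
    """One source IP used by several accounts, ignoring known shared egress points (office NAT, etc.)."""
    users_by_ip = defaultdict(set)
    for l in logins:
        if l.ip not in expected_ips:
            users_by_ip[l.ip].add(l.user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    logins = parse_log(SAMPLE_LOG)
    print("watched providers:", watched_provider_logins(logins))
    print("impossible travel:", impossible_travel(logins))
    print("shared IPs:", shared_source_ips(logins, expected_ips={"203.0.113.10"}))
```

Legitimate users who connect through a commercial VPN before reaching OWA will trip both the provider and the impossible-travel checks, so treat the output as triage input rather than verdicts.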

CONTAINMENT AND REMEDIATION

Organizations affected by active or recently active threat actors in their environment can take the following initial steps to aid in eviction efforts and prevent re-entry:

  • Report the incident. Report the incident to U.S. Government authorities and follow your organization’s incident response plan.
  • Reset all login accounts. Reset all accounts used for authentication since it is possible that the threat actors have additional stolen credentials. Password resets should also include accounts outside of Microsoft Active Directory, such as network infrastructure devices and other non-domain joined devices (e.g., IoT devices).
  • Monitor SIEM logs and build detections. Create signatures based on the threat actor TTPs and use these signatures to monitor security logs for any signs of threat actor re-entry.
  • Enforce MFA on all user accounts. Enforce phishing-resistant MFA on all accounts without exception to the greatest extent possible.
  • Follow Microsoft’s security guidance for Active Directory: Best Practices for Securing Active Directory.
  • Audit accounts and permissions. Audit all accounts to ensure all unused accounts are disabled or removed and active accounts do not have excessive privileges. Monitor SIEM logs for any changes to accounts, such as permission changes or enabling a previously disabled account, as this might indicate a threat actor using these accounts.
  • Harden and monitor PowerShell by reviewing guidance in the joint Cybersecurity Information Sheet—Keeping PowerShell: Security Measures to Use and Embrace.

Mitigations

Mitigation recommendations are usually longer-term efforts that take place before a compromise as part of risk management efforts, or after the threat actors have been evicted from the environment and the immediate response actions are complete. While some may be tailored to the TTPs used by the threat actor, recovery recommendations are largely general best practices and industry standards aimed at bolstering overall cybersecurity posture.

Segment Networks Based on Function

  • Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for ransomware and other threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. (See CISA’s Infographic on Layering Network Security Through Segmentation and NSA’s Segment Networks and Deploy Application-Aware Defenses.)
  • Isolate similar systems and implement micro-segmentation with granular access and policy restrictions to modernize cybersecurity and adopt Zero Trust (ZT) principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration.

Manage Vulnerabilities and Configurations

  • Update software, including operating systems, applications, and firmware, on network assets. Prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Implement a configuration change control process that securely creates device configuration backups to detect unauthorized modifications. When a configuration change is needed, document the change, and include the authorization, purpose, and mission justification. Periodically verify that modifications have not been applied by comparing current device configurations with the most recent backups. If suspicious changes are observed, verify the change was authorized.

Search for Anomalous Behavior

  • Use cybersecurity visibility and analytics tools to improve detection of anomalous behavior and enable dynamic changes to policy and other response actions. Visibility tools include network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Monitor the use of scripting languages (e.g., Python, Powershell) by authorized and unauthorized users. Anomalous use by either group may be indicative of malicious activity, intentional or otherwise.

Restrict and Secure Use of Remote Admin Tools

  • Limit the number of remote access tools as well as who and what can be accessed using them. Reducing the number of remote admin tools and their allowed access will increase visibility of unauthorized use of these tools.
  • Use encrypted services to protect network communications and disable all clear text administration services (e.g., Telnet, HTTP, FTP, SNMP 1/2c). This ensures that sensitive information cannot be easily obtained by a threat actor capturing network traffic.

Implement a Mandatory Access Control Model

  • Implement stringent access controls to sensitive data and resources. Access should be restricted to those users who require access and to the minimal level of access needed.

Audit Account Usage

  • Monitor VPN logins to look for suspicious access (e.g., logins from unusual geo locations, remote logins from accounts not normally used for remote access, concurrent logins for the same account from different locations, unusual times of the day).
  • Closely monitor the use of administrative accounts. Admin accounts should be used sparingly and only when necessary, such as installing new software or patches. Any use of admin accounts should be reviewed to determine if the activity is legitimate.
  • Ensure standard user accounts do not have elevated privileges. Any attempt to increase permissions on standard user accounts should be investigated as a potential compromise.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA, FBI, and NSA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA, FBI, and NSA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 1).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze the performance of your detection and prevention technologies.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA, FBI, and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See cisa.gov/cyber-hygiene-services.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

ACKNOWLEDGEMENTS

CISA, FBI, and NSA acknowledge Mandiant for its contributions to this CSA.

APPENDIX: WINDOWS COMMAND SHELL ACTIVITY

Over a three-day period in February 2021, APT cyber actors used Windows Command Shell to interact with the victim’s environment. When interacting with the victim’s system and executing commands, the threat actors used /q and /c parameters to turn the echo off, carry out the command specified by a string, and stop its execution once completed.

On the first day, the threat actors consecutively executed many commands within the Windows Command Shell to learn about the organization’s environment and to collect sensitive data for eventual exfiltration (see Table 2).

Table 2: Commands executed on the first day

Command | Description / Use
net share | Used to create, configure, and delete network shares from the command line.[1] The threat actor likely used this command to display information about shared resources on the local computer and decide which directories to exploit.
powershell dir | An alias (shorthand) for the PowerShell Get-ChildItem cmdlet. This command maps shared drives by specifying a path to one location and retrieving the items from another.[2] The threat actor added additional switches (aka options, parameters, or flags) to form a “one liner,” an expression describing commonly used commands in exploitation: powershell dir -recurse -path e:\<redacted>|select fullname,length|export-csv c:\windows\temp\temp.txt. This particular command lists subdirectories of the target environment when.
systeminfo, tasklist, ipconfig | systeminfo displays detailed configuration information [3], tasklist lists currently running processes [4], and ipconfig displays all current Transmission Control Protocol (TCP)/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings [5]. The threat actor used these commands with specific switches to determine if the system was a VMware virtual machine: systeminfo > vmware & date /T, tasklist /v > vmware & date /T, and ipconfig /all >> vmware & date /.
route print | Used to display and modify the entries in the local IP routing table.[6] The threat actor used this command to display the entries in the local IP routing table.
netstat | Used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.[7] The threat actor used this command with three switches to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP: netstat -anp tcp.
certutil | Used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.[8] The threat actor used this command with three switches to test if they could download files from the internet: certutil -urlcache -split -f https://microsoft.com temp.html.
ping | Sends Internet Control Message Protocol (ICMP) echoes to verify connectivity to another TCP/IP computer.[9] The threat actor used ping -n 2 apple.com to either test their internet connection or to detect and avoid virtualization and analysis environments or network restrictions.
taskkill | Used to end tasks or processes.[10] The threat actor used taskkill /F /PID 8952 to probably disable security features. CISA was unable to determine what this process was as process identifier (PID) numbers are dynamic.
PowerShell Compress-Archive cmdlet | Used to create a compressed archive or to zip files from specified files and directories.[11] The threat actor used parameters indicating shared drives as file and folder sources and the destination archive as zipped files. Specifically, they collected sensitive contract-related information from the shared drives.

On the second day, the APT cyber actors executed the commands in Table 3 to perform discovery as well as collect and archive data.

Command | Description / Use
ntfsinfo.exe | Used to obtain volume information from the New Technology File System (NTFS) and to print it along with a directory dump of NTFS metadata files [12].
WinRAR.exe | Used to compress files; the threat actor subsequently masqueraded WinRAR.exe by renaming it VMware.exe [13].

On the third day, the APT cyber actors returned to the organization’s network and executed the commands in Table 4.

Command | Description / Use
powershell -ep bypass import-module .\vmware.ps1;export-mft -volume e | Threat actors ran a PowerShell command with parameters to change the execution mode and bypass the Execution Policy to run the script from PowerShell and add a module to the current session: powershell -ep bypass import-module .\vmware.ps1;export-mft -volume e. This module appears to acquire and export the Master File Table (MFT) for volume E for further analysis by the cyber actor [14].
set.exe | Used to display the current environment variable settings [15]. (An environment variable is a dynamic value pointing to system or user environments (folders) of the system. System environment variables are defined by the system and used globally by all users, while user environment variables are only used by the user who declared that variable and override the system environment variables, even if the variables are named the same.)
dir.exe | Used to display a list of a directory’s files and subdirectories matching the eagx* text string, likely to confirm the existence of such a file.
tasklist.exe and find.exe | Used to display a list of applications and services with their PIDs for all tasks running on the computer matching the string “powers” [16][17][18].
ping.exe | Used to send two ICMP echoes to amazon.com. This could have been to detect or avoid virtualization and analysis environments, circumvent network restrictions, or test their internet connection [19].
del.exe with the /f parameter | Used to force the deletion of read-only files matching the *.rar and tempg* wildcards [20].
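The commands in Tables 2 through 4 are what a defender would want to alert on, so here is an added example (not part of the CISA alert) of rule-based detection run over constructed, Sysmon-style process-creation records; the records, the simplified field names (image, original, cmd) and the rule labels are all assumptions made for this illustration.

```python
"""Added example, not part of the CISA alert: rule-based detection over
constructed, Sysmon-style process-creation records, keyed on the command
switches, redirects and renamed binary described in Tables 2-4 above."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real telemetry). Fields mirror Sysmon
# Event ID 1: image = executed binary, original = PE OriginalFileName,
# cmd = full command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\cmd.exe", "original": "Cmd.Exe",
     "cmd": "cmd /c tasklist /v > vmware & date /T"},
    {"image": r"C:\Windows\System32\certutil.exe", "original": "CertUtil.exe",
     "cmd": "certutil -urlcache -split -f https://microsoft.com temp.html"},
    {"image": r"C:\Users\Public\VMware.exe", "original": "WinRAR.exe",
     "cmd": "VMware.exe a contracts.rar E:\\contracts"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original": "PowerShell.EXE",
     "cmd": r"powershell -ep bypass import-module .\vmware.ps1;export-mft -volume e"},
    {"image": r"C:\Windows\System32\taskkill.exe", "original": "taskkill.exe",
     "cmd": "taskkill /F /PID 8952"},
    {"image": r"C:\Windows\System32\cmd.exe", "original": "Cmd.Exe",
     "cmd": "cmd /c del /f *.rar tempg*"},
    {"image": r"C:\Windows\System32\ipconfig.exe", "original": "ipconfig.exe",
     "cmd": "ipconfig /all"},  # benign: no redirect into a staging file
]

# Each rule keys on the switches the alert describes rather than on the bare
# tool name, because systeminfo, ping or certutil alone are routine.
CMDLINE_RULES: Dict[str, re.Pattern] = {
    "discovery output redirected to a 'vmware' staging file":
        re.compile(r"\b(systeminfo|tasklist|ipconfig)\b[^&|]*>>?\s*vmware\b", re.I),
    "netstat TCP enumeration without name resolution":
        re.compile(r"\bnetstat\s+-anp\s+tcp\b", re.I),
    "certutil used as a downloader (-urlcache -f)":
        re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*-f\s+\S+", re.I),
    "PowerShell execution-policy bypass importing a script":
        re.compile(r"\bpowershell(\.exe)?\s+-ep\s+bypass\b.*\bimport-module\b", re.I),
    "forced process termination by PID":
        re.compile(r"\btaskkill(\.exe)?\s+/F\s+/PID\s+\d+", re.I),
    "forced deletion of .rar and tempg* artifacts":
        re.compile(r"\bdel(\.exe)?\s+/f\b.*(\*\.rar|tempg\*)", re.I),
}


def process_name(image: str) -> str:
    """Last path component of the image path (Windows separators)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def masquerade_label(event: Dict[str, str]) -> Optional[str]:
    """Table 3: WinRAR.exe renamed to VMware.exe. The on-disk name no longer
    matches the PE OriginalFileName, which survives a rename."""
    name = process_name(event["image"])
    if event["original"].lower() == "winrar.exe" and name.lower() != "winrar.exe":
        return f"WinRAR.exe running under the name {name}"
    return None


def detect(event: Dict[str, str]) -> List[str]:
    """All rule labels that fire for one record (empty list when benign)."""
    hits = [label for label, rx in CMDLINE_RULES.items() if rx.search(event["cmd"])]
    label = masquerade_label(event)
    if label:
        hits.append(label)
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(command line, labels) for every record that triggered at least one rule."""
    flagged = []
    for event in events:
        hits = detect(event)
        if hits:
            flagged.append((event["cmd"], hits))
    return flagged


if __name__ == "__main__":
    for cmd, labels in scan(SAMPLE_EVENTS):
        print(f"{cmd!r}\n    -> {'; '.join(labels)}")
```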

References

[1] Microsoft Net Share

[2] Microsoft Get-ChildItem

[3] Microsoft systeminfo

[4] Microsoft tasklist

[5] Microsoft ipconfig

[6] Microsoft Route

[7] Microsoft netstat

[8] Microsoft certutil

[9] Microsoft ping

[10] Microsoft taskkill

[11] Microsoft Compress-Archive

[12] NTFSInfo v1.2

[13] rarlab

[14] Microsoft Import-Module

[15] Microsoft set (environment variable)

[16] Microsoft tasklist

[17] MITRE ATT&CK – Software: TaskList

[18] Microsoft find

[19] Microsoft ping

[20] Microsoft del

Revisions

October 4, 2022: Initial version

Source:
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

A potentially dangerous macro has been blocked

Macros can add a lot of functionality to Office, but they are often used by people with bad intentions to distribute malware to unsuspecting victims.

Macros aren’t required for everyday use like reading or editing a document in Word or using Excel workbooks. In most cases you can do everything you need to do in Office without allowing macros to run.

Note: If you’re an IT pro looking to configure this setting, or if you just want more advanced technical details, see Macros from the internet will be blocked by default in Office.

What should I do now?

Still wondering if you should proceed?

  • Were you expecting to receive a file with macros? Never open a file attachment you weren’t expecting, even if it appears to come from somebody you trust. Phishing attacks often appear to come from a person or organization you trust in an effort to get you to open them.
  • Are you being encouraged to enable content by a stranger? A common tactic of attackers is to create some pretense such as cancelling an order or reading a legal document. They’ll have you download a document and try to persuade you to allow macros to run. No legitimate company will make you open an Excel file to cancel an order, and you don’t need macros just to read a document in Word.
  • Are you being encouraged to enable content by a pop-up message? If you downloaded the file from a website, you may see pop-ups or other messages encouraging you to enable active content. Those are also common tactics of attackers and should make you suspicious that the file is actually unsafe.

If a downloaded file from the internet or a file opened from a network share wants you to allow macros, and you’re not certain what those macros do, you should probably just delete that file. 

If you’re sure the file is safe and want to unblock macros

There are a few different ways to do it, depending on your situation.

Unblock a single file

In most cases you can unblock macros by modifying the properties of the file as follows:

  1. Open Windows File Explorer and go to the folder where you saved the file.
  2. Right-click the file and choose Properties from the context menu.
  3. At the bottom of the General tab, select the Unblock checkbox and select OK.
In file properties, near the bottom of the General tab, is a Security section with a checkbox for unblocking the file.

If you don’t see the Unblock checkbox in properties, then try one of the options below. 

Unblock all files from a specific network share or website

If you often download files or directly open files from a trusted cloud location, such as your company’s website or an internal file server, you can set the site as a trusted site in Windows so macros from the site won’t be checked. 

Important: You’ll trust all the macros from this site if you choose to apply this setting, so only do this if you know that every file opened from this location is trustworthy.

  1. Tap the start button or Windows key and type Internet Options.
  2. Select Internet Options from the search results and the Internet Properties dialog box will appear.
  3. On the Security tab, select Trusted Sites, then select Sites.
  4. Type the URL of the site or server that contains the Office files with the macros you want to run, and then select Add. Note: If you want to add URLs that begin with http:// or network shares, uncheck Require server verification (https:) for all sites in this zone.
  5. Select Close and then OK.

    Adding a trusted site in internet properties

Still unable to unblock the macro? 

Visit the Microsoft Answers community to see what others have said or ask your own questions.

Source:
https://support.microsoft.com/en-us/topic/a-potentially-dangerous-macro-has-been-blocked-0952faa0-37e7-4316-b61d-5b5ed6024216

Macros from the internet will be blocked by default in Office

VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.

With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, the following message will be displayed:

Security risk banner about blocked macros with a Learn More button

The Learn More button goes to an article for end users and information workers that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros (if absolutely needed).

In some cases, users will also see the message if the file is from a location within your intranet that’s not identified as being trusted. For example, if users are accessing files on a network share by using the share’s IP address. For more information, see Files centrally located on a network share or trusted website.

 Important

Even before this change we’re introducing, organizations could use the Block macros from running in Office files from the Internet policy to prevent users from inadvertently opening files from the internet that contain macros. We recommend enabling this policy as part of the security baseline for Microsoft 365 Apps for enterprise. If you do configure the policy, your organization won’t be affected by this default change.

For more information, see Use policies to manage how Office handles macros.

Prepare for this change

To prepare for this change, we recommend that you work with the business units in your organization that use macros in Office files that are opened from locations such as intranet network shares or intranet websites. You’ll want to identify those macros and determine what steps to take to keep using those macros. You’ll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations; for example, to see if they can digitally sign their code so that you can treat them as a trusted publisher.

Also, review the following information:

Preparation action | More information
Understand which versions and which update channels have this change (as we roll out this change) | Versions of Office affected by this change
See a flow chart of the process Office takes to determine whether to run macros in a file | How Office determines whether to run macros in files from the internet
Identify files with VBA macros that might be blocked using the Readiness Toolkit | Use the Readiness Toolkit to identify files with VBA macros that might be blocked
Learn about policies that you can use to control VBA macro execution | Use policies to manage how Office handles macros

Steps to take to allow VBA macros to run in files that you trust

How you allow VBA macros to run in files that you trust depends on where those files are located or the type of file.

The following table lists different common scenarios and possible approaches to take to unblock VBA macros and allow them to run. You don’t have to do all possible approaches for a given scenario. In the cases where we have listed multiple approaches, pick the one that best suits your organization.

Scenario | Possible approaches to take

Individual files:
  • Select the Unblock checkbox on the General tab of the Properties dialog for the file
  • Use the Unblock-File cmdlet in PowerShell
  For more information, see Remove Mark of the Web from a file.

Files centrally located on a network share or trusted website:
  Unblock the file using an approach listed under “Individual files.”
  If there isn’t an Unblock checkbox and you want to trust all files in that network location:
  • Designate the location as a Trusted site
  • Add the location to the Local intranet zone
  For more information, see Files centrally located on a network share or trusted website.

Files stored on OneDrive or SharePoint, including a site used by a Teams channel:
  • Have users directly open the file by using the Open in Desktop App option
  • If users download the file locally before opening it, remove Mark of the Web from the local copy of the file (see the approaches under “Individual files”)
  • Designate the location as a Trusted site
  For more information, see Files on OneDrive or SharePoint.

Macro-enabled template files for Word, PowerPoint, and Excel:
  If the template file is stored on the user’s device:
  • Remove Mark of the Web from the template file (see the approaches under “Individual files”)
  • Save the template file to a Trusted Location
  If the template file is stored on a network location:
  • Use a digital signature and trust the publisher
  • Trust the template file (see the approaches under “Files centrally located on a network share or trusted website”)
  For more information, see Macro-enabled template files for Word, PowerPoint, and Excel.

Macro-enabled add-in files for PowerPoint:
  • Remove Mark of the Web from the Add-in file
  • Use a digital signature and trust the publisher
  • Save the Add-in file to a Trusted Location
  For more information, see Macro-enabled add-in files for PowerPoint and Excel.

Macro-enabled add-in files for Excel:
  • Remove Mark of the Web from the Add-in file
  • Save the Add-in file to a Trusted Location
  For more information, see Macro-enabled add-in files for PowerPoint and Excel.

Macros that are signed by a trusted publisher:
  • [recommended] Deploy the public code-signing certificate for the trusted publisher to your users and prevent your users from adding trusted publishers themselves.
  • Remove Mark of the Web from the file, and have the user add the publisher of the macro as a trusted publisher.
  For more information, see Macros that are signed by a trusted publisher.

Groups of files saved to folders on the user’s device:
  Designate the folder a Trusted Location
  For more information, see Trusted Locations.

Versions of Office affected by this change

This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word.

The change began rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Monthly Enterprise Channel and Semi-Annual Enterprise Channel.

The following table shows the forecasted schedule of when this change will be available in each update channel. Information in italics is subject to change.

Update channel | Version | Date
Current Channel (Preview) | Version 2203 | Started rolling out on April 12, 2022
Current Channel | Version 2206 | Started rolling out on July 27, 2022
Monthly Enterprise Channel | Version 2208 | October 11, 2022
Semi-Annual Enterprise Channel (Preview) | Version 2208 | October 11, 2022
Semi-Annual Enterprise Channel | Version 2208 | January 10, 2023

 Note

As we roll out this change to Current Channel over the next few weeks, not all customers will see the change right away.

The change doesn’t affect Office on a Mac, Office on Android or iOS devices, or Office on the web.

How Office determines whether to run macros in files from the internet

The following flowchart graphic shows how Office determines whether to run macros in a file from the internet.

Flowchart that shows how Office determines whether to run macros in files from the internet

The following steps explain the information in the flowchart graphic, except for Excel Add-in files. For more information about those files, see Macro-enabled add-in files for PowerPoint and Excel. Also, if a file is located on a network share that isn’t in the Local intranet zone or isn’t a trusted site, macros will be blocked in that file.

  1. A user opens an Office file containing macros obtained from the internet. For example, an email attachment. The file has Mark of the Web (MOTW).

 Note

  • Mark of the Web is added by Windows to files from an untrusted location, such as the internet or Restricted Zone. For example, browser downloads or email attachments. For more information, see Mark of the Web and zones.
  • Mark of the Web only applies to files saved on an NTFS file system, not files saved to FAT32 formatted devices.
  2. If the file is from a Trusted Location, the file is opened with the macros enabled. If the file isn’t from a Trusted Location, the evaluation continues.
  3. If the macros are digitally signed and the matching Trusted Publisher certificate is installed on the device, the file is opened with the macros enabled. If not, then the evaluation continues.
  4. Policies are checked to see if macros are allowed or blocked. If the policies are set to Not Configured, the evaluation continues to Step 6.
  5. (a) If macros are blocked by policy, the macros are blocked.
    (b) If the macros are enabled by policy, the macros are enabled.
  6. If the user had previously opened the file, before this change in default behavior, and had selected Enable content from the Trust Bar, then the macros are enabled because the file is considered trusted.

 Note

  • For more information, see New security hardening policies for Trusted Documents.
  • For perpetual versions of Office, such as Office LTSC 2021 or Office 2019, this step occurs after Step 3 and before Step 4, and isn’t affected by the change coming to Current Channel.
  7. This step is where the change to the default behavior of Office takes effect. With this change, macros in files from the internet are blocked and users will see the Security Risk banner when they open the file.

 Note

Previously, before this change in default behavior, the app would check to see if the VBA Macro Notification Settings policy was enabled and how it was configured.

If the policy was set to Disabled or Not Configured, then the app would check the settings under File > Options > Trust Center > Trust Center Settings… > Macro Settings. The default is set to “Disable all macros with notification,” which allows users to enable content in the Trust Bar.

Guidance on allowing VBA macros to run in files you trust

Remove Mark of the Web from a file

For an individual file, such as a file downloaded from an internet location or an email attachment the user has saved to their local device, the simplest way to unblock macros is to remove Mark of the Web. To remove, right-click on the file, choose Properties, and then select the Unblock checkbox on the General tab.

File properties dialog showing the choice to unblock

 Note

  • In some cases, usually for files on a network share, users might not see the Unblock checkbox for a file where macros are being blocked. For those cases, see Files centrally located on a network share or trusted website.
  • Even if the Unblock checkbox is available for a file on a network share, selecting the checkbox won’t have any effect if the share is considered to be in the Internet zone. For more information, see Mark of the Web and zones.

You can also use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file. For more information about the ZoneId value, see Mark of the Web and zones.

Files centrally located on a network share or trusted website

If you have your users access files from a trusted website or an internal file server, you can do either of the following steps so that macros from those locations won’t be blocked.

  • Designate the location as a Trusted site
  • If the network location is on the intranet, add the location to the Local intranet zone

 Note

  • If you add something as a trusted site, you’re also giving the entire site elevated permissions for scenarios not related to Office.
  • For the Local intranet zone approach, we recommend you save the files to a location that’s already considered part of the Local intranet zone, instead of adding new locations to that zone.
  • In general, we recommend that you use trusted sites, because they have some additional security compared to the Local intranet zone.

For example, if users are accessing a network share by using its IP address, macros in those files will be blocked unless the file share is in the Trusted sites or the Local intranet zone.

 Tip

  • To see a list of trusted sites or what’s in the Local intranet zone, go to Control Panel > Internet Options > Change security settings on a Windows device.
  • To check if an individual file is from a trusted site or local intranet location, see Mark of the Web and zones.

For example, you could add a file server or network share as a trusted site, by adding its FQDN or IP address to the list of trusted sites.

Trusted sites dialog

If you want to add URLs that begin with http:// or network shares, clear the Require server verification (https:) for all sites in this zone checkbox.

 Important

Because macros aren’t blocked in files from these locations, you should manage these locations carefully. Be sure you control who is allowed to save files to these locations.

You can use Group Policy and the “Site to Zone Assignment List” policy to add locations as trusted sites or to the Local intranet zone for Windows devices in your organization. This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.

Files on OneDrive or SharePoint

  • If a user downloads a file on OneDrive or SharePoint by using a web browser, the configuration of the Windows internet security zone (Control Panel > Internet Options > Security) will determine whether the browser sets Mark of the Web. For example, Microsoft Edge sets Mark of the Web on a file if it’s determined to be from the Internet zone.
  • If a user selects Open in Desktop App in a file opened from the OneDrive website or from a SharePoint site (including a site used by a Teams channel), then the file won’t have Mark of the Web.
  • If a user has the OneDrive sync client running and the sync client downloads a file, then the file won’t have Mark of the Web.
  • Files that are in Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll), and are synced to OneDrive, don’t have Mark of the Web.
  • If you have a group of users, such as the Finance department, that need to use files from OneDrive or SharePoint without macros being blocked, here are some possible options:
    • Have them open the file by using the Open in Desktop App option
    • Have them download the file to a Trusted Location.
    • Set the Windows internet security zone assignment for OneDrive or SharePoint domains to Trusted Sites. Admins can use the “Site to Zone Assignment List” policy and configure the policy to place https://{your-domain-name}.sharepoint.com (for SharePoint) or https://{your-domain-name}-my.sharepoint.com (for OneDrive) into the Trusted Sites zone.
      • This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.
      • SharePoint permissions and OneDrive sharing aren’t changed by adding these locations to Trusted Sites. Maintaining access control is important. Anyone with permissions to add files to SharePoint could add files with active content, such as macros. Users who download files from domains in the Trusted Sites zone will bypass the default to block macros.

Macro-enabled template files for Word, PowerPoint, and Excel

Macro-enabled template files for Word, PowerPoint, and Excel that are downloaded from the internet will have Mark of the Web. For example, template files with the following extensions:

  • .dot
  • .dotm
  • .pot
  • .potm
  • .xlt
  • .xltm

When the user opens the macro-enabled template file, the user will be blocked from running the macros in the template file. If the user trusts the source of the template file, they can remove Mark of the Web from the template file, and then reopen the template file in the Office app.

If you have a group of users that need to use macro-enabled templates without macros being blocked, you can take either of the following actions:

  • Use a digital signature and trust the publisher.
  • If you’re not using digital signatures, you can save the template file to a Trusted Location and have users get the template file from that location.

Macro-enabled add-in files for PowerPoint and Excel

Macro-enabled Add-in files for PowerPoint and Excel that are downloaded from the internet will have Mark of the Web. For example, Add-in files with the following extensions:

  • .ppa
  • .ppam
  • .xla
  • .xlam

When the user tries to install the macro-enabled Add-in, by using File > Options > Add-ins or by using the Developer ribbon, the Add-in will be loaded in a disabled state and the user will be blocked from using the Add-in. If the user trusts the source of the Add-in file, they can remove Mark of the Web from the Add-in file, and then reopen PowerPoint or Excel to use the Add-in.

If you have a group of users that need to use macro-enabled Add-in files without macros being blocked, you can take the following actions.

For PowerPoint Add-in files:

  • Remove Mark of the Web from the .ppa or .ppam file.
  • Use a digital signature and trust the publisher.
  • Save the Add-in file to a Trusted Location for users to retrieve.

For Excel Add-in files:

  • Remove Mark of the Web from the .xla or .xlam file.
  • Save the Add-in file to a Trusted Location for users to retrieve.

 Note

Using a digital signature and trusting the publisher doesn’t work for Excel Add-in files that have Mark of the Web. This behavior isn’t new for Excel Add-in files that have Mark of the Web. It’s worked this way since 2016, as a result of a previous security hardening effort (related to Microsoft Security Bulletin MS16-088).

Macros that are signed by a trusted publisher

If the macro is signed and you’ve validated the certificate and trust the source, you can make that source a trusted publisher. We recommend, if possible, that you manage trusted publishers for your users. For more information, see Trusted publishers for Office files.

If you have just a few users, you can have them remove Mark of the Web from the file and then add the source of the macro as a trusted publisher on their devices.

 Warning

  • All macros validly signed with the same certificate are recognized as coming from a trusted publisher and are run.
  • Adding a trusted publisher could affect scenarios beyond those related to Office, because a trusted publisher is a Windows-wide setting, not just an Office-specific setting.

Trusted Locations

Files from the internet that are saved to a Trusted Location on a user’s device bypass the Mark of the Web check and open with VBA macros enabled. For example, a line of business application could send reports with macros on a recurring basis. If files with macros are saved to a Trusted Location, users won’t need to go to the Properties for the file and select Unblock to allow the macros to run.

Because macros aren’t blocked in files saved to a Trusted Location, you should manage Trusted Locations carefully and use them sparingly. Network locations can also be set as a Trusted Location, but it’s not recommended. For more information, see Trusted Locations for Office files.

Additional information about Mark of the Web

Mark of the Web and Trusted Documents

When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. Currently, when a user opens a file with Mark of the Web, a SECURITY WARNING banner appears, with an Enable content button. If the user selects Enable content, the file is considered a Trusted Document, and macros are allowed to run. The macros will continue to run even after the change of default behavior to block macros in files from the internet is implemented, because the file is still considered a Trusted Document.

After the change of default behavior to block macros in files from the internet, users will see a different banner the first time they open a file with macros from the internet. This SECURITY RISK banner doesn’t have the option to Enable content. But users will be able to go to the Properties dialog for the file, and select Unblock, which will remove Mark of the Web from the file and allow the macros to run, as long as no policy or Trust Center setting is blocking.

Mark of the Web and zones

By default, Mark of the Web is added to files only from the Internet or Restricted sites zones.

 Tip

To see these zones on a Windows device, go to Control Panel > Internet Options > Change security settings.

You can view the ZoneId value for a file by running the following command at a command prompt, and replacing {name of file} with your file name.

notepad {name of file}:Zone.Identifier

When you run this command, Notepad will open and display the ZoneId under the [ZoneTransfer] section.

Here’s a list of ZoneId values and what zone they map to.

  • 0 = My Computer
  • 1 = Local intranet
  • 2 = Trusted sites
  • 3 = Internet
  • 4 = Restricted sites

For example, if the ZoneId is 2, VBA macros in that file won’t be blocked by default. But if the ZoneId is 3, macros in that file will be blocked by default.

You can use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file.
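To tie the ZoneId values above to the decision steps in the flowchart section, here is an added example (not Microsoft’s code) that parses the Zone.Identifier stream content, maps the ZoneId to its zone, and walks the Trusted Location, trusted publisher, policy, Trusted Document and Mark of the Web steps in order. The stream content and URLs are constructed, and the policy values "block", "allow" and None are assumed names for the policy states the flowchart describes.

```python
"""Added example, not Microsoft's code: parse the Zone.Identifier stream that
carries Mark of the Web, map ZoneId to the zones listed above, and walk the
macro decision steps from the flowchart section (Trusted Location, trusted
publisher, policy, Trusted Document, then the Mark of the Web default)."""
from dataclasses import dataclass
from typing import Optional

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed stream content, shaped like what `notepad file:Zone.Identifier`
# shows for a browser download (the URLs are placeholders).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/report.xlsm\r\n")


def parse_zone_id(stream_text: Optional[str]) -> Optional[int]:
    """ZoneId from the [ZoneTransfer] section, or None when there is no
    stream at all (no Mark of the Web) or no ZoneId value in it."""
    if stream_text is None:
        return None
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                return int(value.strip())
    return None


def read_zone_stream(path: str) -> Optional[str]:
    """Read the alternate data stream from a file on NTFS (Windows only).
    Returns None when the stream is absent, which is what Unblock-File or the
    Unblock checkbox leave behind."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8") as stream:
            return stream.read()
    except OSError:
        return None


def has_mark_of_the_web(zone_id: Optional[int]) -> bool:
    """Windows adds Mark of the Web only for Internet (3) and Restricted (4)."""
    return zone_id in (3, 4)


@dataclass
class MacroContext:
    zone_id: Optional[int]
    in_trusted_location: bool = False          # step 2
    signed_by_trusted_publisher: bool = False  # step 3
    policy: Optional[str] = None   # steps 4/5: "block", "allow" or None (Not Configured)
    trusted_document: bool = False             # step 6: user chose Enable content earlier


def evaluate_macros(ctx: MacroContext) -> str:
    """Returns 'enabled' or 'blocked', checking the steps in flowchart order."""
    if ctx.in_trusted_location:
        return "enabled"
    if ctx.signed_by_trusted_publisher:
        return "enabled"
    if ctx.policy == "block":
        return "blocked"
    if ctx.policy == "allow":
        return "enabled"
    if ctx.trusted_document:
        return "enabled"
    # Step 7, the new default: files carrying Mark of the Web are blocked;
    # other files fall through to the Trust Center macro settings, which by
    # default let the user enable content.
    return "blocked" if has_mark_of_the_web(ctx.zone_id) else "enabled"


def evaluate_stream(stream_text: Optional[str], **context) -> str:
    """Convenience wrapper: decide directly from Zone.Identifier content."""
    return evaluate_macros(MacroContext(parse_zone_id(stream_text), **context))


if __name__ == "__main__":
    zone = parse_zone_id(SAMPLE_STREAM)
    print(f"ZoneId={zone} ({ZONES.get(zone, 'unknown')}) ->",
          evaluate_stream(SAMPLE_STREAM))                   # blocked
    print("after Unblock-File ->", evaluate_stream(None))   # enabled
```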

Use the Readiness Toolkit to identify files with VBA macros that might be blocked

To identify files that have VBA macros that might be blocked from running, you can use the Readiness Toolkit for Office add-ins and VBA, which is a free download from Microsoft.

The Readiness Toolkit includes a standalone executable that can be run from a command line or from within a script. You can run the Readiness Toolkit on a user’s device to look at files on the user’s device. Or you can run it from your device to look at files on a network share.

When you run the standalone executable version of the Readiness Toolkit, a JSON file is created with the information collected. You’ll want to save the JSON files in a central location, such as a network share. Then you’ll run the Readiness Report Creator, which is a UI wizard version of the Readiness Toolkit. This wizard will consolidate the information in the separate JSON files into a single report in the form of an Excel file.

To identify files that might be impacted by using the Readiness Toolkit, follow these basic steps:

  1. Download the most current version of the Readiness Toolkit from the Microsoft Download Center. Make sure you’re using at least Version 1.2.22161, which was released on June 14, 2022.
  2. Install the Readiness Toolkit.
  3. From a command prompt, go to the folder where you installed the Readiness Toolkit and run the ReadinessReportCreator.exe command with the blockinternetscan option. For example, if you want to scan files in the c:\officefiles folder (and all its subfolders) on a device and save the JSON file with the results to the Finance share on Server01, you can run the following command.

ReadinessReportCreator.exe -blockinternetscan -p c:\officefiles\ -r -output \\server01\finance -silent
  4. After you’ve done all your scans, run the Readiness Report Creator.
  5. On the Create a readiness report page, select Previous readiness results saved together in a local folder or network share, and then specify the location where you saved all the files for the scans.
  6. On the Report settings page, select Excel report, and then specify a location to save the report.
  7. When you open the report in Excel, go to the VBA Results worksheet.
  8. In the Guideline column, look for Blocked VBA file from Internet.

For more detailed information about using the Readiness Toolkit, see Use the Readiness Toolkit to assess application compatibility for Microsoft 365 Apps.

Use policies to manage how Office handles macros

You can use policies to manage how Office handles macros. We recommend that you use the Block macros from running in Office files from the Internet policy. But if that policy isn’t appropriate for your organization, the other option is the VBA Macro Notification Settings policy.

For more information on how to deploy these policies, see Tools available to manage policies.

 Important

You can only use policies if you’re using Microsoft 365 Apps for enterprise. Policies aren’t available for Microsoft 365 Apps for business.

Block macros from running in Office files from the Internet

This policy prevents users from inadvertently opening files containing macros from the internet. When a file is downloaded to a device running Windows, or opened from a network share location, Mark of the Web is added to the file identifying it was sourced from the internet.

We recommend enabling this policy as part of the security baseline for Microsoft 365 Apps for enterprise. You should enable this policy for most users and only make exceptions for certain users as needed.

There’s a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:

Application | Policy location
----------- | ---------------
Access      | Microsoft Access 2016\Application Settings\Security\Trust Center
Excel       | Microsoft Excel 2016\Excel Options\Security\Trust Center
PowerPoint  | Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
Visio       | Microsoft Visio 2016\Visio Options\Security\Trust Center
Word        | Microsoft Word 2016\Word Options\Security\Trust Center

Which state you choose for the policy determines the level of protection you’re providing. The following table shows the current level of protection you get with each state, before the change in default behavior is implemented.

Icon | Protection level | Policy state | Description
---- | ---------------- | ------------ | -----------
Green circle with white check mark | Protected [recommended] | Enabled | Users will be blocked from running macros in files obtained from the internet. Part of the Microsoft recommended security baseline.
Red circle with white X | Not protected | Disabled | Will respect the settings configured under File > Options > Trust Center > Trust Center Settings… > Macro Settings.
Red circle with white X | Not protected | Not Configured | Will respect the settings configured under File > Options > Trust Center > Trust Center Settings… > Macro Settings.

 Note

  • If you set this policy to Disabled, users will see, by default, a security warning when they open a file with a macro. That warning will let users know that macros have been disabled, but will allow them to run the macros by choosing the Enable content button.
  • This warning is the same warning users have been shown previously, prior to this recent change we’re implementing to block macros.
  • We don’t recommend setting this policy to Disabled permanently. But in some cases, it might be practical to do so temporarily as you test out how the new macro blocking behavior affects your organization and as you develop a solution for allowing safe usage of macros.

After we implement the change to the default behavior, the level of protection changes when the policy is set to Not Configured.

Icon | Protection level | Policy state | Description
---- | ---------------- | ------------ | -----------
Green circle with white check mark | Protected | Not Configured | Users will be blocked from running macros in files obtained from the internet. Users will see the Security Risk banner with a Learn More button.

VBA Macro Notification Settings

If you don’t use the “Block macros from running in Office files from the Internet” policy, you can use the “VBA Macro Notification Settings” policy to manage how macros are handled by Office.

This policy prevents users from being lured into enabling malicious macros. By default, Office is configured to block files that contain VBA macros and display a Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but can’t use any disabled functionality until they select Enable Content on the Trust Bar. If the user selects Enable Content, then the file is added as a Trusted Document and macros are allowed to run.

There’s a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:

Application | Policy location
----------- | ---------------
Access      | Microsoft Access 2016\Application Settings\Security\Trust Center
Excel [1]   | Microsoft Excel 2016\Excel Options\Security\Trust Center
PowerPoint  | Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
Visio       | Microsoft Visio 2016\Visio Options\Security\Trust Center
Word        | Microsoft Word 2016\Word Options\Security\Trust Center

 Note

  • [1] For Excel, the policy is named Macro Notification Settings.
  • The “VBA Macro Notification Settings” policy is also available for Project and Publisher.

Which state you choose for the policy determines the level of protection you’re providing. The following table shows the level of protection you get with each state.

Icon | Protection level | Policy state | Policy value
---- | ---------------- | ------------ | ------------
Green circle with white check mark | Protected [recommended] | Enabled | Disable all except digitally signed macros (and select “Require macros to be signed by a trusted publisher”)
Green circle with white check mark | Protected | Enabled | Disable all without notification
Orange circle with white check mark | Partially protected | Enabled | Disable all with notification
Orange circle with white check mark | Partially protected | Disabled | (Same behavior as “Disable all with notification”)
Red circle with white X | Not protected | Enabled | Enable all macros (not recommended)
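The following audit script is an added example, not part of this article or of Microsoft’s tooling. It reads the policy-backed registry values for the five applications and maps them onto the protection levels in the two policy tables above; it assumes the value names the Office ADMX templates write under HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security (blockcontentexecutionfrominternet and vbawarnings), which this article does not list, and the Zone.Identifier stream layout Windows uses for Mark of the Web.

```powershell
# Added audit script (not from the article). Maps the policy-backed registry values for
# the five applications onto the protection levels in the two tables above.
# ASSUMPTION: value names as written by the Office ADMX templates under
#   HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security
#     blockcontentexecutionfrominternet  (DWORD; 1 = Enabled, 0 = Disabled, absent = Not Configured)
#     vbawarnings                        (DWORD 1..4, see $notificationValues below)
# The user-chosen Trust Center value lives under HKCU:\Software\Microsoft\... rather than
# ...\Policies\..., and is only consulted when no policy value is present.

$apps = 'Access', 'Excel', 'PowerPoint', 'Visio', 'Word'

# "VBA Macro Notification Settings" values and the protection level the table assigns them.
$notificationValues = @{
    1 = @{ Text = 'Enable all macros (not recommended)';        Level = 'Not protected' }
    2 = @{ Text = 'Disable all with notification';              Level = 'Partially protected' }
    3 = @{ Text = 'Disable all except digitally signed macros'; Level = 'Protected' }
    4 = @{ Text = 'Disable all without notification';           Level = 'Protected' }
}

function Get-OfficeMacroPolicyState {
    param([Parameter(Mandatory)][string]$App)

    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$App\Security"
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue

    # --- "Block macros from running in Office files from the Internet" ---
    $block = $policy.blockcontentexecutionfrominternet
    if     ($block -eq 1) { $blockState = 'Enabled' }
    elseif ($block -eq 0) { $blockState = 'Disabled' }
    else                  { $blockState = 'Not Configured' }
    # Before the default-behaviour change, only Enabled counts as Protected; Disabled and
    # Not Configured defer to the user's Trust Center settings.
    $blockLevel = if ($blockState -eq 'Enabled') { 'Protected' } else { 'Not protected' }

    # --- "VBA Macro Notification Settings" (Excel calls it "Macro Notification Settings") ---
    $warn   = $policy.vbawarnings
    $source = 'policy'
    if ($null -eq $warn) { $warn = $user.VBAWarnings; $source = 'user setting' }
    if ($null -ne $warn -and $notificationValues.ContainsKey([int]$warn)) {
        $warnText  = "$($notificationValues[[int]$warn].Text) ($source)"
        $warnLevel = $notificationValues[[int]$warn].Level
    } else {
        # Nothing written anywhere: Office behaves like "Disable all with notification".
        $warnText  = 'Disable all with notification (default, nothing configured)'
        $warnLevel = 'Partially protected'
    }

    [pscustomobject]@{
        Application       = $App
        BlockFromInternet = $blockState
        BlockLevel        = $blockLevel
        MacroNotification = $warnText
        NotificationLevel = $warnLevel
    }
}

# Mark of the Web check: the block policy only applies to files carrying a Zone.Identifier
# alternate data stream whose ZoneId is 3 (Internet). ASSUMPTION: Windows Attachment Manager
# zone numbering, which this article does not spell out.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $false }
    return [bool]($ads | Where-Object { $_ -match '^ZoneId=3$' })
}

$apps | ForEach-Object { Get-OfficeMacroPolicyState -App $_ } | Format-Table -AutoSize
```

Run it in the session of the user being audited, since both keys are under HKCU. Test-MarkOfTheWeb on a downloaded test document tells you whether that file is even subject to the block policy before you attribute a result to the policy state.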

 Important

Securing macros is important. For users that don’t need macros, turn off all macros by choosing “Disable all without notification.”

Our security baseline recommendation is that you should do the following:

  • Enable the “VBA Macro Notification Settings” policy.
  • For users that need macros, choose “Disable all except digitally signed macros” and then select “Require macros to be signed by a trusted publisher.” The certificate needs to be installed as a Trusted Publisher on users’ devices.

If you don’t configure the policy, users can configure macro protection settings under File > Options > Trust Center > Trust Center Settings… > Macro Settings.

The following table shows the choices users can make under Macro Settings and the level of protection each setting provides.

Icon | Protection level | Setting chosen
---- | ---------------- | --------------
Green circle with white check mark | Protected | Disable all macros except digitally signed macros
Green circle with white check mark | Protected | Disable all macros without notification
Orange circle with white check mark | Partially protected | Disable all macros with notification (default)
Red circle with white X | Not protected | Enable all macros (not recommended; potentially dangerous code can run)

 Note

In the policy setting values and the product UI for Excel, the word “all” is replaced by “VBA.” For example, “Disable VBA macros without notification.”

Tools available to manage policies

There are several tools available to you to configure and deploy policy settings to users in your organization.

Cloud Policy

You can use Cloud Policy to configure and deploy policy settings to devices in your organization, even if the device isn’t domain joined. Cloud Policy is a web-based tool and is found in the Microsoft 365 Apps admin center.

In Cloud Policy, you create a policy configuration, assign it to a group, and then select policies to be included in the policy configuration. To select a policy to include, you can search by the name of the policy. Cloud Policy also shows which policies are part of the Microsoft recommended security baseline. The policies available in Cloud Policy are the same User Configuration policies that are available in the Group Policy Management Console.

For more information, see Overview of Cloud Policy service for Microsoft 365.

Microsoft Endpoint Manager admin center

In the Microsoft Endpoint Manager admin center, you can use either the Settings catalog (preview) or Administrative Templates to configure and deploy policy settings to your users for devices running Windows 10 or later.

To get started, go to Devices > Configuration profiles > Create profile. For Platform, choose Windows 10 and later and then choose the profile type.

For more information, see the following articles:

Group Policy Management Console

If you have Windows Server and Active Directory Domain Services (AD DS) deployed in your organization, you can configure policies by using Group Policy. To use Group Policy, download the most current Administrative Template files (ADMX/ADML) for Office, which include the policy settings for Microsoft 365 Apps for enterprise. After you copy the Administrative Template files to AD DS, you can use the Group Policy Management Console to create Group Policy Objects (GPOs) that include policy settings for your users, and for domain joined devices.

UniFi Talk – Use UniFi Talk devices

This article describes how to use your UniFi Talk devices once they’re set up and configured in the Talk application. For more information on how to set up and configure your devices, please refer to these articles on adopting devices and using the Talk application.

For optimal performance, make sure you’re using the latest firmware for your devices and the latest UniFi Talk application version.

Configure voicemail

To configure voicemail on the Touch and Touch Max phone:

  1. From the Keypad, dial *86 or long-press 1 to access voicemail configuration.
  2. Follow the audio prompts to complete voicemail configuration.

Note: Visual voicemail configuration is coming soon.

To configure voicemail on the Flex phone:

  1. Press the MESSAGE button to access voicemail configuration.
  2. Follow the audio prompts to complete voicemail configuration.

Forward an incoming call

To forward an incoming call on the Touch and Touch Max phone:

  1. From the incoming call screen, press the blue Forward button to view your contact list.
  2. Select a contact to forward the incoming call.

Start a parallel call

To start a parallel call (i.e., start a new call while one or more calls are already ongoing) on the Touch and Touch Max phone:

  1. From the active call screen, press the Add / Transfer button.
  2. There are two options for starting a parallel call:
    1. From the Contacts tab of the Add / Transfer screen, select a contact from your contact list.
    2. From the Keypad tab of the Add / Transfer screen, dial a number and press the green button at the bottom of the screen.
  3. Press the Call button to start a parallel call. The current active call will be placed on hold.
  4. When two or more calls are active in parallel, swipe left or right to navigate between active calls.

Transfer an active call

To transfer an active call on the Touch or Touch Max phone:

  1. From the active call screen, press the Add / Transfer button.
  2. There are two options for transferring an active call:
    1. From the Contacts tab of the Add / Transfer screen, select a contact from your contact list.
    2. From the Keypad tab of the Add / Transfer screen, dial a number and press the green button at the bottom of the screen.
  3. You will have the option to press Transfer or Warm Transfer.
    1. If you press the Transfer button, this will utilize a cold (blind) transfer. The active call will immediately be transferred and will ring the destination phone once you press the Transfer button.
    2. If you select the Warm Transfer option, the original caller is placed on hold while the transfer destination is dialed. The transfer destination has to pick up, at which point you have to again press the blue transfer button to complete the transfer.

To transfer an active call on the Flex phone:

  1. While the call is active, press the TRANSFER button.
  2. From here, you can either transfer to a specific number or a contact.
    1. To transfer to a specific number, enter the number you’d like to transfer the call to and press the DIAL soft key.
    2. To transfer to a contact, press the CONTACT soft key to load your contact list. Navigate the contact list using the up/down keys and dial the desired contact by pressing the DIAL soft key or the OK button.
  3. You’re now calling the transfer destination. Once the transfer destination answers the call, press the TRANSFER button again to connect the original caller with the transfer destination.

Note: The Flex phone utilizes a warm (attended) transfer. The original caller will be placed on hold while a second call is established with the transfer destination. Once the second call is connected, the transfer can be completed to connect the original caller with the transfer destination.

Start a conference call

To start a conference call on the Touch and Touch Max phone:

  1. From the active call screen, press the Add / Transfer button.
  2. There are two options for adding additional parties to a conference call:
    1. From the Contacts tab of the Add / Transfer screen, select a contact and press the Add to Call button.
    2. From the Keypad tab of the Add / Transfer screen, dial the additional party’s number, press the green button at the bottom of the screen, and select the Add to Call option.

To start a three-way conference call on the Flex phone:

  1. While the call is active, press the CONF soft key.
  2. From here, you can either start a call with a specific number or a contact.
    1. To call a specific number, enter the number you’d like to transfer the call to and press the DIAL soft key.
    2. To call a contact, press the CONTACT soft key to load your contact list. Navigate the contact list using the up/down keys and dial the desired contact by pressing the DIAL soft key or the OK button.
  3. You’re now calling the third party. Once the third party answers the call, press the CONF soft key again to start a conference call.

Manage your status

To manage your status on the Touch and Touch Max phone:

  1. Press the App Selector button, located below the phone’s touchscreen to the left of the Ubiquiti logo.
  2. Select Settings and click on My Status.
  3. From here, you can select between three status settings:
    1. Available: Incoming calls will ring your device.
    2. Do Not Disturb (DND): Incoming calls will be sent to voicemail.
    3. Redirect: Incoming calls will be forwarded to the specified redirect number.
  4. Create a DND Allow List to allow specific numbers to ring your device when your status is set to Do Not Disturb.
  5. Specify a redirect number using the Change Redirect Number button on the My Status page.

To manage your status on the Flex phone:

  1. Do Not Disturb (DND): Incoming calls will be sent to voicemail.
    1. Press the DND soft key to place your device in Do Not Disturb mode. Incoming calls will go to voicemail. When DND is enabled you will see the word DND with a symbol in the top-left corner of the screen.
    2. Press the DND soft key again to disable Do Not Disturb mode.
  2. Redirect: Incoming calls will be forwarded to the specified redirect number.
    1. Press the MENU soft key, then select 2. SETTINGS.
    2. Use the up/down keys to navigate the settings menu and select 5. CALL FORWARD.
    3. Press the YES soft key to set a redirect status.

On the CALL FORWARD NUMBER screen, press the EDIT soft key, enter your redirect number with the keypad, and press the CONFIRM soft key.

Troubleshooting

My Talk device is showing a Connection Error screen

This error means that your Talk device cannot communicate with the Talk application.

To troubleshoot a Connection Error state:

  1. Ensure that the Talk application is running. To check on Talk’s status, open unifi.ui.com, select your UniFi OS Console, go to Settings > Updates, and locate the Talk application tile. If Talk is stopped, click on the three dots menu in the Talk application tile and select Start.
  2. Restart the Talk application. See this section for instructions on how to restart Talk.
  3. Restart your UniFi OS Console by going to its Settings > Advanced and clicking Restart Console under the Console Controls header.

If you’re still encountering this issue after the troubleshooting steps above, please contact Ubiquiti Support.

Source: https://help.ui.com/hc/en-us/articles/4409791920791-UniFi-Talk-Use-UniFi-Talk-devices

UniFi Protect – Configure location-based activity notifications

You can configure UniFi Protect location-based activity notifications so you are only notified when the user(s) are off-site. This article outlines the steps needed to set this up for your account.

In this article, you will learn how to:

Set the location of your UniFi OS Console

To set the location of your UniFi OS Console:

  1. Make sure that your UniFi OS Console has remote access enabled.
  2. In the UniFi OS settings, go to Console Settings > Time Zone / Location > Edit Location on Map.
  3. Search for the Address or drag your UOS Console to the correct location.
  4. Adjust the Geofencing Radius slider to define your console’s on-site radius (i.e., “geofence”).
  5. Click Apply Changes when you’ve set the desired geofence.

If you experience unexpected status changes while on site, increase the geofence’s radius.

Configure your primary mobile device

Your primary mobile device will be the one used to determine whether you are on or off-site (i.e., within the geofence).

To configure your primary mobile device:

  1. Make sure cellular data is enabled on your mobile device.
  2. Make sure that the UniFi Protect mobile app has proper location permissions:
    1. For iOS devices, set the Protect mobile app’s Location Setting permission to Always. Precise Location should also be enabled.
    2. For Android devices, make sure that Protect mobile app’s location access is set to Allow all the time.
  3. Open the Protect mobile app, tap the Settings icon on the bottom-left corner of the screen followed by Primary Device; then, select the desired mobile device from the list. 
  4. To activate your UniFi OS Console’s geofence, use the Protect mobile app to go to Settings UniFi OS Console > Network and enable the Geofencing toggle.

Configure location-based activity notifications

After you’ve configured the locations of your UniFi OS Console and primary mobile device, you can create activity notifications using your UniFi Protect web application or mobile app.

To create activity notifications using the UniFi Protect mobile app:

  1. Go to Settings > Notifications to create a new activity notification or edit an existing one.
  2. Select from Off, Default, or Custom.
    1. If you choose Custom, click the Activity tab to customize the notification for each camera.

To create or edit activity notifications using the Protect web application:

  1. Log in and go to Settings > Notifications > Activity.
  2. Adjust When to Send > Location Based to receive notifications when you are off site (When I’m Away) or when all users are off site (When Everyone is Away).
  3. Go back and customize the notifications for your cameras.

Troubleshooting inaccurate location tracking

The Protect mobile app uses GPS and communication with the UniFi OS Console to provide an accurate location.

If you are experiencing location inaccuracies, follow the device-specific steps below to improve the mobile app’s location tracking:

For iOS / iPadOS devices:

  1. Disable Low Power mode, as it may prevent the app from sending location status updates.
  2. Enable Background App Refresh and Cellular Data for the UniFi Protect mobile app.
  3. Disable VPN or Mobile Hotspot if they interfere with location accuracy.

For Android devices:

  1. Select High Accuracy mode for mobile phone location tracking, if available.
  2. Disable data saving settings.
  3. Disable battery optimization for the UniFi Protect mobile app by tapping Settings > Battery > Battery Optimization > Don’t Optimize.
  4. Disable power saving mode to ensure it isn’t auto-enabled once your phone battery is low.
  5. If your mobile has a Deep Sleep feature, disable it for the UniFi Protect mobile app to make sure you don’t receive location status updates after opening it.

Source: https://help.ui.com/hc/en-us/articles/360037982314-UniFi-Protect-Configure-location-based-activity-notifications

UniFi Protect – Manage motion detection and privacy zones

This article describes how to set camera zones and configure motion detection behavior on your UniFi Protect system.

Camera zones overview

There are three different types of camera zone settings you can use:

  • Motion Zones, which tell the camera to recognize motion in specific zones and trigger certain actions, e.g. record footage and create Motion Detections for you to review later
  • Privacy Zones, which let you block out certain areas on the video recordings
  • Smart Detection (AI and G4 camera series), which let you create Events for certain types of motion, e.g. when the camera detects a person

Set up motion zones

Motion zones are specific zones where the camera will detect and record motion.

To trigger and record motion events and also trigger motion alerts, the camera recording settings must be set to Always or Detections.

For more information on recording settings, see UniFi Protect – View camera streams and manage recordings.

To set up a motion zone on the web application:

  1. Go to the Devices section and select the desired camera.
  2. On the right side panel, select Zones > Expand Motion Zones > Add Motion Zone.
  3. Create the Motion Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.
  4. Adjust the zone’s detection sensitivity based on your camera’s surroundings using the slider node below the feed window.

To set up a motion zone on the mobile app:

  1. Select the desired camera on the home screen.
  2. Tap on the Settings icon in the upper-right corner of your screen, then select Motion Zones > Add Motion Zone.
  3. Create the Motion Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.
  4. Adjust the zone’s detection sensitivity based on your camera’s surroundings using the slider node below the feed window.

Please note that adjusting the recording setting to Never disables motion detection recording and alerts.

When setting up zones, you can adjust the zone sensitivity. Setting a higher value will make your camera more sensitive, making it more likely to detect and log more subtle motions (e.g., small object movements).

If you’re getting an increased amount of motion events due to minor movements such as moving branches, decrease zone sensitivity to prevent excessive minor motion event logging.


Set up Smart Detection zones

Smart Detection Zones create events when specific motions are detected (e.g., a person’s movement).

Currently, Smart Detection zones only support person detection, meaning that you will only be notified when this specific motion event occurs.

The Smart Detection feature is only available for G4 and AI series cameras, except for G4 Instant.

To set up Smart Detection zones:

  1. Go to Devices > Properties panel > Recordings and enable Person detection.
  2. Go to the Zones section, click Add new zone, and name it.
  3. Create the Smart Detection Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.
  4. Adjust the zone’s detection sensitivity based on your camera’s surroundings using the slider node below the feed window.

Set up privacy zones

You can set privacy zones for each of your cameras, which block live playback and recordings of content within the specified area. Instead, you will see a blacked-out image.

To set up a privacy zone on the web application:

  1. Go to the Devices section and select the desired camera.
  2. On the right side panel, select Zones > Expand Privacy Zones > Add Privacy Zone.
  3. Create the Privacy Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.

To set up a privacy zone on the mobile app:

  1. Select the desired camera on the home screen.
  2. Tap on the Settings icon in the upper-right corner of your screen, then select Privacy Zones > Add Privacy Zone.
  3. Create the Privacy Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.

Source: https://help.ui.com/hc/en-us/articles/360056987954-UniFi-Protect-Manage-motion-detection-and-privacy-zones

UniFi Protect – Manage Live Footage and Recordings

The UniFi Protect mobile and web applications allow you to view live and recorded footage as well as adjust the image and video playback quality. 

Live View

By default, the video bitrate of your cameras is automatically reduced during prolonged periods of low motion frequency in order to reduce storage utilization. You may choose a specific resolution by changing the Viewer Quality to Low or High on the Protect web application by hovering over the Live View, or on the mobile app within the Live View’s specific settings.

Note: If your bandwidth is limited, you may experience unstable playback while viewing a high quality live feed.

Recordings and Detections

Your recording’s duration and quality will depend on the camera’s Recording Mode. The When to Record setting can be set to Always, Never, or Detections. Image quality and frame rate can be adjusted using the Recording Quality setting.

Note that:

  • A higher frame rate will give you smoother video playback while a lower frame rate will ensure better picture quality.
  • Recording with higher image quality will require more storage space than lower quality ones.

You can download the Detection clips from the mobile app by tapping the Share icon > Export clip, or from the web application by selecting the detection and clicking the Download icon.

Adjust the Camera Picture Settings

Most image quality issues can be resolved by adjusting the camera picture settings, which are specific to each camera and found within Devices > select a camera > Settings.

The camera’s image is dull, dark, or distorted

To correct imagery that appears dark, dull, or distorted:

  1. Open the camera’s settings and select Adjust Camera Picture.
  2. Adjust the Brightness, Contrast, and Hue settings for the camera.

Note: There is no definite way of setting this for all cameras in any environment. Try adjusting these settings to achieve the desired image quality outcome.

The camera recording quality is low

To improve a camera’s recording quality, open its Recording Mode settings and increase the Frame Rate and Image Quality settings as described above.

The camera’s image is harshly lit

Harsh lighting creates a strong contrast that can make it difficult to see smaller, finer details in your live feeds and recordings. To resolve this, try enabling the HDR feature (or WDR depending on the camera model) in the Camera Picture settings.

The camera is out of focus (G3 Pro, G4 Pro, G4 PTZ cameras only)

If your G3 Pro, G4 Pro, or G4 PTZ cameras appear to be out of focus:

  • Make sure there are no objects between the camera and its focal point that may affect its ability to auto-focus.
  • Try manually setting the focal point with the Focus Camera Picture setting.

The camera isn’t switching to Night (IR) Mode

If your cameras are not switching to Night (IR) mode, or are rapidly alternating between Night and Day Mode, verify that:

  • Each camera’s infrared setting is set to Auto.
  • There are no external light sources, such as ambient lights in front of a camera, affecting integrated light sensors.
  • There are no obstructions near the front of the camera. Obstructions can cause the camera’s infrared light to reflect back at its sensor, causing it to switch back and forth between Night and Day Modes.

Night (IR) Mode imagery is blurry

If your Night (IR) Mode imagery is blurry:

  • Carefully clean your camera’s lens or dome using a soft cloth and isopropyl alcohol. The alcohol’s concentration should not exceed 70%; otherwise, you risk damaging its surface. Be sure to remove all residue to prevent unwanted reflections.
  • Ensure that no obstructions near the camera’s lens are causing IR reflections.
  • (For Dome cameras) Make sure that the dome cover is tightly secured to the lens housing. The rubber gasket should be firmly fastened to the dome’s surface and the dome should be in the locked position.

Source: https://help.ui.com/hc/en-us/articles/360058867233-UniFi-Protect-Manage-Live-Footage-and-Recordings

UniFi Protect – Optimizing G4 Dome’s Night Mode

The G4 Dome camera is equipped with infrared LEDs to give it night vision. However, some factors may cause these LEDs to produce glares on the camera’s feed. The most common causes of glaring and poor resolution are:

https://www.youtube-nocookie.com/embed/gKNf23tWOFE

Reflections from nearby objects

Per its installation guide, the G4 Dome should be installed at least 60 centimeters (cm), or 24 inches, away from neighboring walls and the ceiling. If nearby objects or fixtures, such as a wall corner or overhang, are closer than that, they may reflect infrared light into the camera and create a glare.

Ceiling-mounting near a wall corner

Below, you can see how mounting the G4 Dome to the ceiling with objects in the foreground can result in poor image quality.

[Images: G4 Dome ceiling-mounted near a wall corner, and the resulting camera view]

Ceiling-mounting near overhangs

The camera below is too close to the pillar so it appears in the camera’s field of view (FoV).

[Images: G4 Dome ceiling-mounted near an overhang, and the resulting camera view]

Wall-mounting too close to the ceiling

The camera below doesn’t have at least 60 cm of separation from the ceiling and its image quality is diminished as a result.

[Images: G4 Dome wall-mounted too close to the ceiling, and the resulting camera view]

Residue on the bubble cover or lens

While installing the G4 Dome, its lens and bubble cover may collect dust, oil stains, and fingerprints. This can also occur if you wipe the lens or bubble cover incorrectly. 

If there is residue on the G4 Dome’s lens or bubble cover, clean them with either lens wipes, a lens cloth with a lens cleaning solution, or a soft cleaning cloth and rubbing alcohol. Continue to do this periodically to prevent distorted image quality due to dirty lens and cover surfaces.

Oil stains or fingerprints on the bubble cover or lens

When oil stains stick to the bubble cover or lens, the infrared lights become diffused by the foggy surface.

The image below shows the camera’s bubble cover marked with fingerprints.

[Image: fingerprints on the bubble cover]

The image below shows a lens with oil stains.

[Image: lens with oil stains]

Below, you can see how image quality with a clean bubble cover is markedly better than that of an oil-stained equivalent.

[Images: camera view with a clean bubble cover versus an oil-stained one]

Moisture droplets on the bubble cover

When moisture droplets stick to the bubble cover, the camera’s infrared lights become scattered by the trapped moisture, like in the example directly below.

To avoid reduced image quality due to moisture droplets, wipe the bubble cover’s exterior with a lens cloth.

[Images: moisture droplets on the bubble cover, and the resulting camera view]

Bubble cover not properly locked in place

The G4 Dome’s removable bubble cover has a locking mechanism to ensure an airtight seal. When the bubble cover is not attached properly, the camera’s infrared lights can be reflected back into its lens. 

To mount the bubble cover correctly:

  1. Align the small indentations on the cover and camera.
  2. Rotate the cover clockwise to securely fasten its rubber lining. The sealing strips should not be visible.

The example images below show the G4 Dome when its bubble cover is properly attached (left), and when it’s not (right).

[Image: G4 Dome bubble cover correctly attached (left) and incorrectly attached (right)]

Here, you can see the G4 Dome’s image quality when its bubble cover is properly attached.

[Image: night-mode frame with the bubble cover properly attached]

Here, you can see how its image quality is greatly reduced by an incorrectly attached cover.

[Image: night-mode frame with the bubble cover incorrectly attached]

The rubber seal surrounding the lens is damaged

When the rubber seal surrounding the lens is damaged, infrared light can leak in and distort the camera feed.

The images below show a normal seal (left) and a damaged one (right).

[Image: rubber seal surrounding the lens, normal (left) and damaged (right)]


Source: https://help.ui.com/hc/en-us/articles/1500008633161-UniFi-Protect-Optimizing-G4-Dome-s-Night-Mode

UniFi Protect – Optimizing Camera Connectivity

This article describes how to access your UniFi Protect application locally or remotely, the factors that create access issues, and how to solve said issues.

How to connect to UniFi Protect

There are two ways to access your UniFi Protect application:

  • Locally, by accessing the IP address of the UniFi OS Console hosting Protect; or
  • Remotely, via the Protect web application (unifi.ui.com) or mobile app (iOS/Android).

Note: Remote access must be enabled in your Protect application. It is enabled by default.

To enable Remote Access in your UniFi Protect application:

  1. Access the UniFi OS Console hosting Protect via its IP address. 
    1. If you don’t know your UniFi OS Console’s IP address, use the WiFiman app (iOS/Android) to locate it on your WiFi network.
  2. Log in to your Ubiquiti SSO account.
  3. Go to the System Settings > Advanced menu, and enable the Remote Access toggle.

Identifying issues

To identify potential reasons for Protect connectivity issues:

  • Try accessing your UniFi OS Console locally by entering its IP address in your web browser, or remotely via the Protect web application (unifi.ui.com) or mobile app.
  • Use different mobile devices, ideally running different operating systems (iOS, Android).
  • Use different supported browsers, such as Chrome, Firefox, or Safari, on different computers.
  • Connect to different client locations, such as:
    • A local network with the same subnet as the Protect application.
    • A mobile carrier network via a mobile device or tethering.
    • A remote network, such as a workplace or public WiFi network.
  • Have multiple users, ideally with different system roles, attempt to access the Protect application.

Note: Record your observations. They may be helpful if you need to contact our technical support team.

My camera streams load slowly or buffer frequently

To identify potential reasons for slow stream loading and/or frequent buffering:

  • Check the stability of your network connection:
    • Perform a speed test using the WiFiman app while connected to the same network as your UniFi OS Console. UniFi Protect should perform well with a network connection better than 5 Mbps and decently with a connection of at least 2.5 Mbps. Below this, performance may suffer.
  • Ensure that your computer or mobile network is not limiting bandwidth:
    • A VPN could be preventing client devices from making a peer-to-peer connection with your UniFi OS Console, meaning that all data is first relayed through Ubiquiti’s Remote Management Service, leading to diminished performance. If so, disable the VPN.
    • Check whether there is a subnet conflict: the UniFi OS Console is on a different subnet than the client but still on the LAN. If the client needs to reach your UniFi OS Console’s subnet but has no route to it, it will send the traffic to the gateway (the local router), which knows how to route to the UniFi OS Console. If a VPN is enabled and has a configured route to another network with the same subnet, that VPN route will override the local one.
  • Check your UniFi OS Console’s performance data and make sure you haven’t exceeded its maximum supported camera limit. If you have, streaming performance will be diminished.
  • Check your computer’s CPU utilization. A lower-specification computer may not be capable of playing back multiple video streams. If the CPU utilization is nearing 100%, try playing back fewer video streams (e.g., fewer cameras on the live view matrix).

I can access Protect locally but not remotely

If you can’t access the Protect application remotely:

  1. Check if Remote Access is enabled:
    1. If it is enabled, try disabling it and enabling it again.
  2. Confirm that you have permission to access Protect remotely. For more information, see UniFi Protect – Add and manage users.
  3. Visit status.ui.com to see if there are any issues with Ubiquiti’s Remote Management Service currently being resolved.

I can’t access Protect from the mobile app

If you can’t access Protect from the mobile app:

  1. Verify that the UniFi Protect mobile app is updated to the latest version.
  2. Ensure that the UniFi Protect mobile app is not restricted from accessing WiFi or cellular data:
    1. For iOS devices, go to the Settings > Cellular Data menu and make sure UniFi Protect is toggled on.
    2. For Android devices, go to the Settings > WiFi & Internet > Data Usage > Cellular Data Usage menu, select UniFi Protect, and make sure WiFi and cellular data are not disabled in the App data usage section.
  3. Disable VPN if one is enabled, since some VPNs may block WebRTC connectivity, which is used by Protect.
    1. For Android devices with VPN enabled, try disabling Private DNS in the Settings > WiFi & Internet > Private DNS menu. On some WiFi and mobile carrier networks, certain Private DNS providers such as Cloudflare’s 1.1.1.1 may interfere with WebRTC.
  4. Disable or remove any third-party security or privacy apps that may interfere with network connectivity.
  5. Force-quit the mobile app and open it again.
  6. Uninstall the mobile app, reinstall, and open it.

I can’t access Protect from my web browser

If you’re having trouble accessing Protect from a web browser, but you can connect with the mobile app or a web browser on a different network, there may be an issue with your network configuration. For more information, see the Advanced troubleshooting processes section. 

If you have a UniFi Cloud Key Gen2 Plus (UCK G2 Plus) updated to Version 2.0.24 running Protect application Version 1.14.0 or higher, it operates via UniFi OS and, therefore, can be accessed remotely at unifi.ui.com, not protect.ui.com.

If you don’t see your Cloud Key-hosted Protect application on unifi.ui.com, make sure your UCK G2 Plus’s firmware is up to date. For more information, see UniFi – How to manage & upgrade the Cloud Key.

If your Cloud Key’s firmware is up to date and you can see the Protect application at unifi.ui.com but can’t access it, check if Remote Access is enabled. The recent firmware upgrade might have disabled Remote Access functionality. Follow the steps in the How to connect to UniFi Protect section.

I can’t access Protect on a specific browser

Browser-specific access failures are most often caused by third-party software, such as a browser extension or an application on the host computer.

Common extensions, software, and other features known to cause issues include:

  • uBlock Origin
  • Privacy Badger
  • WebRTC Leak Prevent
  • Various VPN services, such as Tunnelbear
  • Ad or traffic blockers that interfere with WebRTC connectivity used by UniFi Protect

To troubleshoot browser issues:

  1. Disable all suspected third-party security or privacy-related browser extensions and software.
  2. If you can now access Protect, re-enable the extensions and software one at a time, and test your Protect access after each one. This will help you identify the inhibiting software.
  3. (For Chrome only) Disable the feature flag Anonymize local IPs exposed by WebRTC:
    1. Copy and paste the following into your address bar: chrome://flags/#enable-webrtc-hide-local-ips-with-mdns
    2. Select Disabled, then restart Chrome.

Once you’ve found the inhibiting software, leave it disabled or uninstall it. If it’s essential, however, contact the developer’s support team for further guidance on how to configure it so it doesn’t prevent Protect access.

I’m a new user and see a No Controllers Detected notification

If you’re a new user signing in via unifi.ui.com or the Protect mobile app and the UniFi OS Console that hosts your Protect application isn’t appearing, make sure that your user permissions include remote access to the UniFi OS Console. For more information on creating users, see UniFi Protect – Add and manage users.

In some cases, a new user can accept a Protect application invitation, log in to their Ubiquiti account via web browser, initially see their UniFi OS Console, then receive a No Controllers Detected notification.

If you’re a new user and see a No Controllers Detected notification after trying to access the Protect web application:

  1. Make sure that your UniFi OS Console and Protect application versions are up to date.
  2. Make sure that you have permission to remotely access the UniFi Protect application. For more information, see UniFi Protect – Add and manage users.
  3. Verify that you are a verified and active user by going to unifi.ui.com, clicking on your UniFi OS Console, navigating to the Users menu, and checking your user status.
  4. If this doesn’t resolve the issue, delete the custom users and user roles created, reboot the UniFi OS Console, and recreate the users:
    1. Log in to your UniFi OS Console from the Owner account.
    2. Go to unifi.ui.com, click on your UniFi OS Console, navigate to the Users menu, and delete all custom users and user groups.
    3. Click on the dot grid icon in the top-right corner of the dashboard, navigate to Protect > Roles, and delete all custom user roles.
    4. Click on the dot grid icon in the top-right corner of the dashboard, click the Settings > Advanced tab on the left side of the following screen, and click Restart Device.
    5. Once the device reboots, log in again with the Owner account and recreate all desired users, groups, and roles.

Advanced troubleshooting processes

Check if a WebRTC connection can be established

UniFi Protect uses WebRTC technology to establish connections between your UniFi OS Console and client devices through NAT and firewalls, such as a UniFi gateway, without requiring explicit port forwarding or the revision of firewall rules.

Typically, you won’t need to make any changes to your network, device, or client configurations in order to access Protect locally or remotely.

However, to establish a WebRTC connection needed to access Protect, both networks (i.e., the one that your Protect application connects to and the one that your client device(s) connect to) must meet these requirements:

  • Reliable access to Internet and DNS service
  • Adequate bandwidth for basic connectivity and video transfer
  • Outbound TCP connection capability on Port 443
  • Outbound UDP connection capability on Ports 0–65535

    Note: Port forwarding is not required for TCP or UDP connectivity.
  • A firewall configured to accept solicited, inbound UDP traffic
  • No network security appliances (e.g., IPS) or services blocking WebRTC (e.g., STUN or DTLS)
  • No gateways configured to use Symmetric NAT, which either block peer-to-peer connections, force the use of a relay server (i.e., TURN), or cause said relay to fail

Note: For more information on the technical aspects of WebRTC, please visit webrtc.org.

Troubleshooting WebRTC connection issues caused by Symmetric NAT

Symmetric NAT, while uncommon, can cause issues when establishing WebRTC and other peer-to-peer connections because it does not maintain a 1:1 port mapping for established connections, causing them to fail.

If that happens, WebRTC will attempt to connect via a relay server (i.e., TURN), which will result in either diminished connection quality or outright connection failure.

If you are behind a Symmetric NAT, you can either:

  • Establish a VPN connection between the client and Protect; or
  • Configure your router to a mode other than Symmetric NAT, such as Cone NAT.

The UniFi OS Console hosting your UniFi Protect application will automatically detect and log Symmetric NAT on its side but will be unable to determine the NAT type on the clients’ side.

If you suspect Symmetric NAT on the console-side connection:

  1. Establish an SSH connection to your UniFi OS Console.
  2. Execute the following command: grep -Ri "symmetric" /srv/unifi-protect/logs

Any results will confirm that the connection failed due to Symmetric NAT.

Troubleshooting issues with a particular network

If you identify connectivity problems within a particular network, focus your troubleshooting efforts there. For example, if you can connect to your business’s Protect deployment from home, but not while at a friend’s house, focus on troubleshooting the latter network.

If you can’t access Protect from any remote location, focus first on the application’s on-site network.

In both cases:

  1. Verify that the UniFi OS Console hosting Protect and all client device(s) have a stable internet connection, including a valid gateway IP and DNS servers. Some DNS providers are known to cause problems, such as 1.1.1.1. Try changing it to Google’s 8.8.8.8.
  2. Verify that selected DNS servers properly resolve the following domains:
    1. device.svc.ubnt.com
    2. device.amplifi.com
    3. global.stun.twilio.com
    4. global.turn.twilio.com
  3. Review your firewall configuration to ensure it meets the requirements listed in the Check if a WebRTC connection can be established section. If you’ve configured custom firewall rules, try disabling them temporarily to test.
  4. Remove any port forwards for UniFi Protect that may have been configured incorrectly.
  5. Disable any network-level security appliance or service rules intended to block WebRTC’s internal protocols, STUN or DTLS. If you are using a UniFi gateway, the UniFi Intrusion Prevention System (IPS) does not require a specific configuration to prevent WebRTC connectivity blockage.
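The DNS, outbound TCP 443 and console-side Symmetric NAT checks from the WebRTC requirements list and the steps above, combined into one preflight script. This is an added example, not Ubiquiti's own tooling; it assumes a Linux host (such as an SSH session on the console) with bash, getent, grep and timeout, and the log directory is the one named in the article.

```shell
#!/usr/bin/env bash
# Added preflight check for the requirements above; not Ubiquiti's own tooling.
# Assumes a Linux host (e.g. an SSH session on the console) with bash, getent,
# grep and timeout. The log directory is the one named in the article.
set -u

# Domains the article says the selected DNS servers must resolve.
REQUIRED_DOMAINS="device.svc.ubnt.com device.amplifi.com global.stun.twilio.com global.turn.twilio.com"
PROTECT_LOG_DIR="${PROTECT_LOG_DIR:-/srv/unifi-protect/logs}"

# Resolve each required domain; prints every failure and returns the failure
# count (0 means all four resolved).
resolve_required_domains() {
  local failed=0 d
  for d in $REQUIRED_DOMAINS; do
    if ! getent hosts "$d" >/dev/null 2>&1; then
      echo "DNS FAIL: $d"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Outbound TCP 443 check using bash's /dev/tcp, so no extra client is needed.
check_tcp443() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/443" 2>/dev/null
}

# Number of log lines under $1 that mention "symmetric" (case-insensitive),
# the same search the article runs with grep -Ri.
symmetric_nat_hits() {
  local hits
  hits=$(grep -Rih "symmetric" "$1" 2>/dev/null | wc -l)
  echo $((hits))
}

# Succeeds (returns 0) only when the console has logged a Symmetric NAT failure.
symmetric_nat_detected() {
  [ "$(symmetric_nat_hits "$1")" -gt 0 ]
}

# Run the whole preflight only when invoked with "run"; sourcing just defines the functions.
if [ "${1:-}" = "run" ]; then
  resolve_required_domains && echo "DNS: all required domains resolve"
  check_tcp443 global.stun.twilio.com && echo "TCP 443 outbound: OK" || echo "TCP 443 outbound: FAIL"
  if symmetric_nat_detected "$PROTECT_LOG_DIR"; then
    echo "Symmetric NAT entries found in $PROTECT_LOG_DIR (console-side NAT problem)"
  else
    echo "No Symmetric NAT entries in $PROTECT_LOG_DIR"
  fi
fi
```

Run it as `bash preflight.sh run` on the console; a non-zero DNS failure count or a logged Symmetric NAT entry points at the network side to investigate.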

Source: https://help.ui.com/hc/en-us/articles/360034238233-UniFi-Protect-Optimizing-Camera-Connectivity