Introduction
Control who can access Level and how your technicians connect to devices. The Security page covers three org-wide settings: mandatory two-factor authentication (2FA) for all technicians, end-user approval for remote control sessions, and an IP allowlist that restricts where technicians can log in from.
Remote control approval applies org-wide by default, but can be configured independently per device group for more granular control.
Mandatory Two-Factor Authentication
Two-factor authentication (2FA) requires technicians to verify their identity with a third-party authenticator app each time they sign in. Enabling it org-wide means every technician on your team must have 2FA configured — they can't skip it.
To require 2FA for all technicians:
Go to Settings → Security.
Under Mandatory two-factor authentication (2FA), check Require two-factor authentication.
Click Update preferences.
⚠️ WARNING: Once enabled, any technician without 2FA configured will be prompted to set it up on their next login. They won't be able to access Level until they complete setup. Give your team a heads-up before enabling this org-wide.
ℹ️ NOTE: Technicians manage their own 2FA from Settings → Password / 2FA. Admins can disable 2FA for an individual technician from Workspace → Team if someone gets locked out.
Remote Control Approval
By default, Level notifies the end user when a technician starts a remote control session — no action required from the end user. You can change this so end users must explicitly approve the connection before it goes through.
This matters in regulated industries. In healthcare, a technician connecting to a doctor's workstation could inadvertently see patient records they're not authorized to view. In legal environments, the same concern applies to privileged client documents. Requiring approval gives the end user control over when a connection happens, keeping your team compliant with regulations like HIPAA.
To configure remote control approval:
Go to Settings → Security.
Under Remote control approval, select your preferred mode:
Notify end-user — The end user sees a notification when a technician connects. No approval required.
Ask for approval — The end user receives a prompt to approve or deny the connection before it's established.
If you selected Ask for approval, use the dropdown to choose what happens if the end user doesn't respond:
Connect if the end-user doesn't answer — The session proceeds automatically after the prompt times out.
Require approval — The connection is blocked unless the end user actively approves it.
Click Update approval settings.
💡 TIP: In high-compliance environments, set the fallback to Require approval. This ensures a technician can never connect without explicit consent — even if the end user misses the prompt.
Pushing Settings to All Groups
Device groups inherit the org-wide approval setting by default, but individual groups can have their own override configured. If you want the org-wide setting to take over everywhere and clear all group-level overrides, check Force this selection to all descendant device groups, clearing all overrides before clicking Update approval settings.
⚠️ WARNING: Checking Force this selection overwrites any group-level remote control approval settings across your entire organization. Groups would need to be manually reconfigured if you want different settings per group afterward.
Configuring Approval Per Device Group
You can set a different approval mode for a specific device group without affecting the org-wide default. For full details, see Group Security.
Go to Devices and locate the group in the sidebar.
Click the three-dot menu (⋮) next to the group name and select Settings.
Navigate to the Security tab.
Configure the remote control approval setting for this group and click Update approval settings.
ℹ️ NOTE: The group-level security page shows "Inherited from Level" next to the approval setting when no group-level override is active, indicating it's following the org-wide default.
IP Allowlist
The IP allowlist restricts Level access to specific IP addresses or ranges. When enabled, technicians can only log in from listed IPs — anything else is blocked. Use this to ensure your team can only access Level from the office network, a VPN, or other trusted locations.
Adding IP Addresses
Go to Settings → Security.
Scroll to IP allowlist.
Click + Add IP address.
Enter the IP address or CIDR range and an optional description to identify it (for example, "Dallas Office" or "VPN Egress").
Click to save the entry.
Repeat for any additional addresses.
ℹ️ NOTE: The allowlist accepts individual IP addresses (e.g., `203.0.113.47`), CIDR ranges (e.g., `192.0.2.0/24`), and both IPv4 and IPv6 formats. Use CIDR notation when you need to allowlist an entire subnet.
💡 TIP: The Add IP address dialog shows your current IP address at the top. Add it before enabling the allowlist to make sure you don't lock yourself out.
Enabling and Managing Entries
Each entry in the allowlist has its own enable/disable toggle — you can add an IP to the list without activating it yet. The three-dot menu on each entry gives you Edit and Delete options.
Once your entries are configured, toggle the IP allowlist from Disabled to enabled to activate the restriction org-wide.
⚠️ WARNING: Enable the IP allowlist only after you've added all required IP addresses. If you enable it without including your current IP, you'll be locked out of Level immediately. Contact Level support to recover access — they'll walk you through a verification process before restoring it.
ℹ️ NOTE: If your team uses dynamic IPs, allowlisting a static VPN or office egress IP is more reliable than tracking individual addresses.
FAQ
Who can change these security settings? Only admins have access to the Settings → Security page. Standard technician accounts won't see these options.
Does the IP allowlist affect my devices or the Level agent? No. The allowlist only controls where technicians can log in to Level from. Devices with the Level agent installed communicate with Level independently — the allowlist has no effect on them.
What happens to technicians who don't have 2FA set up when I enable mandatory 2FA? They'll be prompted to configure 2FA on their next login and won't be able to access Level until they do. Give your team a heads-up before enabling this.
Can I set different remote control approval rules for specific client groups? Yes. The setting in Settings → Security is the org-wide default. You can override it per device group by going to the group's three-dot menu → Settings → Security. Groups that haven't been overridden show "Inherited from Level" and follow the org-wide default.
What's the difference between "Notify end-user" and "Ask for approval"? "Notify end-user" shows the end user a notification when a technician connects, but the session starts immediately. "Ask for approval" holds the connection until the end user explicitly approves it. Use "Ask for approval" in environments where your team needs documented consent before accessing a device.
I added IPs to the allowlist but my technicians are still getting blocked. What's wrong? Check that the master IP allowlist toggle is enabled — adding entries alone doesn't activate the restriction. Also confirm the IPs you've listed match the actual egress IPs your technicians are connecting from. If your team uses a VPN, make sure they're connected before trying to log in.
I accidentally locked myself out by enabling the IP allowlist. How do I get back in? Contact Level support. They'll verify your identity through a confirmation process before restoring your access.