Reflections on a Reliable SEB-Setup with OPAL LMS for Digital Exams

R
Statistics
Digital
Exam
Teaching
SEB
OPAL
LMS
Author

Johannes Titz

Published

September 21, 2025

Our teaching team has been using the safe exam browser (SEB) for examinations for quite some time. In this note, I would like to share some thoughts on a practical configuration and a few recurring issues.

In general, the SEB configuration file (XML) can be edited directly in a standard text editor rather than through the SEB Configurator. At present, I prefer this approach, as it is considerably faster and, at least for me, easier to manage. I also choose not to encrypt the configuration file, since I store it in a Git repository and want to keep track of all changes. In my view, encryption is not necessary, as the learning management system (LMS) OPAL validates the configuration in any case. Moreover, I consider it unlikely that our students would be able to manipulate SEB or the configuration file successfully. Even if they did, proctors would likely detect that something is amiss.

Important Configuration Options

Some important configuration options include:

  • startURL: Defines the starting URL of the LMS.

  • SendBrowserExamKey (true): Required so that the LMS validates the configuration. If the configuration differs, participants will not be able to start the exam.

  • allowVirtualMachine and allowedDisplaysIgnoreFailure (both true): Necessary in our PC pools, which rely on virtual Windows environments. Note, however, that at least at TU Chemnitz (TUC), virtual Windows instances should never be launched from GNU/Linux, as this would allow switching back to Linux and circumventing restrictions.

  • hashedQuitPassword: Stores the hash of the quit password. A quit password should generally be set. The hash can be found when opening the config in the SEB-configurator.

  • examKeySalt: Adds a salt to the configuration hash. I keep this empty to ensure the hash remains stable for a constant configuration. When using the SEB Configurator, however, this field cannot be left empty.

  • RemoveBrowserProfile, examSessionClearCookiesOnEnd, examSessionClearCookiesOnStart (all set to false): I prefer keeping the browser profile and cookies, as this allows logging into the LMS only once. So if a student has to quit SEB or the connection is lost, they do not have to login again.

  • quitURL: We currently do not use this option, but it seems useful. It provides a link that allows SEB to be closed without a password, typically displayed once the exam has been submitted.

  • permittedProcesses: Used to specify additional programs that are allowed during the exam.

Permitted Processes

Regarding permittedProcesses, we currently allow a restricted version of R for our statistics exams. The configuration for this is somewhat complex; at present, it looks as follows

<key>permittedProcesses</key>
<array>
  <dict>
    <key>active</key>
    <true />
    <key>autostart</key>
    <false />
    <key>iconInTaskbar</key>
    <false />
    <key>runInBackground</key>
    <false />
    <key>allowUserToChooseApp</key>
    <false />
    <key>strongKill</key>
    <false />
    <key>os</key>
    <integer>1</integer>
    <key>title</key>
    <string>cmd</string>
    <key>description</key>
    <string />
    <key>executable</key>
    <string>cmd.exe</string>
    <key>originalName</key>
    <string>Cmd.Exe.MUI</string>
    <key>windowHandlingProcess</key>
    <string />
    <key>path</key>
    <string />
    <key>identifier</key>
    <string />
    <key>arguments</key>
    <array></array>
    <key>signature</key>
    <string />
  </dict>
  <dict>
    <key>active</key>
    <true />
    <key>autostart</key>
    <false />
    <key>iconInTaskbar</key>
    <true />
    <key>runInBackground</key>
    <false />
    <key>allowUserToChooseApp</key>
    <false />
    <key>strongKill</key>
    <false />
    <key>os</key>
    <integer>1</integer>
    <key>title</key>
    <string>psR</string>
    <key>description</key>
    <string />
    <key>executable</key>
    <string>psR.bat</string>
    <key>originalName</key>
    <string />
    <key>windowHandlingProcess</key>
    <string />
    <key>path</key>
    <string>\\afs\tu-chemnitz.de\project\fome_klausur</string>
    <key>identifier</key>
    <string />
    <key>arguments</key>
    <array></array>
    <key>signature</key>
    <string />
  </dict>
</array>

The first part of the configuration allows cmd.exe to be started, which is required because R itself is launched through cmd.exe. The attributes active, title, executable, and originalName are set. A path is not required in this case, since cmd.exe is already included in the system PATH.

If you need to enable another program, it is advisable to check in the Task Manager which processes are actually associated with it. Sometimes the “root” process is not the one you might expect. According to the documentation, the option windowHandlingProcess can be set in such cases, but I have not yet been able to make this work.

The second part of the configuration permits the execution of a batch script. This script contains a custom command that launches R via PowerShell script (which itself can be started via cmd.exe). In this case, the full path must be specified. The PowerShell script loads a customized .Rprofile, which restricts R to a limited set of functions—especially those related to sampling distributions—so that students do not need to rely on statistical tables.

If you are interested in the .Rprofile and the PowerShell script, feel free to leave a message.

This setup works quite well overall, but there is an important caveat: Windows 11 uses wt.exe as the default terminal, even for cmd.exe. If this setting cannot be changed, the current approach with R will not work, since wt.exe is a tabbed terminal that allows users to open additional tabs. In these tabs, one could freely open files or run programs, which undermines the exam restrictions.

In such cases, it may be advisable to adapt Rgui.exe. I have experimented with this approach: one needs to obtain the R source code and modify rui.c to remove menu entries for opening scripts and files. But since the PC pools at TUC currently still have Win10 with a normal cmd console, we can still employ the old approach.

This concludes the general setup regarding SEB. The following section addresses relevant settings on the LMS side.

OPAL LMS Settings

On the LMS side, a SHA hash of the SEB-configuration is required. This hash can be copied from the SEB Configurator. I would prefer to generate the hash independently of SEB, but I do not yet know the exact procedure involved. The documentation provides some guidance, though it seems that studying the source code may still be necessary to implement it correctly.

There are several ways to configure SEB and secure an exam. The simplest setup is to require SEB and enforce a specific configuration, which is verified via the configuration hash. In addition, the exam should only be startable by a tutor. With this setup, it is not even necessary to restrict the exam by date and time, since students will not be able to launch it on their own. That said, BPS (the company behind OPAL) still recommends enabling both tutor start and a defined date/time.

Moreover, participants should always be organized into groups, with exam access restricted to those groups. A practical approach is to create one large group containing all participants and, in addition, smaller subgroups (e.g., for assigning rooms).

I prefer not to set a date and time, as in the last exam an incorrect setting caused significant problems. The difficulty is that errors in the date/time configuration are not immediately apparent, and there are two separate settings involved (access and visibility). When starting from SEB, no clear error message is provided if the exam fails to start due to this issue.

Testing the date/time settings is also cumbersome, as it has to be done manually. This creates considerable potential for mistakes—especially since the date and time must be reconfigured every semester. By contrast, the alternative setup (tutor start) remains stable unless the SEB configuration itself is modified.

When managing exams via OPAL, it is important to understand the role of tutors. In OPAL, tutors are not limited to course owners—they also include group tutors (Betreuer).

⚠️ Do not add students as tutors in exam courses.

If you grant students tutor status, they will be able to start exams on behalf of other students, which compromises exam security.

Several OPAL settings can interfere with starting an exam. The most common sources of problems are:

  • Safe Exam Browser (SEB) not used: If SEB is required but not used, the exam cannot be started.
  • Incorrect SEB configuration: The configuration hash is checked in OPAL. If the hash does not match, the exam cannot be started and an error is displayed.
  • Number of trials set incorrectly: If the number of trials is limited to 1, participants who are logged out during an attempt cannot always continue and sometimes must start a new exam. Students who already attempted an exam in a previous semester may also be blocked from starting again. It is unclear whether OPAL displays an explicit error message in these cases (not tested yet).
  • Incorrect exam number in OPAL: To start an exam, the correct exam number is required. If an invalid number is entered, the system displays a clear error message.
  • Incorrect IP address when network access is restricted: For example, in our case only addresses in 134.109.0.0/16 are permitted. It is not entirely clear what error message OPAL generates if the address is outside this range (not tested yet).

Note that these settings are usually constant and normally do not require changes. The only setting that may change is the SEB configuration hash.

AFS

We use an AFS folder both for the SEB configuration (which launches the exam) and for the custom R setup. This setup can cause issues if the AFS permissions are not configured correctly.

Required Permissions:

  • AFS rights should be set to rl (read and lookup).
  • Unix permissions should be set to 777 (rwx for everyone). Although AFS normally overrides these, the execute flag can still cause problems if it is missing.
  • A misconfigured setup can prevent students from starting SEB. This has already occurred in practice when incorrect permissions were applied.

Transparency and Risks:

Students can read both the SEB configuration and the R setup script. This provides full transparency, but also implies some security risks. In practice, exploits should still be very difficult for the average student.

R

If the R batch file does not start, this may be caused by problems in the shell script. The R version is retrieved from the system registry, and several automatic tests are in place to verify that R can be started and is configured correctly.

Another possible source of error is the SEB configuration for launching the batch file. This configuration may require adjustment when a new SEB version is introduced.

If R does not start within SEB but is visible after closing SEB, the ‘root’ process has not been configured correctly. Use the Task Manager to identify which additional processes need to be allowed. This consideration applies to other programs as well. It is also helpful to review the logs, located at %LOCALAPPDATA%\SafeExamBrowser\Logs.

Some general security risks need to be kept in mind when conducting digital exams.

Security risks

  • Logging in under another student’s name is theoretically possible, either on site or remotely via VPN. This vulnerability can be exploited in combination with collusion among students, leaving the exam room early, or attempting to forcibly terminate SEB.
  • A student may present their ID on site, then leave and start the exam from home. A potential safeguard is to verify that the number of participants in the exam room matches the expected number. However, this measure can be undermined if another student cooperates by occupying the seat and displaying a fake exam on the screen. A more reliable measure is to check each student individually upon entry.

One potential risk concerns the tutor start exam function. If there were a software bug, students might be able to start the exam before the scheduled start time. However, even in this unlikely scenario, students would still require the correct exam configuration and access via the Safe Exam Browser (SEB) in order to proceed.

Finally a checklist:

Checklist

The following checklist only works if the recommended settings above are used consistently. Never change a setting in OPAL without documenting it in the checklist. Exception: uploading a new exam and updating the SEB configuration hash.

    • Access to fome_ordner, psR.bat, RRunner.ps1, methodenlehre.seb, and .Rprofile confirmed (files present and AFS rights set to anyuser rl).
    • R starts and is configured correctly.