| Availability | Odoo Online, Odoo.sh, On Premise |
| Odoo Apps Dependencies | Attendances (hr_attendance), Discuss (mail), Employees (hr) |
| Community Apps Dependencies | Show |
| Lines of code | 3205 |
| Technical Name | eh_hr_attendance_geofence |
| License | LGPL-3 |
| Website | https://www.erpheritage.com.au/ |
| Versions | 16.0 17.0 18.0 19.0 |
Mobile Geofence Clock-in
Field and remote staff clock in from their own phone, and the server only accepts the punch when the device is physically inside one of your work sites.
Why this module
The phone cannot self-certify
The mobile shell sends only a device token and raw lat/lng. The server computes haversine distance to every active geofence-enabled site in the employee's company and posts the punch only if the phone is inside a site radius. A clock from outside is rejected and logged.
One PIN, one phone, one employee
A manager issues a 6-digit pairing PIN that is one-shot and expires in 5 minutes. Redeeming it binds an opaque token to that employee. The PIN lives in a DB row, so pairing is correct across workers and restarts, and a race cannot pair one PIN to two devices.
Reaches the staff a kiosk misses
Field crews, off-site contractors, and home-based staff clock in from a plain mobile web page with large touch targets. No native app, no store download. A per-employee toggle lets true off-site roles record location for audit without it gating the punch.
Day in the life
A site supervisor and a field tech, one morning
The supervisor opens the tech's employee record and taps Issue mobile pairing PIN. A sticky notification shows a 6-digit code valid for 5 minutes. The tech opens /eh_hr/mobile on their phone, enters the PIN, and the server issues a device token stored on the phone. At the job site the tech taps Clock in; the browser reads location and posts it. The server measures the distance to the company's geofenced sites, finds the tech is 18 metres from the depot, and writes a check-in on hr.attendance with a geofence_pass event. Later, a tech who drove home and tried to clock out from the couch gets a clean Not allowed message, and a geofence violation exception lands in the manager's queue.
Edge cases
The cases most modules quietly ignore.
Each of these is handled in the shipped code today, and each is a place where a cheaper module silently does the wrong thing.
Pairing PINs are claimed atomically in the redeem step and marked used before returning, so two simultaneous pair requests cannot pair one PIN to two devices. Issuing a fresh PIN expires any prior active PIN for that employee.
Both the pairing PIN store and the rate-limit counters are DB-backed, not in-process dicts, so they survive a restart and are shared across gunicorn or gevent workers rather than living in one worker's memory.
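The one-shot claim described in the two paragraphs above, as an added sketch that is not the module's own code. SQLite stands in for Odoo's PostgreSQL, and the `pairing` table, its columns and the function names are assumptions made for illustration.

```python
import secrets
import sqlite3

PIN_TTL_S = 5 * 60  # 5-minute time to live, as stated on the page

def open_store():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("""CREATE TABLE pairing (
        id INTEGER PRIMARY KEY, pin TEXT NOT NULL, employee_id INTEGER NOT NULL,
        state TEXT NOT NULL DEFAULT 'active',  -- active | used | expired
        expires_at REAL NOT NULL)""")
    # At most one active row per PIN value; used/expired rows may repeat a value.
    db.execute("CREATE UNIQUE INDEX one_active_pin ON pairing(pin) WHERE state = 'active'")
    return db

def issue_pin(db, employee_id, now):
    db.execute("BEGIN IMMEDIATE")
    # Issuing a fresh PIN expires any prior active PIN for that employee.
    db.execute("UPDATE pairing SET state = 'expired' "
               "WHERE employee_id = ? AND state = 'active'", (employee_id,))
    while True:  # uniqueness retry loop on generation
        pin = f"{secrets.randbelow(10**6):06d}"
        try:
            db.execute("INSERT INTO pairing (pin, employee_id, expires_at) "
                       "VALUES (?, ?, ?)", (pin, employee_id, now + PIN_TTL_S))
            break
        except sqlite3.IntegrityError:
            continue  # collided with another employee's active PIN
    db.execute("COMMIT")
    return pin

def redeem_pin(db, pin, now):
    """Return (employee_id, device_token) for exactly one caller, else None."""
    row = db.execute("SELECT id, employee_id FROM pairing WHERE pin = ? "
                     "AND state = 'active' AND expires_at > ?", (pin, now)).fetchone()
    if row is None:
        return None
    # Compare-and-set: the state guard makes the claim atomic, so of two racing
    # requests that both read the row above, only one sees rowcount == 1.
    claimed = db.execute("UPDATE pairing SET state = 'used' "
                         "WHERE id = ? AND state = 'active'", (row[0],)).rowcount
    if claimed != 1:
        return None
    return row[1], secrets.token_urlsafe(32)  # opaque server-issued token
```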
The public pair, clock, and whoami endpoints are rate-limited per IP or per token through an atomic SQL upsert counter (eh.hr.rate.limit), returning HTTP 429 over budget. The pair budget is deliberately tight because a 6-digit PIN is otherwise guessable online.
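A fixed-window upsert counter of the kind described above, as an added sketch that is not the module's own code. SQLite stands in for PostgreSQL; the `rate_limit` table, the function names and the budget of 5 requests per 300 seconds are assumptions, since the page gives no figures.

```python
import math
import sqlite3

def open_limiter():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("""CREATE TABLE rate_limit (
        bucket TEXT NOT NULL, window_start INTEGER NOT NULL, hits INTEGER NOT NULL,
        PRIMARY KEY (bucket, window_start))""")
    return db

def hit(db, route, key, budget, window_s, now):
    """Count one request for route+key (IP or token); return HTTP 200 or 429."""
    bucket = f"{route}:{key}"
    window_start = int(now) - int(now) % window_s  # fixed window boundary
    db.execute("BEGIN IMMEDIATE")
    # The upsert creates or increments in one statement, so concurrent workers
    # sharing the database cannot lose an increment the way a per-process dict can.
    db.execute("INSERT INTO rate_limit (bucket, window_start, hits) VALUES (?, ?, 1) "
               "ON CONFLICT (bucket, window_start) DO UPDATE SET hits = hits + 1",
               (bucket, window_start))
    (hits,) = db.execute("SELECT hits FROM rate_limit WHERE bucket = ? AND window_start = ?",
                         (bucket, window_start)).fetchone()
    db.execute("COMMIT")
    return 200 if hits <= budget else 429

def max_guesses_per_pin(budget, window_s, pin_ttl_s):
    """Upper bound on pair attempts one source key gets during one PIN lifetime.

    A PIN's lifetime can straddle a window boundary, hence the extra window.
    """
    return budget * (math.ceil(pin_ttl_s / window_s) + 1)
```

With the assumed budget, one source key gets at most 10 tries against a space of 1,000,000 PINs before the PIN expires, which is the reason for keeping the pair budget tight.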
Devices carry a stored company derived from the employee, and a global record rule restricts visibility to the user's companies. Geofence checks only ever consider sites in the clocking employee's own company.
A clock from outside every site, or with location withheld while geofence is required, is refused and recorded: a kiosk event row plus an eh.hr.attendance.exception of type geofence_violation for the manager to review. Passing clocks log a geofence_pass event with the matched site and distance.
Through the Odoo UI a standard HR user can read only their own paired devices and cannot create, rewrite, or revoke them; managers get full control and admins can delete. Token rotation and revocation are manager or admin actions, not user actions.
An isolated daily cron marks lapsed PINs expired and unlinks terminal pairing rows older than a day, so the PIN table does not accumulate stale or already-used codes.
What is inside
Built to do the job, end to end.
- Mobile device registry. eh.hr.mobile.device stores the employee binding, a unique server-issued opaque token, last seen, last IP, user agent, and last known coordinates, with manager actions to rotate the token or revoke the device. A unique constraint guards against token collisions.
- One-shot pairing PIN model. eh.hr.mobile.pairing issues, redeems, and garbage-collects short-lived 6-digit PINs with explicit active, used, and expired states, a 5-minute time to live, and a uniqueness retry loop on generation.
- Public mobile shell and endpoints. A vanilla-JS mobile page served at /eh_hr/mobile with pair, clock, and whoami routes. No Odoo web framework dependency, so it works on locked-down corporate browsers and basic Android or iOS WebViews.
- Geofence distance engine. A haversine calculation finds the closest active geofence-enabled site and compares against the site radius, falling back to a company default radius when a site declares none. Coordinate validity is enforced on the site record itself.
- Employee controls and settings. Employee form additions to issue a PIN, view paired devices, and toggle whether geofencing is required for that person, plus a company-level default mobile radius exposed in Settings.
- Security, audit, and housekeeping. Per-company record rules, role-based access for user, manager, admin, and auditor, immutable kiosk event logging for every register and clock action, and a daily PIN cleanup cron.
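The server-side check described under "The phone cannot self-certify" and in the geofence distance engine item above, as an added sketch that is not the module's own code. The `Site` class, the function names, the coordinates and the radius values are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres

@dataclass
class Site:  # hypothetical stand-in for a geofence-enabled kiosk site record
    name: str
    company_id: int
    lat: float
    lng: float
    radius_m: Optional[float] = None  # None: fall back to the company default
    active: bool = True

def haversine_m(lat1, lng1, lat2, lng2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlng = p2 - p1, math.radians(lng2 - lng1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlng / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(min(1.0, a)))

def valid_coords(lat, lng):
    """Reject withheld (None), non-numeric, NaN/inf or out-of-range input."""
    if not all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in (lat, lng)):
        return False
    return math.isfinite(lat) and math.isfinite(lng) and abs(lat) <= 90 and abs(lng) <= 180

def check_clock(sites, company_id, lat, lng, default_radius_m, geofence_required=True):
    """Return (allowed, site_name, distance_m); the client never supplies the verdict."""
    if not valid_coords(lat, lng):
        return (not geofence_required, None, None)  # withheld location fails closed
    # Only active sites in the clocking employee's own company are candidates.
    candidates = [s for s in sites if s.active and s.company_id == company_id]
    if not candidates:
        return (not geofence_required, None, None)
    site = min(candidates, key=lambda s: haversine_m(lat, lng, s.lat, s.lng))
    dist = haversine_m(lat, lng, site.lat, site.lng)
    radius = site.radius_m if site.radius_m else default_radius_m
    return (dist <= radius or not geofence_required, site.name, round(dist, 1))

# Constructed sample data: one site per company, neither declaring its own radius.
SITES = [Site("Depot", 1, -37.8136, 144.9631), Site("Other Co yard", 2, -37.9000, 144.9631)]
```

A `False` result is where the refused punch and the geofence_violation exception would be recorded; a `True` result with a matched site corresponds to the geofence_pass event.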
Honest about the edges
What this does not do, so nothing surprises you.
- Location trust is only as strong as the browser. Standard browser geolocation is reasonably hard to fake on a stock device but can be spoofed with developer tools or rooted hardware. For higher assurance, pair this with a face-match kiosk at the start of a shift.
- No face capture or biometric on mobile. The device pairing token is the identity binding; this module does not photograph or biometrically verify the person holding the phone.
- Geolocation consent is not auto-captured on the page on this branch. The mobile shell asks the browser for location, but the formal eh.hr.consent record of type geolocation is created by a manager from the employee record, not by a tap on the phone.
- Geofences are your kiosk sites. Mobile clock-in checks distance against geofence-enabled kiosk sites; it does not yet treat customer, project, or task addresses as geofences.
- Location is read only at the moment of clock-in and clock-out. There is no background or continuous tracking of the device between punches.
- Attendance follows a simple open-shift toggle: a clock event closes the open attendance if one exists, otherwise it opens a new one. It does not model breaks or multiple overlapping shifts.
Need this fitted to the way you work?
ERP Heritage delivers end to end Odoo work: Odoo Implementation, Customization and Development, Integration, Migration, Consultation, Support and Training. We help teams put this module into production, shape it to their process, and keep it running.
We work with businesses across Australia (Melbourne, Sydney, Brisbane, Perth, Adelaide, Canberra) and the Middle East (Dubai, Abu Dhabi, Riyadh, Jeddah, Doha, Kuwait City, Muscat). Start a conversation at erpheritage.com.au or email info@erpheritage.com.au.
Languages
Available in 19 languages
The interface ships translated out of the box. Switch language in Odoo and the fields, menus, and messages follow.