| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Odoo Apps Dependencies |
•
Attendances (hr_attendance)
• Discuss (mail) • Employees (hr) |
| Community Apps Dependencies | Show |
| Lines of code | 3205 |
| Technical Name |
eh_hr_attendance_geofence |
| License | LGPL-3 |
| Website | https://www.erpheritage.com.au/ |
| Versions | 16.0 17.0 18.0 19.0 |
Mobile Geofence Clock-in
Let off-site staff clock in from their own phone, with the server checking GPS distance to your sites before it accepts the punch.
Why this module
Mobile Geofence Clock-in
Off-site staff have no honest clock
Field, remote, and home-based workers never reach a wall kiosk, so their hours arrive as untethered manual entries with no location anchor. This gives them a phone clock-in that the server only accepts when GPS puts them inside one of your sites.
Enforcement is server-side, not in the app
The phone only sends its token and coordinates. The server computes Haversine distance to every active geofence-enabled site in the employee's company and decides. A tampered client cannot talk itself inside the fence.
Every punch leaves a trail
Pairing, geofence pass, geofence fail, check-in, and check-out each write a timestamped row to the shared attendance audit log with IP and event type. Out-of-range attempts also raise a geofence violation exception for a manager to see.
Day in the life
A site supervisor and a roaming technician
The supervisor opens the technician's employee record and clicks Issue mobile pairing PIN. A 6-digit code shows for five minutes. The technician opens the mobile page on their phone, enters the PIN once, and the phone is now bound to them by an opaque token. At the first job that morning they tap Clock in; the browser asks for location, the phone posts its coordinates, and because they are within the site radius the server creates the attendance and logs a geofence pass. At lunch they tap again from a cafe two streets away, fall outside every fenced site, and the punch is refused with a geofence violation that lands in the manager's exception list. Back on site after lunch, the next tap toggles them to check-out cleanly.
Edge cases
The cases most modules quietly ignore.
In the shipped code today, each one a place where a cheaper module silently does the wrong thing.
Pairing PINs live in a database row, not a process dict, so they survive restarts and are shared across workers. Redeem marks the row used before returning, making the PIN single-use; issuing a new PIN expires any prior active one for that employee.
The public pair route is throttled to 10 calls per minute per IP through a database-backed, worker-shared, restart-durable counter that increments with a single atomic SQL upsert, so a six-digit PIN cannot be ground down online.
When an employee is geofence-required and lands outside every fenced site, the clock is refused, the closest site distance is logged, and an attendance exception of type geofence violation is raised for review.
A geofence-required employee whose phone returns no coordinates is refused with a geofence_required reason and the attempt is logged, rather than silently posting an unanchored punch.
Flip the per-employee Require mobile geofence toggle off and location is still recorded for audit but no longer gates the punch, so legitimately mobile staff are not blocked by an empty site list.
Devices are scoped by a global company rule; the geofence check only walks sites in the employee's own company, and ordinary users can read only their own paired devices while managers and auditors see the company set.
Each tap inspects the employee's last open attendance: if one is open it is closed as a check-out, otherwise a fresh check-in is created, so a double tap cannot leave two open attendances.
A manager can rotate a device token or revoke the device outright, immediately invalidating the phone without disturbing the employee's attendance history.
What is inside
Built to do the job, end to end.
- Mobile device and pairing models. eh.hr.mobile.device holds a server-issued opaque token, last seen, IP, user agent, and last coordinates, with rotate and revoke actions. eh.hr.mobile.pairing is a short-lived, one-shot PIN model with a five-minute TTL and a daily garbage-collection cron.
- Public mobile shell and endpoints. A dependency-free web page at /eh_hr/mobile plus pair, clock, and whoami JSON endpoints. The shell stores the token locally, prompts for browser geolocation only at clock time, and is styled for large touch targets, so it runs on locked-down phone browsers.
- Server-side geofence engine. A Haversine distance check against every active geofence-enabled kiosk site in the company. The first site whose radius contains the position wins; otherwise the closest distance is logged. Radius falls back from the site value to a company default.
- Audit trail and exceptions. Pairing, geofence pass and fail, and each attendance write to the shared eh.hr.kiosk.event log. Out-of-range punches raise an eh.hr.attendance.exception so they surface in the suite's exception workflow.
- Configuration and security. A company-level default geofence radius in Settings, a per-employee enforcement toggle, role-based access for user, manager, admin, and auditor, and a global multi-company record rule. Public routes are rate-limited per scope.
Honest about the edges
What this does not do, so nothing surprises you.
- This module reuses the geofence-enabled sites defined in the attendance base module; you must create and position those sites there before mobile enforcement has anything to check against.
- There is no face capture or other biometric on mobile. Identity is bound to the paired device and its token, so a phone handed to a colleague would clock in as the device owner.
- The mobile shell does not itself capture a geolocation consent record. The browser permission prompt governs location access, and any internal consent record is created by a manager from the employee record, not by the page.
- Accuracy depends on the device GPS and browser. Indoor, urban-canyon, or low-signal fixes can be off by tens of metres, so set site radii with that margin in mind.
- Location is read only at the instant of clock-in and clock-out. There is no continuous or background tracking and no movement history between punches.
- This is a web page clock-in, not a native app. It needs a working browser and network connection at the moment of the punch and does not queue offline punches.
Odoo mobile attendance, GPS geofence clock in, geofence attendance Odoo 18, field worker attendance, remote employee clock in, location based attendance, mobile time clock Odoo, phone clock in out, off site attendance tracking, Odoo 18 Community attendance, geofenced check in, PIN pairing attendance, home based worker attendance, attendance geofence enforcement
Need this fitted to the way you work?
ERP Heritage delivers end to end Odoo work: Odoo Implementation, Customization and Development, Integration, Migration, Consultation, Support and Training. We help teams put this module into production, shape it to their process, and keep it running.
We work with businesses across Australia (Melbourne, Sydney, Brisbane, Perth, Adelaide, Canberra) and the Middle East (Dubai, Abu Dhabi, Riyadh, Jeddah, Doha, Kuwait City, Muscat). Start a conversation at erpheritage.com.au or email info@erpheritage.com.au.
Languages
Available in 19 languages
The interface ships translated out of the box. Switch language in Odoo and the fields, menus, and messages follow.
Please log in to comment on this module