Blocking VPN access on high school supervised/unsupervised devices.


Some of my students have now worked out they can bypass our content filter using VPN with their iPads. Does anyone have a system where I can track who has done this? Many thanks.


Honored Contributor II
Honored Contributor II

I saw a thread about this a few months ago. I don't think there was a solution posted.

You could check for VPN ports being used and possibly block the offending ports or URLs.

New Contributor II

We're running into this issue as well. The best I was able to do was set up a Configuration Profile that was triggered by a VPN App and would then lock the device in a Single App mode thereby freezing the iPad. the student would have to see Administration, suffer and then I would exclude them from the Configuration, they would remove the App and everyone was happy. Relatively. Hope this helps.
I do wish there was a way to just remove the VPN option and this whole issue.

New Contributor III

We also take the discipline route. It is spelled out explicitly in their Responsible Use Policy that they are not allowed to install VPNs on their iPads. I created a Smart Group that looks for the VPN apps and any associated profiles. The profiles sometimes help you catch apps that you wouldn't otherwise know were VPNs (without looking each app up in the app store). I then have the smart group set to notify me on membership change.

We don't currently do this for VPNs, but have found it effective for other issues... We provide access to wifi via a profile. Excluding the VPN Smart Group from that wifi profile sure gets students' attention!

New Contributor

The use of the VPNs is not a privilage. It is a right to the internet that should not be taken away. If it is in there own devices, just leave them alone. Watching students' privacy on their rightful property is wrong and should be illegal. How would you feel if Schoology was blocked by another organization and no one can access to it? Some sites I understand why they should be banned to the public, such as pornagraphy, racist sites, and the web site I hate the most, "God Hates Fags" (forgive my french, and no, I am not homophobic), which is ran by Westboro Baptist Church, but that is beyond the point. I really don't understand why you school districts have to deprive human rights to students, especially property rights. As long as it is not illegal , vulgar, or advertising tobacco or alcohol products, leave those kids alone. They are not doing any harm to you. I have a teacher at school who said students do not have rights, but she is wrong. If you are the same way, you are wrong, too. What's worse, you are violating the constitution. I don't care if you are school staff, work staff, guardians or even parents. Everyone has rights. End of discussion.

Contributor II
Contributor II

@FreedomRights I really don't think this requires a political discussion.
There are many reasons to want to block VPNs, including but not limited to the use of the VPN to bypass all content filtering.
When a student is attending the school and connected to the school network they follow the rules or they don't get network access :)

Valued Contributor III

@FreedomRights Sigh. This is a technical forum, not your political soapbox. You want to discuss that, fine but here is not the place for it. We're here to help each other, not to get preached at. (and i'm aware of the irony of this post too). Go hang out in the SlymePit, A+, FtB or whatever other forum floats your boat.

@jgwatson This really is something that's best dealt with at a firewall end of things. Most of the VPN's i'm aware of like using UDP on Port 443. I'm assuming these are school devices and aren't taken home? You may wish to consider a cloud based web proxy, as that hard coded into the device will defeat VPN's.


Thanks for your help. I went with the policy to wipe all apps if a VPN app is detected. All I needed to do was find the top three, write up a few detentions, and the students got the message. Some of the students were caught surfing adult sites so this ended up being a big deal for the school to combat.



Can you help me and tell me how you created the policy i think we will have to use this approach.


New Contributor II

We're dealing with this at the network level. Currently using protocol filtering by Cisco at the WLAN. I'd think there must be the same at the wired level so you could do it at wireless and wired at the same time.

Watchguard has an application blocker for TinyVPN and OpenVPN.