Jamf Nation Community

I just tried it out and got it working. Follow the lightspeed directions to register on mobile.lsfilter.com http://community.lightspeedsystems.com/documentation/web-filter/mobile-filter/using-the-mobile-lsfilter-com-website-to-manage-devices/

Then set up a configuration profile in casper:
Content Filter payload
Filter Type: Plug-in
Filter Name: I used my filter's URL, but I don't know that this matters
Identifier: com.lightspeedsystems.iosmobilefilter (from the Lightspeed Mobile Filter app)
Service Address: I used my filter's URL, I have my filter open to a public IP and some ports open for global proxy now, I'm not sure how open it has to be for this filter to work.
User Name: $USERNAME (which passes their Casper username to the lightspeed filter. You'd need to have both systems with the same username for this to work correctly.)
checked Filter WebKit Traffic
checked Filter Socket Traffic Everything else is default.

And the Lightspeed Mobile Filter app needs to be installed on the iPad. Which is where I will probably stop with this myself, as I don't want to disable app deletion, because I like them being able to use Self Service and manage what apps are on their iPads, but I don't want them to go unfiltered just because they've deleted the filter app. Too bad there isn't a way to keep only one app from being removed.

Did you try setting the proxy to point at your rocket? We push that thru the MDM and it can't be removed

I was able to get this to work now too. There is an issue with they deploying of the configuration after it has been first deployed. You have to totally remove the scope to the device and the Lightspeed Config. Update inventory, make your changes to the config, then re-scope to the device. This was the only way I would get the config to install.

Not sure if my username information is coming through though. I wasn't sure if I needed to use. $USERNAME or %username%

One issue, if the app is removed then the students will have unfiltered access to the internet.

We just use this config and have the filter do the rest. If they want access to other sites they have to log into the filter on the blocked screen

Was able to get this to work as well using %short_name% using a different MDM but felt the need to post here as well. We set the devices to be named the auth name thru DEP and then use that name to pass to lightspeed mobile filter app. This helps us leverage AD for lightspeed and in the future for wifi configuration based around the user.

As noted above, the profile can't be modified once it is installed. It had to be removed, model updated, and then reinstalled.

We were able to get the Lightspeed iOS web filter to work off campus on student iPads and all works as advertised by Lightspeed. Thanks in no small part to the kind folks on this post.

We have a new problem though. Keywords are "as advertised".

Even prior to iOS 9 filtering and taking iPad specific issues off the table, we have had long-standing issues filtering Google-owned sites and other similar SSL-based sites. Problem happens on Windows with the Mobile Filter installed as well.

Lightspeed has instructed us that for on campus side, the only way to solve is with a trusted, transparent man in the middle proxy that decrypts/re-encrypts SSL traffic. This proxy is actually present on the network side. The problem is off-campus. Off campus with iOS 9-style web filtering (similar to Lightspeed Mobile Filter on Windows) we only get standard filtering which doesn't filter inappropriate SSL traffic.

The short of this post is this...how do we achieve proper SSL filtering off campus with iOS 9 style plugin if it's even possible? If it is not, then we may face having to proxy all traffic (internal and external) back on campus with a Global proxy setting like we used to have to do prior to iOS 9 filtering becoming available.

Any other Lightspeed rocket users filtering SSL traffic well off campus? Any tips or tricks welcome.

cpoole How did you handle launching the Smart Agent App on each device. The Lightspeed instructions say to use Single App.

@blackholemac

I hope this helps.

We have the following installed on each student owned iPad:

• MobileFilter App
  -- We have set restrictions not to allow students to remove the Apps
  -- We opened each app ensuring they were configured for our account. We missed about 34 out of 200 and something. We had to visit each class requesting the students open the app. Once done problem solved.

• SSL Cert
  -- we have also installed the SSL cert from Rocket

• PAC File
  -- we created a PAC file and deployed it
  ---- while on campus the content filter will do its job
  ---- while off campus, the App handles the filtering but we noticed inappropriate content getting through
  ---- we created a PAC File to filter while off campus for Google, Bing, Yahoo, and Amazon searches. This prevents the inappropriate content from getting through while also tracking what the students are searching for.

Here is a sample of our PAC File

function FindProxyForURL(url, host)
{
var proxy_yes = "PROXY (your proxy address here)";
var proxy_no = "DIRECT";
if (dnsResolve("cf.cpalions.org") == "(Your IP Address Here)"){ if (dnsDomainIs (host, "google.com")) { return proxy_yes; } if (dnsDomainIs (host, "gstatic.com")) { return proxy_yes; } if (dnsDomainIs (host, "youtube.com")) { return proxy_yes; } if (dnsDomainIs (host, "amazon.com/*")) { return proxy_yes; } if (dnsDomainIs (host, "bing.com")) { return proxy_yes; } if (dnsDomainIs (host, "yahoo.com")) { return proxy_yes; }
}
return proxy_no;
}

Again, I hope this helps