Posted on 06-06-2012 05:48 AM
So we're finding that we are not in compliance with state mandates because we are not currently filtering internet content on the iOS devices as they leave district. Currently all devices (mixture of iPad and iPad 2) are being used by administrators and teachers in district, and normally while they are in-district our firewalls take care of content filtering for safari. However this is obviously not the case as soon as they walk out of our campus.
In order to counter act that i've come up with a couple of ideas, and hope that the community could give me a hand with how to implement them and a workflow that might work. Also, please, if you have a simpler or more stable workflow that you use, I'd be quite grateful for the push in the right direction.
1) Disable Safari when outside network segment:
- In this case we’d have to have Safari disable as soon as the device falls out of scope (ip segment in a smart group?) and force the user to run a 3rd party filtered browser when not in district (any suggestions? I’ve used a few and they’re not exactly terrific).
- Is this possible? The JAMF support didn’t know of a workflow that was stable but hoping someone has done something to this effect.
2) A second option would be to disable Safari completely and just run a 3rd party browser. But will this interrupt JSS communications. I’m assuming the filter will not allow me to hit the JSS outside of the district if at all through what I’d imagine is a proxied browser…
3) And the third idea would be to set up a proxy server in-district that the ipads had to connect to using safari. Is this viable and has anyone attempted this?
Please let me know which if any of these processes have been attempted and whether they are successful. Also, if you have any other workflow which will help us to filter content outside of the district, I’d greatly appreciate hearing about it.
Thanks in advance,
Chris Guay
South Windsor Public Schools
Solved! Go to Solution.
Posted on 07-03-2012 07:03 AM
So, i just wanted to update...
Aside from a rather expensive hardware/software solution, it doesn't seem like it's overly possible to set up a proxy to allow for safari or another in-house filtered browser to work.
For now, until our hardware providers come out with a browser solution to match our hardware, we have decided to go with the Mobicip application for iOS which will at least allow us to filter (whitelist and blacklist) as we see necessary. Though rather pricey, we hope it will be a temporary solution.
Thank you all again for the responses.
Chris
Posted on 06-06-2012 09:20 AM
Chris-
Sounds like you're up against the classic case of non-technical people making technical decisions. I haven't had to go up against anything like this, but it seems like item #3 is the most viable. 1 and 2 seem like a lot of engineering to go to the same end result.
The only issue with #3 is that proxy settings are set via each wifi network. So, unless you can program in everyone's wifi settings for their home network and then lock them all down, it's going to be tough.
I don't envy you on this one.
Posted on 06-06-2012 12:14 PM
So we're finding that we are not in compliance with state mandates because we are not currently filtering internet content on the iOS devices as they leave district.
What is the state mandate that you're suppose to follow? What are you suppose to be filtering?
Another option is that iPads can't go home. Wouldn't be popular but then again you can't be responsible for browsing habits while offsite.
Forcing iPads to use a proxy that you control and then placing that proxy outside your district firewall should work. The Internet is full of proxy servers to enable you to do things like stream BBC content in the USA or anonymize your IP address while surfing. Home users don't have proxies so they should be able to hit yours directly by FQDN.
Posted on 06-06-2012 12:35 PM
Thanks for the responses. The proxy idea was where I was looking to start as well, hoping it would be the most simple. I'll work with my boss (the one with firewall access) to open us up a proxy and give it a shot.
I believe the mandate is simply standard content filtering (pornography, etc) that was subject in the grants used to get the devices, but i will confirm.
Thanks, and will post back with an update once I've attempted this route and if I run into any snags.
thanks for the help!
Chris
Posted on 06-06-2012 01:01 PM
Have you thought about looking into filtering companies with iOS browser apps that offer at home filtering options?
I heard about some school doing home filtering on iPads using Cisco Anyconnect I believe to get traffic to go through your network.
Posted on 06-15-2012 06:09 AM
Unfortunately through trial and error, it appears a proxy is not going to work out of district. Apple's proxy settings are not by browser but by individual network connection and therefore as soon as they leave campus the ipads will again be open to the unfiltered internet...
back to the drawing board.
Looks like we're going to have to find some third party browser setup... either through your suggestion CasperSally and find a hardware / app based solution or use one of the apps with subscriptions such as "MobiCip" to combat these issues.
Thank you for the responses and I will update once we find a solution and what my workflow turns out to be in case anyone is in a similar situation.
Just for note the reason for all of this is to be CIPA compliant when district-owned devices leave our campus-filtered internet.
Thanks again for all the responses and ideas.
Chris
Posted on 06-15-2012 07:06 AM
Take a look at Bascom http://www.bascom.com/ I'm not affiliated with them in any way, but I've talked to them in the past. They're very aware of what JAMF's iOS management is capable of and feel their product compliments it. It seems to allow for filtering of web content on iOS devices no matter where they're located. Their Anywhere Filter product is what I'm thinking of in particular.
Posted on 07-03-2012 07:03 AM
So, i just wanted to update...
Aside from a rather expensive hardware/software solution, it doesn't seem like it's overly possible to set up a proxy to allow for safari or another in-house filtered browser to work.
For now, until our hardware providers come out with a browser solution to match our hardware, we have decided to go with the Mobicip application for iOS which will at least allow us to filter (whitelist and blacklist) as we see necessary. Though rather pricey, we hope it will be a temporary solution.
Thank you all again for the responses.
Chris
Posted on 07-03-2012 08:13 AM
you could also force a vpn connection from the devices, thus enforcing filtering by routing all web traffic back to your proxy. there's at least one MDM vendor that works this way, though you should be able to do similar by applying a profile.