JAMF Safe Internet - Disable when onsite and other deployment questions


We have access to JAMF Safe Internet due to buying the EDU ultimate bundle for some of our devices.  Is there a way to only apply it to devices when they are offsite?  I do think you could do this with a configuration profile that only applies when the device is not onsite in JAMF school, but those don't always change quickly and it sounds like when the profile is applied and removed it would disrupt Internet activity on the device.

Here are some secondary questions and thoughts from my testing so far: 

  • Privacy - While I understand why some places would want this, in our environment we tell the students they should have no expectation of privacy when using our devices.  We really need to be able to see which students accessed what sites when something gets passed the filter that should not have.  
  • Local DNS - Having to create an entry for every local DNS resource will be time consuming and hard to maintain.  I wonder if they could allow you to do a domain level redirect to your local DNS server.
  • Apple Caching - Does anyone know if JAMF safe internet will block your local caching servers from working.  I'm guessing it does due to it blocking local DNS, but I have not tested it yet.

New Contributor III

Maybe a bit of a laborious idea, but you could create a LaunchDaemon, which triggers a script every 15 minutes to check the IP and if it is from the onsite IP Range. If it doesn't fit the IP Range it triggers a "jamf recon", which should speed up your profile deployment/removal. 

If you do not want to work with network segments in Jamf, you could just use an extension attribute, whether it's onsite or offsite and create a Smart Group based on that value, which you add to the scope of the profile.

A similar example of the LaunchDaemon / Script workflow is the "Casper Check" : https://github.com/rtrouton/CasperCheck

Thanks for the reply and idea.  We need this to work on iPads too so network segments might be our only hope.