How do I configure transparent authentication (user-injection) for SmartPAC?

Setup for iPads

iPad use in schools is notably higher for lower grade levels. Their intuitive design and touchscreen make them a great candidate for combining technology and education in the classroom. The one thing that remains a sticking point is authentication. It’s difficult if not impossible, for an entire classroom of kindergartners to log in in order to get internet connectivity through the school’s web filter. The only workarounds we’ve seen in the field are either assigning an IP-based policy that would reduce logging visibility (and not work off-site) or having the teacher and teacher’s aide log the students into the iPads each morning. In an effort to combat this issue, Securly developed “User-Injection” for SmartPac. User-Injection allows the school’s IT admin to add a URL parameter to the SmartPac via MDM (iPads) or GPO (Windows) which will automatically authenticate the student and allow them access to the Internet without losing attribution for the student’s browsing activity. 

Note that you will need to contact the Securly support team at to enable this feature for you. 


  1. Confirm if MDM supports variable payloads with iPad configuration profile. The variable will be used for SmartPac to inject the username. For example, Securly MDM uses the “$email” variable to pass the email address. (See the list of variables for other MDMs below.)
  2. Make sure the MDM has an email address associated with each user. 

Generic Examples Using Securly MDM Payload Variable:

Format: SMART PAC URL + &user= + MDM variable (in lower case)


To break it down:  

Smart PAC URL:

Constant variable used by Securly: &user=

MDM Variable: $email (lower case) 


On your iPad, the PAC URL will display the actual user's email of the user assigned to the iPad.

Setup for Windows 

For Windows, we can pass the logon user. This is great for shared Windows Labs to filter and report each student's activity when they are logged in.

Windows -

Note: If you are on Windows build 1903, you will need to set the PAC URL to HTTP, not HTTPS. You can refer to this forum to read more. It is speculated Windows may revert to this change and once again support PAC URLs over HTTPS. If they do, we will update this article.

Setup for shared accounts 

In addition to using a variable for user injection, a shared account can be used in the SmartPac URL. Shared accounts must exist in G-Suite or AD/Azure to auto-authenticate with Securly. Using a shared account can be done if the MDM solution does not support using payload variables.


Shared Account =

 Additional Info

We have a running list of variable payloads with iPad configuration profiles:

Securly MDM: $email (lower case)

Jamf: $EMAIL


Jamf School (formerly ZuluDesk): %Email%

Lightspeed: %email%

Filewave %email%

Mosyle - %Email%

Airwatch MDM - {EmailAddress}

Other- Try %email%

Windows - %USERNAME%@<> (Ex:

Supporting links:

Was this article helpful?
7 out of 12 found this helpful
Have more questions?
Submit a request



Article is closed for comments.

Articles in this section

See more