How to configure transparent authentication (user-injection) for SmartPac? 


Setup for iPads

Background
iPad use in schools is notably high for lower grade levels. Their intuitive design and touchscreen make them a great candidate for combining technology and education in the classroom. The one thing that remains a sticking point is authentication. It’s difficult, if not impossible, for an entire classroom of kindergartners to log in to get internet connectivity through the school’s web filter. The only workarounds we’ve seen in the field were either assigning an IP-based policy, which would reduce logging visibility (and not work offsite), or having the teacher and teacher’s aide log the students into the iPads each morning. In an effort to combat this issue, Securly developed “User-Injection” for SmartPac. User-Injection allows the school’s IT admin to add a URL parameter to the SmartPac via MDM (iPads) or GPO (Windows) which will automagically authenticate the student and allow them access to the Internet without losing attribution for the student’s browsing activity.

Note that you would need to contact the Securly support team at support@securly.com to enable this feature for you. 

Prerequisites

  1. Confirm that the MDM supports payload variables in iPad configuration profiles. SmartPac uses the variable to inject the username. For example, Securly MDM uses the “$email” variable to pass the email address. (See the list of variables for other MDMs below.)
  2. Make sure the MDM has an email address associated with each user. 

Generic Example using Securly MDM Payload Variable:

Format: SMART PAC URL + &user= + MDM variable (in lower case)

Example

https://www.securly.com/smart.pac?fid=admin@securlyqa1.com&user=$email

To break it down:  

Smart PAC URL: https://www.securly.com/smart.pac?fid=admin@securlyqa1.com

Constant variable used by Securly: &user=

MDM Variable: $email (lower case) 

On your iPad, the PAC URL will show the actual email address of the user assigned to the iPad.

Setup for Windows 

For Windows, we can pass the logged-on user. This is useful in a shared Windows lab for filtering and reporting on each student's activity while they are logged in.

Windows - %USERNAME%@schooldomain.com

http://www.securly.com/smart.pac?fid=securly@schooldomain.tld&user=%USERNAME%@schooldomain.com

Note: If you are on Windows build 1903, you will need to set the PAC URL to HTTP, not HTTPS. You can refer to this forum to read more. It is speculated that Windows may revert this change and once again support PAC URLs over HTTPS. If it does, we will update this article.

Setup for shared accounts 

In addition to using a variable for user injection, a shared account can be used in the SmartPac URL. The shared account must exist in G-Suite or AD/Azure to auto-authenticate with Securly. A shared account can be used if the MDM solution does not support payload variables.

Example:

Shared Account = https://www.securly.com/smart.pac?fid=securly@schooldomain.com&user=sharedaccount@schooldomain.com

Additional Info

We keep a running list of payload variables for iPad configuration profiles:

Securly MDM: $email (lower case)

Jamf: $EMAIL

Meraki: $OWNEREMAIL

Jamf School (formerly ZuluDesk): %Email%

Lightspeed: %email%

Filewave: %email%

Mosyle: %Email%

Other: Try %email%

Windows: %USERNAME%@<schooldomain.com> (Ex: %USERNAME%@k12publicschools.org)
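
To catch a missing or wrong-case variable before a profile is pushed, the check below validates a SmartPac URL against the iPad MDM variables listed above. It is an added example, not Securly's code; the function names and the wording of the findings are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Payload variables exactly as listed in this article (case-sensitive).
MDM_VARIABLES = {
    "Securly MDM": "$email",
    "Jamf": "$EMAIL",
    "Meraki": "$OWNEREMAIL",
    "Jamf School": "%Email%",
    "Lightspeed": "%email%",
    "Filewave": "%email%",
    "Mosyle": "%Email%",
}

def raw_query(url):
    """Split the query string without percent-decoding it: tokens such as
    %Email% are MDM placeholders, not URL escapes."""
    pairs = {}
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key:
            pairs[key] = value
    return pairs

def check_smartpac_url(url, mdm):
    """Return a list of findings; an empty list means the URL follows the
    'SMART PAC URL + &user= + MDM variable' format for the given MDM."""
    findings = []
    expected = MDM_VARIABLES[mdm]
    params = raw_query(url)
    if not urlsplit(url).path.endswith("/smart.pac"):
        findings.append("path is not smart.pac")
    if "@" not in params.get("fid", ""):
        findings.append("fid is missing or is not an email address")
    user = params.get("user")
    if user is None:
        findings.append("user parameter missing: no user injection")
    elif user != expected:
        if user.lower() == expected.lower():
            findings.append(f"wrong case: {user!r}, {mdm} expects {expected!r}")
        elif "@" in user and "$" not in user and "%" not in user:
            # Allowed (see "Setup for shared accounts"), but worth flagging:
            # every device with this profile reports as the same account.
            findings.append(f"literal address {user!r}: shared account")
        else:
            findings.append(f"unexpected value {user!r}, {mdm} expects {expected!r}")
    return findings
```
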

Supporting links:

https://docs.jamf.com/9.9/casper-suite/administrator-guide/iOS_Configuration_Profiles.html

https://documentation.meraki.com/SM/Profiles_and_Settings/Variables_in_Custom_Apple_Profiles_with_Systems_Manager

https://support.zuludesk.com/hc/en-us/articles/115002302573-Payload-Variables

http://community.lightspeedsystems.com/documentation/mobile-manager/administration/policies/policy-variables/

https://kb.filewave.com/display/KB/Parameterized+Profile

https://help.apple.com/profilemanager/mac/5.4/#/apd073333AA-30C6-4FD2-B2E0-E0C95658A2C4
