Setup for iPads
iPad use in schools is notably high for lower grade levels. Their intuitive design and touchscreen make them a great candidate for combining technology and education in the classroom. The one thing that remains a sticking point is authentication. It’s difficult if not impossible for an entire classroom of kindergartners to log in in order to get internet connectivity through the school’s web filter. The only workarounds we’ve seen in the field were either assigning an IP-based policy which would reduce logging visibility (and not work offsite) or having the teacher and teacher’s aide log the students into the iPads each morning. In an effort to combat this issue, Securly developed “User-Injection” for SmartPac. User-Injection allows the school’s IT admin to add a URL parameter to the SmartPac via MDM (iPads) or GPO (Windows) which will automagically authenticate the student and allow them access to the Internet without losing attribution for the student’s browsing activity.
Note that you would need to contact the Securly support team at firstname.lastname@example.org to enable this feature for you.
- Confirm if the MDM supports variable payload with iPad configuration profile. The variable will be used for SmartPac to inject the username. For example, SecurlyMDM uses “$EMAIL” variable to pass the email address. (See the list of variables for other MDMs below.)
- Make sure the MDM has an email address associated with each user.
Generic Example using SecurlyMDM Payload Variable:
To break it down:
Smart PAC URL: https://email@example.com
Constant variable used by Securly: &user=
MDM Variable: $EMAIL
On your iPad, the PAC URL would display the “$EMAIL” as the email address of the user tied to the iPad.
Setup for Windows
For Windows, we can pass the logon user. This is great for shared Windows Lab to filter and report each student activity when they are logged in.
Windows - %USERNAMEfirstname.lastname@example.org
Note: If you are on Windows build 1903, you will need to set the PAC URL to HTTP, not HTTPS. You can refer to this forum to read more. It is speculated Windows may revert this change and once again support PAC URLs over HTTPS. If they do we will update this article.
Setup for shared accounts
In addition to using a variable for user injection, a shared account can be used in the SmartPac URL. The shared account must exist in G-Suite or AD/Azure to auto-authenticate with Securly. Using a shared account can be done if MDM solution does not support using payload variables.
We have a running list of variable payload with iPad configuration profile:
Mosyle - %email%
Other- Try %email%
Windows - %USERNAME%@<schooldomain.com> (Ex: %USERNAMEemail@example.com)