Enrolling iPads via Jamf Pro

Enrolling iPads via Jamf Pro

This guide provides step-by-step instructions for enrolling your school's iPads into KyberGate using Jamf Pro as your MDM (Mobile Device Management) solution. Once enrolled, iPads will be protected by KyberGate's web filtering, SSL inspection, and activity monitoring.

Before You Begin

• Jamf Pro account with admin access
• iPads must be supervised (enrolled via Apple Business Manager or Apple School Manager)
• KyberGate admin access to download the enrollment assets
• Network connectivity — iPads must be able to reach *.kybergate.com on ports 80, 443, 8080, and 8443
• Estimated time: 15–20 minutes for setup, plus MDM propagation time

Step 1: Download KyberGate Enrollment Assets

1. Log in to dashboard.kybergate.com
2. Navigate to Devices → Enrollment → iPad
3. Download the following:
   • KyberGate CA Certificate (.cer file) — Required for SSL/HTTPS inspection
   • Note the PAC File URL — This is unique to your organization (format: https://pac.kybergate.com/proxy.pac?org=YOUR_ORG_ID)

Step 2: Upload the CA Certificate to Jamf Pro

1. Log in to your Jamf Pro dashboard
2. Navigate to Computers/Devices → Configuration Profiles (or Mobile Devices → Configuration Profiles for iPad-specific)
3. Click + New to create a new Configuration Profile
4. Give it a name: "KyberGate Web Filtering"
5. Under the Certificate payload:
   • Click Configure
   • Upload the KyberGate CA Certificate (.cer file)
   • Set Certificate Name to "KyberGate CA"
   • Ensure Allow all apps access is checked
6. Do not save yet — continue to Step 3

⚠️ Important: The CA certificate is essential for HTTPS filtering. Without it, students will see browser certificate errors instead of the KyberGate block page, and HTTPS sites cannot be inspected or categorized.

Step 3: Configure the Global HTTP Proxy

In the same Configuration Profile:

1. Click the Global HTTP Proxy payload
2. Click Configure
3. Set the following:
   • Proxy Type: Auto
   • Proxy PAC URL: Paste your PAC file URL from Step 1
   • Proxy PAC Fallback Allowed: No (recommended — this enforces filtering even if the PAC file is temporarily unavailable)
   • Allow bypassing proxy to access captive networks: Yes (allows iPads to connect to captive portal Wi-Fi networks like hotels or airports)
4. Click Save

Step 4: Scope the Profile

1. Click the Scope tab
2. Choose your target:
   • All Mobile Devices — For district-wide deployment
   • Specific Device Groups — For grade-level or building-level deployment
   • Specific Devices — For testing on individual devices
3. For initial testing, we recommend scoping to a test group of 2–3 devices

Step 5: Deploy and Verify

1. Click Save to deploy the Configuration Profile

2. Jamf Pro will push the profile to targeted devices on their next check-in

3. To force an immediate check-in:

   • In Jamf Pro: Select the device → Management → Send MDM Command → Update Inventory
   • On the iPad: Go to Settings → General → VPN & Device Management and look for the KyberGate profile

4. Verify enrollment in KyberGate:

   • Go to Devices in the KyberGate dashboard
   • The iPad should appear with a 🟢 green status
   • Open Safari on the iPad and browse to a blocked category site
   • You should see the KyberGate block page

5. Verify SSL inspection:

   • Browse to an HTTPS site that should be blocked
   • You should see the KyberGate block page (not a browser certificate error)
   • If you see a certificate error, the CA certificate was not properly installed

Step 6: Deploy to All Devices

Once testing is successful:

1. Edit the Configuration Profile in Jamf Pro
2. Update the Scope to include all target devices
3. Click Save
4. Monitor the KyberGate dashboard — devices will appear as they check in with Jamf

💡 Pro Tip: Schedule the deployment during off-hours or a maintenance window. While the profile installation doesn't disrupt the user, it's good practice to monitor the first full rollout.

Advanced Configuration

Per-App VPN Exception

If certain apps (like your SIS or assessment tools) need to bypass the proxy:

1. In Jamf Pro, create a Per-App VPN configuration
2. Exclude specific apps from the Global HTTP Proxy

Captive Portal Detection

If your school uses captive portal Wi-Fi:

• Set Allow bypassing proxy to access captive networks to Yes in the proxy payload
• This allows iPads to authenticate with captive portals before filtering begins

Multiple Proxy Profiles

You can create different KyberGate profiles for different device groups with different PAC file URLs (e.g., elementary vs. high school), each pointing to different filtering policies.

Troubleshooting

Profile stuck in "Pending" state:

• Ensure the iPad has internet connectivity
• Force a Jamf check-in: Settings → General → VPN & Device Management → tap the Jamf profile → check for updates
• Verify the iPad is supervised — non-supervised iPads cannot receive Global HTTP Proxy profiles

Certificate not trusted:

• Go to Settings → General → About → Certificate Trust Settings on the iPad
• Ensure the KyberGate CA certificate is toggled to "Full Trust"
• If the certificate doesn't appear, redeploy the Configuration Profile

Browsing not working after enrollment:

• Check that the PAC file URL is correct and accessible
• Try loading the PAC file URL in Safari — it should download a .pac file
• Verify your network allows outbound connections to KyberGate proxy servers

iPad showing in KyberGate but no activity:

• The device may be using a VPN that bypasses the proxy
• Check for any conflicting Configuration Profiles in Jamf Pro

Related Articles

• How to Enroll Devices
• Enrolling Devices via Mosyle
• Certificate Installation Issues
• Network and Proxy Settings