Device Management

Enrolling iPads via Jamf Pro

Enrolling iPads via Jamf Pro This guide provides step-by-step instructions for enrolling your school's iPads into KyberGate using Jamf Pro as your MDM (Mobile Device Management) solution. Once enrolled, iPads will be protected by KyberGate's web filtering, SSL inspection, and activity monitoring. Before You Begin - Jamf Pro account with admin access - iPads must be supervised (enrolled via Apple Business Manager or Apple School Manager) - KyberGate admin access to download the enrollment assets - Network connectivity — iPads must be able to reach *.kybergate.com on ports 80, 443, 8080, and 8443 - Estimated time: 15–20 minutes for setup, plus MDM propagation time Step 1: Download KyberGate Enrollment Assets 1. Log in to dashboard.kybergate.com 2. Navigate to Devices → Enrollment → iPad 3. Download the following: - KyberGate CA Certificate (.cer file) — Required for SSL/HTTPS inspection - Note the PAC File URL — This is unique to your organization (format: https://pac.kybergate.com/proxy.pac?org=YOUR_ORG_ID) Step 2: Upload the CA Certificate to Jamf Pro 1. Log in to your Jamf Pro dashboard 2. Navigate to Computers/Devices → Configuration Profiles (or Mobile Devices → Configuration Profiles for iPad-specific) 3. Click + New to create a new Configuration Profile 4. Give it a name: "KyberGate Web Filtering" 5. Under the Certificate payload: - Click Configure - Upload the KyberGate CA Certificate (.cer file) - Set Certificate Name to "KyberGate CA" - Ensure Allow all apps access is checked 6. Do not save yet — continue to Step 3 ⚠️ Important: The CA certificate is essential for HTTPS filtering. Without it, students will see browser certificate errors instead of the KyberGate block page, and HTTPS sites cannot be inspected or categorized. Step 3: Configure the Global HTTP Proxy In the same Configuration Profile: 1. Click the Global HTTP Proxy payload 2. Click Configure 3. Set the following: - Proxy Type: Auto - Proxy PAC URL: Paste your PAC file URL from Step 1 - Proxy PAC Fallback Allowed: No (recommended — this enforces filtering even if the PAC file is temporarily unavailable) - Allow bypassing proxy to access captive networks: Yes (allows iPads to connect to captive portal Wi-Fi networks like hotels or airports) 4. Click Save Step 4: Scope the Profile 1. Click the Scope tab 2. Choose your target: - All Mobile Devices — For district-wide deployment - Specific Device Groups — For grade-level or building-level deployment - Specific Devices — For testing on individual devices 3. For initial testing, we recommend scoping to a test group of 2–3 devices Step 5: Deploy and Verify 1. Click Save to deploy the Configuration Profile 2. Jamf Pro will push the profile to targeted devices on their next check-in 3. To force an immediate check-in: - In Jamf Pro: Select the device → Management → Send MDM Command → Update Inventory - On the iPad: Go to Settings → General → VPN & Device Management and look for the KyberGate profile 4. Verify enrollment in KyberGate: - Go to Devices in the KyberGate dashboard - The iPad should appear with a 🟢 green status - Open Safari on the iPad and browse to a blocked category site - You should see the KyberGate block page 5. Verify SSL inspection: - Browse to an HTTPS site that should be blocked - You should see the KyberGate block page (not a browser certificate error) - If you see a certificate error, the CA certificate was not properly installed Step 6: Deploy to All Devices Once testing is successful: 1. Edit the Configuration Profile in Jamf Pro 2. Update the Scope to include all target devices 3. Click Save 4. Monitor the KyberGate dashboard — devices will appear as they check in with Jamf 💡 Pro Tip: Schedule the deployment during off-hours or a maintenance window. While the profile installation doesn't disrupt the user, it's good practice to monitor the first full rollout. Advanced Configuration Per-App VPN Exception If certain apps (like your SIS or assessment tools) need to bypass the proxy: 1. In Jamf Pro, create a Per-App VPN configuration 2. Exclude specific apps from the Global HTTP Proxy Captive Portal Detection If your school uses captive portal Wi-Fi: - Set Allow bypassing proxy to access captive networks to Yes in the proxy payload - This allows iPads to authenticate with captive portals before filtering begins Multiple Proxy Profiles You can create different KyberGate profiles for different device groups with different PAC file URLs (e.g., elementary vs. high school), each pointing to different filtering policies. Troubleshooting Profile stuck in "Pending" state: - Ensure the iPad has internet connectivity - Force a Jamf check-in: Settings → General → VPN & Device Management → tap the Jamf profile → check for updates - Verify the iPad is supervised — non-supervised iPads cannot receive Global HTTP Proxy profiles Certificate not trusted: - Go to Settings → General → About → Certificate Trust Settings on the iPad - Ensure the KyberGate CA certificate is toggled to "Full Trust" - If the certificate doesn't appear, redeploy the Configuration Profile Browsing not working after enrollment: - Check that the PAC file URL is correct and accessible - Try loading the PAC file URL in Safari — it should download a .pac file - Verify your network allows outbound connections to KyberGate proxy servers iPad showing in KyberGate but no activity: - The device may be using a VPN that bypasses the proxy - Check for any conflicting Configuration Profiles in Jamf Pro Related Articles - How to Enroll Devices - Enrolling Devices via Mosyle - Certificate Installation Issues - Network and Proxy Settings

Enrolling Chromebooks via Google Admin

Enrolling Chromebooks via Google Admin KyberGate protects Chromebooks through a Chrome browser extension that's force-installed via Google Admin Console. This guide covers the complete setup process for deploying KyberGate across your Chromebook fleet. Before You Begin - Google Admin Console access with super admin or Chrome management privileges - Google Workspace for Education account (the Chromebooks must be managed) - KyberGate admin access to retrieve your extension ID and org credentials - Chromebooks must be running ChromeOS 100 or later - Estimated setup time: 10–15 minutes Step 1: Get Your KyberGate Extension ID 1. Log in to dashboard.kybergate.com 2. Navigate to Devices → Enrollment → Chromebook 3. Copy the Chrome Extension ID (a 32-character alphanumeric string) 4. Also note your Organization ID — the extension uses this to identify your school Step 2: Force-Install the Extension in Google Admin 1. Log in to admin.google.com 2. Navigate to Devices → Chrome → Apps & Extensions → Users & Browsers 3. Select the Organizational Unit (OU) where you want to deploy KyberGate - For district-wide deployment, select the top-level OU - For grade-level deployment, select the appropriate sub-OU 4. Click the + (Add) button at the bottom right 5. Select Add Chrome app or extension by ID 6. Paste the KyberGate Extension ID 7. Choose From the Chrome Web Store 8. Click Save 9. The extension entry will appear in the list. Click on it to configure: - Installation policy: Set to Force install (this ensures students cannot remove it) - Update URL: Leave as default (Chrome Web Store) - Allow incognito mode: Set to Force (ensures filtering works in incognito) 10. Click Save at the top right 💡 Pro Tip: The "Force install" setting is critical. If set to "Allow install," students can remove the extension and bypass filtering entirely. Step 3: Configure Extension Policy (Optional) You can pass configuration parameters to the extension via Google Admin: 1. In the extension settings, find Policy for extensions 2. Enter the JSON configuration: { "orgId": "YOUR_ORG_ID", "proxyMode": "auto", "reportingLevel": "full" } 3. Click Save Step 4: Block Extension Removal and Developer Mode To prevent students from bypassing KyberGate: 1. In Google Admin, go to Devices → Chrome → Settings → Users & Browsers 2. Select your target OU 3. Configure: - Developer tools: Set to Never allow use of built-in developer tools - Incognito mode: Set to Disallow incognito mode OR ensure the extension is forced in incognito - Chrome Web Store permissions: Restrict to approved extensions only Step 5: Verify Enrollment 1. Have a student sign in to a Chromebook in the targeted OU 2. Open Chrome and click the puzzle piece icon (Extensions) in the toolbar 3. The KyberGate extension should appear with "Installed by your administrator" 4. Browse to a site in a blocked category — the KyberGate block page should appear 5. In the KyberGate dashboard: - Navigate to Devices - The Chromebook should appear with: - Device name - Student email (from Google account) - Status: 🟢 Online - Last check-in time Step 6: Roll Out to All Chromebooks Once testing is successful: 1. Return to Google Admin → Devices → Chrome → Apps & Extensions 2. Either: - Apply the extension to higher-level OUs to cover more students - Or move students/devices into the OU where KyberGate is deployed 3. Extensions propagate to devices on next Chrome restart or within ~15 minutes Advanced Configuration Different Policies for Different OUs You can configure different KyberGate organizations or policies for different OUs: - Create separate KyberGate "groups" in the dashboard - Pass different orgId values in the extension policy for different OUs Managed Guest Sessions / Kiosk Mode KyberGate works in managed guest sessions and kiosk mode. Ensure the extension is force-installed for the managed guest session OU. Handling Shared Chromebooks On shared Chromebooks, KyberGate identifies users by their Google account. Different students on the same device are tracked and filtered individually. Troubleshooting Extension not appearing on Chromebooks: - Verify the OU assignment — the student's account must be in the OU where the extension is deployed - Force a Chrome policy refresh: Open chrome://policy and click Reload policies - Restart Chrome completely (close all windows) - Check the extension ID is correct — a single typo will prevent installation Students see "Not installed by your administrator": - The installation policy is set to "Allow install" instead of "Force install" - Update the policy in Google Admin to "Force install" Filtering not working despite extension being installed: - Open the extension popup — it should show "Connected" and your school name - If it shows "Disconnected," check network connectivity - Verify the orgId in the extension policy matches your KyberGate organization Extension crashes or becomes unresponsive: - Update ChromeOS to the latest version - Go to chrome://extensions, find KyberGate, and check for error logs - Contact KyberGate support with the error details Related Articles - How to Enroll Devices - Google Workspace Integration - Chrome Extension Troubleshooting - System Requirements and Supported Devices

Enrolling Devices via Mosyle

Enrolling Devices via Mosyle Mosyle is a popular MDM solution for Apple devices in education. This guide walks you through configuring Mosyle to deploy KyberGate's web filtering to your iPads and Macs. Before You Begin - Mosyle Business or Mosyle Manager account with admin access - Devices enrolled in Mosyle (supervised via Apple Business/School Manager) - KyberGate admin access to download enrollment assets - Estimated setup time: 15–20 minutes Step 1: Download KyberGate Assets 1. Log in to dashboard.kybergate.com 2. Go to Devices → Enrollment → iPad (or macOS) 3. Download the KyberGate CA Certificate (.cer file) 4. Copy the PAC File URL Step 2: Upload the CA Certificate 1. Log in to your Mosyle dashboard 2. Navigate to Management → Profiles 3. Click Add new profile 4. Select Certificate from the payload options 5. Upload the KyberGate CA Certificate 6. Name it "KyberGate CA Certificate" 7. Under assignment, select your target device groups or all devices 8. Save the profile ⚠️ Important: On iOS, you must also ensure the certificate is set to full trust. Mosyle handles this automatically for supervised devices when the certificate payload is configured correctly. Step 3: Configure the HTTP Proxy 1. In Mosyle, create another profile (or add to the existing one) 2. Select the Global HTTP Proxy payload 3. Configure: - Proxy Type: Automatic / PAC - PAC URL: Paste your KyberGate PAC file URL - Allow Direct Connection if PAC is Unavailable: No (recommended for security) 4. Assign to the same device groups 5. Save the profile Step 4: Deploy and Verify 1. Mosyle will push the profiles to devices on next check-in 2. To force immediate deployment: Select target devices → Actions → Push Configuration 3. On the device, verify: - Settings → General → VPN & Device Management → KyberGate profile should be installed - Settings → General → About → Certificate Trust Settings → KyberGate CA should be trusted 4. Open Safari and browse to a blocked site — the KyberGate block page should appear 5. Check the KyberGate dashboard — the device should appear under Devices Step 5: Deploy KyberGate Agent for macOS (Optional) For macOS devices, you can also deploy the KyberGate native agent: 1. Download the KyberGate macOS agent (.pkg) from the dashboard 2. In Mosyle, go to Management → Install macOS App 3. Upload the .pkg file 4. Configure: - Installation type: Required - Target devices: Select your Mac fleet 5. The agent installs silently and configures proxy + CA certificate automatically Troubleshooting Profile fails to install: - Ensure the device is supervised — non-supervised devices reject Global HTTP Proxy profiles - Check Mosyle's Commands section for error logs - Verify the certificate file is valid (.cer format) Certificate not trusted on the device: - For supervised iPads, trust is managed automatically via MDM - If using a non-supervised Mac, the user must manually trust the certificate in Keychain Access - Redeploy the profile and check Mosyle command status Devices enrolling but no filtering: - Verify the PAC file URL is correct (test by loading it in a browser) - Check that Mosyle didn't strip any URL parameters from the PAC URL Related Articles - How to Enroll Devices - Enrolling iPads via Jamf Pro - Certificate Installation Issues - Network and Proxy Settings

Managing Device Groups and Assignments

Managing Device Groups and Assignments Device groups let you organize your enrolled devices by grade level, building, device type, or any other criteria. Groups make it easy to assign filtering policies, manage classroom sessions, and generate targeted reports. Before You Begin - Admin access to the KyberGate dashboard - At least one enrolled device to start creating groups - A plan for how you want to organize devices (by grade, building, department, etc.) Understanding Device Groups Device groups in KyberGate serve three main purposes: 1. Policy assignment — Assign different filtering policies to different groups (e.g., stricter filtering for elementary, more open for high school) 2. Reporting — Generate reports and analytics filtered by group 3. Organization — Keep your device inventory manageable as you scale Devices can belong to multiple groups simultaneously (e.g., a device can be in both "5th Grade" and "Building A" groups). Creating a Device Group 1. Navigate to Devices → Groups 2. Click Create Group 3. Enter: - Group Name — Use a clear, descriptive name (e.g., "Elementary iPads," "HS Chromebooks," "Library Devices") - Description (optional) — Add context for other admins 4. Click Create Adding Devices to a Group Method 1: Individual assignment 1. Go to Devices 2. Click on a device to open its detail page 3. Under Groups, click Edit 4. Select the groups to add the device to 5. Click Save Method 2: Bulk assignment 1. Go to Devices 2. Use the checkboxes to select multiple devices 3. Click Actions → Assign to Group 4. Select the target group 5. Click Apply Method 3: Automatic assignment via directory sync If you've integrated Google Workspace, Clever, or ClassLink: - Devices can be automatically assigned to groups based on the student's Organizational Unit, grade level, or school building - Go to Settings → Integrations → Directory Sync → Group Mapping to configure automatic assignment rules 💡 Pro Tip: Use automatic group assignment whenever possible. It eliminates manual work and ensures new devices are immediately placed in the correct group with the right filtering policy. Assigning Policies to Groups 1. Go to Web Filtering → Policies 2. Select the policy you want to assign 3. Click Assignment 4. Select one or more device groups 5. Click Save Policy priority: If a device belongs to multiple groups with different policies, KyberGate uses the most restrictive policy. To override this, you can assign a specific policy directly to an individual device. Managing Group Membership Removing devices from a group: 1. Go to Devices → Groups 2. Click on the group 3. Select the devices to remove 4. Click Remove from Group Deleting a group: 1. Go to Devices → Groups 2. Click the three-dot menu on the group 3. Select Delete Group 4. Confirm the deletion 5. Note: Deleting a group does not delete the devices — they remain enrolled but unassigned from that group Best Practices for Group Organization | Strategy | Example Groups | Best For | |----------|---------------|----------| | By grade level | K-2, 3-5, 6-8, 9-12 | Schools with age-appropriate filtering needs | | By building | Elementary, Middle School, High School | Districts with multiple buildings | | By device type | iPads, Chromebooks, MacBooks | Mixed-device environments | | By purpose | 1:1 Devices, Cart Devices, Library, Lab | Shared vs. personal device management | | By department | Math, Science, English, Art | Subject-specific filtering needs | 💡 Pro Tip: Start simple with 3–5 groups. You can always add more granularity later. Over-segmenting from the start creates management overhead. Troubleshooting Devices not automatically assigned to groups: - Verify your directory sync integration is active and healthy - Check the group mapping rules under Settings → Integrations - Force a directory sync by clicking Sync Now Policy not applying to a group: - Confirm the policy is published (not in draft mode) - Check that the policy is assigned to the correct group - Wait 2–3 minutes for policy propagation Device appears in wrong group: - Check if the device was manually assigned or auto-assigned - Review your automatic assignment rules - Manually move the device to the correct group Related Articles - Setting Up Web Filtering Policies - How to Enroll Devices - Google Workspace Integration - Clever SSO Integration

Enrolling Windows Devices

Enrolling Windows Devices Deploy KyberGate on Windows devices using the KyberGate Windows Agent. The agent installs as a system service, configures proxy settings automatically, installs the root certificate, and provides persistent web filtering without requiring MDM. Before You Begin - Windows 10 (version 1903+) or Windows 11 - Administrator access on the device for installation - Your organization's enrollment token (found in Settings → Devices → Add Device → Windows in your dashboard) - .NET 6.0 Runtime or later (the installer will prompt if missing) Installation Methods Method 1: Manual Installation (Single Device) 1. In your KyberGate dashboard, go to Devices → Add Device 2. Select Windows as the platform 3. Click Download Agent Installer to get the MSI file 4. Copy your enrollment token from the dashboard 5. Run the MSI installer on the Windows device 6. When prompted, paste your enrollment token 7. Click Install and accept the UAC prompt 8. The agent installs, configures proxy settings, and connects automatically Method 2: Silent Installation (Multiple Devices) For deploying across many devices via script, Group Policy, or RMM: msiexec /i KyberGateAgent.msi /quiet /norestart ENROLLMENT_TOKEN="your-token-here" Via Group Policy (GPO): 1. Copy the MSI to a network share accessible by target devices 2. Create a new GPO → Computer Configuration → Software Installation 3. Add the MSI package with the enrollment token parameter 4. Link the GPO to the appropriate OU Via RMM (ConnectWise, Datto, NinjaRMM, etc.): 1. Upload the MSI to your RMM platform 2. Create a deployment script using the silent install command above 3. Deploy to your Windows device group Method 3: Intune / Microsoft Endpoint Manager 1. In Microsoft Intune, go to Apps → Windows → Add 2. Select Line-of-business app and upload the MSI 3. Set command-line arguments: ENROLLMENT_TOKEN="your-token-here" 4. Assign the app to your device group 5. Devices install the agent on next sync What the Agent Does Once installed, the KyberGate Windows Agent: - Configures system-wide proxy settings (PAC file) - Installs the KyberGate root certificate in the Windows certificate store - Runs as a Windows service (starts automatically on boot) - Reports device info, browsing activity, and health status to your dashboard - Updates automatically when new versions are available Verifying Installation 1. Check the system tray — the KyberGate icon should appear with a green indicator 2. Right-click the icon → Status to see connection details 3. In your dashboard, the device should appear in Devices within 2-5 minutes 4. Visit a blocked site to verify filtering is active Tips - The agent works on any network (school, home, public Wi-Fi) — filtering follows the device - Use the silent install method for deploying to 10+ devices - The agent updates itself automatically — no need to redeploy for updates - To uninstall: use Add/Remove Programs or msiexec /x KyberGateAgent.msi /quiet Troubleshooting - UAC prompt doesn't appear: Right-click the MSI → Run as administrator - Agent not connecting: Check Windows Firewall isn't blocking KyberGateAgent.exe. Allow outbound connections to *.kybergate.com on ports 443 and 8080 - Certificate not trusted: Open certmgr.msc → verify the KyberGate certificate appears under Trusted Root Certification Authorities - Device not appearing in dashboard: Restart the KyberGate service via services.msc or reboot the device Related Articles - System Requirements and Supported Devices - Network and Proxy Settings - Device Not Appearing in Dashboard

Enrolling macOS Devices with KyberGate Agent

Enrolling macOS Devices with KyberGate Agent Deploy KyberGate on macOS devices using the KyberGate Agent app. Available on the Mac App Store, the agent provides system-wide web filtering, automatic proxy configuration, and certificate management for macOS laptops and desktops. Before You Begin - macOS 13 (Ventura) or later - Administrator access on the Mac - Your organization's enrollment token (found in Settings → Devices → Add Device → macOS in your dashboard) - For MDM deployment: Jamf Pro, Mosyle, Kandji, or another macOS MDM Installation Methods Method 1: Mac App Store (Individual Devices) 1. Open the App Store on the Mac 2. Search for KyberGateAgent 3. Click Get → Install 4. Open KyberGateAgent from Applications or Launchpad 5. Enter your enrollment token when prompted 6. Grant the requested permissions: - Network Extension: Required for proxy configuration - System Proxy: Required to route traffic through KyberGate 7. Enter your Mac admin password to authorize system changes 8. The agent connects and the device appears in your dashboard Method 2: MDM Deployment (Fleet) Jamf Pro: 1. In Jamf, go to Computers → Configuration Profiles → New 2. Add a Global HTTP Proxy payload with PAC URL from your dashboard 3. Add a Certificate payload with the KyberGate root certificate 4. Deploy KyberGateAgent via App Store Apps in Jamf 5. Pass enrollment token via managed app configuration key enrollmentToken Mosyle: 1. In Mosyle, go to Management → Install Apps 2. Add KyberGateAgent from the App Store 3. Create a proxy profile with your PAC URL under Network 4. Deploy certificate profile and push to your macOS device group Kandji: 1. Add a Custom App library item for KyberGateAgent 2. Create a Network profile with PAC file URL 3. Add a Certificate profile with the KyberGate root certificate 4. Assign to your Mac blueprint Method 3: MDM Auto-Enrollment If deployed via MDM with managed app configuration, it can auto-enroll without user interaction: 1. Set the enrollmentToken key in the MDM's managed app configuration 2. The agent reads the token on first launch and enrolls automatically 3. No manual token entry required — ideal for zero-touch deployment What the Agent Does - Configures system proxy settings using your organization's PAC file - Installs and trusts the KyberGate root certificate in the System Keychain - Monitors web traffic and reports activity to your dashboard - Runs as a Launch Agent (starts on login) - Supports network extension for advanced traffic inspection Verifying Installation 1. Check the menu bar — the KyberGate icon should appear with a green dot 2. Click the icon → Status to see connection info and last check-in time 3. The device should appear in your dashboard under Devices within 2-5 minutes 4. Visit a blocked site to confirm filtering is working Tips - For large deployments, use MDM auto-enrollment — it's zero-touch - The agent persists across macOS updates - System Extension approval may require MDM pre-approval for silent installation Troubleshooting - Network Extension permission denied: Go to System Settings → Privacy & Security → Network Extensions and enable KyberGateAgent - Certificate not trusted: Open Keychain Access → System → Certificates, find the KyberGate certificate, set trust to Always Trust - Agent not starting: Check System Settings → Login Items to ensure KyberGateAgent is listed - MDM profile conflicts: Ensure only one proxy configuration is active Related Articles - System Requirements and Supported Devices - Network and Proxy Settings - Device Not Appearing in Dashboard - Certificate Installation Issues