In 2022, with the proliferation of TLS encryption, the best place to filter is on the endpoint. If you take E-Rate money, you also need to filter on the network itself as part of CIPA compliance. The best balance I’ve found is to use separate networks to isolate managed (owned) and unmanaged (BYOD) devices, use network filtering (typically DNS-based) for those unmanaged devices, and allow for more nuanced policy and security on the managed devices network. A NAC or your endpoint agent itself can control admission to the managed devices network, but there should be no manual path forward for devices to connect there.
Reality typically puts us in a compromise somewhere, but that’s what I like to work towards.
As far as ContentKeeper goes, it’s in the class of solutions that is sufficiently complex that each implementation will have different trade-offs. I’d recommend letting their sales team show you how the product can work with the features you need. With student devices, if they’re managed, they should automatically sign in to your filtering solution, and I’d advise against trying really hard to filter unmanaged devices outside of your network unless ContentKeeper’s sales team can show you a compelling configuration.