Content Filtering Offsite for church/school

We are currently evaluating content keeper for web filtering. The youtube videos I watched makes it look like students have to login to a captive portal everyday when they are home on the iPad. Is that correct? It seems like this could cause problems for some of the younger students as the device connects to home wifi but doesn’t go anywhere until the authentication has occurred.

Any wisdom on content keeper/filtering overall would be appreciated.

If these are school owned devices you could consider GoGuardian or Securly (we use GoGuardian on Chromebooks). I do not have experience with Content Keeper. If the devices are not school owned, you may have issues filtering on a home network. The best way to filter a network, like school, is at the firewall level, then everyone is filtered, and you can block some sites at the app level, rather than in the filter.

  • Greg Brenneman
    -Technology Director, Wooster Christian School.

In 2022 with the proliferation of TLS encryption, the best place to filter is on the endpoint. If you take eRate money, you also need to filter on the network itself as part of CIPA compliance. The best balance I’ve found is to use separate networks to isolate managed (Owned) and unmanaged (BYOD) devices, and use network filtering (typically DNS based) for those unmanaged devices and allow for more nuanced policy and security on the managed devices network. A NAC or your endpoint agent itself can control admission to the managed devices network, but there should be no manual path forward for devices to connect there.

Reality typically puts us in a compromise somewhere, but that’s what I like to work towards.

As far as ContentKeeper goes, it’s in the class of solutions that is sufficiently complex that each implementation will have different trade-offs. I’d recommend letting their sales team show you how the product can work with the features you need. With student devices, if they’re managed they should automatically sign into your filtering solution and I’d advise against trying really hard to filter unmanaged devices outside of your network unless ContentKeeper’s sales team can show you a compelling configuration.

Not for classroom, but I have used for church content filtering DNSFilter and Windows Defender for Endpoint. Neither is probably top of class, but both were sufficient and require very little touch. I’d consider them for the church side.

Thanks for the insights as @codatory said the BYOD will be our only real
challenge to figure out. That’s leaning towards agentless DNS based
filtering at this point.

We use DNSFilter as well. It gets the job done and has the ability to whitelist false positives. DNS based filtering is pretty easy to get around but you can lock down devices and block access to all other DNS providers as a way to prevent getting around it.

Yeah; an application aware firewall is great at being able to detect bypass protocols (VPN, DoH, DNS on alternative ports) and block them. I also hold the stance that filtering should be a reasonable-effort type situation, where we are protecting people as best we can from accidentally accessing things they didn’t mean to see but above and beyond that is a human issue (classroom/hr/ministry, etc) not a technical one.

1 Like

We evaluated a solution called Content Keeper which is cloud based. It basically forces the student iPad to use their VPN. So far I think it’ll do what we need and has the controls in place to segment different populations with different restrictions.