Securly FAQs

New

Uploading small student photos that were less than 250 pixels wide would fail with no warning. We now provide a warning message.

It's now possible to block the iOS apps for Shortcuts and Find My by adding their Bundle ID to the iOS Blocked Apps list: Find My = com.apple.findmy,Shortcuts = com.apple.shortcuts

There is now a link to login to Device Console on the Securly web site. From securly.com click Login, then choose Device Console.

Fixes

A bug prevented us from retaining the token that allows teachers to clear the passcode on student devices if the device upgraded to iOS 13 prior to November 4, 2019. It will not be possible to clear the passcode on these devices unless they are re-enrolled in MDM again. For devices in this state, we now disable the "Clear Passcode" button in teacher tools when such a device is selected and display a message when hovering over the button that reads "We cannot clear the passcode because we don't have an unlock token on file. We can store it again when the devie is removed and reenrolled into MDM"

Manually-created classes were no longer being sent to teacher devices for use along with ASM classes in the Apple Classroom app. We resolved this and now the combined list of classes should be available to the teacher.

For Securly Classroom (formerly ChromeTools) to work properly, devices need to be able to receive push notifications from Google's Firebase Cloud Messaging (FCM), formerly Google Cloud Messaging (GCM).

The following information was taken from an article on the Google Firebase web site :

Your firewall rule should allow incoming traffic on ports: 5228, 5229, and 5230.

Therefore, your firewall rule should be set to allow these ports from any source IP (outside) to any destination IP (inside device).

For the source on the incoming connection FCM doesn't provide specific IPs because Google's IP range changes too frequently and your firewall rules could get out of date impacting your users' experience. Ideally, you will whitelist ports5228-5230with no IP restrictions.

However, if you absolutely must have an IP restriction, you should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169 (over 500 ranges). This is a large list and you should plan to update your rules monthly. Problems caused by firewall IP restrictions are often intermittent and difficult to diagnose.

If your network implements Network Address Translation (NAT) or Stateful Packet Inspection (SPI), implement a 30 minute or larger timeout for our connections over ports5228-5230. This enables us to provide reliable connectivity while reducing the battery consumption of your users' mobile devices.

New

There is now a link to login to Device Console on the Securly web site. From securly.com click Login, then choose Device Console.

When unlinking Google Classroom, Schoology, or Canvas for roster sync, you will now be warned that classes created as a result of the sync will also be deleted from the system if they have no class session history (they will get created again if relinked). You will also be prompted with the option of deleting the ones with history too.

Google Classroom Sync does not sync classes that are marked as "archived" and will delete archived classes from Chrometools. With this release, we will not delete them if they have any class session history so that they can continue to be accesses for historical purposes.

Canvas sync will now exclude classes with a status of "complete". When sync encounters a course that changes to "complete" it will delete the class unless it has class history, in which case it will be retained so that history can be accessed.

Canvas Class Sections: Prior to this release we did not support Canvas courses that had multiple sections. The system would combine all sections into a single class. With this release, each section will be created as a class. The name of the class will be the course name appended with the section name.

Delete retained classes: Because of the new feature that will retain synced classes that have session history even after they are complete or archived in Canvas, Schoology, or Google Classroom, we have added the ability to delete these classes manually at a later time. To delete a class, use the new checkbox that appears next to each class in the class list, then use the new delete button at the top. Note that if the class is still active in the LMS it will be added back automatically on the next sync.

When new versions of the Chrome extension are released, Google doesn't always do a great job of pushing it out automatically. We now have our service run a periodic check of the Chromebooks and attempt to force push the extension update to help all devices get updated faster.

The system can now detect when a student is online but has not yet opened a browser on their Chromebook. Previously, some teachers would think that the system was not properly showing student screens in this case. We now display the text "Device online, Browser not opened" in both thumbnail view and tab view when this is detected.

When switching from Thumbnail View to Tab View, the list of tabs open on each device will populate faster.

When pinning or unpinning student from the list, the screen will no longer require a refreshed thumbnail or tabs list before displaying all devices again, resulting in a smoother experience during pin and unpin operations

Fixes

In some instances, class sessions would not always stop on all devices, particularly if the student closed the lid of the device prior to the end of class, in which case it would not receive the "end class" command when reopened.

Sometimes teachers would not get an email with the class summary.

When time zone settings changed, scheduled classes remained on old time zone schedule.

The Securly SSL Certificate is important to help us effectively filter categorized HTTPS sites. The SSL Certificate is only required when on a network that is forwarding its internet traffic to Securly (with the exception of traffic being applied the Guest Network Policy ). If a BYOD device is no longer on such a network, the SSL Certificate is inert and provides no function whatsoever. If a user is no longer on a network filtered by Securly and would like to remove our SSL Certificate, this document will explain the simple steps necessary for its removal. We do caution that it's important you only remove the Securly SSL Certificate as all other SSL Certificates in the Trusted Root are necessary for successful everyday web browsing.

Windows devices

To uninstall the Securly SSL certificate from Windows devices navigate to Microsoft Management Console > Trusted Root Certification Authorities folder > Certificates. Look for the Securly SSL certificate and right-click to get the Delete option. Click Delete to remove the SSL certificate.

iOS and iPadOS

To uninstall the Securly SSL certificate from an iPad or any iOS device, navigate to Settings > General > Profiles and look for the Securly SSL profile. Tap the Delete Profile option to delete the Securly SSL certificate from that device.

macOS

To uninstall the Securly SSL certificate from the MacOS go to the Keychain Access > System > Certificates and look for the Securly SSL certificate. Right-click the certificate and delete it. This should remove it from your device completely.

ChromeOS

To uninstall the Securly SSL certificate from your ChromeOS go to chrome://settings -> Advanced -> Manage Certificates -> Authorities. Look for the Securly SSL certificate in there and click Delete. This should delete the certificate from your Chromebook or another ChromeOS device.

Android

To uninstall the Securly SSL certificate installed on an Android device, go to Settings > Security > User Credentials and look for the Securly certificate. When you tap the certificate you will be asked if you want to Remove it. Click Remove to uninstall the certificate from your device. Note that navigations for Android might differ from device to device, but it would still be available under Settings > Security.

Securly currently does not support IPv6 and it is therefore recommended that you disable it for your Windows Server DNS. To learn what it means as a Securly user, click here.

To disable IPv6:

Navigate to Start > DNS Manager.

Expand out the DNS options.

Right-click the DNS server name and select properties.

Under the Listen On field select the Only the following IP addresses radio button and uncheck any IPv6 address that is listed under it.

Click Ok to complete the process.

YouTube recently implemented bot detection similar to what has been running on www.google.com for a few years. As far as we can tell, this was released in the summer of 2019. Google/YouTube are very tight-lipped regarding the specifics around these protections to ensure bot developers can't easily code their way around them.

After careful traffic observation, we have a few ideas on how to mitigate impact to schools using YouTube as an educational resource.

Steps we've taken

1. Javascript- It was immediately clear to us that if we were to create a bot performing likes/commenting on videos the first iteration would not have Javascript support. It is much harder to create a bot that can easily interact with Javascript. So we developed and released a Javascript block for the bots. This is a basic page that detects if the application communicating to YouTube has Javascript support or not. If this is a simple bot, it will not be automatically redirected to YouTube. If this is a normal browser or application, it will be redirected without interruption.

2. YouTube ban- Since we are still seeing CAPTCHAs coming from YouTube, we developed a YouTube Ban. This sounds scary, but we've developed it to be very passive. We have also coded a lot of intelligence into it so we can easily modify actions based on what we see happening in the field. YouTube ban will look for x number of CAPTCHA events within y minutes and block the USER for z minutes. All of the variables are real-time configurable so we can ensure we are stopping the bots and not causing unnecessary blocks.

What to do if users are seeing YouTube ban block pages

From conversations with Google developers, they claim only users with malware, spyware, malicious toolbars, and the like will receive CAPTCHAs. Similarly, users will only see the YouTube ban block page if they receive multiple CAPTCHAs from YouTube within a short period of time. It would be safe to say, there is something on the device that is causing enough suspicious YouTube traffic to generate our block page.

1.Have the user remove any non-essential toolbars from their browser. Toolbars have been known to cause suspicious traffic.

2. Run an AV scan on the device. This should pick up and remediation any malicious code.

3. Re-image the device. This is a drastic step, but it would ensure the user stops seeing CAPTCHAs from YouTube and thus would stop seeing the YouTube ban block page from Securly.If you are positive the computer is free from any malware, you can contact support to remove the ban for the user. If the ban comes back, YouTube is still detecting something malicious coming from the device.

In closing, we want our customers to know we are working tirelessly to help schools overcome these recent YouTube issues.

You may want to give your school guests parents, visiting teachers, visiting students, etc. limited access to the schools internet. But the guests network access would need to be governed by the schools web filtering policies and block access to inappropriate content and malicious websites.

To begin, you need to set up the Guest Network Policy on a separate IP address. It is important that this public IP address will not be shared by other regular members of the schools such as students, staff etc. because the Guest Network Policy would override any other filtering policy set up for that IP address, and become applicable for all users. To avoid such conflict of interest, it is recommended that schools with at least two different public IP addresses set up Guest Network Policies.

Requirements 1. All guest network DNS and HTTP/S traffic need to use this same public IP address. 2. All guest network traffic can NOT use the same public IP address as non-guest traffic. 3. Set DHCP scope for the guest network to use Securly DNS servers IP addresses only.

Note that guest network DNS traffic cannot mix with internal DNS servers using non-guest traffic.

To set up Guest Network Policy:

Contact Securly Support at [email protected] and request for the Guest Network Policy to be enabled. Please include the public IP addresses you would like to use for this service.

Once the Guest Network Policy is enabled, it would show up on the admin dashboard under the Policy Editor tab.

functionality

Note: Guest Network Policy cannot be deleted or disabled from the admin dashboard by the school admin. It can only be disabled by the Securly Support team.

The school admin can change the blocked categories by navigating to Policy Editor >> Guest Network Policy.

How it works

Guest Network Policy does not require any certs to be deployed for web filtering to work for guests. All traffic would be filtered and blocked according to Guest Network Policy and Global Allow/Deny list.

Guest Network Policy will only log and display the blocked content that a user attempted to visit, under the Reports tab.

You can whitelist and blacklist websites for the Guest Network Policy as and when required. However, wildcards are not supported.

The YouTube Restricted Mode can be enabled all guest users

.Guest Network Policy defaults safe search for Google and Bing search engines.

Please note that the Guest Network Policy would not support:

User-based policies

Keyword scanning

Yahoo search

Forced login

Mapping of OUs

Display of devices signed under GNP on the geolocation map

Restricting Google logins to personal accounts

Wildcards

Image result filtering using the Restrict Image Search to Creative Commons .

Securly offers different filtering solutions depending on the device you use. The Securly Chrome Extension is the preferred method of filtering Chrome OS (Chromebooks / Chromeboxes). It is offered free of cost to K-12 schools across the world.

The Securly Chrome extension is a user based extension that is deployed via the G Suite Admin console. When a user logs into a Chrome browser on Windows, OS X, or into a Chrome OS device they will get the Securly Chrome Filtering Extension, but it will not filter or log traffic. The extension is only active on Chrome OS. The extension works kind of like an ad blocker and blocks entire websites directly on the device. It uses the Google filtering API directly on the device to view the traffic. This provides a deep level of inspection for the traffic without any Man in the Middle (MITM) decryption. If you are using Securly DNS filtering solution in conjunction with the Chrome Extension filter, the SSL certificate should be deployed to G-Suite.

The extension requires that the user is logged into the device with a registered school domain. If a domain is not found, the extension will be deactivated and allow all traffic to pass without filtering or logging.Note: Ensure that you have signed up for a Securly account and have all domains registered before deploying the Securly Chrome extension.

All Securly filtering solutions use unified policies set in the Securly UI. The school admin creates and assigns policies to users and OUs via the Securly Admin UI. Settings in the Securly user interface do not enable filtering. Policies and filtering only affect users with the Securly Chrome extension enabled. When traffic is passed through the Securly extension for filtering it calls out to the Securly server and checks if the site is allowed or blocked. It checks other parameters applicable to the user as per the policy assigned to him and displays or blocks the site accordingly. The users activity is logged by the Securly server and displayed to the school admin via the Securly Admin UI.

The Chrome extension will usually work with onsite proxy-based filtering solutions because Securly works directly on the device at a different level. Note that if you have another filtering solution that also uses a Chrome extension to filter, it can conflict with the Securly solution.

To ensure you are getting the most out of the Securly extension, make sure you check out our best practices guides. These will help you prevent users from circumventing Securly filtering solutions.

If you are looking for an easy and efficient way to filter your Chromebooks, the Securly Chrome Extension is the perfect fit for you. There is no cap on the number of devices you filter, nor does it compromise any CIPA requirements. The Securly Chrome extension simply ensures that your students stay safe online at all times.

https://support.apple.com/en-us/HT203122

Error Message

support.apple.com/ipad/restore

support.apple.com/iphone/restore

If you see the Connect to iTunes screen onyour iPhone, iPad, or iPod touch, learn what to do.

the latest version of iTunes

Restart your device

If you see the Connect to iTunes screen, restart your device:

On an iPhone X or later, or iPhone 8 or later:Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then, press and hold the Side button until you see the Apple logo.

On an iPhone 7 or iPhone 7 Plus: Press and hold both theSide and Volume Down buttons for at least 10 seconds, until you see the Apple logo.

On an iPhone 6s and earlier, iPad, or iPod touch:Press and hold both theHome and Top (or Side) buttons for at least 10 seconds, until you see the Apple logo.

On an iPad Pro 11-inch or iPad Pro 12.9-inch (3rd generation): Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then, press and hold the Top button for at least 10 seconds, until you see Apple logo.

Reinstall iOS

If you still see the Connect to iTunes screen after you restart, you need to reinstall iOS:

Make sure that you're using.

Make sure Apple configurator is closed.

Connect your device to your computer using the cable that came with your device. You should see this message: "There's a problem with the iPhone [your device name]that requires it to be updated or restored."

Accept Terms of Service and Licencse agreement

Click Update (not Restore) to reinstalliOS and keep your personal data.

For testing devices do an restore.

The CIPA guidelines require schools to block students access to inappropriate matter on the internet which includes obscene and pornographic content. Securlys web filtering solution helps to ensure that all such content is blocked.

To ensure that kids are protected from all forms of inappropriate and malicious content on the internet we have categorized our database into 14 categories including Pornography, Drugs, Gambling, Social Media, Hate, Games, Social Networking, etc. (These categories are listed under Blocked Categories in your Policy Editor.) Any new website that does not exist in the database is automatically scanned by our PageScan tool when a user visits it the first time and categorized appropriately.

Identifying the category of a blocked site

You can find out why a particular site was blocked by looking at the user activity reports in your Securly UI. To do this:

Login to your Securly account

Navigate to Reports

Click the three dots (...) in front of the entry for which you want to identify the category.

You can also determine the reason for why a site was blocked by looking at the blocked page on the users machine.

Note that you can choose to decide which categories would be blocked for specific OUs as per your schools policies. However, we recommend blocking pornography, drugs, gambling, network misuse, other adult content, and hate categories for appropriate protection.

You would want to install the Securly SSL certificate in your Chrome browser to ensure the best browsing experience. The certificate does not control the level of filtering or what sites are allowed. The certificate will prevent errors on sites that Securly decrypts. Without the certificate, sites like Google.com and Facebook.com will show privacy errors, users will perceive this as the internet being broken.

To install the Securly SSL certificate manually in Chrome, open chrome://settings in your Chrome browser (version 59.0.3071 and above)

Installing on Chromebook (ChromeOS)

Download the Securly certificate.

Later this Fall, Securly's current SSL Certificate will expire. We have provisioned a brand new SSL Certificate available below which expires in 2034. While to get up and running today you only need to have the original SSL Certificate Installed, we recommend that you install both SSL Certificates at the same time to ensure when the original expires, you are at no loss of service.

Expires 2020 Cert

Expires 2034 Cert

Chrome

securly_ca_2020.pem

securly_ca_2034.pem

On the chrome://settings page scroll down to Advanced.

3. Under Privacy and Security click Manage Certificates.

4. Under the "Your certificates" tab click "Import" to start the certificate installation process. You can alternatively also click "Import" in the "Authorities" tab as well.

5. Once the certificate is installed it will be displayed under the "Authorities" tab.

Installing in Chrome browser for Windows OS

It is recommended to install this to the Windows Operating system using the automated process by downloading the executable file attached at the end of this article. The Chrome browser will read from the Windows OS certificate store.

On the chrome://settings page complete steps 2-4 as in the section on Installing on Chromebook.

A certificate import wizard is launched. Select the certificate file and finish the wizard.

The installed certificate will be displayed under the Trusted Root Certification Authorities tab.

Note: If you are using a Chrome browser version below 59.0.3071 you might experience some differences in navigation. This is because Google made changes to its Settings page in this version. In such cases you would need to navigate to Show Advanced Settings > HTTPS/SSL > Manage Certificates and click Import under the Authorities tab to import the SSL certificate.

We're announcing an important infrastructure update that will directly affect internet access for your users.

In order for Securly to apply its Student Safety solution and allow more detailed reporting, we perform Man-in-the-Middle SSL Decryption on a large portion of your internet traffic. For this to work, all filtered devices must have our SSL certificate installed.

The SSL certificate you currently have installed will expire in the next few months, butdon'tworry. Weve provisioned a brand new SSL certificate, set to expire in 2034, which you can begin installing alongside your existing 2020 SSL certificate.

If you use Securlys DNS, SmartPAC, or a combination of both for filtering student devices, it is required that you install the 2034 SSL certificate by November 13, 2019. After that date, anyone without the 2034 SSL certificate installed will receive an SSL error.

What does this mean for you?

To ensure that all of your devices have both the 2020 and 2034 SSL certificates installed, weve updatedour knowledge base to include step-by-step instructions on how to install the new SSL certificateboth manually and distributed. You'll need to append your current Group Policies and MDM Payloads to include the new 2034 SSL certificate in addition to the 2020 certificate.

We have also created a BYOD landing page that includesinformationon how to install the new SSL certificate on devices you do not manage. When you navigate to the site, you will be presented with the appropriate SSL certificate to downloadalong with step-by-step instructions on how to install it.

Additionally, we've developed an installer for Windows and Mac to make installing the certificate on any unmanaged computer super simple.

If you need help with updating your GPO or MDM Payloads, have a look at our comprehensive knowledge base or sign up for our upcoming webinar where we will walk you through everything you need to know in order to install your new SSL certificate.

If you need additional help, [email protected] is only an email away.

It is possible for students to kill Chrome extensions and other processes that are essential to ensuring a safe online experience for them. All they need is access to the Task Manager to do this. Givingstudents the ability to access the Task Manager is disruptive to schools' ability to manage and secureChromebooks. It is therefore recommended that you disable the task manager for students on their Chromebooks.

To do this:

Log in to your G Suite admin console at admin.google.com

Navigate to Device Management > Chrome Management > User Settings

Scroll down to Apps and Extensions > Task Manager

Select the Block user from ending processes with the Chrome task manager option from the dropdown.

There are various ways in which students can attempt to bypass filtering set by the school. One such way is to stop or disable extensions or modify settings for their Chromebooks. It is possible to ensure that students do not disable extensions or modify settings by blocking certain URLs in your user settings.

To do this:

Log in to your G Suite account at admin.google.com

Navigate to Device Management > Chrome Management > User Settings here

Scroll down to Content > URL Blocking > URL Blacklist

Input the following URLs in the text field:

chrome://settings

5. You can add more such URLs to the URL blocking field depending upon the pages you want students to stay away from.

The Securly portal also allows you to block or allow specific web pages, websites, and keywords to help you manage your students access effectively. To learn more, click .

Apple recently added a feature to Safari that helps prevent ad, tracking, and other 3rd party cookies. This feature, called Intelligent Tracking Prevention (ITP) uses machine learning and profiling to categorize sites and cookies based on the habit of both how the user and the website interact with each other.

This feature, unfortunately, can cause interruptions when a site uses an authentication service such as Google, which can lead to an error known as Too many redirects. This error occurs as Safaris new ITP is blocking the authentication check between Google and services such as Securly. We were able to reproduce this issue on sites such as Google Drive and other sites using Google Single Sign-On authentication.

https://support.apple.com/en-ie/HT203370

The following is theOfficalresponse from Google about ITP

"It is a known Safari issue that Intelligent Tracking Prevention (ITP) can cause interruptions when a site uses an authentication service such as Google, which can lead to an error known as "Too many redirects". For more information, please follow this official Apple Support article: ."

How to resolve this problem?

At this time, due to limitations caused by this new feature the only way to assure that you will not be affected by the Too Many Redirects error is to turn off a feature inside Safari known as Prevent cross-site tracking.

It has also come to our attention that Apples latest developer release of Safari has disabled this feature upon install. Or you can use other browsers such as Chrome and Firefox which have not yet reported this problem.

Enabling cross-site tracking

Mac OS:

Open Safari

Click on Safari at the top left of your screen

Click on Preferences

Click on the Privacy tab

Uncheck Prevent cross-site tracking

iOS:

Open the Settings app

Scroll down to Safari and tap on it

Scroll down to Prevent Cross-Site Tracking

Toggle it off so that it is white

Note that at this time, the iOS management API does not have the ability to change this setting. This setting must be done manually on each iPad.

Clearing the Safari cache will provide a temporary fix. After 24 hours the problem will most likely appear again.

One of the many ways that students can use to bypass filtering is by tampering with scripts and apps using developer tools. Developer tools allow users to debug network, script, apps, and other issues. It is also possible to gain an unfair advantage over other students by reverse engineering edtech applications that transmit insecure data or have confidential information hidden away in the code. It is therefore recommended that you always disable developer tools for your Chromebooks.

To do this:

Log in to your G Suite account at admin.google.com

Navigate to Device Management > Chrome Management > User Settings

Scroll down to User Experience > Developer Tools

Select the Never allow use of built-in developer tools option from the dropdown.

Similar to the Guest Mode in Chromebooks, it is recommended that you disable the Incognito Mode for Chrome browsers. Users can bypass filtering using the Incognito Mode, potentially exposing them to harmful and age-inappropriate content.

To disable the Incognito Mode:

Log in to your G Suite account at admin.google.com

Navigate to Device Management > Chrome Management > User Settings here

Scroll down to Security

Select the Disallow incognito mode option from the dropdown for the Incognito Mode field.

To learn about how to disable Guest Mode, click .

You may face problems logging into your Securly admin console/Securly account if:

You are attempting to log in using a different domain address that is not registered with Securly. Please verify your email domain and try again. Contact support to add additional domains to your account.

You are not an Azure Global Admin or G Suite Super Admin. Please contact your current Google or Azure administrator for permission. (Click here to learn how to additional admins access to the Securly admin console.)

The API access in your G Suite Admin Console is not enabled. Note that very old G Suite Accounts might have the API access disabled by default.

Unregistered Domain

Lack of permissions

G Suite API Access

You should now be able to login to your Securly admin console.

The Securly web filter scans keywords on Google, Bing, Yahoo, YouTube, and Wikipedia to ensure that students are always displayed safe search results and protected from inappropriate/ malicious content.

Admins can enable or disable the keyword scanning option if they find it necessary for any specific policy. This can be achieved by changing the keyword scanning settings for a particular policy.

Policy Setup

Login to your Securly account and navigate to the Policy Editor.

Choose the policy for which you want to apply the keyword scanning settings.

To enable keyword scanning, check the checkbox in front of Keyword Scanning.

estrict Image Search to Creative Commons 4. Securly has a number of keywords build into our system. These are associated with the blocked categories. Note that enabling a blocked category will add the associated words from that category to keyword scanning.

5.You can add additional keywords to the policy or global level deny list. This requires the format *keyword*. Example *unblockedgames*

User experience

Whenever a user searches for something related to any of the blocked categories he would be displayed a blocked page.

If the user searches for something from categories that are not blocked, but if the safe search has been enabled, then the user will be displayed safe search results.

Keyword scanning thus helps admins ensure that students are always displayed safe search results.

This is in addition to other great search features like Safe Search Mode and R.

Securly gives IT admins the ability to determine if they want to scan search keywords on search engines such as Google, Bing, Yahoo, or sites such as YouTube and Wikipedia. This is a policy level setting and can be enabled by the admin depending upon who it is being applied to. (Click here to learn more.)

DNS Users

If you are a DNS user and keyword scanning is not enabled for a particular policy, then your students parents will not see any flagged searches in the activity reports. If it is enabled, then parents will see the flagged activity in their kids reports.

Chrome Extension Users

If you are a Chrome Extension user then keywords searches are filtered and flagged irrespective of whether your keyword scanning is enabled or not. This means that your parents will also see flagged searches in the activity reports.

Issue: You have a user that needs to troubleshoot an unexpected Securly blocked web page

Solution: Below are some troubleshooting questions and steps to give users when seeing an unexpected Securly blocked page

Is the user logged into securly.com or useast-www.securly.com

Was the user on or off campus when the blocked pageoccurred

Can the usercreate a screen capture video of logging in and browsing to the page that is being blocked.

If you need an application to record a video of your screen, jing.com has a free app that you can use to create the screen capture video with as well as Screencastify (Screen Video Recorder)offered by screencastify.com for Chrome.

Havethe user createa screenshot that contains the URL and the details of the blocked page message (Policy/Category/etc)

Make sure the GAfE domain user account has been imported into the Securly Policy Map editor to insure thatit is being servedthe desired Securly Web Filter policy

the output from http://www.securly.com/app/session or http://useast-www.securly.com/app/session could be useful as well

https://support.securly.com/hc/en-us/articles/203391273-Importing-OUs-into-Securly-

Securly has different clusters around depending on your geographical location. You may need to know your cluster for troubleshooting. This article will help you find this information.

Log in to Securly at https://www.securly.com/app/login

This requires admin privileges. You can give others permissions to the user interface also. How to give other users access to Securly UI?

This will redirect to the URL to the cluster for your account. If it stays onwww.securly.com you are on US West.

Cluster Name

Subdomain Prefix

URL

US West

https://www.securly.com/

US East 1

useast-

https://useast-www.securly.com/

US East 2

useast2-

https://useast2-www.securly.com

Asia Pacific South East

apse-

https://apse-www.securly.com

Canada

ca-

https://ca-www.securly.com

Europe West

euwest-

https://euwest-www.securly.com/

You would need to install Securlys SSL certificate in Firefox to allow users to seamlessly browse HTTPS sites, and also help Securly decrypt them appropriately.

Deploying the Securly SSL Decryption Certificate to Firefox can be difficult because Firefox does not respect the Operating System settings and there is no native way to centrally manage Firefox. This article describes how Firefox can be configured to trust the Windows certificate store which makes certificate management much easier.

Note that the following guidance is provided 'as is' and cannot be directly supported by Securly beyond what is outlined in this article.

Use the Windows Certificate Store

With Firefox 49 a new option has been included which allows Firefox to trust the Windows certificate store. This means certificates can be deployed normally via group policy and Firefox will trust the same Root authorities that Internet Explorer and Edge trusts. For more details visit https://bugzilla.mozilla.org/show_bug.cgi?id=1265113

Unfortunately, this feature is not enabled by default, so this method still requires some additional configuration. To enable this setting the security.enterprise_roots.enabled must be set to true. For more details visit https://bugzilla.mozilla.org/show_bug.cgi?id=1314010

Enable feature on a single computer

Type 'about:config' in the address bar of your Firefox browser

If prompted, accept any warnings

Right-click to create a new boolean value, and enter 'security.enterprise_roots.enabled' as the Name

Set the value to 'true'

To enable this feature on multiple computers you will need to use the method below which will also lock the preferences in Firefox. The benefit is that once enabled you can easily manage certificates using group policy in the future.

Locking Firefox Preferences with the Preferences Files

You can use a preferences file to configure the security.enterprise_roots.enabled setting. To do so use the files attached at the end of this article.

The 'securly.cfg' file must be placed in the root of the Firefox directory. For example:

C:\Program Files\Mozilla Firefox\securly.cfg

The 'local-settings.js' file must be placed in the \defaults\pref sub-directory. For example:

C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.jsThe local-settings.js file should look exactly like the snippet below:

pref("general.config.obscure_value", 0); pref("general.config.filename", "securly.cfg");

The securly.cfg file should look exactly like the snippet below:

// lockPref("security.enterprise_roots.enabled", true); lockPref("network.proxy.type", 5); lockPref("network.trr.mode", 0); lockPref("network.negotiate-auth.allow-proxies", true);

Note that if you are creating the above files manually, then they must be ANSI encoded.

This page contains links to step-by-step instructions and a downloadable SSL certificate that should be installed for a seamless experience on different operating systems and browsers. You will need both the 2020 and 2034 SSL Certificates installed. Installing the SSL certificate ensures that Securly is able to filter all HTTPS sites without the end-user receiving an SSL Error.

Please watch the following webinar where one of our Customer Success Engineers goes on to discuss the SSL Certificate project and how it affects you.

www.securly.com/ssl2020

For more information on what cluster you are on, How do I learn what Cluster I am on?

How to manually install the Securly SSL certificate on iPhones and iPads

How to manually install the Securly SSL certificate on Chromebooks and Chromeboxes

How to manually install the Securly SSL certificate on macOS

How to manually install the Securly SSL certificate on Android devices

How to manually install the Securly SSL certificate on Microsoft Windows

How to manually install the Securly SSL certificate on Firefox browsers

You can also deploy the Securly SSL Certificate en masse via Device Management. This is the preferred deployment method as it ensures all managed devices receive the Trusted SSL Certificate.

How to deploy the Securly SSL certificate with an Active Directory GPO

How to deploy the Securly SSL certificate in the G Suite Admin Console

We have Knowledge Base Articles explaining how to create MDM Payloads which install the Securly SSL Certificate and our SmartPAC. If your macOS and iOS devices aren't filtered by SmartPAC you can still follow the KB Articles below, simply omit the steps necessary for installing the Securly SmartPAC.

Cisco Meraki System Manager

JAMF Pro MDM

VMware AirWatch MDM

FileWave MDM

SchoolMDM by Securly

Apple Configurator

Our SSL Certificates are available in all formats from the following Knowledge Base Article.

Securly CA Certificate All Formats

If you are responsible for BYOD within your environment, we have created two intelligent landing pages that you can point your BYOD users to. These pages will detect which Operating System the user is coming from and present the appropriate SSL Certificate for them to download. In addition to the download, the user will also have a narrated video and links for manual installation instructions. Many schools elect to have these pages set as the first page anyone receives when connecting to BYOD Wireless Networks.

There are two URL's available and it's important to understand their differences.

When you navigate to www.securly.com/ssl, this page will present the end-user with the Securly SSL Certificate which expires in 2034. With the exception of when viewing from a macOS or Windows OS as these users are able to download an executable that installs both the 2020 and 2034 SSL Certificates.

When you navigate to, this page will present the end-user with the Securly SSL Certificate which is currently in production and expires in 2020. With the exception of when viewing from a macOS or Windows OS as these users are able to download an executable that installs both the 2020 and 2034 SSL Certificates.

There may be times when it's useful for troubleshooting to send a log file from Chromebooks to support. Here's how:

Part 1 - Make sure that Developer Tools can be enabled on Chromebooks

In Google Admin, Device management > Chrome Management > User & Browser Settings

Choose the OU on the left for the user accounts where developer tools will be enabled.

Look for Developer Tools in the User experience section

Change the setting to "Always allow use of built-in developer tools" and Save

Note that this does NOT mean that you are enabling students to boot Chromebooks into developer mode.

Part 2: Enable developer mode on the Chromebook

On the Chromebook:

Chrome -> More Tools -> Extensions.

Activate Developer mode using the switch in the upper right corner.

Part 3: Grab the log

Perform this step shortly after the problem you are troubleshooting occurs. Usually this will mean doing it during class, right after the problem occurs. It's helpful to try to recreate the problem early after the initial login and class session so that the log file is shorter and more narrow to the time frame of the problem.

Menu > More Tools > Extensions

Look for the TechPilot extension and click the link "background page" (Note: later this will be re-branded and no longer reflect the TechPilot name).

A window will open with menu along the top. Choose "Console" (2nd item)

Click the 3-dot menu at the top right and choose Settings. Scroll down to the Console section and enable the setting "show timestamps." Click the small X to close (not the top larger one) and return to the console window.

Part 4: Send the log

Copy of everything from the Console. Click any entry in the log, then use CTRL+A to select the entire log. It will highlight.

When using CTRL+A it won't look like it grabbed the timestamps, but when you paste into an email, you'll see them.

Open Gmail on the device. Compose an email message to yourself (it will come from the student ID on the Chromebook). You can then forward that email to us: [email protected]. When sending, please enter info above the log to let us know the Class Name, Student Name, Device ID and a brief description of your case so we know where to match it up.

It is important to mention that accessing and downloading this cert from any other browser other than Safari will result in an error. UsingSafari when downloading and installing the cert will create installation prompts for the certificate.

To install the Securly SSL certificate:

Navigate to securly.com/ssl and click "Download certificate"

Click Allow on the prompt for "This website is trying to download a configuration profile. Do you want to allow this?" securly.com

If the download was successful, you should see a window prompt stating "Profile Downloaded - Review the profile in Settings app if you want to install it." Click "Close" to proceed.

Open your Settings App and navigate to "General".

Scroll down to the bottom to locate "Profile", click "Profile" to view your downloaded profile.

Click on the Profile labeled *. to proceed.

Click "Install" in the top right corner.

Enter your device passcode (if applicable).

Click "Install" in the top right corner again.

A window prompt for "Install Profile" should pop up, click "Install" to complete your installation.

Once the installation is done, navigate to Settings > General > About > Certificate trust settings and turn on the SSL trust for the certificate by toggling the button for Securly.

The Securly SSL Certificate should now be fully installed and trusted.

Later this Fall, Securly's current SSL Certificate will expire. We have provisioned a brand new SSL Certificate available below which expires in 2034. While to get up and running today you only need to have the original SSL Certificate Installed, we recommend that you install both SSL Certificates at the same time to ensure when the original expires, you are at no loss of service.

The confidence level is an indicator of the probability of a suspicious event belonging to a particular category. Our sentiment analysis engines categorize events in grief, bully, and violence. The higher the confidence level, the higher the probability of the event belonging to the identified category. Please note that the confidence level and urgency of the alert are not related. A higher confidence level should not be interpreted to mean a higher level of urgency of the alert.

The content in emails and Google Docs analyzed by our AI engines is rarely straightforward. Students can express a myriad of emotions through a single document which can confuse even the best of engines. However, we pass all content through different engines that can identify if the content is grief, bully, or violence and then provide you with the categorization which presents maximum confidence. For example, if a particular email about locker room problems includes the student talking about the actual incident in detail with consequential emotions the student feels, our engines will analyze how much bullying and grief content is present in that email and then categorize it as the one with the highest number. This ensures that even the grayest of email and GDocs content is thoroughly analyzed and flagged for you to act upon.

Confidence level bands

When you are displayed the confidence level for a particular event it means that our engines are x% confident about their categorization between the three.

Confidence level 1 = 0-60%

For example: well u need to talk about it sometimes, im not say u HAVE to but it will help your mental health, if u want u can talk to me about it, last year i would let people talk to me about how people felt. Category: grief

Confidence level 2 = 60 -70%

For example: "I don't know yet and i do not know what to do with my life is bum" Category: Grief

Confidence level 3 = 70 -80%

For example: am i in a abusive relationship Category: Grief

Confidence level 4 = 80-90%

For example: I have a story to tell about bullying. My family and I had barely moved to Planada, Merced; a small town two hours away from Monterey. I was excited, if only I knew what was going to happen to me. The fear I felt. The trauma it caused me.* Now i feel the need to act tough and mean and thatisn'tme. It is just an act to have people either be afraid of me or not to mess with me. Doing so has cost me friendships, not telling or showing people that are important to me.* I keep everything to myself, Idon'ttalk about my problems or my emotions. I dony like crying because it makes me feel weak* At some point each time someone raised there hand to give me a high five i would cover my head and duck because i thought they were going to hit me* It still affects me today because Idon'twant to show me the real me because i got so used to the toughness act. Category: Grief

Confidence level 5 = 90-100%

For example: Ive never have had so much pain in my life i just want u back thats all and it hurts so fucking bad but im fight. Category: Grief

Note that the confidence level does not impact what activities are flagged by our AI engines. It is a tool to be used as a reference point when determining your threshold level for receiving Auditor+ email alerts.

Read more about setting up email alerts based on the confidence levels.

Securly takes a three-pronged approach in order to filter out inappropriate images.

Keyword Scanning- This scans category-specific keywords to filter out inappropriate words and phrases to provide safer results. (Click here to learn more.)

SafeSearch- This enables the respective version of SafeSearch on Google, Bing, and Yahoo.

Creative Commons- This enables creative commons on Google, Bing, and Yahoo effectively taking advantage of copyrights to provide an additional layer of protection with respect to images.

(Creative Commons is a non-profit organization that advocates for the legal sharing of digital content by filtering image searches on the browser once enabled. This multi-faceted tool works complementary to Google SafeSearch, providing additional criteria that further restricts inappropriate content.)

Policy Setup for Creative Commons

To enable image safe search

Login to your Securly Admin Console

Navigate to Policy Editor > policy you want to apply the setting for

Check the checkbox for Restrict image Search to Creative Commons

We recommend that you enable the Safe Search Mode for high schoolers and other older users as Creative Commons results can seem rather prohibitively locked down for them. The Restrict Image Search to Creative Commons is best suited for smaller children.

User Experience

For image search where the user searches for an explicitly inappropriate keyword, no images will be displayed.

For more ambiguous terms the safe search mode will ensure that the user is displayed only safe results.

Yes. Securly lets you block or allow specific web pages without having to block or allow the entire website. Note that this does not apply to Global Policy/Settings.

To do this:

Login to your Securly portal.

Navigate to the policy you want to allow or block a web page for.

Click Allow/Deny and enter the name of the web page in the appropriate list in the format abc.com/xyz

This will block or allow abc.com/xyz and not the entire site.

here

Note that you cannot block abc.com/xyz if the primary website - abc.com is included in the Allow list.

To learn more about how to allow or deny websites and custom keywords, click .

The Securly SSL certificate is essential to filter HTTPS sites correctly. You can push the Securly SSL certificate usinga Mircosoft Active DirectoryGPO by adding the SSL certificate to the Trusted Root Certification Authorities store onyour Active Directory server for all clients in a Microsoft domain.

Manual Process

Download the Securly certificates.

Later this Fall, Securly's current SSL Certificate will expire. We have provisioned a brand new SSL Certificate available below which expires in 2034. While to get up and running today you only need to have the original SSL Certificate Installed, we recommend that you install both SSL Certificates at the same time to ensure when the original expires, you are at no loss of service.

Expires 2020 Cert

Expires 2034 Cert

Windows / GPO

securly_ca_2020.crt

securly_ca_2034.crt

OpenAdministrative Tools, and then click "Group Policy Management".

In the console tree, under the top level of the domain, right-click and create a new policy and title it Securly Certificate.

Double-click Group Policy Objects in the domain containing the Securly Certificate Group Policy object (GPO) that you want to edit.

In the Group Policy Management Console (GPMC), go to "Computer Configuration > Windows Settings > Security Settings > Public Key Policies".

Right-click the Trusted Root Certification Authorities store.

Click Import and follow the steps in the Certificate Import Wizard to import the downloaded certificate.

The Securly web filtering solutionallows you to create customized policies for various groups of users in your school. Once you create a customized policy you need to assign individual OUs to it to begin filtering users in that OU as per policy.

Note that when you move your G Suite OUs to Securly they are automatically assigned the Default Policy.

To assign OUs to policies:

Log into your Securly admin console

Navigate to Policy Map > Default Policy and select the OUs which you want to assign to a specific policy.

Click Move to Policy and select the policy from the drop-down there.

The assigned OUs will appear white when viewed under the particular policy.

Note that OUs that have already been assigned to a particular policy will appear greyed out and cannot be selected.

5. You can move OUs from other policies in a similar manner.

It is possible for students to download a lot of games and other non-educational apps and time-sinks on their Chromebooks once they are handed over to them by schools. Such apps are easily available on the internet and can at times be also shared via Google Drive. It is therefore important to enforce restrictions on app installations on Chromebooks that are sent home.

To restrict app installations:

Log in to your G Suite account at admin.google.com

Navigate to Device Management > Chrome Management > Apps and Extension

Select the Block all other apps and extension option from the dropdown for the Allow or Block Apps and Extensions field.

Securly supports single sign-on with Azure AD to provide schools that use Azure AD as their primary authentication provider a seamless login experience.

To begin using Securly with Azure AD you would require an IIS server for authentication and user import to Securly.

The diagram lays out the Securly - Azure AD architecture.

[email protected]

It is important to note that Azure Connect uses the User Principal Name (UPN) to sync users between the local Active Directory and the Azure Active Directory. You could also use some other field such as the email field. The Securly IIS server should be configured to use the same syncing field as Azure Connect. This will ensure that users get the correct policy.

Note that Chrome OS is not supported directly by Microsoft authentication. A Google account is required to manage and support the Chromebook. This can be done with SAML SSO setup inside of Google.

Securly supports Active Directory Federation Services (ADFS) authentication for onsite as well as offsite. There is additional configuration to allow your ADFS to be used as an offsite authentication provider. Please contact to add your server.

You would face the root certificate not trusted error is the Securly SSL certificate is not installed on your macOS X.

To stop receiving the error you would, therefore, need to install the SSL certificate.

Download the Securly certificate CRT file.

Expires 2020 Cert

Expires 2034 Cert

Mac OS X

securly_ca_2020.crt

securly_ca_2034.crt

Navigate to Finder > Applications > Utilities > Keychain Access

Select System in the left-hand column.

Open File > Import Items and import the certificate file into the System keychain.

Alternatively, you can automate the installation process via MDM by downloading the executable file at the end of this article.

Later this Fall, Securly's current SSL Certificate will expire. We have provisioned a brand new SSL Certificate available below which expires in 2034. While to get up and running today you only need to have the original SSL Certificate Installed, we recommend that you install both SSL Certificates at the same time to ensure when the original expires, you are at no loss of service.

The Securly web filtering solution not only protects kids from inappropriate content, it also monitors their activity for cyberbullying and self-harm tendencies. The school admin and parents are informed of such suspicious activities to help them intervene and help the kid(s) involved.

Cyberbullying and self-harm activities are detected using a sophisticated machine learning and sentiment analysis algorithm. The database consists of thousands of words, phrases, and sentences that are categorized into different categories to help the engine identify the type of activity. We constantly update our database to ensure that the engine is trained using as comprehensive a list of words, phrases, and sentences as possible.

During training, groups of 2-3 words are used to help the engine understand how they should be categorized. At times some groups of words may co-occur in two different types of sentences, thereby increasing the probability of false categorization. For example, if the group of words - you are a - is used during training, and it appears followed by both genius and ***hole in two different sentences, there is a probability that the engine throws a false positive or a false negative. The engine in this case returns the result for the class with the highest probability. As the size of our training set increases, the incidence of false positive and false negatives will also be reduced.

There is also the possibility that a specific group of words was not used during the training phase and therefore could not be identified accurately by the engine. Whenever we encounter such instances, the training set is updated appropriately to ensure that subsequent instances are categorized correctly.

We recently introduced exact keyword matches so that while depression symptoms will be flagged, great depression will be excluded. This will help us reduce false positives and provide greater accuracy of self-harm detection.

It is very important that Securly know what Public IP Addresses should be associated with your account to ensure that your users receive the filtering policy you customize for them. We do our best to automatically detect which IP Addresses your school internet traffic comes from, but that might not always be complete. If you own more than one Public IP Address and did not go through a formal evaluation with a Sales Engineer, it is highly recommended that you email [email protected] with a list of what IP Addresses should be associated with your account.

If you do not register one or more of your Public IP Addresses with Securly and in-school internet traffic comes from one of them, your students will get either the Default policy of the Take-Home policy. The Take-Home policy is a type of customized policy that you can create to be applied specifically when students carry their school-owned devices home. (To learn more about the different types of policies, click here.)

Additionally, if you have multiple internal DNS servers and one has traffic coming out of a registered IP and the other an unregistered IP, then you will experience split DNS. It is very likely that end-users will experience SSL Certificate errors on sites they shouldn't.

If your IP Address changes or you add additional IP's, or a secondary internet connection. Please submit a support ticket with that information to [email protected] to have your account updated.

This article contains guides to help you deploy Securly.

Attached to this KBare 2 PDFs thatcover the deployment steps and best practices for Securly's Chromebook and DNS filteringsolutions, and 3 certificates for various device platform's SSL inspection support. Please see below to know which certificate you will need.

Expires 2020 Cert

Expires 2034 Cert

G Suite Admin / Chromebooks

securly_ca_2020.pem

securly_ca_2034.pem

Windows, Mac OS X, iPad, Android, and Other

securly_ca_2020.crt

securly_ca_2034.crt

Some Mobile Device Management (MDM) Software

securly_ca_2020.der

securly_ca_2034.der

Base-64 encoded X.509 CER

securly_ca_2020.cer

securly_ca_2034.cer

For iPad deployment instructions and best practices, please refer to this KB: https://support.securly.com/hc/en-us/articles/225774268-How-to-configure-Securly-filtering-on-iPads-

No. If a website is blocked by the schools web filter, it cannot be allowed during a class via a Permission Set.

If you use Securlys web filtering services at your school, it is possible to temporarily allow websites. To learn how to do that, refer to the KB here.

In Canvas go toAdmin > Developer Keys

Click the+Developer Keybutton to add a new key

Enter any key name and owner email address. For Redirect URIs enter:

https://ct.techpilotlabs.com/en/app/canvas/callback

Click Enfroce Scopes to enable it

Expand theaccountssection and select the following three items:

url:GET|api/v1/accounts

url:GET|api/v1/accounts/:account_id/courses

url:GET|api/v1/accounts/:account_id/sub_accounts

In a similar manner, expand thecoursessection and select the following two sections:

url:GET|api/v1/courses/:course_id/users

url:GET|/api/v1/courses/:course_id/sections

Next expand thesections section and select:

url:GET|/api/v1/sections/:section_id/enrollments

When complete, you should have six items selected:

url:GET|/api/v1/accountsurl:GET|/api/v1/accounts/:account_id/sub_accountsurl:GET|/api/v1/accounts/:account_id/coursesurl:GET|/api/v1/courses/:course_id/usersurl:GET|/api/v1/courses/:course_id/sectionsurl:GET|/api/v1/sections/:section_id/enrollments

ClickSave Key

The new entry will be displayed.

Change the state to "ON"

Copy the number above the Show Key button and paste it into Control Tower into theConsumer Keyfield.

Click the Show Key button, copy the value shown and paste it into Control Tower into theConsumer Secretfield.

For the URL, enter the base URL of your Canvas site. This would be the URL in the address bar after you are logged into Canvas up to the point of the first slash. For example, if you login to Canvas and then see the URL:

http://ec2-33-222-208-11.compute-1.amazonaws.com/login/canvas in the address bar, you should use the base URL of http://ec2-33-222-208-11.compute-1.amazonaws.com.

After entering the values, click theLinkbutton, then authorize the link with Canvas.

After the sync completes, the Canvas classes should now be visible on a newCanvas Classestab in Classes. They will be available for selection in Teacher Tools in the Selection box.

The Securly admin console lets you allow or deny additional websites/domains or keywords in addition to those in the Securly database. You can either add these domains and keywords at the global level or at individual policy level.

Global level settings

Any domains or keywords added to the Global Allow or Deny list here will be applicable to the entire user base.

Login to your Securly admin console

Navigate to Policy Editor > Global Settings > Allow/Deny and add the domains or keywords there.

submit domains to be added to the Securly database

Use the following formats when adding to the list

Domain - abc.com

Subdomain - *.abc.com

Keyword - *keyword* (Note that this will allow you to block/allow specific keywords without compromising the overall filtering policy for that category of words.)

Note that any domains you add to the Global Deny List which are not present in our database would be sent to PageScan for further analysis.

Policy level settings

Any domains or keywords added to the Allow or Deny list here will be applicable only to users who have been assigned that particular policy.

Login to your Securly admin console

Navigate to Policy Editor and select the policy for which you want to add to the Allow/Deny list.

Use the following formats when adding to the list

Domain - abc.com

Domain - abc.com/xyz (Note that this will allow you to block/allow the specific URL without blocking/allowing the base domain.)

Keyword - *keyword*

Note the Default Policy does not have an allow list by design. The Default Policy should be your most strict policy. If you would like to allow some for the default policy, instead add it to the Global allow.

You can also write to us and .

The Guest Mode for Chromebooks allows users to bypass the school districts filtering policy and expose them to inappropriate content. It is therefore recommended that you disable the Guest Mode for all your devices. The Guest Mode is similar to the Incognito Mode in Chrome browsers which we also recommend disabling.

To disable Guest Mode:

Log in to your G Suite account at admin.google.com

Navigate to Device Management > Chrome Management > Device Settings

Scroll down to Sign-in Settings

Select the Do not allow guest mode option from the dropdown for the Guest Mode field.

ChromeTools runs as a Chrome extension when students log in with their school-issued email address. You can configure this extension and push it out to all students from your Google Admin console.

The App ID and URL for the Chrome extension can be found in Device Console on the Google tab under Settings. You will need to copy and paste these values into the Google Admin console in steps 5 and 6.Note: Be sure to use the values for the Chrometools extension and NOT the ones for the Lost Mode Kiosk.

Navigate to Device management > Chrome management in your G Suite admin console from the main menu.

Select "Apps & extensions"

Click the + button in the lower right corner and then select the button to add a Chrome app or extension by ID.

Copy the value for Extension ID from Device Console.

Next, choose the option "From a custom URL" and copy the URL from Device Console in that field. Click Save.

The extension should now appear in the list set for "Allow install."

Select the OU, you want to install the extension for, from the left-hand column. Usually, this will be the highest level OU that contains your student accounts. All sub-OUs belonging to the selected OU will also receive the extension by inheritance. Remember that if you install the extension at the root of your domain, it will be pushed out to all users, not just students.

Now that you've selected the student OU, find the extension from the list and change the setting from "Allow install" to "Force install."

The OU is now configured to force install the ChromeTools extension for all users when they log in.

This article will always contain the latest certificates for Securly.

Later this Fall, Securly's current SSL Certificate will expire. We have provisioned a brand new SSL Certificate (securly_ca_2034.crt) available below which expires in 2034. While to get up and running today you only need to have the original SSL Certificate (2020) Installed, we recommend that you install both SSL Certificates at the same time to ensure when the original expires, you are at no loss of service.

Raw Certificate Formats

Expires 2020 Cert

Expires 2034 Cert

G Suite Admin / Chromebooks

securly_ca_2020.pem

securly_ca_2034.pem

Windows, Mac OS X, iPad, Android, and Other

securly_ca_2020.crt

securly_ca_2034.crt

Some Mobile Device Management (MDM) Software

securly_ca_2020.der

securly_ca_2034.der

Base-64 encoded X.509 CER

securly_ca_2020.cer

securly_ca_2034.cer

Installers

Contains 2020 and 2034 Cert

Windows Executable

Windows Certificate Installer

Mac OS Package

MacOS Certificate Installer

Ubuntu Shell Script

Securly Certificate Installer Ubuntu.sh

As schools roll out 1:1 devices and allow students to take school-owned devices off-site, the ability to track the device location becomes an important aspect of device security for schools. This device tracking facility can be enabled at the discretion of the school admin.

To enable geolocation tracking

Log in to your Securly account

Navigate to Policy Editor > Global Settings

Check the Require geolocation tracking checkbox

Once you enable this feature, students would be required to allow location tracking on their individual browsers. If the student does not allow this, he will encounter a blocked page whenever he attempts to access any website.

Whenever a student logs in to his device, the device will be displayed on the map on the admins dashboard.

If location is turned off you will see this in your dashboard.

If you are a Chromebook user you can also force geolocation tracking for all your Chromebooks via G Suite. This would eliminate the need for students to accept location tracking as mentioned earlier in this article.

To force geolocation via G Suite:

1. Login to your G Suite account2. Navigate toDevice Management > Chrome Management > User Settings > Security > Geolocation3. Select 'Allow sites to detect users' geolocation' from the drop-down

Chromebook users with the Securly Chrome Extension (v02.97.00 and above) installed on their devices are not displayed the geolocation tracking request as the extension gets it permission from the admin during installation and tracks the device location automatically.

You can also force geolocation tracking for all your Chromebooks via G Suite. This eliminates the need for students to accept location tracking.

To force geolocation via G Suite:

1. Login to your G Suite account2. Navigate toDevice Management > Chrome Management > User Settings > Security > Geolocation3. Select 'Allow sites to detect users' geolocation' from the drop-down

The Securly Chrome extension is one of the easiest and fastest ways to get started with Chromebook filtering (and it is free !).

If you already use Securly for web filtering at your schooland want to install the Chrome extension on your Chromebooks, you can do so within 5 minutes by logging into your Google admin console.

Note: Before starting the installation process, ensure that your school domain/subdomains are registered with Securly.

Login to admin.google.com

Navigate to Device Management > Chrome Management > User Settings

here

Select an OU for which you want to install the extension and scroll to Apps and Extensions.

Select Manage force-installed apps in front of the Force-installed Apps and Extensions field.

A pop-up will be launched. Select Specify a Custom App

Input the ID and URL with the details below and click Add. The Securly Chrome extension will be displayed in the right-hand column. Click Save. (Note: the extension ID was updated 14 Aug 2019)

ID: iheobagjkfklnlikgihanlhcddjoihkg

URL: https://clients2.google.com/service/update2/crx

Scroll down to the Block Extensions by Permission field and select If the extension uses one of the selected permissions, block users from installing or using it option from the dropdown.Make sure that the checkboxes for Escape Geolocation, Web Requests, and Set Proxy are unchecked. This will allow the Securly Chrome Extension to load seamlessly.

Click Save again to complete the process.

This process will push the Securly Chrome extension on all the Chromebooks belonging to the OU selected.

You can check out the installation video . It is also accessible by clicking Help in your Securly admin account and check out our Best Practices for Chromebook document attached to this article.

You would want to install the Securly SSL certificate in your Chrome browser to ensure the best browsing experience. The certificate does not control the level of filtering or what sites are allowed. The certificate will prevent errors on sites that Securly decrypts. Without the certificate, sites like Google.com and Facebook.com will show privacy errors, users will perceive this as the internet being broken.

To install the Securly SSL certificate manually in Chrome, open chrome://settings in your Chrome browser (version 59.0.3071 and above)

Installing on Chromebook (ChromeOS)

Download the Securly certificate.

Later this Fall, Securly's current SSL Certificate will expire. We have provisioned a brand new SSL Certificate available below which expires in 2034. While to get up and running today you only need to have the original SSL Certificate Installed, we recommend that you install both SSL Certificates at the same time to ensure when the original expires, you are at no loss of service.

Expires 2020 Cert

Expires 2034 Cert

Chrome

securly_ca_2020.pem

securly_ca_2034.pem

On the chrome://settings page scroll down to Advanced.

3. Under Privacy and Security click Manage Certificates.

4. On the following screen for 'Manage certificates', select the 'Authorities' tab and click 'Import'

5. A certificate import wizard is launched. Select the file downloaded in step 1 and click 'Open' to proceed.

6. For the Trust Settings, please select 'Trust this certificate for identifying websites' and click 'OK' to complete the wizard.

You will need to install the Securly SSL certificate on your Windows machine to ensure that Securly is able to filter all HTTPS sites browsed there effectively.

An executable file and installation video that shortens the process is also available here.

If you want to install the Securly SSL certificate manually, follow the process below:

Download the certificate attached at the end of this article.

Right-click Start and select Run.

Type in mmc and click OK.

On the User Account Control screen click Yes.

Once Microsoft Management Console opens click File and select Add/Remove Snap-in.

In the left menu select Certificates and click Add.

On the next screen click the radio button next to Computer account and click Next.

Click Finish.

Once you are returned to the Add or Remove Snap-ins screen click OK.

In the Microsoft Management Console window click on Certificates (Local Computer).

Right-click on Trusted Root Certificate Authorities in the left pane and select All Tasks and then Import.

Click Next in the Certificate Import Wizard.

Browse to where you saved the Securly certificate and select it. Then click Open.

On the Certificate Store window ensure that it says Trusted Root Certificate Authorities and click Next.

Click Finish and then 'OK'.

You should see the Securly certificate showing in the certificates folder at this point.

Later this Fall, Securly's current SSL Certificate will expire. We have provisioned a brand new SSL Certificate available below which expires in 2034. While to get up and running today you only need to have the original SSL Certificate Installed, we recommend that you install both SSL Certificates at the same time to ensure when the original expires, you are at no loss of service.

The 24 onboarding process requires that you upload CSVs mapping students and OUs, and students and parents so that the 24 analysts can reach out to the right person in case of an emergency. The onboarding process includes a sample CSV for your reference.

Per OU CSV

When uploading this CSV please ensure that you have filled out all the fields in the CSV accurately. These are the expected entries for each of the columns:

School Name: This is your school FID

Contact Name: This is the name of the person assigned for the specific OU as the point of contact for the 24 analysts.

Contact Order: You can assign multiple people to one OU. The number in this column indicates the order in which the 24 analysts can contact the individuals listed in the CSV. For example, if Mr. Smith is assigned number 1 in the Contact Order field, and Ms. Robertson as number 2, then the 24 analysts will first attempt to contact Mr. Smith and in case of failure to contact, they will contact Ms. Robertson.

Contact Title: This should include the designation of the contact person.

Contact Office Phone: This should include the office/school number for the contact person.

Contact Cell Phone: This should include the cell number that can be used to contact the person in case the Office Phone number is not reachable at the time of the emergency.

Contact Email: This should include the email address of the contact person.

Contact Notes: You can add any additional notes that you would want the 24 analysts to follow when contacting this person. This could include information such as Do not contact on weekends. or Use Cell Phone number only on weekends. etc.

Contact OU Groups: This should include the OU name the contact is assigned to.

Per parent CSV

When uploading this CSV please ensure that you have filled out all the fields in the CSV accurately. While not all fields are mandatory it is recommended that you provide complete information to allow the 24 analysts to reach out to parents if required. Note that our analysts reach out to parents only if all other attempts of communication with the school and emergency services fail.

Here are the expected entries for each of the columns.

Student First Name: This should include the students first name as listed with the school.

Student Last Name: This should include the students last name as listed with the school.

Student Email: This should include the students email address belonging to the school domain.

Parent First Name: Include the parents first name if available.

Parent Last Name: Include the parents last name if available.

Parent Contact Number: This should include one contact number (cell phone, home, work, etc.) that the 24 analysts can use to contact the parent as per protocol in case of an emergency.

Relationship to the Student: Please specify how the contact is related to the student.

Contact Order: You can list multiple parents for one student. In that case please specify the order of preference in which the 24 analysts can contact the parents in case of an emergency.

Accurate and updated information is critical to ensuring that the 24 analysts can respond to a flagged incident on time. We recommend that your reupload your CSVs whenever there are any changes to the contacts assigned to OUs or parent information on file with your school.

Online activity of users belonging to a particular OU is governed by the policy assigned to their OU(organizational unit).

Whenever you encounter a blocked page, the reason why it has been blocked can be found by clicking Details.

It will list the current policy assigned to you by the admin. If this policy is not correct, please contact your network administrator.