
I'm attempting the first iPad deployment for a school district and have run into a showstopper. First, web proxy settings are per wifi network, and there's no way I can see to deploy a blanket proxy setting to all iPads. So I thought perhaps a VPN would work, as I can set a proxy for that through the Configuration Manager. But the VPN setting itself is still controllable by a user, which largely defeats the purpose. Plus, it doesn't look like VPN connections are reestablished if the device is restarted.

Edit: Plus these iPads are 3G capable, which may be enabled at some point, so that needs to be proxied as well. There isn't even a setting for that normally. Only by going through the VPN can we do it right now, and like I said, that setting is pretty weak.

HopelessN00b
  • Can't you just set up a transparent proxy on your network so that everything is forced to use it no matter what is set on the client? Have you considered setting up wpad and just telling people to make sure the proxy is set to Auto? – Zoredache Jul 20 '10 at 19:56
  • The iPads need to be filtered when the students take them home. If it was just internal it wouldn't be an issue. –  Jul 20 '10 at 19:57
  • If they're taking them home, there's no way you can guarantee what they're being used for. Physical security always trumps software configurations. – Chris S Jul 20 '10 at 20:00
  • @Chris S: Apple "sort of" provides that functionality by way of their walled garden. The students could, theoretically, jailbreak the iPad devices. That's a management problem, to my mind, though and not a technical problem. Putting the devices into an isolated subnet and filtering the heck out of their traffic is probably the best one can hope for. – Evan Anderson Jul 20 '10 at 20:02
  • Check out the [enterprise deployment guide](http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf). It does mention that VPNs can be set up to start on demand... – Zoredache Jul 20 '10 at 20:10

1 Answer

I've got a school district Customer who has a wholly dissimilar requirement. I should have read your question and the discussion surrounding it more closely.

We're opting to go the route of a dedicated SSID back-ending into a VLAN w/ firewall rules to direct HTTP traffic to a transparent proxy. That limits our need to do any configuration in the iPod and iPad devices themselves since they have such a limited "enterprise" configuration feature-set. This also lets us control the traffic coming from the devices to prevent use of "rogue" proxies or VPN connections.

re: Physical security - We're treating the devices as completely untrusted, and isolating them to communication with the Internet and DMZ services (HTTPS to the WebDAV server, etc). A student certainly could "jailbreak" the device, so we're just assuming they're untrusted.

Edit:

My Customer's requirements related only to filtering content when used on the District's Internet connection. We couldn't care less (rightly or wrongly the District's lawyer says this is fine) what content the devices access when used on a non-District-controlled Internet connection.

Clearly, I wasn't reading this right (and am an idiot... >smile<).

You're saying that, irrespective of the type of Internet connection in use, you want all traffic to be sent to a proxy server. You could try to force an on-demand VPN connection, but I would suspect that you can't specify no domain name (page 35 of the enterprise deployment guide that Zoredache linked to) to match (effectively matching "*"). I don't have any of the enterprise deployment tools handy right now so I can't check that. I'd love to hear if you give it a shot and it works.

Assuming that you do force a VPN connection, though, it would be fairly trivial for a user to cause the VPN connection to fail (settings in their home router at layer 3, or in their DNS if you're connecting to a VPN server by name) and the device would, presumably, function without a VPN connection. You'd need to test that.

I think you're looking for a garden with higher walls than the one that Steve and company built.

Evan Anderson
  • +1, This is an excellent idea; if they weren't taking the iPads home. There's just no way to guarantee what the kids are using the iPads for with no physical security of the device. – Chris S Jul 20 '10 at 20:02
  • Backend solutions would work if the kids weren't going to take them home. We already have a proxy in place for the campus. –  Jul 20 '10 at 20:06
  • @JShier: I'm confused, then. You're saying that you need a proxy configured when the kids are at home, too? I'm totally not getting what you're asking for, then. You're saying that you're planning on filtering the content accessed when used on a non-District Internet connection? Zounds... – Evan Anderson Jul 20 '10 at 21:01
  • @jshier, perhaps a silly question, but how are you going to prevent random people on the Internet from using your proxy? If you open up your proxy so that you can support devices using the proxy from any network then it seems like you will be opening your proxy to everyone on the Internet. – Zoredache Jul 20 '10 at 21:15
  • @Zoredache: Great point re: anonymous proxy access. Putting it behind a VPN server would mitigate that vulnerability, but I'm not sure that the mandatory VPN connection "solution" will work. – Evan Anderson Jul 20 '10 at 21:16
  • @Zoredache: It's a cloud proxy so it is open to the public. Just doesn't do anything unless you authenticate. @Evan Anderson: Filtering is required on all school machines students could use, wherever they are. They're district owned iPads. –  Jul 20 '10 at 22:26
  • @jshier: I'd try and force the VPN connection for all URLs. That's probably your best option based on what appears to be available in the current OS version per that enterprise deployment guide. – Evan Anderson Jul 20 '10 at 23:46
  • @Evan Anderson: Except I can't find a way to 'force' the VPN to stay active. Everything I've tried still leaves the VPN setting accessible to users, so they could just turn it off and have unfettered access to the net. –  Jul 21 '10 at 13:28
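The answer above describes its on-campus design only in words (dedicated SSID into a VLAN, firewall rules sending HTTP to a transparent proxy, devices treated as untrusted and limited to the Internet plus DMZ services, rogue proxies and VPNs blocked). The following is an added example, not code from the original answer or its author, that models that policy as a small flow evaluator and renders it as iptables commands. Every address, VLAN interface name and port number in it is an assumption chosen for illustration; the list of "tunnel" and "rogue proxy" ports is likewise an assumed starting point, not a complete one.

```python
# Added example, not code from the original post or its authors.
# Models the answer's design: dedicated SSID -> VLAN -> firewall that
# redirects HTTP to a transparent proxy, permits only DMZ services and
# Internet access, and drops tunnels and rogue proxies. All addresses,
# interface names and port numbers below are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPAD_VLAN = ipaddress.ip_network("10.50.0.0/16")      # assumed: student device VLAN
PROXY_ADDR, PROXY_PORT = "10.1.0.10", 3128            # assumed: transparent proxy
RESOLVER = "10.1.0.53"                                # assumed: district DNS resolver
DMZ = ipaddress.ip_network("10.2.0.0/24")             # assumed: DMZ (WebDAV server etc.)
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed bypass channels a student might try from the VLAN.
TUNNEL_PROTOS = {"gre", "esp", "ah"}                  # PPTP data, IPsec
TUNNEL_UDP = {500, 4500, 1194, 1701}                  # IKE, NAT-T, OpenVPN, L2TP
ROGUE_TCP = {1723, 1080, 3128, 8080, 8888}            # PPTP control, SOCKS, common proxies


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "gre", "esp", ...
    dport: Optional[int] = None


def decide(f: Flow) -> str:
    """Return the firewall verdict for one flow leaving the iPad VLAN."""
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if src not in IPAD_VLAN:
        return "NOT_IPAD_VLAN"
    if f.proto == "tcp" and f.dport == 80:             # all HTTP -> transparent proxy
        return f"REDIRECT {PROXY_ADDR}:{PROXY_PORT}"
    if f.proto == "udp" and f.dport == 53:             # DNS only via the district resolver
        return "ACCEPT" if str(dst) == RESOLVER else "DROP"
    if f.proto == "tcp" and f.dport == 443 and dst in DMZ:
        return "ACCEPT"                                # HTTPS to DMZ services (WebDAV)
    if any(dst in net for net in INTERNAL):
        return "DROP"                                  # untrusted devices: nothing else internal
    if (f.proto in TUNNEL_PROTOS
            or (f.proto == "udp" and f.dport in TUNNEL_UDP)
            or (f.proto == "tcp" and f.dport in ROGUE_TCP)):
        return "DROP"                                  # no VPN tunnels or rogue proxies out
    if f.proto == "tcp" and f.dport == 443:
        return "ACCEPT"                                # HTTPS to the Internet (not proxied)
    return "DROP"


def iptables_rules(iface: str = "eth0.50") -> List[str]:
    """Render the same policy as iptables commands for an assumed VLAN interface."""
    v = str(IPAD_VLAN)
    return [
        # nat/PREROUTING runs before FORWARD, so port 80 is rewritten to the proxy first.
        f"iptables -t nat -A PREROUTING -i {iface} -s {v} -p tcp --dport 80 "
        f"-j DNAT --to-destination {PROXY_ADDR}:{PROXY_PORT}",
        f"iptables -A FORWARD -i {iface} -s {v} -p tcp -d {PROXY_ADDR} --dport {PROXY_PORT} -j ACCEPT",
        f"iptables -A FORWARD -i {iface} -s {v} -p udp -d {RESOLVER} --dport 53 -j ACCEPT",
        f"iptables -A FORWARD -i {iface} -s {v} -p tcp -d {DMZ} --dport 443 -j ACCEPT",
        *[f"iptables -A FORWARD -i {iface} -s {v} -d {n} -j DROP" for n in INTERNAL],
        f"iptables -A FORWARD -i {iface} -s {v} -p tcp --dport 443 -j ACCEPT",
        f"iptables -A FORWARD -i {iface} -s {v} -j DROP",
    ]


if __name__ == "__main__":
    # Constructed sample flows from one iPad (10.50.1.20 is an assumed address).
    samples = [
        Flow("10.50.1.20", "93.184.216.34", "tcp", 80),    # web -> redirected to proxy
        Flow("10.50.1.20", "10.2.0.5", "tcp", 443),        # WebDAV in the DMZ -> accept
        Flow("10.50.1.20", "8.8.8.8", "udp", 53),          # outside resolver -> drop
        Flow("10.50.1.20", "203.0.113.9", "tcp", 1723),    # PPTP to home/VPN host -> drop
        Flow("10.50.1.20", "10.3.0.7", "tcp", 22),         # other internal host -> drop
    ]
    for s in samples:
        print(f"{s.proto:4} {s.src} -> {s.dst}:{s.dport}  {decide(s)}")
    print("\n".join(iptables_rules()))
```

Two caveats follow from the model itself. HTTPS to the Internet passes the firewall without touching the proxy, so a transparent HTTP-only proxy filters only cleartext web traffic unless the proxy also intercepts TLS. And, as the comment thread already notes, none of this applies once the device is on a home network; the rules only constrain the district's own connection.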