SSL inspection requires user devices to have SchoolZone's SSL inspection certificate installed and trusted. In this article we will go through deployment options available for both managed (school owned) and unmanaged (BYOD) devices to make this task easier.

You can download the certificate files from SchoolZone by going to

http://<SchoolZone's address>/sonar/cert/generic.html

School Managed Devices

Active Directory

If you have an Active Directory infrastructure, you can use Group Policy to push SchoolZone's SSL inspection certificate to all domain joined Windows clients.

Windows Server 2008

Windows Server 2012

OSX and iOS Devices

Supervised iPads can have profiles pushed out to them with the inspection certificate.

Both Meraki and Casper MDM solutions are capable of this.

Casper can also push out SSL certificates to OSX clients (link)


You can push the SSL Inspection certificate to Chromebooks managed by the school using Google Admin Console.

For best results configure proxy settings to point to SchoolZone on port 8080 to avoid certificate errors on any domains.


BYOD Onboarding

SchoolZone provides an onboarding feature that detects when a device does not have the SSL inspection certificate installed and provides the end user with simple instructions on how to install it. The system currently supports Windows, OSX, iOS, Android and Linux clients.

To enable onboarding log into the SchoolZone Admin Interface and goto Group -> Settings.

From here enable onboarding on each group you would like onboarding checks to be active.

You can choose how often this check should be performed.

Cert install options:

First Logon: The check will only be done once and never again.
Every Login: The check will be done every time a device is logged on (recommended).

Auto Skip onboarding after ( x minutes ):

Because the onboarding check relies on a browser capable of javascript you may want to automatically skip the onboarding check after a set amount of time so that mobile device apps can continue to function without needing to open a browser each morning.

The idea is that the first time a user joins the wireless they will open the browser and onboard within the first few minutes of connecting.

You can also set this value to 0 for no time limit.

Certificate Management on Firefox

It is important to note that Firefox does not conform to regular system settings. Firefox has it's own Certificate Store, much like how it has it's own Proxy settings, that means if the Certificate is pushed out via Group Policy, that will not include Firefox. For users using Firefox as a browser the Certificate will have to be installed separately.