SchoolProtect - HTTPS Decryption Installing Certificates as an Admin
These instructions will need to be performed by the network administrator to update the certificate. This can be done at any time, but we recommend completing it before your school is moved to the new SchoolProtect platform so that decryption can be tested and enabled quickly.
Every device and application will need to be tested to ensure compatibility with decryption, and exceptions should be added where needed.
First, download the certificate from: support.lgfl.org.uk/public/sslfiltx.crt. You will need this in the following steps.
Please note: if you already have decryption enabled, do not remove the existing certificate until instructed by LGfL staff as this will need to remain in place for the duration of the migration process.
Installing Certificates at an Administrator Level
If your school uses Microsoft Active Directory
- Download the certificate from the link above.
- Create a new Group Policy Object (or update an existing one) targeting all the computers in your domain. You can do this using Group Policy Management Console on your Domain Controller.
- Edit the Group Policy Object and navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\.
- Right-click Trusted Root Certification Authorities and press Import... Follow the wizard, browsing to the downloaded certificate file when prompted.
This will now deploy the certificate to all the Windows PCs on your network. Please allow plenty of time for the devices to pick up the certificate before enabling decryption on your policies.
More information about deploying certificates through Group Policy can be found here: Distribute Certificates to Client Computers by Using Group Policy.
This will resolve certificate issues for Microsoft Edge and Chrome. Please note that if you use Firefox, it will still require a separate certificate installation.
Installing Certificates via Intune
If you are planning to deploy certificates via Intune:
- Download the certificate from the link above.
- Log into Intune and go to Devices > Windows > Configuration Profiles.
- Create a new profile, select Windows 10 or later and choose the Template profile type.
- Select the Trusted Certificate template (you can search for this) and click Create.
- Enter a name and description, for example, “LGfL Decryption Certificate” then click Next.
- Use the blue folder icon to browse for the downloaded certificate. Ensure the Destination Store is set to Computer certificate store – Root and click Next.
- Click Add all devices then Next.
- On the Applicability Rules page, leave everything blank and click Next.
- Click Create on the last page.
The certificate will now be deployed to all enrolled devices.
More information about deploying certificates through Intune can be found here: Trusted root certificate profiles for Microsoft Intune.
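The following PowerShell is an added example, not part of LGfL's instructions. It checks the downloaded file against the Issuer, Subject/CN and Expiration values this page lists in the Meraki section, then confirms on a Windows client that the Group Policy or Intune deployment has placed the certificate in the computer Root store. The file location and the function name are assumptions.

```powershell
# Added example, not LGfL's own tooling. Run on a Windows client after policy refresh.
# Assumption: the certificate was saved as sslfiltx.crt in the current directory.
# A full path is built because .NET resolves relative paths against the process
# directory, which can differ from the PowerShell location.
$certPath     = Join-Path (Get-Location) 'sslfiltx.crt'
$expectedName = 'LGfL SchoolProtect HTTPS Decryption'  # Issuer and Subject/CN listed on this page
$expectedEnd  = [datetime]'2032-05-13'                 # Expiration listed on this page

# Hypothetical helper: returns a list of mismatches (empty when the file looks right).
function Get-CertProblems {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name,
        [datetime]$Expiry
    )
    $problems = @()
    if ($Cert.GetNameInfo('SimpleName', $false) -ne $Name) { $problems += "Subject is '$($Cert.Subject)'" }
    if ($Cert.GetNameInfo('SimpleName', $true)  -ne $Name) { $problems += "Issuer is '$($Cert.Issuer)'" }
    # Allow one day of slack: consoles may show the expiry in local time or UTC.
    $drift = [math]::Abs(($Cert.NotAfter.ToUniversalTime().Date - $Expiry.Date).TotalDays)
    if ($drift -gt 1) { $problems += "Expiry is $($Cert.NotAfter.ToString('u'))" }
    return ,$problems
}

$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$problems = Get-CertProblems -Cert $cert -Name $expectedName -Expiry $expectedEnd
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'File does not match the details on this page; do not import it.'
}

# SHA-256 fingerprint of the DER-encoded certificate, for comparing with a value
# confirmed by LGfL through a separate channel (this page does not publish one).
$sha256      = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
"SHA-256 fingerprint: $fingerprint"

# Group Policy and Intune both place the certificate in the computer's Root store.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    'Certificate is present in LocalMachine\Root.'
} else {
    Write-Warning 'Certificate not yet in LocalMachine\Root; wait for policy refresh before enabling decryption.'
}
```

The name and date checks only catch a wrong or stale file; the fingerprint comparison is what confirms the file is the certificate LGfL issued.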
Installing Certificates for MDM (Meraki)
These instructions are based on Meraki (claim your free licenses at meraki.lgfl.net). The process will be similar for other MDMs; please consult the vendor documentation for how to install Root CA Certificates.
- Download the certificate from the link above.
- Log into Meraki and ensure you are in the correct network for your school.
- Hover over Systems Manager and click Settings.
- Create a new profile using the + Add Profile button.
- Choose Device Profile (default) and click Continue.
- Give the profile a name, for example, “LGfL Decryption Certificate” and set the scope to All Devices.
- Click + Add Settings on the left-hand side and choose Certificate.
- Give the certificate a name (you can use the same name as in the earlier step), select System for CertStore and leave the Password box empty.
- Click Choose File to select and upload the downloaded certificate. Once uploaded, you should see the following details:
  - Filename: sslfiltx.crt
  - Issuer: LGfL SchoolProtect HTTPS Decryption
  - Subject/CN: LGfL SchoolProtect HTTPS Decryption
  - Expiration: May 13, 2032
- Save the profile.
This will now deploy the certificate to all enrolled devices.
More information about deploying certificates through Meraki Systems Manager can be found here: Certificates Payload (Pushing Certificates).
Please note: most Android apps do not support HTTPS decryption and exclusions will need to be added in the SchoolProtect interface.