Installing HomeProtect on iPads
Prerequisites
Apple School Manager (ASM) or VPP to ‘purchase’ the app
MDM (e.g. Meraki, Jamf, etc.) Remember, LGfL schools can get free licenses for Meraki MDM.
iPads should be in supervised mode (to enforce the settings required to prevent bypassing the filter)
HomeProtect welcome email from LGfL. If you do not have this, please register at homeprotect.lgfl.net.
Deployment Scenarios
There are different ways to connect your devices to your school filtering policy. Please read through the options and decide which will work best before continuing.
Google/Microsoft Sign In
This is the default option whereby no configuration is necessary as long as your Google/Microsoft domain name was given on the sign up form. When the device is first used outside of the school network, the user will be prompted to sign in with a Google or Microsoft account.
This should only need to be done once and the login name is remembered from that point onwards.
Managed Config via MDM
If your students do not all have Google or Microsoft accounts then you can push out your filtering policy using the AppConfig functionality in MDM. Follow the steps listed in the Managed App Config (Optional) section to set this up.
Installation
This will guide you through the installation process using Apple School Manager and Meraki Systems Manager. If you use the legacy version of Apple VPP or a different MDM, please refer to the vendor documentation.
The installation is as simple as installing HomeProtect from the app store and if you are familiar with this process then feel free to skip to the Prevent Bypass section.
‘Purchase’ the app through Apple School Manager
Log in to Apple School Manager and open Apps and Books
Search for LGfL HomeProtect and pick it from the list
Select your location from the drop-down list
Enter the quantity of devices you wish to protect and click Get.
Within about 5 minutes, the licenses will be assigned, and you should receive an email from iTunes to confirm.
Deploy the app via Meraki/other MDM
Your MDM should already be set up with an Apple Push Certificate, the devices enrolled, and a linked VPP account. If you are able to install iOS apps then this is all working.
Log in to Meraki Systems Manager
Browse to Systems Manager > Apps
Open Import > Licensed iOS Apps
Select your VPP account and the HomeProtect app should appear (if it does not, you may need to go back to the apps page and click Accounts > Sync VPP Accounts before retrying)
Tick LGfL HomeProtect, leave the other options as default and click Import
Click on the app from the list (it should be highlighted) and select which devices you want to deploy it to using tags or All devices
Click Save
The app will now be pushed out to the devices and will be ready to use if students have Microsoft or Google logins. If your students don’t have logins, please follow the Managed App Config steps below. Make sure you also complete the Prevent Bypass steps to ensure students can’t get around the filter.
Prevent Bypass
The LGfL HomeProtect is a managed browser that has the web filtering solution baked in. This means you will need to block access to any other web browser.
In Meraki Systems Manager:
Browse to Systems Manager > Settings
Press Add Profile (or open an existing device profile)
Select Device Profile and click Continue
Enter a name for the profile and choose which devices it will be deployed to. Ensure all devices with HomeProtect are covered by this profile
Click Add Settings and select Restrictions
-
Untick the following options:
Allow Installing Apps
Allow use of Safari
Review other restrictions
Ensure you have not deployed any other web browsers. In Meraki you can see all installed apps in Systems Manager > Settings. This includes apps that users may have installed themselves. Check there are no browsers listed and remove ones found.
In other MDMs, ensure the following restrictions are set to disabled: Allow Installing Apps and Allow use of Safari.
Managed App Config (Optional)
If your students don’t have Microsoft or Google accounts, you can assign the iPads to your school filtering policy by pushing an AppConfig profile.
In your welcome email, you will have been given a group name which will start cfdefault@. You will need this in step 5.
In Meraki Systems Manager:
In Systems Manager > Settings, open the profile you created in the previous step
Click Add Settings and select Managed App Config
Select iOS under Platform and find the LGfL HomeProtect app in the list
Under Key enter configedit, leave Type as Text
Under Value enter this exactly (without quotes): “-p policy.safehomeschool.net:80 -s -f 133120 -g <group name>” (replace <group name> with the name given in your welcome email including the cfdefault@). e.g. -g cfdefault@example.com
e.g: -p policy.safehomeschool.net:80 -s -f 133120 -g cfdefault@example.com
Save the profile.
When your users log in they should not see a login page but get your policy automatically.
For other MDMs, consult the vendor documentation for how to create App Config profiles and create a profile with the following settings:
Target app: com.netsweeper.clientfilter.lgfl-homeprotect
Key: configedit
Value (without quotes): “-p policy.safehomeschool.net:80 -s -f 133120 -g <group name>” (replace <group name> with the name given in your welcome email including the cfdefault@).
e.g: -p policy.safehomeschool.net:80 -s -f 133120 -g cfdefault@example.com
User Experience
Your students will need to browse the internet using the HomeProtect app: 
This is a customised version of Firefox with the filter extension embedded. When the device is first used outside of the school network, the user will be prompted to sign in with a Google or Microsoft account unless you have pushed the managed app configuration. Once signed in, the student will be taken to the HomeProtect landing page which includes information about staying safe online and getting help:
The user only needs to log in once as the login name is remembered from that point onwards. If the user can’t get past the sign in screen, please follow the troubleshooting steps below.
To sign out, open the app menu ☰ > Settings > Data Management > Clear Private Data (ensure Cookies is checked) and then restart the browser. This will ensure all accounts are logged out.
Control permitted sites and categories
Please read HomeProtect School Administration to learn how to access the management portal and make changes to your school filtering policy.
Websites and Content Considerations
Search Engines
Search engines are limited to those that we can enforce safe search on. This includes:
Vimeo
Vimeo.com is blocked as a lot of videos are very inappropriate for pupils and there is no way to enforce safe search. The embedded version of Vimeo (player.vimeo.com) is unblocked as there are many educational resources using Vimeo to host videos. This allows embedded videos to play on sites that are unblocked. This is a compromise – it allows sites to function and stops students searching on Vimeo; at the same time though, an enterprising student could find a video code on another device and combine that with the allowed player url to access an inappropriate video. You can use the management console to either block player.vimeo.com to prevent all access to Vimeo content, allow vimeo.com (strongly not recommended) to allow the whole of Vimeo to be accessible to your students including the unsuitable material or add individual video URLs to the allow list to allow direct browsing to specific, approved videos.
Troubleshooting
Issues Logging In
If HomeProtect does not recognise the domain name that the user has signed in with, they will be taken back to the sign in page. Under the ‘Technical Details’ button it will show ‘no login name or password’.
The first thing to check is the domain name of the user account matches the domain name supplied during sign-up. If the registered domain is incorrect, please contact support who will correct it. Please note, it is the domain name of the user, not the primary domain for the Google or Microsoft tenancy.
If you have confirmed the domain name is correct the other potential cause of login issues is where the Microsoft or Google domain is ‘federated’ with a 3rd party identity provider or internal ADFS server and the service is being blocked by HomeProtect. This will generally mean that the user does not get the opportunity to even enter their password and are taken back to the sign in page instead.
Most common federated identity providers have been whitelisted in HomeProtect, but if yours does not work, please contact support who will work out and whitelist the required addresses.
Websites not loading despite being added to the Allow List
Many websites have multiple dependent addresses that all need to be allowed for the website to properly work. The easiest way to work out which addresses need to be added to the Allow list is to use the developer tools in Chrome to see which domains a site calls. Open the Network tab and reload the page. Make sure you have the Domain column visible (right click the column headings to add it). You will see all the domains the site requires:
Contacting Support
If you face any issues or just need some help or guidance, please email homeprotect@lgfl.net. To help us to resolve your issue as quickly as possible, please include the following information:
School and authority/MAT details.
Name of person who completed the sign up form if it is not yourself.
Platform (Chrome, Windows, iOS).
A screenshot of the block page. Please click Technical Details and ensure the text is included.
Full Google/Microsoft username of the pupil/test account (including domain name).
Steps to reproduce the problem.