Back to Blog

How to Filter iPads Without Installing Apps or Browser Extensions

Learn how cloud-based proxy filtering through MDM configuration profiles provides comprehensive iPad web filtering without requiring any app installation, browser extension, or student interaction.

February 21, 2026By KyberGate TeamiPadMDMweb filteringdeployment

If you manage iPads in a school district, you've probably wrestled with the question: how do you filter web content on student devices without installing yet another app?

Browser extensions can be disabled. VPN-based filters drain battery. Supervised apps get removed. And anything that requires student interaction is a liability.

There's a better way — and it's been hiding in your MDM platform all along.

The Problem with App-Based Filtering

Most web filtering solutions for iPads fall into one of these categories:

1. Browser extensions — Only work in Safari or Chrome. Students open another browser, and the filter is gone.

2. VPN-based filters — Route all traffic through a VPN tunnel. This works but kills battery life, adds latency, and creates a single point of failure. When the VPN disconnects, the student is unfiltered.

3. On-device apps — Require installation and management of an additional app. Students in supervised mode can't remove them, but the app still needs updates, consumes resources, and can crash.

4. DNS filtering — Changes the device's DNS to a filtering provider. Easy to set up, but only blocks by domain — can't inspect HTTPS content, can't filter by URL path, and students can bypass it with DNS-over-HTTPS.

None of these are ideal. They're all bolt-on solutions that work around the device instead of working with it.

The MDM Proxy Approach

Here's what we do differently at KyberGate — and what companies like Deledao have proven works at scale:

We use your MDM to push a PAC (Proxy Auto-Configuration) file to the device.

That's it. No app. No extension. No VPN. Just a standard MDM configuration profile that tells the device: "Route your web traffic through this proxy server."

How It Works

  1. You deploy an MDM profile via Jamf, Mosyle, Kandji, or any MDM that supports iOS configuration profiles
  2. The profile sets a PAC URL that points to your KyberGate proxy
  3. All web traffic from every app on the device routes through the proxy
  4. The proxy inspects traffic in real-time — blocking, allowing, or logging based on your policies
  5. A root CA certificate (also deployed via MDM) enables HTTPS inspection

The student never sees an app. They never interact with the filter. It just works, silently, at the network level.

What the PAC File Does

The PAC file is a small JavaScript configuration that tells iOS how to route traffic:

  • School domains, Apple services, and local traffic → DIRECT (bypass the proxy)
  • Everything else → Route through the KyberGate proxy for inspection

This means Apple services (iCloud, App Store, Apple School Manager) work normally without latency, while web browsing is fully filtered.

Why This Is Better

It's Bypass-Resistant

Unlike browser extensions or DNS filters, a proxy set via MDM can't be removed by the student. The profile is locked to the device. Even if a student uses a different browser, a third-party app with a built-in browser, or any other HTTP client — all traffic goes through the proxy.

It Covers All Apps

Not just Safari. Not just Chrome. Every app that makes an HTTP/HTTPS request goes through the proxy. This catches in-app browsers, social media apps with built-in web views, and anything else that touches the internet.

No Battery Drain

Unlike VPN-based solutions, a PAC proxy doesn't create a persistent tunnel. It's just a routing configuration — the device connects to the proxy only when making web requests. Battery impact is negligible.

It Works Off-Campus

Since the proxy is cloud-based, it works everywhere the device has internet access. At school, at home, at the coffee shop — the filtering is consistent.

Zero Student Interaction

Students don't install anything. They don't sign into anything. They don't even know the filter is there (until they try to access something blocked, at which point they see a clean block page).

Deployment in 30 Minutes

Here's what the deployment looks like with KyberGate:

Step 1: Download the MDM profile from your KyberGate dashboard (or generate it via API)

Step 2: Upload the profile to your MDM (Jamf, Mosyle, Kandji, etc.)

Step 3: Deploy the root CA certificate (also provided, one-click in most MDMs)

Step 4: Assign to device groups — deploy to all student iPads

That's the entire setup. Your devices are now filtered.

Real-World Performance

Schools using proxy-based filtering report:

  • 99.9% uptime — cloud proxy with automatic failover
  • < 50ms added latency — barely noticeable for students
  • Zero support tickets about the filter itself — because students can't see or interact with it
  • Complete coverage — no more "they used a different browser" excuses

Getting Started

If you're running Jamf, Mosyle, Kandji, or any MDM that supports iOS Global HTTP Proxy (PAC mode), you can deploy KyberGate today.

Request a demo and we'll walk you through the setup for your specific MDM platform. Most schools are fully deployed within 30 minutes.

Questions about MDM proxy configuration? Email us at info@kybersystems.com or request a demo.

For funding planning, use this E-Rate funding guide.

For implementation details, see school web filtering pricing.

Ready to protect your students?

Deploy KyberGate in under 30 minutes. No hardware required.

Request a Demo

Chat with KyberGate

We typically respond within a few hours

👋 Hi! Have questions about KyberGate for your school? Drop us a message and we'll get back to you.