You just got a shipment of 200 Chromebooks for your school's 1:1 program. The principal wants them in students' hands by Monday. The superintendent wants CIPA compliance documented by Friday.

You have 30 minutes.

Here's exactly how to deploy web filtering on school Chromebooks — from zero to filtered — with step-by-step instructions that work whether you're using Google Admin's built-in tools, a Chrome extension, or a cloud proxy like KyberGate.

Before You Start: What You Need

Google Workspace for Education admin access
Chrome Enterprise or Chrome Education Upgrade license (for managed Chromebooks)
Your web filter choice — we'll cover three approaches below
An Organizational Unit (OU) structure in Google Admin

If you don't have your OU structure set up yet, create at minimum:

`/Students/Elementary`
`/Students/Middle`
`/Students/High`
`/Staff`
`/Testing` (for lockdown mode during assessments)

This lets you apply different policies to different groups — elementary students get tighter restrictions than high schoolers, and staff get the loosest policies.

Option 1: Google Admin Built-In Filtering (Free, Basic)

Google Admin Console includes basic URL filtering capabilities. It's free but limited.

Step 1: Open Google Admin Console

Navigate to `admin.google.com` → Devices → Chrome → Settings → Users & browsers

Step 2: Select Your OU

Click the student OU you want to configure (e.g., `/Students/Elementary`).

Step 3: Configure URL Blocking

Scroll to URL Blocking and add domains to your blocklist: ``` pornhub.com xvideos.com reddit.com tiktok.com instagram.com snapchat.com ```

Step 4: Enforce SafeSearch

In the same settings panel, find SafeSearch and set it to Always use SafeSearch.

Step 5: Force YouTube Restricted Mode

Under YouTube settings, select At least Moderate Restricted YouTube access.

Limitations of This Approach

No HTTPS content inspection — blocks domains but can't see page content
No game detection — can only block known gaming domains one by one
No real-time content analysis — a new proxy site won't be caught
No reporting beyond basic Chrome audit logs
No student safety monitoring — doesn't scan Docs/Gmail for concerning content
Manual maintenance — you're updating blocklists by hand

Verdict: Fine for an emergency stopgap. Not sufficient for CIPA compliance or real student safety.

Option 2: Chrome Extension Filter (Moderate, 15 Minutes)

Chrome extension-based filters (like KyberGate's Chrome extension, GoGuardian, or Securly) install directly into the Chrome browser and filter from within.

Step 1: Force-Install the Extension via Google Admin

Navigate to Devices → Chrome → Apps & extensions → Users & browsers

Select your student OU, then click the + icon → Add Chrome app or extension by ID.

For KyberGate: Enter extension ID `aodjgiobchlnlmicciieahkfnmkoojef`

Set the installation policy to Force install — this prevents students from removing it.

Step 2: Configure Extension Policy

Most enterprise Chrome extensions accept managed policy via Google Admin. Under the extension's settings, paste your configuration JSON:

```json { "orgId": { "Value": "your-org-id" }, "apiEndpoint": { "Value": "https://proxy.kybergate.com" } } ```

Step 3: Verify Deployment

On a test Chromebook, sign in as a student. Open `chrome://extensions` and verify the filter extension is installed and cannot be disabled (it should show "Installed by your administrator").

Step 4: Test Filtering

Try visiting a known blocked site. Try searching "unblocked games." Try opening an incognito window (extensions should be forced in incognito via your Google Admin policy).

Advantages of Extension Filtering

Quick deployment via Google Admin (no device touching)
Works on managed Chromebooks seamlessly
Can inspect page content within the browser
Centralized management through web dashboard

Limitations

Only works in Chrome browser — if a student uses an Android app on a Chromebook, the extension can't filter it
Students may find workarounds in guest mode or other browsers
Doesn't filter other devices — iPads, Windows need separate solutions
Browser-bound — if Chrome crashes, filtering stops

Option 3: Cloud Proxy Filter (Best, 20 Minutes)

Cloud proxy filtering routes all device traffic through a filtering proxy server. This is the most comprehensive approach and works across all apps — not just Chrome.

Step 1: Get Your PAC File URL

When you sign up for KyberGate, you receive a PAC (Proxy Auto-Configuration) file URL: ``` https://proxy.kybergate.com/api/pac/YOUR_ORG_ID ```

Step 2: Configure PAC in Google Admin

Navigate to Devices → Chrome → Settings → Users & browsers

Select your student OU. Scroll to Proxy settings and set:

Proxy mode: Use a .pac proxy auto-config URL
Proxy .pac file URL: Your KyberGate PAC URL

Step 3: Install the CA Certificate

For HTTPS inspection to work, the KyberGate CA certificate must be trusted on each device.

In Google Admin: Devices → Networks → Certificates → Upload the KyberGate CA cert and set it as trusted for web traffic.

Step 4: Block Proxy Bypass

In Devices → Chrome → Settings → Users & browsers, configure:

Proxy settings: Cannot be changed by user
VPN: Block VPN apps (prevents tunnel bypass)
Developer tools: Disable for student OUs (prevents proxy header inspection)

Step 5: Force Extensions in Incognito

Under Incognito mode: Set to Allow (so students can use it) but ensure Force install extensions in incognito is enabled so your filter extension still runs.

Step 6: Verify Everything Works

On a test Chromebook:

Visit `whatismyipaddress.com` — traffic should show the proxy server's IP
Visit a known blocked site — should see the KyberGate block page
Search "unblocked games" on Google — SafeSearch should be enforced
Try `chrome://dino` — should be blocked
Open an Android app (if available) — traffic should still be filtered through the proxy

Why Proxy Is Best for Chromebooks

Filters all traffic — not just Chrome, but Android apps too
Full HTTPS inspection — sees inside encrypted connections
Can't be bypassed by switching browsers or using incognito
Same solution works on iPads and Windows — one platform for all devices
Real-time policy updates — change a policy and it takes effect in seconds

Post-Setup: Essential Configuration

Regardless of which approach you chose, complete these steps:

1. Create Grade-Level Policy Templates

Elementary, middle, and high school students need different policies. KyberGate includes 6 pre-built templates:

Elementary: Most restrictive. Allow-list only (specific educational sites).
Middle: Category-based blocking. Social media blocked during school hours.
High School: Lighter touch. Social media allowed during lunch/after school.
BYOD: Minimal filtering. Block explicit content only.
Staff: Lightest filtering. Block malware and explicit content.
Testing: Lockdown mode. Only assessment platform URLs allowed.

2. Set Up School Hours Scheduling

Configure time-based policies so social media is blocked during class (8 AM - 3 PM) but allowed during lunch and after school. Students resent filters less when they're reasonable.

3. Enable SafeSearch Everywhere

Enforce SafeSearch on Google, Bing, YouTube, DuckDuckGo, and Yahoo. This is a CIPA requirement and one of the most commonly missed configurations.

4. Configure Game Blocking

Enable KyberGate's game detection engine or add gaming categories to your blocklist. This is the #1 thing teachers will judge your filter on.

5. Set Up Admin Alerts

Configure email notifications for:

Student attempts to access explicit content
VPN or proxy bypass attempts
New device enrollments
Policy changes (audit trail)

6. Generate Your CIPA Compliance Report

Run your first compliance report and save it. You'll need this for E-Rate documentation and board presentations.

Troubleshooting Common Issues

"The filter isn't blocking anything"

Verify the PAC file URL is correct and accessible
Check that the OU has the policy applied (not inherited from a parent with different settings)
Ensure the CA certificate is installed and trusted
Wait 5-10 minutes — Google Admin policies can take time to propagate

"Students say the internet is slow"

Check your proxy server's response time (`/health` endpoint on KyberGate)
Verify bypass domains are configured for high-bandwidth sites (Apple updates, Google Drive)
Check if SSL inspection is trying to inspect pinned certificates (some apps will fail)

"An educational site is being blocked"

Add it to your allow list immediately
Report false positives to your filter vendor so they can update global categorization
Consider setting up a teacher request workflow for site unblocking

"Students are still playing games"

Enable content-level game detection (not just domain blocking)
Block `sites.google.com` subpaths that host games
Block `chrome://dino` via Chrome policy
Consider blocking GitHub Pages (`*.github.io`) during school hours
Read our complete guide to blocking unblocked games

What's Next

Once your Chromebooks are filtered:

Deploy the same solution to iPads — read our 1:1 iPad filtering guide
Enable student safety monitoring — KyberPulse scans Google Workspace for concerning content
Train your teachers — roll out classroom management without the pushback
Set up weekly reports — automated email digests keep administrators informed
Document your CIPA compliance — use our checklist

You've gone from zero to filtered in 30 minutes. Now the real work begins — tuning policies, training staff, and building a culture of digital citizenship.

Start your free KyberGate pilot →

How to Set Up Web Filtering on School Chromebooks in 30 Minutes