Print

Print


Latest twist:

I'm using Securly's DNS servers on my own Mac today, just to see how it
goes. In the last 15 minutes or so, I've gotten this repeatedly when doing
Google searches on innocent subjects:

---------
select timeZone from user where email =
"[log in to unmask]";Aiyee,
server messed up. Details have been mailed to us. Please try again or check
back shortly. Thanks.Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (2)
---------

lol. "Aiyee" indeed. Opened a support ticket. Maybe this is what's
*actually* happening to my users intermittently, and it has nothing to do
with certificates.

-- MB

On Thu, Oct 22, 2015 at 12:01 PM, Marion Bates <[log in to unmask]>
wrote:

> OK...wait...so.
>
> The Mac keychain install I've done on school Macs -- does that only "help"
> Safari? Do we have to install the cert to our Macs' Chrome and Firefox
> browsers individually *also*? I have pushed it down to Chromebooks, but
> that's at the device level. From Securly's KB article I got the impression
> that Chrome on the Mac "inherits" certs and trust settings from the Mac's
> system Keychain. Is that not the case?
>
> I didn't realize that Firefox needed its own installation/configuration. I
> thought it too looked at the Mac Keychain. What a PITA.
>
> iPads: We've deployed the .pac file, the global proxy profile, and the
> Securly certificate via our MDM, months ago. Yesterday, with the DNS filter
> enabled, the Google Search "app" worked, while Google searches in Safari
> did not. Today, I have disabled the DNS-based filter altogether, and I'm
> now hearing that kids' iPads are able to search in Safari, but NOT the
> Google Search app. Stuff that works for the kids when they're home, breaks
> when they're on our network.
>
> This is maddening.
>
> Thanks again for your help.
>
> -- MB
>
>
> On Thu, Oct 22, 2015 at 11:48 AM, Mike Kanfer <[log in to unmask]> wrote:
>
>> Are you using Firefox?  It requires its own certificate.
>>
>> On Thu, Oct 22, 2015 at 11:24 AM, Marion Bates <[log in to unmask]>
>> wrote:
>>
>>> Okay, THANK YOU Mike!
>>>
>>> The mystery remains, though. When I did this back in July, I deployed a
>>> pkg that ran this command:
>>>
>>> /usr/bin/security add-trusted-cert -d -r trustRoot -k
>>> /Library/Keychains/System.keychain $1/Contents/Resources/
>>> securly_self_signed_cert_exp_20200130.der
>>>
>>> This has the effect of adding the cert to the system keychain and always
>>> trusting it:
>>>
>>> [image: Inline image 1]
>>>
>>> That's been done on all of our school Macs; yet, this week, we've had
>>> users encounter trust warnings left and right, for basic stuff like
>>> drive.google.com. And, that "securly_self_signed_cert_exp_20200130.der"
>>> is identical to the "securly_SHA-256.crt" file that I just downloaded
>>> from their KB article.
>>>
>>> Guess I'll keep digging...
>>>
>>> Thanks again,
>>>
>>> -- MB
>>>
>>> On Thu, Oct 22, 2015 at 9:48 AM, Mike Kanfer <[log in to unmask]> wrote:
>>>
>>>> Check out http://support.securly.com- click on the In School DNS
>>>> choice and the See All 13 Articles under the Deployment section.  It has
>>>> answers for everything there.
>>>>
>>>> On Thu, Oct 22, 2015 at 9:38 AM, Marion Bates <[log in to unmask]>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> If you use Securly DNS-based filtering on your network, could you
>>>>> point me to KB article(s) or any other resource you might have, regarding
>>>>> step-by-step instructions for doing whatever voodoo is necessary for client
>>>>> certificate setup on desktop OS's (in our case, Macs), iOS, and
>>>>> Chromebooks? I thought I had done the needful this summer, but it keeps
>>>>> breaking, and the turnaround time with support is pretty atrocious lately.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -- MB
>>>>>
>>>>> --
>>>>> Marion Bates, District Technology Supervisor
>>>>> School Administrative Unit 70
>>>>> Hanover, NH | Norwich, VT
>>>>> Office: (603) 643-3431 x2714
>>>>> http://www.sau70.org/
>>>>>
>>>>> -----------------------------------------------------------------------
>>>>>
>>>>> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT
>>>>> Archive
>>>>>
>>>>> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
>>>>> Subscription to SCHOOL-IT
>>>>>
>>>>
>>>> -----------------------------------------------------------------------
>>>>
>>>> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT
>>>> Archive
>>>>
>>>> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
>>>> Subscription to SCHOOL-IT
>>>>
>>>
>>>
>>>
>>> --
>>> Marion Bates, District Technology Supervisor
>>> School Administrative Unit 70
>>> Hanover, NH | Norwich, VT
>>> Office: (603) 643-3431 x2714
>>> http://www.sau70.org/
>>>
>>> -----------------------------------------------------------------------
>>>
>>> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT
>>> Archive
>>>
>>> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
>>> Subscription to SCHOOL-IT
>>>
>>
>> -----------------------------------------------------------------------
>>
>> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT
>> Archive
>>
>> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
>> Subscription to SCHOOL-IT
>>
>
>
>
> --
> Marion Bates, District Technology Supervisor
> School Administrative Unit 70
> Hanover, NH | Norwich, VT
> Office: (603) 643-3431 x2714
> http://www.sau70.org/
>



-- 
Marion Bates, District Technology Supervisor
School Administrative Unit 70
Hanover, NH | Norwich, VT
Office: (603) 643-3431 x2714
http://www.sau70.org/