Admin implementation checkout

Configure the stack in the order it actually has to work.

Start with Google Admin and Chrome policy, then Mosyle Mac enforcement, then GoGuardian filtering, then district-level hardening evidence. Checkboxes save in this browser.

Implementation apps

Jump to the platform you are configuring.

Google Admin

Workspace for Education, Chrome browser, extensions, Drive, Gmail, age-based access, OAuth, and admin security.

Mosyle Mac

Apple School Manager enrollment, FileVault, macOS updates, standard users, restrictions, app patching, and compliance.

GoGuardian

Extension deployment, filtering policy, teacher override, grade-band policy, YouTube controls, off-campus filtering, and reporting.

Role matrix

Set the default posture by audience.

Use this as the top-level policy intent before configuring individual Admin console settings. Student restrictions should be explicit; staff and admin settings should be separate so adults are not accidentally treated as under-18 users.

All Users

Use managed accounts only for school services.
Keep Chrome managed and visible in chrome://policy.
Require Safe Browsing.
Review third-party app access instead of leaving OAuth open-ended.
Use least-privilege groups and clean OUs.

Students

Designate under 18 unless clearly 18+.
Disable guest, incognito, unmanaged extensions, and personal Chrome profiles.
Block unconfigured third-party apps by default.
Limit Drive external sharing and public link exposure.
Apply GoGuardian filtering and non-overridable safety policy.

Staff

Designate staff OUs as 18+ when appropriate.
Require MFA and managed Chrome sign-in.
Allow only approved extensions and apps.
Permit external sharing only where school work requires it.
Allow proxy app requests for teachers only if the approval process is staffed.

Admins

Use separate admin accounts, not daily-use mail accounts.
Require phishing-resistant MFA/security keys for super admins.
Keep two monitored break-glass accounts.
Use delegated roles and avoid broad super admin assignment.
Review Security Center, audit logs, and alert rules on a schedule.

Step 1

Google Admin and Chrome settings

Set identity, Chrome browser behavior, extensions, and account protections before relying on GoGuardian visibility.

0/0

Google Admin - All Users

Clean OUs and configuration groups before policy.
Managed Chrome browser policy visible in chrome://policy.
Safe Browsing, Gmail safety, OAuth app control, Drive sharing rules.
Core services only unless Additional Services are approved.

Google Admin - Students

Designate under 18 unless confirmed otherwise.
Disable guest, incognito, personal profiles, and unmanaged extensions.
Block unconfigured third-party apps; review requests and consent.
Restrict Drive external/public sharing and Groups access.

Google Admin - Staff

Mark staff/faculty OUs as 18+ when appropriate.
Require MFA and managed Chrome sign-in.
Use approved extension allowlist, not open extension install.
Allow external sharing and proxy app requests only with workflow ownership.

Google Admin - Admins

Separate admin accounts from daily mail accounts.
Security keys/phishing-resistant MFA for super admins.
Delegate roles instead of broad super admin access.
Review Security Center, audit logs, app access, and alerts weekly.

P0 Create clean Google OUs and groups before applying policy Path: Admin console > Directory > Organizational units / Groups Set: Students by grade band, Teachers, Staff/Admin, IT Test, Loaner/Shared Verify: Test student and teacher accounts land in expected OU/group Source: Chrome policies by OU/group

P0 Protect super admin and delegated admin accounts Path: Admin console > Security > Authentication > 2-Step Verification Set: Require 2SV; use security keys for super admins; keep two break-glass accounts Verify: Admin accounts show enforced 2SV and backup codes are stored offline Source: Google admin account best practices

P0 Separate admin accounts and delegate admin roles Applies: Admins Set: Separate admin identity; minimum required roles; no routine work from super admin Verify: Super admin list is short and every admin role has a named owner Source: Google admin roles

P0 Set Google Workspace for Education age-based access Path: Account settings > Age-based access settings Students: Under 18 unless verified 18+; Staff/Admin: 18+ OUs/groups Verify: Teachers and admins are not accidentally restricted as under-18 users Source: Age-based access

P0 Lock down third-party app access and OAuth scopes Path: Security > Access and data control > API controls > App access control Students: Block unconfigured apps; Staff: allow request workflow; Admins: review regularly Verify: Unknown app sign-in is blocked or requestable, not silently allowed Source: App access control

P0 Review under-18 app requests and parental consent workflow Path: App access control > Apps pending review Students: Block unconfigured apps unless approved; document consent obligations Verify: Requested student apps are approved, limited, or blocked with an owner Source: Under-18 app access

P1 Review Additional Google Services for students annually Path: Apps > Additional Google services Students: Enable only approved instructional services; Staff: broader access if needed Verify: Consent status is confirmed for under-18 access where required Source: Additional services under 18

P0 Turn on Chrome management for student and staff OUs Path: Admin console > Devices > Chrome > Settings > Users & browsers Set: Manage Chrome for school users; use enrolled browser policy for school-owned Macs Verify: On a Mac, open chrome://policy and confirm cloud/device policy source Source: View Chrome policies

P0 Keep Chrome current and report browser versions Applies: All users and enrolled school Macs Set: Chrome auto-update on; monitor Chrome version and policy status in Chrome browser management Verify: Test Mac runs current stable Chrome and appears in Google Admin reporting Source: Chrome policy reporting

P0 Require student Chrome sign-in with school account Path: Devices > Chrome > Settings > Users & browsers > Sign-in settings Set: Restrict sign-in to school domain; prevent personal profile use for students Verify: Personal Gmail cannot become the managed Chrome profile on a student Mac Policy: BrowserSignin, RestrictSigninToPattern

P0 Disable student guest mode and incognito mode Path: Devices > Chrome > Settings > Users & browsers Set: Guest mode disabled; incognito disabled for student OUs Verify: Chrome menu does not offer guest/incognito for a student account Policy: BrowserGuestModeEnabled, IncognitoModeAvailability

P0 Force-install GoGuardian and required school extensions Path: Devices > Chrome > Apps & extensions > Users & browsers Set: Force install required GoGuardian extensions and curriculum essentials by OU Verify: chrome://extensions shows installed and not removable Source: Force-install extensions

P1 Block student extension installs except approved allowlist Path: Devices > Chrome > Apps & extensions > Settings Set: Block all by default; allow specific school-approved extensions Verify: Student cannot install random Chrome Web Store extension Source: Extension policy overview

P1 Require Safe Browsing and restrict risky browser features Path: Devices > Chrome > Settings > Users & browsers > Security Set: Safe Browsing on; disable student password manager and payment autofill Verify: chrome://policy shows expected security and autofill policies Source: Google security checklist

P1 Restrict Google Drive external sharing by audience Path: Apps > Google Workspace > Drive and Docs > Sharing settings Students: No public/external sharing or trusted domains only; Staff: warn/allow where needed Verify: Student cannot create public links or share externally unless explicitly allowed Source: Drive external sharing

P1 Control shared drive creation and external membership Path: Apps > Google Workspace > Drive and Docs > Shared drives Students: Usually no shared drive creation; Staff: approved owners only Verify: External members and content movement rules match district data policy Source: Manage shared drives

P1 Enable Gmail advanced phishing and malware protections Path: Apps > Google Workspace > Gmail > Safety All: Spoofing, attachment, link, external image, and domain impersonation protections Verify: Safety settings apply to staff and students; alerts route to IT/security owners Source: Gmail safety settings

P1 Restrict Google Groups creation and external group access Path: Apps > Google Workspace > Groups for Business > Sharing settings Students: No public groups; no student-created groups; Staff: controlled group ownership Verify: Students cannot create groups or join public external groups Source: Groups sharing settings

P1 Define password, session, and recovery policy Path: Security > Authentication > Password management / session settings All: Enforce strong passwords where passwords are used; review recovery methods and admin session length Verify: Password policy and Google Cloud/Admin session length are documented Source: Password requirements

P1 Review Security Center, audit logs, and alert routing Path: Security > Security center / Reporting / Rules Admins: Weekly review of security health, investigation tool, alerts, OAuth, suspicious logins Verify: Alerts go to a monitored mailbox/ticket queue and have a response owner Source: Security center

Step 2

Mosyle settings for Mac

Use Mosyle for device ownership, macOS controls, FileVault, app deployment, and local account enforcement.

0/0

Mosyle - All Users

All school Macs assigned through Apple School Manager and ADE.
MDM profile required and non-removable on school-owned devices.
FileVault enabled with personal recovery key escrow.
Chrome, productivity apps, PPPC profiles, printers, and certificates deployed by Mosyle.

Mosyle - Students

Standard user only; no permanent local admin.
Block unapproved browsers and app installation paths.
Disable guest login and unnecessary sharing services.
Apply stricter screen lock, AirDrop, iCloud, and external media rules by grade.

Mosyle - Staff

Standard user by default with temporary elevation workflow.
Mosyle Auth/SSO where licensed; sync local account with identity provider.
Patch apps and macOS automatically with clear deferral windows.
Broader app catalog scoped by staff group, not unmanaged installs.

Mosyle - Admins

Separate IT admin accounts and audit local admin inventory.
Weekly reports for FileVault, OS version, MDM check-in, and app compliance.
Use Mosyle hardening/compliance or NIST mSCP as benchmark reference.
Clear Activation Lock and rotate recovery keys during reassignment.

P0 Assign school-owned Macs from Apple School Manager to Mosyle Path: Apple School Manager > Devices; Mosyle > Enrollment / ADE Set: Automated Device Enrollment profile for student, teacher, staff, and shared Macs Verify: Freshly erased Mac shows Remote Management and enrolls into correct Mosyle group Source: Apple K-12 deployment

P0 Prevent MDM profile removal on school-owned Macs Path: Mosyle > Enrollment profile / Restrictions Set: MDM enrollment required and non-removable for ADE devices Verify: Student cannot remove management profile in System Settings Source: Apple deploy and manage

P0 Enforce FileVault and escrow the personal recovery key Path: Mosyle > Management > Security / FileVault profile Set: FileVault required; PRK escrowed; rotate on reassignment or repair Verify: fdesetup status returns FileVault is On and Mosyle shows escrow Source: Apple FileVault queries

P0 Make students standard users with no local admin rights Path: Mosyle > Auth / Account creation / Restrictions Set: Students standard; IT admin account only; staff use temporary elevation if needed Verify: Student cannot install apps or unlock protected settings with their password Source: Mosyle Mac security

P1 Enforce macOS updates with short security deadlines Path: Mosyle > OS Updates / Restrictions Set: Critical/background security updates 0-3 days; minor macOS updates 7 days after validation Verify: Test Mac receives deferral prompts and enforces restart at deadline Source: Apple MDM updates

P1 Deploy and patch approved apps through Mosyle Path: Mosyle > Apps / Mac App Catalog / PKG deployment Set: Chrome, Drive, Zoom/Teams if needed, printers, certificates, PPPC profiles, GoGuardian components Verify: Student cannot install unapproved apps; approved apps update without admin prompts Source: Mosyle platform overview

P1 Track hardening and compliance against current macOS version Path: Mosyle > Security / Hardening & Compliance if licensed; NIST mSCP for benchmark Set: Monitor FileVault, firewall, Gatekeeper, update status, local admin, profiles, certificates, and app compliance Verify: Compliance report separates current macOS devices from older-version exceptions Source: Mosyle hardening/compliance

P1 Restrict risky student Mac features Path: Mosyle > Restrictions / Profiles Set: Disable guest login, unmanaged sharing services, unapproved browsers, App Store installs, and profile removal Verify: Student cannot use another browser to bypass Chrome/GoGuardian expectations Source: Apple malware protections

P2 Control Activation Lock and device reassignment workflow Path: Mosyle > Device details / Security queries / Lost mode process Set: Store bypass code where available; clear lock before repair, sale, or reassignment Verify: Reassigned Mac does not prompt for prior user Apple Account Source: Apple Activation Lock query

Step 3

GoGuardian settings

Use GoGuardian for student web safety, classroom focus, reporting, and filtering policy. Keep it aligned with Google OUs and Mosyle browser controls.

0/0

GoGuardian - All Users

Deploy required GoGuardian components through Google Admin and Mosyle.
Sync users, OUs, classes, and roles from the authoritative source.
Document when monitoring/filtering applies on campus and off campus.
Keep reports and audit access role-restricted.

GoGuardian - Students

Root non-overridable safety policy for CIPA categories.
Grade-band policies for elementary, middle, and high school.
Block proxies, VPNs, anonymizers, malware, phishing, explicit content, and bypass tools.
Use current YouTube controls and category updates to reduce workarounds.

GoGuardian - Staff

Teacher access limited to assigned classes and OUs.
Teacher Override only for approved class-level policies.
Use Scenes Policy Checker and URL checking before lessons where available.
Train teachers on privacy, override boundaries, and support workflow.

GoGuardian - Admins

Review policy templates before applying elementary/middle/high baselines.
Review Smart Alerts, reports, unblock requests, and bypass attempts weekly.
Keep GoGuardian App current where used; track 2026 release notes.
Audit Super User and "log in as" privileges.

P0 Sync users, OUs, and roles from Google/Clever/ClassLink Path: GoGuardian Org Management > Integrations / Provisioning Set: Student groups, teacher access, delegated admin roles, school/campus mappings Verify: Pilot student appears in correct group and teacher can see only assigned classes Source: GoGuardian provisioning

P0 Complete GoGuardian extension deployment through Google Admin Path: GoGuardian Org Management > Installations; Google Admin > Chrome extensions Set: Follow GoGuardian-provided extension IDs and deployment instructions for your products Verify: GoGuardian dashboard shows student device active and extension installed Source: GoGuardian install guide

P0 Create non-overridable root safety policy Path: GoGuardian Admin > Filtering / Policies Set: Block explicit content, malware, phishing, proxies, VPNs, anonymizers, gambling, illegal drugs Verify: Block page appears for test sites and teacher override is not available for root safety blocks Source: GoGuardian Admin

P1 Create grade-band and classroom policies Path: GoGuardian Admin > Policies / Groups Set: Elementary, middle, high, staff, testing, and temporary exception groups Verify: A site allowed for high school remains blocked for elementary Source: School filtering guide

P1 Limit teacher override to class-level policies only Path: GoGuardian Admin / Teacher settings Set: Teacher override allowed only for specific OU-level instructional policies Verify: Teacher can unblock approved class site but cannot override CIPA/safety blocks Source: Teacher override guidance

P1 Decide and test off-campus filtering coverage Path: GoGuardian Admin > Out-of-school / DNS protection if licensed Set: Define school-hour and after-hour filtering for take-home Macs Verify: Student Mac is filtered on a non-school network if that is the policy Source: GoGuardian filtering coverage

P1 Review current GoGuardian smarter filtering and YouTube controls Path: GoGuardian Admin > Filtering / YouTube / categories Set: Use current categories and YouTube controls to reduce downloader/bypass workarounds Verify: Student test account cannot use known YouTube downloader or bypass patterns Source: 2025 filtering controls

P2 Track GoGuardian App versions where the app is deployed Path: GoGuardian release notes / Mosyle app deployment inventory Set: Keep GoGuardian App current on macOS if your deployment uses it Verify: App version matches current GoGuardian macOS release notes before broad rollout Source: 2026 product updates

Step 4

School hardening and evidence

Use CISA and CoSN for K-12 program priorities, and NIST mSCP for Mac-specific security baseline generation and validation.

0/0

P0 Map district priorities to CISA K-12 recommendations Path: District cybersecurity plan / board policy / IT roadmap Set: MFA, patching, backups, incident reporting, vendor risk, training, and recovery priorities Verify: Written roadmap has owners, due dates, and review cadence Source: CISA K-12 cybersecurity

P0 Use CISA Cybersecurity Performance Goals as the minimum control set Path: IT security standards / annual audit checklist Set: MFA, known exploited vulnerability response, asset inventory, backups, logging, incident reporting Verify: Each goal has evidence or a documented gap/exception Source: CISA CPGs

P1 Use CoSN resources for K-12 policy and planning language Path: District IT governance / cybersecurity planning Set: Risk assessment, vendor review, incident response, student data privacy, leadership reporting Verify: Checklist aligns with school operations, not only enterprise language Source: CoSN cybersecurity planning

P1 Compare Mosyle Mac baseline to NIST mSCP Path: NIST macOS Security Compliance Project / Mosyle profiles Set: Tailored macOS baseline; do not blindly apply STIG-style controls to classrooms Verify: Pilot profile does not break testing, accessibility, printing, video, or curriculum apps Source: NIST mSCP

Source library

Official guidance links.

These are the references used by the checklist. Keep vendor-specific implementation details current from these pages.

Apple Deployment Guide for K-12 EducationApple School Manager, MDM, and education deployment. Apple MDM Software UpdatesManaged update deadlines and OS update service. Mosyle Security and ManagementMac security, FileVault, patching, Chrome management. Google Chrome Policy ManagementUser and enrolled browser policy behavior. Google Force-Install ExtensionsChrome app and extension deployment. Google Workspace Security ChecklistsAdmin security best practices. Google Age-Based AccessEducation settings for under-18 and 18+ users. Google App Access ControlTrusted, limited, specific-data, and blocked OAuth app access. Google Drive External SharingExternal sharing, trusted domains, visitor sharing, and warnings. Gmail Safety SettingsAdvanced phishing, malware, spoofing, attachment, and link protections. GoGuardian AdminFiltering policies, reporting, audit logs. GoGuardian Teacher OverrideOverride guidance for class-level policies. GoGuardian Smarter FilteringRecent filtering, category, YouTube, and workaround controls. GoGuardian Product Updates2026 release stream for GoGuardian App and product changes. CISA K-12 CybersecurityFederal K-12 cybersecurity toolkit. CISA Cybersecurity Performance GoalsMinimum cybersecurity outcomes. CoSN Cybersecurity PlanningK-12 planning and governance resources. NIST macOS Security Compliance ProjectCurrent macOS hardening baselines.