DNS Filtering Transition FAQ

Description

What's Coming?

We're introducing new ITP categories and ITP support on Chromebooks.

Supporting ITP on Chromebooks will allow CSE to expand support for operating systems used primarily in the SLED space, particularly in K-12. 

NOTE: ITP support on Chromebooks is not currently self-service. Contact support for a guided implementation. We are planning for an official launch in the coming months.  

What implications does this have?

  • More threat categories will be available for admins to include in their ITP policies.
  • Existing ITP policy configurations have been mapped to a new list of equivalent categories.
  • The 'Virtual Reality' and 'Generative AI tools' categories will be deprecated.
  • All threats will now be blocked automatically, without customers having to add them explicitly to the ITP policy. See the “Threat Category Updates” section for more detail.
  • New or uncategorized domains undergo dynamic analysis to evaluate whether they are threats. If they are malicious, they will be blocked automatically. If they fall within a category that is not blocked via an ITP policy, the page will load.
  • During the maintenance window, changes to ITP policies will take up to 24 hours to take effect on the device.

Is customer action required?

Customers do not need to take any action. Migration will take place silently and without any impact to customers’ existing ITP policy functionality.

Threat Category Updates

Legacy Threat Categories:

  • Botnet
  • Crypto mining
  • Malware
  • New Domains
  • Phishing & Deception
  • Proxy & Filter Avoidance
  • Translation Sites
  • Very New Domains

New Threat Categories (Automatically blocked):

  • Bots / Cryptomining
  • Dangerous Configuration/History
  • Dangerous 3rd Party Infrastructure
  • Dangerous Name Server
  • Malicious SSL Cert
  • Malware / Ransomware
  • Malware C2
  • Phishing
  • Risky DNS Transactions
  • Spam / Ad Fraud / Spyware
  • Other Known Bad (Community Intelligence)

General Q&A

When will this migration occur?

The migration took place during the week of January 13th, 2025.

Will customers with an existing ITP policy need to take action to ensure service continuity? 

No, we have mapped existing categories to the new categories, so admins will not have to change anything in their existing policies. New categories will be automatically updated in policies.

Will the CSE Command Center UI change with these updates?

Yes, there are a few changes coming.

  • New categories will be available in the ITP policy.
  • Existing ITP policies will have old categories automatically converted to new categories.
  • Threat events generated by Chromebook users with ITP will have user context, rather than being listed simply as Chromebook.
  • Threat categories will be shown for reference and enabled by default; admins cannot disable them.

Is there any action required of end users that have an ITP policy for their device?

End users do not need to perform any actions. If a device has been disconnected for more than 24 hours, it will receive the new configuration immediately. If a device has been disconnected for less than 24 hours, it will reach out to the backend 24 hours from when it was last connected and receive the updated configuration.

Why can't I use ITP on my Chromebook without guided assistance?

The implementation is complex, and without proper guidance users could be left unprotected. Therefore, we are limiting this implementation to technical staff who can ensure a secure setup for customers.
