IT Deployment Guide

Deploy the Content Filter to student devices

You've turned on the Content Filter in TSNC — this guide is the device side that makes it actually enforce, and closes the obvious ways a student could get around it. It takes about 15 minutes in Google Admin Console.

How the Content Filter works (30 seconds)

The filter is enforced by the TSNC browser extension using Chrome's built-in network blocking (declarativeNetRequest). When a student opens a blocked site, the extension redirects them to a “Site blocked” page. Blocking happens locally on the device — no browsing is sent to TSNC. It keeps working even when the browser's background process is asleep.

For it to apply to a student, three things have to be true: the extension is installed, it's allowed in incognito (or incognito is disabled), and the student is signed in with their school account so TSNC knows they're a student. This guide sets up all three.

First, turn it on (if you haven't): in the TSNC admin app go to Admin → Org Security → Content Filter, accept the Content Filter Addendum, choose the categories to block for students and/or staff, and save. The filter stays off until you do this. Then come back here to deploy it to devices.

Step 1 — Force-install the extension on student devices

Force-installing means the extension appears automatically on every student device and the student can't remove it. Do this against your student organizational unit (OU).

Get the extension ID

cpnepnmopionnobdffmnoikbjgnnfkpf

(Verify on our Chrome Web Store listing.)

Add & force-install it

  1. Sign in to admin.google.com as a super admin.
  2. Go to Devices → Chrome → Apps & extensions → Users & browsers.
  3. Select your student OU (so this targets students, not staff).
  4. Click + → Add Chrome app or extension by ID and paste the ID above.
  5. Set the installation policy to Force install (or Force install + pin to browser toolbar — see Step 2).
  6. Click Save.

Within ~6 hours every managed student Chrome browser in that OU has the extension.

Step 2 — Pin it (optional, but handy)

Yes — pinning is supported. On the extension entry, set the pinning option to Force pinned (in newer Admin Console layouts this is the Installation policy choice “Force install + pin to browser toolbar”; in older ones it's a separate Allow user to pin → Force pinned setting).

Important: pinning is not required for the filter to work — blocking happens at the network layer whether or not the icon is visible. Pinning mainly helps admins: it keeps the TSNC icon and its right-click “Allow / Block this site for the org” menu within reach while browsing. Many schools force-pin for staff and leave it unpinned for students.

Step 3 — Close the incognito bypass (the #1 way around it)

By default, Chrome extensions are disabled in Incognito — so a student could open an Incognito window and the filter wouldn't apply. Close this gap one of two ways:

  • Allow the extension in Incognito — in the same extension policy, set Allow in incognito = Enabled.
  • Or (cleanest) disable Incognito for students entirely: Devices → Chrome → Settings → Users & browsers → Incognito mode → Disallow incognito mode.

Either one closes the gap. Disabling Incognito for student OUs is the simplest and most robust.

Step 4 — Enforce school sign-in

The filter decides who's a student from their signed-in account: staff = someone with a TSNC org role; student = on the school's email domain but not staff. So the student must be signed in with their school Google account.

  • Use enrolled / managed Chromebooks so students sign in with the school account.
  • Set Restrict sign-in to pattern to your domain so personal Google accounts can't be used to dodge the policy.
  • Make sure your student email domains are registered for the org in TSNC — that's how “student” is recognized.
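
To confirm Steps 1, 3 and 4 actually reached a device, you can compare the policy values Chrome reports (chrome://policy) against the three conditions. The script below is an added example, not TSNC code. It assumes the values have been collected into a simple name-to-value mapping; the sample data and the school.example domain are constructed, and the sign-in pattern check is a heuristic.

```python
EXT_ID = "cpnepnmopionnobdffmnoikbjgnnfkpf"  # extension ID from this guide


def audit(policies, school_domain):
    """Return a list of findings; an empty list means the checks passed.

    `policies` maps Chrome policy names to their values (assumed shape).
    """
    findings = []

    # Step 1: force-installed, either through ExtensionInstallForcelist
    # (entries are "id" or "id;update_url") or through ExtensionSettings.
    forced = {e.split(";", 1)[0] for e in policies.get("ExtensionInstallForcelist", [])}
    mode = policies.get("ExtensionSettings", {}).get(EXT_ID, {}).get("installation_mode")
    if EXT_ID not in forced and mode != "force_installed":
        findings.append("extension is not force-installed")

    # Step 3: IncognitoModeAvailability == 1 means incognito is disabled.
    # Any other value leaves incognito open, so the per-extension
    # "Allow in incognito" setting has to be confirmed in Admin Console.
    if policies.get("IncognitoModeAvailability") != 1:
        findings.append("incognito available: confirm Allow in incognito = Enabled")

    # Step 4: RestrictSigninToPattern is a regex; heuristic check that it
    # ends with @<school domain> once regex escapes are stripped.
    pattern = policies.get("RestrictSigninToPattern", "").replace("\\", "")
    if not pattern.lower().endswith("@" + school_domain.lower()):
        findings.append("sign-in is not restricted to the school domain")

    return findings


# Constructed sample data, not taken from a real device.
GOOD = {
    "ExtensionInstallForcelist": [EXT_ID + ";https://clients2.google.com/service/update2/crx"],
    "IncognitoModeAvailability": 1,
    "RestrictSigninToPattern": ".*@school\\.example",
}
BAD = {
    "ExtensionSettings": {EXT_ID: {"installation_mode": "allowed"}},
    "IncognitoModeAvailability": 0,
}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(sample, "school.example") or "all checks passed")
```

An empty result does not cover the TSNC side: the student email domains still have to be registered for the org in TSNC.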

Other bypasses to know about

  • Personal device / personal account → not managed, not signed in as a school user, so the filter doesn't apply. Content filtering is for managed devices.
  • VPNs / proxies → enable the Proxies & VPNs category to block common circumvention tools, and add specific ones to your deny list as you find them.
  • Other browsers (Firefox/Edge/Safari) → the extension is Chrome/Chromium only. On managed Chromebooks, restrict students to Chrome.
  • DNS-level escape → the extension blocks at the browser; pair with your school's DNS filtering for defense in depth.

What students, staff, and admins see

  • Student → a TSNC “Site blocked” page. No way to proceed.
  • Staff (if you set staff mode to Warn) → a notice they may Proceed anyway; the visit is recorded.
  • Admins → an “Allow this site for the org” button on the block page, plus a right-click Allow / Block this site menu — no copy-pasting URLs into a form.

Privacy & compliance

Enforcement is local — no browsing is sent to TSNC to make a block decision. The extension records policy events only (attempts to reach blocked sites + staff bypasses), shown to your admins as aggregate counts by default. The school is the data controller under FERPA and is responsible for any parental notice/consent required before deploying to students. See the Content Filter Addendum and our Privacy Policy.

Want a hand with the rollout?

Email us with your setup (Google Admin OU structure, Chromebooks or mixed devices) and we'll walk you through force-install, incognito lockdown, and sign-in enforcement on a screenshare.
