Network-level filters stop working the moment a student device leaves campus. Our feed of 16,024+ AI domains integrates with Jamf, Intune, Mosyle, and Google Workspace to enforce restrictions on the device itself, on any network.
School firewalls and DNS filters only protect students while on campus. The moment a Chromebook connects to home Wi-Fi or a phone hotspot, those protections vanish.
Device-level blocking is the only way to maintain consistent AI restrictions across every network.
In 1:1 programs, students spend more hours on their device at home than at school. Without device-level restrictions, AI access is wide open off campus.
Students can tether a Chromebook to a personal phone and skip every network filter. IT directors report this as one of the most common bypass techniques.
Blocking ChatGPT and Claude is not enough. Students share links to obscure AI tools on Discord, TikTok, and Reddit.
Chromebooks dominate K-12 device programs. Google Workspace provides built-in URL blocking that follows the device regardless of network.
The URLBlocklist policy accepts domain patterns and enforces them locally on the Chromebook. It works on any network, including home Wi-Fi and hotspots.
Capacity & Coverage
URLBlocklist entriesOrganizational units let you apply different blocklists to different student groups. Segmentation mirrors the reality that AI risk varies by age.
Example OU Structure
Navigate to Devices → Chrome → Settings → Users & browsers, select the student OU, and add AI domains to the URL Blocklist.
The JSON below shows the equivalent configuration for the Chrome Policy API.
// Google Workspace — Chrome URLBlocklist via Policy API // Target OU: /Students or /Students/Middle-School { "requests": [{ "policyTargetKey": { "targetResource": "orgunits/STUDENT_OU_ID" }, "policyValue": { "policySchema": "chrome.users.UrlBlocking", "value": { "urlBlocklist": [ "chatgpt.com", "chat.openai.com", "claude.ai", "gemini.google.com", "copilot.microsoft.com", "perplexity.ai", "character.ai", "poe.com", "you.com", "quillbot.com", "writesonic.com", "jasper.ai", "phind.com", "huggingface.co/chat", "deepai.org" // ... up to ~1,000 entries // For 16,024+ domains, use GoGuardian/Lightspeed bulk import ] } }, "updateMask": "policyValue.value.urlBlocklist" }] }
Automated Daily Updates
Use a Google Apps Script or service-account script to fetch the top 1,000 domains from our API daily and push them via the Chrome Policy API. The remaining 16,024+ domains are handled by your content filter's bulk import, which has no entry limit.
MDM platforms provide the enforcement layer that follows every managed device. Our domain feed integrates with all of them through content filter payloads and configuration profiles.
Deploys Web Content Filter payloads enforced at the OS level. Safari, Chrome, and all WebKit apps are covered.
Web Content Filtering and Defender SmartScreen block AI domains across Edge, Chrome, and system-level requests.
Supports Apple, Android, and Windows devices from a single console. Deploy content filters and DNS-over-HTTPS configs across platforms.
Upload this profile to Jamf Pro and scope it to your student device group.
AutoFilterEnabled turns on Apple's built-in content filterBlacklistedURLs adds AI chatbot domains on top<!-- Jamf Pro — Web Content Filter Payload for Student iPads --> <!-- Profile → Restrictions → Content Filter → Limit Adult Content --> <?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> <dict> <key>PayloadContent</key> <array><dict> <key>PayloadType</key> <string>com.apple.webcontent-filter</string> <key>AutoFilterEnabled</key> <true/> <key>FilterType</key> <string>BuiltIn</string> <key>BlacklistedURLs</key> <array> <string>chatgpt.com</string> <string>chat.openai.com</string> <string>claude.ai</string> <string>gemini.google.com</string> <string>copilot.microsoft.com</string> <string>character.ai</string> <string>perplexity.ai</string> <string>poe.com</string> <string>quillbot.com</string> <string>you.com</string> <!-- Full feed: import via Jamf Pro API script --> </array> </dict></array> </dict> </plist>
Deploy via the Endpoint Security blade in Intune. This PowerShell script automates the process.
It creates custom indicators from our API feed and pushes them to Microsoft Defender for Endpoint.
# Intune / Defender for Endpoint — AI Chatbot Domain Indicators # Run via Azure Automation or a scheduled task on your management server $apiKey = "YOUR_API_KEY" $feedUrl = "https://feeds.aitoolsblocklist.com/v1/domains/chatbots.json" # Fetch the latest AI chatbot domains $headers = @{ "Authorization" = "Bearer $apiKey" } $response = Invoke-RestMethod -Uri $feedUrl -Headers $headers $domains = $response.domains Write-Host "Fetched $($domains.Count) AI chatbot domains" # Create custom indicators in Defender for Endpoint foreach ($domain in $domains) { $indicator = @{ indicatorValue = $domain.url indicatorType = "Url" action = "Block" title = "AI Chatbot: $($domain.name)" description = "Category: $($domain.category)" severity = "Medium" recommendedActions = "Blocked by district AI policy" } Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/indicators" ` -Method Post -Headers $defenderHeaders ` -Body ($indicator | ConvertTo-Json) ` -ContentType "application/json" } Write-Host "Updated $($domains.Count) Defender URL indicators"
One feed, multiple policies.
Apply different blocklist configurations to different student populations from the same 16,024+ domain feed, filtered by the 18-category taxonomy. High school AP CS students may need coding assistants, while elementary students need full blocking.
Block all 18 AI-tool categories with zero exceptions. No category tuning, no exception requests, no ambiguity.
Allow pre-approved "Education & Learning" tools under teacher supervision. General chatbots, AI writers, and image generators stay blocked.
Block text-generation and essay-writing tools while permitting AI coding tools for CS courses. Image and video generators remain blocked to prevent deepfakes.
Fetches category-filtered feeds from our API and deploys them to the correct device groups. Run daily via cron to keep each group current.
#!/bin/bash # /opt/scripts/device-group-sync.sh # Sync AI blocklists for each student tier API_KEY="YOUR_API_KEY" BASE_URL="https://feeds.aitoolsblocklist.com/v1/domains" OUTPUT_DIR="/var/lib/mdm-sync/blocklists" # Elementary: all categories (full block) curl -s -H "Authorization: Bearer $API_KEY" \ "$BASE_URL/all.txt" \ -o "$OUTPUT_DIR/elementary.txt" # Middle school: exclude education-learning category curl -s -H "Authorization: Bearer $API_KEY" \ "$BASE_URL/all.txt?exclude=education-learning" \ -o "$OUTPUT_DIR/middle-school.txt" # High school: exclude education, code-dev, data-research, security curl -s -H "Authorization: Bearer $API_KEY" \ "$BASE_URL/all.txt?exclude=education-learning,code-development,data-research,security-detection" \ -o "$OUTPUT_DIR/high-school.txt" # Log domain counts per tier for tier in elementary middle-school high-school; do count=$(wc -l < "$OUTPUT_DIR/$tier.txt") echo "[$(date)] $tier: $count domains" >> /var/log/ai-blocklist-sync.log done echo "[$(date)] Device group sync complete"
Testing Windows Demand Maximum Blocking
State assessments, AP exams, SATs, and district benchmarks require all AI-tool categories blocked. Even normally-permitted categories should be restricted during exams to ensure integrity.
Your automation script checks if today falls within a testing window
If yes, it pulls the full-block feed (all 18 categories, zero exceptions)
When testing ends, it reverts each group to its normal tier-based feed
Both feeds draw from the same 16,024+ domain database
No manual toggle-flipping at 7 AM on testing day
No separate "testing blocklist" to maintain
Full coverage during testing without disrupting normal policies
Same underlying database for both modes
Runs daily via cron. Reads testing-period date ranges from a config file and deploys the appropriate feed.
Update the config once per semester when the testing calendar is published -- no code changes needed.
#!/bin/bash # /opt/scripts/testing-period-switch.sh # Cron: 0 5 * * * /opt/scripts/testing-period-switch.sh API_KEY="YOUR_API_KEY" BASE_URL="https://feeds.aitoolsblocklist.com/v1/domains" CONFIG="/etc/ai-blocklist/testing-periods.conf" OUTPUT_DIR="/var/lib/mdm-sync/blocklists" TODAY=$(date +%Y-%m-%d) TESTING_MODE="false" # testing-periods.conf format: START_DATE END_DATE LABEL # 2025-03-10 2025-03-21 State_Assessment # 2025-05-05 2025-05-16 AP_Exams # 2025-06-02 2025-06-06 Final_Exams while IFS=' ' read -r start end label; do [[ "$start" == "#"* ]] && continue if [[ "$TODAY" >= "$start" && "$TODAY" <= "$end" ]]; then TESTING_MODE="true" echo "[$(date)] TESTING PERIOD ACTIVE: $label ($start to $end)" break fi done < "$CONFIG" if [ "$TESTING_MODE" = "true" ]; then echo "[$(date)] Deploying FULL BLOCK to all tiers" for tier in elementary middle-school high-school; do curl -s -H "Authorization: Bearer $API_KEY" \ "$BASE_URL/all.txt" \ -o "$OUTPUT_DIR/$tier.txt" done else echo "[$(date)] Deploying TIER-BASED blocking" # Each tier gets its normal category-filtered feed curl -s -H "Authorization: Bearer $API_KEY" \ "$BASE_URL/all.txt" -o "$OUTPUT_DIR/elementary.txt" curl -s -H "Authorization: Bearer $API_KEY" \ "$BASE_URL/all.txt?exclude=education-learning" \ -o "$OUTPUT_DIR/middle-school.txt" curl -s -H "Authorization: Bearer $API_KEY" \ "$BASE_URL/all.txt?exclude=education-learning,code-development,data-research,security-detection" \ -o "$OUTPUT_DIR/high-school.txt" fi # Trigger MDM profile refresh (example: Jamf Pro API) curl -s -X POST "https://your-jamf.jamfcloud.com/api/v1/mdm/renew-profile" \ -H "Authorization: Bearer $JAMF_TOKEN" echo "[$(date)] Feed deployment complete. Testing mode: $TESTING_MODE"
Blocking domains is half the equation. Visibility is the other half -- knowing who is attempting bypasses and which new AI tools generate the most traffic.
This intelligence feeds directly into policy refinement and helps identify students who need guidance on academic integrity.
Our feed classifies every domain into 18 functional categories. Your block logs show what kind of AI tool a student sought -- chatbot, essay writer, image generator, or code assistant.
A student hitting "Text & Language" domains during a writing assignment is a different signal than a CS student hitting "Code & Development" during a lab.
Phone Hotspot Tethering
Students tether to a personal phone to skip network filters. MDM policies prevent this because the blocklist enforces on the device, not the network.
Web Proxies & VPNs
On managed Chromebooks, disable unapproved extensions. On iPads, Supervised mode prevents VPN installation without MDM authorization.
Alternative AI Domains
When ChatGPT is blocked, students find alternatives via social media. Our feed covers 16,024+ domains including obscure tools, mirror sites, and new launches -- updated within 24 hours.
Threshold Alerts
Alert when a student exceeds 10 blocked AI requests within one hour. This pattern usually indicates active bypass attempts, not incidental clicks.
Testing-Period Escalation
During exams, lower the threshold to 3 attempts and add the testing coordinator to notifications. Any AI access during a proctored exam is a potential integrity violation.
Weekly Digest Reports
Generate summaries by building, grade level, and device group. Share with principals and curriculum directors to inform policy decisions and instructional planning.
Most IT teams start with 20-50 hand-curated AI domains. This covers roughly 15-20% of actual student AI usage.
The remaining 80% happens on tools no human curator has time to discover, evaluate, and add to a spreadsheet.
Our pipeline scans 102M+ domains using ML classifiers and behavioral analysis. It identifies AI tools from network patterns, DNS records, certificate metadata, and content analysis.
No reliance on human awareness -- systematic identification across the entire web, updated daily.
The Long Tail Is Where Cheating Lives
Students who find ChatGPT blocked will search "free AI chatbot no login" or find recommendations on TikTok. They discover essay rewriters, homework solvers, and photo-to-answer tools that most IT teams have never heard of.
The sample includes representative domains from every category -- enough to validate integration with your MDM and content filter before committing.
Catalog every managed device type and the MDM managing each. Confirm every device is enrolled with a current management profile.
Unenrolled devices are invisible to your deployment.
Decide which AI-tool categories to block for each student tier. Document exceptions, approvals, and implementation details.
Use the platform-specific configs above -- Jamf for iPads, Intune for Windows, Google Admin for Chromebooks. Start with a 50-100 device pilot.
Set up daily feed sync to pull the latest domains from our API. New AI tools launch every day -- without automation, your blocklist decays immediately.
Enter testing dates into testing-periods.conf. The automated switcher handles the rest -- update the config once per semester.
Configure block-log alerts and weekly digests. Use category breakdowns to refine your policy -- add exceptions without opening the floodgates.
Download the free sample to test integration with your MDM platform, or request a trial feed configured for your device fleet and testing calendar.
Tell us about your device fleet — MDM platform, device types, student count, and grade levels — and we will configure a trial feed matched to your deployment.