For school IT
Deploy the client and permissions with MDM, name machines, add tags, bind policies, and retain command audit logs.
For teachers
Teachers log in to the Tooo App Lab tab, see only Web-authorized Macs, filter by risk/tag/online status, and take action when needed.
For students
Students do not need SafeID. They swipe a USB HID card; the server creates a session from the card UID hash.
Full Lab flow from deployment to alert
These flows require school MDM, AUP notice, and Web authorization. Tooo does not use hidden monitoring or bypass school authorization.
1. Managed deployment
School IT uses MDM to push Tooo.app, configuration profiles, PPPC permissions, Safari/Chromium extensions, and optional network filtering profiles. Students cannot remove managed profiles.
2. Device binding
Daily add-device flow uses a 6-digit code shown on the student Mac. Web admin accepts it. MDM bulk/unattended installs use enrollment tokens. After binding, device requests are signed by the Keychain device key.
3. Card-based student session
Students swipe USB HID cards only. The backend stores a peppered card UID hash, creates a student_session, and attaches later events, screenshots, recordings, and alerts to it.
4. Classroom telemetry
Tooo.app captures heartbeat, OS/App/MDM/permission status, runtime logs, screenshots, and recordings. Browser extensions capture URL, title, search, downloads, DOM summary, and form field names.
5. Filtering and AI
Blacklist hits can block and create high-risk alerts. AI findings outside the blacklist only notify teachers/admins for confirmation and do not automatically block student work.
6. Teacher response
The teacher app shows only Web-authorized machines. Teachers can view timeline, recent screenshots, and alerts, then message, capture, record, lock, restart, or collect logs.
What Tooo Lab can record, archive, and alert on
| Category | Captured content | Source | Privacy boundary |
|---|---|---|---|
| Device status | Online/offline, last seen, OS/App version, MDM status, permission status, policy version | Tooo.app heartbeat | School-authorized devices only |
| Screenshots / recordings | Scheduled screenshots, instant screenshots, start/stop recording, archive metadata | Tooo.app + MDM permissions | Disclosed by AUP; default 30-day retention |
| Runtime logs | Tooo.app logs, command results, errors, client status | Tooo.app collect_logs | Default 180-day retention; parent portal previews snippets |
| Running apps | Foreground/active app, app switching, suspicious app usage events | Managed client / policy-controlled collection | App metadata only; does not read private files |
| Web access | URL, page title, search query, downloads, tab lifecycle, DOM text summary, form field names | Safari + Chromium extensions | No passwords or form values; DOM summary is truncated and policy-controlled |
| Network fallback | Non-browser traffic, blacklist URLs, TLS metadata, QUIC fallback status | Network/System Extension + MDM profile | Allowlisted banking, health, government, and personal email traffic is not decrypted |
| AI alerts | Blacklist high-risk, AI suspicion, teacher handling status, false-positive/resolved/escalated | Backend worker / rule engine | AI uses minimum necessary content; non-blacklist hits alert only |
8 steps from empty classroom to managed Lab
1. Prepare MDM / supervised Macs
Enroll lab Macs into MDM and prepare PPPC, login item, and filtering profiles.
2. Create school; use tokens only for MDM
Admin logs in to Web Admin and creates the school. Daily add-device flow uses each student Mac's 6-digit code; enrollment tokens are only for MDM, bulk, or unattended first binding.
3. Install Tooo Lab Client with MDM
Client enrolls with token, device ID, public key, and machine metadata, then uses signed requests.
4. Name machines and add tags
Name machines like A-01/A-02 and tag them by room, class, or mode.
5. Configure policies
Set screenshot interval, recording permission, log level, blacklist version, AI analysis, allowed commands, and cache limits.
6. Import roster and bind cards
Import student roster and bind card UID hashes; raw card UIDs are not displayed or logged.
7. Authorize teacher SafeIDs
Authorize teachers by school, tag, or machine, with separate view, classroom-command, and archive permissions.
8. Teach with the Tooo App
Teachers see authorized machines only and can open details for student, screenshots, timeline, alerts, and commands.
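A sketch of the card binding and card swipe steps described above, added here as an illustration and not Tooo's own code. HMAC-SHA256 as the peppered hash, the hex UID format, and all names (`CardDirectory`, `card_hash`, `PEPPER`) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the pepper is a server-side secret kept outside the database
# (KMS or environment). A random value is generated here so the sketch runs.
PEPPER = secrets.token_bytes(32)


def normalize_uid(raw: str) -> bytes:
    # A USB HID reader types the UID as text; canonicalize before hashing
    # so "04:a2:5b:1c" and "04A25B1C\n" map to the same card.
    uid = raw.strip().replace(":", "").replace(" ", "").upper()
    if len(uid) not in (8, 14, 20) or any(c not in "0123456789ABCDEF" for c in uid):
        raise ValueError("malformed card UID")
    return uid.encode()


def card_hash(raw_uid: str, pepper: bytes = PEPPER) -> str:
    # Card UIDs are short, so an unkeyed hash can be brute-forced from a
    # database dump; keying the hash with the pepper prevents that.
    return hmac.new(pepper, normalize_uid(raw_uid), hashlib.sha256).hexdigest()


class CardDirectory:
    def __init__(self):
        self.bindings = {}  # card hash -> student id; raw UID never stored
        self.sessions = {}  # device id -> current student_session
        self.audit = []     # log lines carry a hash prefix, never the UID

    def bind(self, student_id, raw_uid):
        self.bindings[card_hash(raw_uid)] = student_id

    def swipe(self, device_id, raw_uid):
        h = card_hash(raw_uid)
        student = self.bindings.get(h)
        self.audit.append(f"swipe device={device_id} card={h[:8]} known={student is not None}")
        if student is None:
            return None  # unknown card: no session is created
        session = {"id": secrets.token_hex(8), "device": device_id,
                   "student": student, "started": time.time(), "events": []}
        self.sessions[device_id] = session
        return session

    def attach(self, device_id, event):
        # Later events, screenshots and alerts hang off the current session.
        session = self.sessions.get(device_id)
        if session is not None:
            session["events"].append(event)
        return session is not None
```

Rotating the pepper invalidates every stored hash, so a rotation has to be paired with re-binding cards or with a versioned pepper per record.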
What happens during a class
After a card swipe, activity on that Mac is attached to the current student session. Policy controls screenshots, allowed commands, and AI analysis. Blacklist hits become high-risk alerts; AI-only matches ask teachers to confirm.
| Moment | System action | Teacher sees |
|---|---|---|
| Card swipe | Create student_session | Current student on machine |
| App / web usage | Upload events and logs | Activity timeline |
| Scheduled capture | Write archive metadata | Recent screenshots |
| Blacklist hit | Block and create high-risk alert | Red high-risk alert |
| AI suspicion | Alert only, no auto-block | Pending review alert |
Teacher actions
Safety and compliance boundary
Tooo Lab is a managed system for school-owned devices. It does not use hidden persistence or bypass school authorization. Screenshots, recordings, logs, and audit trails have retention windows that schools can configure within policy.
AUP Notice Template Highlights
Scope of use
By default, the AUP assumes Lab computers stay on school premises for class, testing, lab, and managed learning activities. If the school allows take-home use or home Wi-Fi, the AUP must clearly say which monitoring and archive controls remain active.
Opt-out and alternatives
Schools should provide an understandable opt-out or consent-withdrawal process, explain available learning alternatives after withdrawal, and state that existing records remain subject to school retention obligations.
Parent and student notice
Notice should cover screenshots, recordings, running apps, web access records, remote commands, archive retention, AI alerts, and who may view these records.
COPPA / FERPA posture
For students under 13, the school should confirm its school-authorization posture; data sharing and vendor use must stay limited to authorized educational purposes and remain traceable through audit and retention controls.
Tooo Lab supported feature set
These capabilities are available across Web Admin, the macOS teacher app, the managed student client, backend archive, and alert flows.
Web school management
Create and switch schools; manage machines, tags, policies, teacher SafeID authorization, roster, student cards, parent SafeIDs, commands, archives, and alerts.
Device enrollment and lock mode
Supports 6-digit student-Mac enrollment, MDM enrollment tokens for bulk installs, device-key signatures, heartbeat, policy pulls, and app lock mode with card/session/refresh controls after a Mac joins a school.
Teacher app monitoring
After login, teachers automatically see Web-authorized machines, separated from P2P, with online state, risk, current student, screenshots, timeline, and available commands.
Card-based student sessions
Students use USB HID cards only; the backend stores peppered card UID hashes and attaches screenshots, recordings, browser events, running apps, commands, and alerts to the current session.
Screenshot, recording, and log archive
Scheduled screenshots, instant screenshots, recordings, client logs, browser events, and command results can enter server-side archive storage; authorized admins can view archive indexes, integrity state, and retention state.
Browser and network monitoring
Safari/Chromium extensions report URL, title, search, downloads, DOM summaries, and form field names; managed filtering records metadata, blocks blacklists, and keeps HTTPS allowlist boundaries.
Remote commands and messages
Supports refresh, message, screenshot, start/stop recording, lock, restart, and collect logs; commands use device WebSocket with ACK, signature verification, policy filtering, and audit.
AI and blacklist alerts
Blacklist hits are blocked and produce high-risk alerts; AI suspicion notifies teachers/admins for review and can be marked acknowledged, false positive, resolved, or escalated.
Deployment, security, and retention
Supports MDM profiles, Safari extension DDM, school/device CAs, CA rotation and revocation, permission-state visibility, retention cleanup, and audit for key actions.