Decryption is the ultimate solution, but there are other things you can do. For Windows domain-joined, use the Google schema add-on, you can whitelist approved extensions in Chrome and IE which will knock down a good chunk of offenders. The rest will go to Firefox, or chromium, or Brave, or WebDiscovery Browser, or..., in which case you'll need a group policy and/or a way to block those executables. I see Firefox with Zenmate used mostly. Students will rdp to their home networks, or even a hosted server, so see if you are allowing rdp externally. For other devices, it depends if you manage them with a central tool designed for client management. If you do, there should be similar ways to do the above. For BYOD you can run a report on the firewall for vpn/anonymous proxy hits and using a script mass-block the devices in your wifi controller. This can get the word out that IT means business. I'd also suggust adding to your 'anonymous' tips form (like schoolmessenger) the subject, 'network use violation' or similar. That, along with some face time in front of students to address their responsibility as digital citizens of your network can cut down on vpn activity. The fact is, kids don't think they're doing anything bad (wrong, yes), once they're confronted with the seriousness of violating this policy most will get it. I could go on...
... View more