The school-issued laptops are all Macbooks. To be clear I'm not in the IT department so I don't know exactly what the setup is, but I see my students using their computers.

A VPN is involved, which is what made me assume they are doing TLS shenanigans—I guess I could theoretically be wrong, but it's definitely more granular than domain-level blocking, so I don't know how else it could work. The computers connect to this VPN automatically on startup. In the moments before the VPN connects, the internet does not work.

> Machines especially for schools should be able to have software policies set directly on them to limit such sites.

It's a good point—if you just did this client-side instead of on the network level, you wouldn't have to deal with TLS or anything. It seems clear to me that they aren't doing that (given the VPN) and it's not immediately obvious to me why.