Filter content for Apple devices
iOS, iPadOS, macOS, and visionOS 1.1 support multiple forms of content filtering, including restrictions, global HTTP proxy, filtered DNS, DNS proxy, and advanced content filtering.
Configuring built-in content filters
Apple devices can restrict Safari and third-party apps to specific websites. Organizations with simple or limited content-filtering needs can use this feature. Organizations with complex or legally mandated content-filtering requirements should use global HTTP proxy or advanced content-filtering options provided by a third-party content filtering app.
A mobile device management (MDM) solution can configure the built-in filter with the following options:
All websites: Web content isn’t filtered.
Limit adult content: Limits access to many adult websites automatically.
Blocked sites: Allows access to all websites unless they are on a customizable block list.
Specific websites only: Limits access to predetermined websites, which can be customized.
The built-in filter is configured using the WebContentFilter payload in iOS, iPadOS, and visionOS 1.1 and the ParentalControlsContentFilter payload in macOS. When the built-in filter is managed by MDM, users also can't clear browsing history and website data in Safari.
Global HTTP proxy with TLS/SSL inspection
Apple devices support global HTTP proxy configuration. Global HTTP proxy routes most device web traffic through a specified proxy server, using a single setting that's applied across all Wi-Fi, cellular, and Ethernet networks. This feature is commonly used by K–12 schools or businesses for internet content filtering in an organization-owned one-to-one deployment, in which users take their devices home. It allows the devices to be filtered both at school or business and at home. Global HTTP proxy requires that iPhone, iPad, and Apple TV devices be supervised. For more information, see About Apple device supervision and Global HTTP Proxy MDM payload settings.
You may need to make network changes to support global HTTP proxy. When planning global HTTP proxy for your environment, consider the following options—and work with your filtering vendor for the configuration:
External accessibility: The organization’s proxy server must be externally accessible if devices are to access it when they’re outside the organization’s network.
Proxy PAC: Global HTTP proxy supports either a manual proxy configuration by specifying the IP address or DNS name of the proxy server, or it supports an automatic configuration using a proxy PAC URL. A proxy PAC file configuration can instruct the client to automatically choose the appropriate proxy server for fetching a given URL, including bypassing the proxy when desired. Consider using a PAC file for greater flexibility.
Captive Wi-Fi compatibility: The global HTTP proxy configuration can allow the client to temporarily bypass the proxy setting in order to join a captive Wi-Fi network. These networks require the user to agree to terms or offer payment through a website before internet access is granted. Captive Wi-Fi networks are commonly found at public libraries, fast-food restaurants, coffee shops, and other public locations.
Using proxy with the caching service: Consider using a PAC file to configure clients to control when they use the caching service. Misconfigured filtering solutions may cause clients to either bypass the caching service on your organization’s network or unintentionally use the caching service for content while devices are at the user’s home.
Apple products and proxy services: Apple services disable any connection that uses HTTPS Interception (SSL/TLS Inspection). If the HTTPS traffic traverses a web proxy, you must disable HTTPS Interception for the hosts listed in the Apple Support article Use Apple products on enterprise networks.
Note: Some apps, such as FaceTime, don’t use HTTP connections and can’t be proxied by an HTTP proxy server, thereby bypassing the global HTTP proxy. You can manage apps that don’t use HTTP connections with advanced content filtering.
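The proxy PAC approach described above, as an added example that is not from Apple's documentation: a FindProxyForURL function that sends browsing traffic to the filtering proxy but returns DIRECT for Apple service hosts (so they are never subjected to HTTPS interception), for internal hosts, and for private addresses. The proxy addresses, the internal domain suffix, and the Apple host suffixes are assumed placeholders; the authoritative host list comes from the Apple Support article Use Apple products on enterprise networks.

```javascript
// Added example PAC file for use with the Global HTTP Proxy payload.
// All hostnames and proxy addresses below are constructed placeholders.

// Filtering proxy, with a second proxy as fallback (placeholders).
var FILTER_PROXY = "PROXY filter.example.org:8080; PROXY filter2.example.org:8080";

// Apple service hosts must bypass HTTPS interception. These suffixes stand in
// for the published list in the Apple Support article (assumed placeholders).
var APPLE_DIRECT_SUFFIXES = [".apple.com", ".icloud.com", ".mzstatic.com"];

// Internal domain, including hosts served by the organization's caching
// service, that should never be sent through the external proxy (placeholder).
var INTERNAL_SUFFIX = ".corp.example.org";

// True if host equals a suffix without its leading dot, or ends with the suffix.
function endsWithAny(host, suffixes) {
  for (var i = 0; i < suffixes.length; i++) {
    var s = suffixes[i];
    if (host === s.slice(1) || host.slice(-s.length) === s) { return true; }
  }
  return false;
}

// Unqualified names and localhost are never proxied.
function isPlainHostOrLocal(host) {
  return host.indexOf(".") === -1 || host === "localhost";
}

// RFC 1918 private IPv4 ranges are reached directly on the local network.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) { return false; }
  var a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Entry point called by the device for every URL when the PAC URL is set.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostOrLocal(host) || isPrivateIPv4(host)) { return "DIRECT"; }
  if (endsWithAny(host, APPLE_DIRECT_SUFFIXES)) { return "DIRECT"; }
  if (endsWithAny(host, [INTERNAL_SUFFIX])) { return "DIRECT"; }
  return FILTER_PROXY;
}
```

The function uses only plain string operations rather than PAC helper functions such as dnsDomainIs, so the same file can be exercised offline in Node before it is published at the PAC URL.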
Feature | Support |
---|---|
Requires supervision on iPhone and iPad | |
Requires supervision on Mac | |
Provides organizational visibility | |
Can filter hosts | |
Can filter paths in URLs | |
Can filter query strings in URLs | |
Can filter packets | |
Can filter protocols other than http | |
Network architecture considerations | Traffic is routed through a proxy, which may impact network latency and throughput. |
Network proxy configuration
A proxy server acts as an intermediary between a single computer user and the internet so that the network can ensure security, administrative control, and caching service. Use the Proxy MDM payload to configure proxy settings for Mac computers enrolled in an MDM solution. This payload supports configuring proxies for the following protocols:
HTTP
HTTPS
FTP
RTSP
SOCKS
Gopher
For more information, see Network Proxy Configuration MDM settings.
Feature | Support |
---|---|
Requires supervision on iPhone and iPad | |
Requires supervision on Mac | |
Provides organizational visibility | |
Can filter hosts | |
Can filter paths in URLs | |
Can filter query strings in URLs | |
Can filter packets | |
Can filter protocols other than http | Some protocols. |
Network architecture considerations | Traffic is routed through a proxy, which may impact network latency and throughput. |
DNS Proxy MDM payload
You can configure settings for the DNS Proxy payload for users of iPhone, iPad, Mac, and Apple Vision Pro devices enrolled in an MDM solution. Use the DNS Proxy payload to specify apps that must use DNS proxy network extensions and vendor-specific values. Use of this payload requires an accompanying app that’s specified using the app’s bundle identifier (also known as the bundle ID).
For more information, see DNS Proxy MDM payload settings.
Feature | Support |
---|---|
Support for Apple Vision Pro | |
Requires supervision on iPhone and iPad | Prior to iOS 15 and iPadOS 15, supervision is required. For devices with iOS 15 and iPadOS 15, or later, this payload isn’t supervised and must be installed using an MDM solution. |
Requires supervision on Mac | |
Provides organizational visibility | |
Can filter hosts | |
Can filter paths in URLs | |
Can filter query strings in URLs | |
Can filter packets | |
Can filter protocols other than http | For DNS lookups only. |
Network architecture considerations | Minimal impact on network performance. |
DNS Settings MDM payload
You can configure settings for the DNS Settings payload for users of iPhone, iPad (including Shared iPad), Mac, and Apple Vision Pro devices enrolled in an MDM solution. Specifically, this payload is used to configure DNS over HTTPS (also known as DoH) or DNS over TLS (also known as DoT). Doing so enhances user privacy by encrypting DNS traffic and can also be used to take advantage of filtered DNS services. The payload can either identify specific DNS queries that use the specified DNS servers, or it can apply to all DNS queries. The payload can also specify Wi-Fi SSIDs whose specified DNS servers are used for queries.
Note: When installed using MDM, the setting only applies to managed Wi-Fi networks.
For more information, see DNS Settings MDM payload settings and DNSSettings on the Apple Developer website.
Feature | Support |
---|---|
Support for Apple Vision Pro | |
Requires supervision on iPhone and iPad | Configuration can be locked on supervised devices. Configuration can be overridden by a VPN app if allowed by MDM (supervised devices). |
Requires supervision on Mac | Configuration can be locked on supervised devices. Configuration can be overridden by a VPN app if allowed by MDM (supervised devices). |
Provides organizational visibility | |
Can filter hosts | |
Can filter paths in URLs | |
Can filter query strings in URLs | |
Can filter packets | |
Can filter protocols other than http | For DNS lookups only. |
Network architecture considerations | Minimal impact on network performance. |
Content filter providers
iOS, iPadOS, and macOS support plug-ins for advanced content filtering of web and socket traffic. An on-device network content filter examines user network content as it passes through the network stack. The content filter then determines whether it should block that content or allow it to pass on to its final destination. Content filter providers are delivered through an app installed using MDM. The user’s privacy is protected because the filter data provider runs in a restrictive sandbox. Filtering rules can be dynamically updated by the filter control provider implemented in the app.
For more information, see Content Filter Providers on the Apple Developer website.
Feature | Support |
---|---|
Requires supervision on iPhone and iPad | App must be installed on user’s iOS and iPadOS device and deletion can be prevented if the device is supervised. |
Requires supervision on Mac | |
Provides organizational visibility | |
Can filter hosts | |
Can filter paths in URLs | |
Can filter query strings in URLs | |
Can filter packets | |
Can filter protocols other than http | |
Network architecture considerations | Traffic is filtered on device so there is no network impact. |
VPN/Packet tunnel
When devices send network traffic through a VPN or packet tunnel, network activity can be monitored and filtered. This configuration is similar to that of devices directly connected to a network where traffic between the private network and the internet is monitored and filtered.
Feature | Support |
---|---|
Requires supervision on iPhone and iPad | except Always On VPN, which does require supervision |
Requires supervision on Mac | |
Provides organizational visibility | |
Can filter hosts | Traffic filtered through private network connections only. |
Can filter paths in URLs | Traffic filtered through private network connections only. |
Can filter query strings in URLs | Traffic filtered through private network connections only. |
Can filter packets | |
Can filter protocols other than http | |
Network architecture considerations | Traffic is routed through a private network, which may impact network latency and throughput. |