Web Content Filter MDM payload settings for Apple devices
Learn how to deny access to websites, or allow access to only specific websites, for users of an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution. Use the Web Content Filter payload to choose which websites the device can view. You can automatically filter out adult content, and then permit or deny access to specific sites. You can also set up a device so that it can view only specific websites and create bookmarks for those websites. In macOS 10.15 or later you can also:
Filter data
Filter packets
Set the filter grade type: firewall or inspector
iOS and iPadOS support a total of eight content filters. Only one filter is available for system-wide use.
macOS supports a total of four firewall grade content filters and a total of four inspector grade filters. All filters are available for system-wide use.
The Web Content Filter payload supports the following. For more information, see Payload information.
Supported payload identifier: com.apple.webcontent-filter
Supported operating systems and channels: iOS, iPadOS, Shared iPad device, macOS device, visionOS 1.1.
Supported enrollment methods: Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—each payload must have a unique content filter UUID.
You can use the settings in the table below with the Web Content Filter payload.
Setting | Description | Required | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Allowed URLs | Add URLs to this list to permit access to certain websites, even if they’re considered adult by the automatic filter. If you leave this list empty, access is permitted to all nonadult websites except for those listed in Denied URLs. Note: Websites owned by Apple that end in .apple.com and .icloud.com are always accessible, even if they aren’t listed in the permitted URL list. | No | |||||||||
Denied URLs | Add URLs to this list to deny access to certain websites. Users can’t visit these sites even if they’re considered nonadult by the automatic filter. Note: If a restriction contains denied URLs, then any URLs in the Allow URLs field that contradict the denied list are removed. | No | |||||||||
Content filter UUID iOS 16 or later iPadOS 16.1 or later | A globally unique identifier for this content filter configuration. Managed Apps with the same content filter UUID in their app attributes have their network traffic processed by the content filter. | No | |||||||||
Specific Web Sites Only | Add the websites that you want to give access to. Enter the URL of the website in the URL column. Enter the name for the bookmark in the Name column. | No | |||||||||
Plug-in | Create customized settings to connect and authenticate to third-party content filters. | No | |||||||||
Filter type | Built-in or plug-in (plug-in must be used for macOS) | No | |||||||||
Filter name | Display name of the filter in the app and on the device | Yes | |||||||||
Identifier | The identifier for the plug-in filter. | Yes | |||||||||
Service address | The IP address, fully qualified domain name (FQDN), or URL of the service. | No | |||||||||
Organization | The organization name for the service. | No | |||||||||
User name | The user name for authenticating to the service. | No | |||||||||
User password | The password for the user name. | No | |||||||||
Certificate | The Certificates payload used to authorize connections to the service. | No |
URL structure and examples
When you enter URLs, start the URL with https:// or http://. If necessary, add separate entries for https:// and http:// versions of the same URL. These settings can’t be edited on iPhone and iPad devices when an installed configuration profile contains content restrictions. If an allowed or denied URL redirects to another URL, the redirected URL must be added as well.
The system matches URLs using string-based matching. A URL matches an allow list, deny list, or permitted list pattern if the exact characters of the pattern appear as a substring of the URL requested in the web browser. For example, if the system doesn’t allow betterbag.com/a, it blocks betterbag.com/a, betterbag.com/apple, and betterbag.com/a/b. List entries that terminate with a slash (/) character are matched explicitly; for example, if the system blocks or allows betterbag.com/a/, it blocks or allows betterbag.com/a and betterbag.com/a/b. Matching discards a “www” subdomain prefix if present, so betterbag.com and www.betterbag.com are treated the same.
Allow list example
Description | Examples |
---|---|
To allow the entire domain, including all subdomains and subpaths, add the top-level domain URL. | https://betterbag.com/ or https://www.betterbag.com |
To specify by subpath, add the subpaths individually. Note: Specifying subpaths still allows access to the top-level domain. This format acts as a wildcard to allow all subpaths beginning with the specified character. | https://betterbag.com/a allows https://betterbag.com/apple, https://betterbag.com/about, https://betterbag.com/a/b, and so on. |
Ending a URL with a slash (/) matches the URL explicitly. | https://betterbag.com/a/ allows https://betterbag.com/a/b, and so on. |
Specifying subdomains don’t allow access to the top-level domain. Both must be included. | https://about.betterbag.com has no effect on allowing https://betterbag.com, https://blog.betterbag.com, and so on. |
Deny list example
Description | Examples |
---|---|
To block the entire domain, including all subdomains and subpaths, add the top level domain URL. | https://betterbag.com/ or https://www.betterbag.com |
To specify by subpath, add the subpaths individually. Note: Specifying subpaths block access to only that subpath but still allow access to the top level domain. This format acts as a wildcard to block all subpaths beginning with the specified character. | https://betterbag.com/a blocks https://betterbag.com/apple, https://betterbag.com/about, https://betterbag.com/a/b, and so on. |
Ending a URL with a slash (/) matches the URL explicitly. | https://betterbag.com/a/ blocks https://betterbag.com/a/b, and so on. |
Specifying subdomains doesn’t block access to the top level domain. Both must be included. | https://about.betterbag.com has no effect on blocking https://betterbag.com, https://blog.betterbag.com, and so on. |
Note: Each MDM vendor implements these settings differently. To learn how Web Content Filter MDM payload settings are applied to your devices, consult your MDM vendor’s documentation.