Filtering content for Apple devices
iOS, iPadOS, and macOS support multiple forms of content filtering, including restrictions, global HTTP proxy, and advanced content filtering.
Device support for website restrictions
Apple devices can restrict Safari and third-party apps to specific websites. Organizations with simple or limited content-filtering needs use this feature. Organizations with complex or legally mandated content-filtering requirements should use global HTTP proxy or advanced content-filtering options.
Website restrictions can be configured in Screen Time. Your mobile device management (MDM) solution can also configure website restrictions. The setting can be configured to allow all websites, limit adult content or specific websites only, or save user names and passwords for specific websites:
All websites: Web content isn’t filtered.
Limit adult content: Limits access to many adult websites automatically.
Specific websites only: Limits access to predetermined websites, which can be customized.
Safari Password Autofill Domains: When this section of the Domains payload is configured, user names and passwords are saved for the website URLs listed.
Device support for global HTTP proxy
Apple devices support global HTTP proxy configuration. Global HTTP proxy routes most device web traffic through a specified proxy server or setting, applied across all Wi-Fi and cellular networks. This feature is commonly used by K–12 institutions or businesses for Internet content filtering in an organization-owned one-to-one deployment, in which users take their devices home. It allows the devices to be filtered both in school or at the place of business and at home. Global HTTP proxy requires iOS, iPadOS, and tvOS devices to be supervised.
Some apps, such as FaceTime, don’t use HTTP connections and can’t be proxied by an HTTP proxy server, thereby bypassing the global HTTP proxy. You can manage apps that don’t use HTTP connections with advanced content filtering.
You may need to make network changes to support global HTTP proxy. When planning global HTTP proxy for your environment, consider the following options—and work with your filtering vendor for the configuration:
External accessibility: The organization’s proxy server must be externally accessible if devices are to access it when they’re outside the school’s network.
Proxy PAC: Global HTTP proxy supports either a manual proxy configuration by specifying the IP address or DNS name of the proxy server, or it supports an automatic configuration using a proxy PAC URL. A proxy PAC file configuration can instruct the client to automatically choose the appropriate proxy server for fetching a given URL, including bypassing the proxy when desired. Consider using a PAC file for greater flexibility.
Captive Wi-Fi compatibility: The global HTTP proxy configuration can allow the client to temporarily bypass the proxy setting in order to join a captive Wi-Fi network. These networks require the user to agree to terms or offer payment through a website before Internet access is granted. Captive Wi-Fi networks are commonly found at public libraries, fast-food restaurants, coffee shops, and other public locations.
Using proxy with the caching service: Consider using a PAC file to configure clients to control when they use the caching service. Misconfigured filtering solutions may cause clients to either bypass the caching service on your organization’s network or unintentionally use the caching service for content while devices are at the user’s home.
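A PAC file is a JavaScript file that defines FindProxyForURL(url, host); the sketch below is an added example (not Apple's or any filtering vendor's configuration) showing the "bypass the proxy when desired" case from the Proxy PAC item, with a dot-boundary domain match and no DIRECT fallback so an unreachable proxy fails closed instead of leaving the device unfiltered. The proxy address, port, and bypass domains are placeholders chosen for illustration.

```javascript
// Added example PAC file. All host names and the port are placeholders.
var FILTER_PROXY = "PROXY filter.example.org:8080"; // hypothetical externally reachable proxy
var DIRECT_DOMAINS = ["intranet.example.org", "printers.example.org"]; // hypothetical bypass list

// True when host equals domain or is a subdomain of it. Matching on a dot
// boundary keeps "xintranet.example.org" from matching "intranet.example.org".
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Decide whether a host may be reached without the filtering proxy.
function shouldBypass(host) {
  host = String(host).toLowerCase();
  // Drop a trailing root dot so "intranet.example.org." is treated the same.
  if (host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1);
  }
  // Single-label names (no dot, no colon) only resolve on the local network.
  if (/^[a-z0-9-]+$/.test(host)) return true;
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (hostInDomain(host, DIRECT_DOMAINS[i])) return true;
  }
  return false;
}

// Entry point the client calls for each URL it is about to fetch.
function FindProxyForURL(url, host) {
  if (shouldBypass(host)) return "DIRECT";
  // No "; DIRECT" fallback here: if the proxy cannot be reached, the request
  // fails rather than going out unfiltered.
  return FILTER_PROXY;
}
```

Every entry added to the bypass list is traffic the filter never sees, so keep the list short and review it with your filtering vendor.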
Advanced content filtering plug-ins
iOS and iPadOS support plug-ins for advanced content filtering of web and socket traffic. The plug-ins run locally and can make filtering decisions locally, using a network or cloud-based system, or a combination of both. An MDM solution can configure this functionality. Speak with your filtering vendor and your MDM vendor to see if they support advanced content filtering.