In many organisations, security is one of the main concerns and reasons for Mobile Device Management deployments. The ability to enforce passcodes and restrictions on managed devices, together with remote lock and wipe, provides a good set of security features. These ensure that devices are company compliant before resources can be accessed. But if you think about threats against your company devices or the possibility of a sensitive data leak, it’s easy to point the finger of blame at the dangers of the Internet and web browsing. Why? Because it provides the ideal platform for malicious software and threats to spread and compromise security.
Worry no more. Our latest release included the possibility to configure web content filters for your supervised iOS devices, meaning that you can whitelist and blacklist specific web URLs in order to restrict users’ web access. Just deploy the configuration profile to your devices, or make the filters part of a business policy and let business policy enforcement deploy them automatically.
The easiest way to start is to deploy a predefined auto filter to your company devices. This blocks the user’s access to most of the explicit and dangerous content that is not accepted on corporate devices, for example, adult websites and some social media content. When the auto filter is deployed, it also prevents Googling malicious content and adult websites in the Safari browser, rather than only blocking access to the web pages. You can modify the behaviour of Apple’s automatic filter by adding your own allowed URLs to the mix. Each entry contains a URL that is accessible whether or not the automatic filter allows access.
If the auto filter is not enough in your organisation, consider adding some blacklist rules to your web content filters. These deny the user access to the configured list of URLs. The rules are matched using string-based root matching and work on the domain level. For example, if https://domain.com/example is denied, then https://domain.com and https://domain.com/another are also blocked. The rules don’t apply to subdomain prefixes, for example, https://www.google.com and https://www.google.fi. These must be blocked by separate rules.
The third level of control, whitelist filters, provides the strongest level of security over your company devices. When whitelist filters are deployed to a device, the end-user is not allowed to visit any sites outside the configuration.
You can also define a title and folder for the whitelisted URL. In this case, a bookmark is created using the given title, stored in the configured folder, and added to the browser bookmarks. In this way, the user can quickly see which websites they are allowed to visit.
You can define multiple web content filters that are all active simultaneously. Only URLs and sites that pass all rules are permitted. When multiple web content filters are present:
- The blacklist is a union of all blacklist filters – Any URL that appears in any of the blacklist filters is denied to the user.
- The whitelist is an intersection of all whitelist filters – Only URLs that appear in every whitelist filter can be accessed by the user.
- If auto filter is used, the allowed URLs list is an intersection of all allowed URLs – Only URLs that appear in every allowed URLs list can be accessed by the user when they would otherwise be blocked by the automatic filter.
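The combination rules above, together with the domain-level blacklist matching described earlier, as an added Python example (not the product's or Apple's code) for checking what a set of deployed filters permits. `WebFilter`, `effective_policy` and `is_permitted` are hypothetical names, the profiles are constructed, and matching whitelist and allowed-URL entries by host is an assumption, since the text only states how blacklist rules are matched.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

def host(url: str) -> str:
    """Host used for domain-level matching; subdomains are distinct hosts."""
    return (urlsplit(url).hostname or "").lower()

@dataclass(frozen=True)
class WebFilter:
    """One deployed web content filter (hypothetical model, not an MDM API)."""
    blacklist: frozenset = frozenset()
    whitelist: Optional[frozenset] = None     # None: profile has no whitelist
    auto_allowed: Optional[frozenset] = None  # None: auto filter not used

def _intersect(lists):
    """Intersection of every list present, or None when no profile sets one."""
    sets = [{host(u) for u in l} for l in lists if l is not None]
    return set.intersection(*sets) if sets else None

def effective_policy(filters):
    """Merge profiles: blacklist = union, whitelist and allowed URLs = intersection."""
    denied = set().union(*[{host(u) for u in f.blacklist} for f in filters])
    allowed = _intersect(f.whitelist for f in filters)
    auto_allowed = _intersect(f.auto_allowed for f in filters)
    return denied, allowed, auto_allowed

def is_permitted(url, filters):
    """True only if the URL passes every rule (auto filter verdict not modelled)."""
    denied, allowed, _ = effective_policy(filters)
    h = host(url)
    if h in denied:
        return False
    return allowed is None or h in allowed

# Constructed sample profiles.
PROFILE_A = WebFilter(
    blacklist=frozenset({"https://domain.com/example"}),
    whitelist=frozenset({"https://intranet.example.com", "https://wiki.example.com"}),
)
PROFILE_B = WebFilter(
    blacklist=frozenset({"https://www.google.com"}),
    whitelist=frozenset({"https://intranet.example.com", "https://domain.com"}),
)
```

With both sample profiles active, only intranet.example.com remains reachable: wiki.example.com is missing from one whitelist, and domain.com is whitelisted in one profile but blacklisted in the other.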
You can always check the current web content filters from the device side by navigating to Settings → General → Device management → Mobile Device Management → Restrictions → Web content filters.
A couple of things I noticed when developing and testing this feature were that the web content filters also applied to third-party browsers, for example, Google Chrome and Firefox, which use iOS WebKit.
In addition, when web content filters are deployed, the Safari browser prevents Google searches for some adult websites and malicious content, rather than just blocking access to the web pages.
Also, one thing to note is that the option to clear history and website data in Safari settings is always disabled when a web content filter is deployed to a supervised iOS device. My guess is that this has something to do with audit logging and parental controls because, obviously, you’d want to check on the actual websites that have been visited.
Similar to application blacklist and whitelist or kiosk mode configuration profiles, web content filters modify the device behaviour drastically, and therefore supervision is needed and justified. The main use case would be company-owned devices, excluding BYOD unless company policy requires that any device must be compliant before sensitive data, Wi-Fi and other resources can be accessed. So go ahead and supervise and enrol your devices using the Apple Device Enrollment Program (DEP) or Apple Configurator to enjoy an added level of security.