How-to: On-Device Content Filtering with Jamf Safe Internet

Step into the cybersecurity of the future.

Jamf Safe Internet has recently added On-Device Content Filtering (ODCF).

Apple provides this technology as part of iOS and iPadOS. ODCF enables network filtering directly on the device, which makes it a much more comprehensive filter.

Newest Jamf Safe Internet release

With this release, ODCF has added the ability to filter IP addresses on top of domain names— which Jamf Safe Internet has always done. However, the scope for ODCF technology is much broader than this.

It’s now possible to filter full URLs, ports and identify traffic that originates from specific apps. ODCF is also lower in the network stack than VPN, which means even if students install a VPN, their device will still filter content before going through the tunnel.

This technology is also very privacy-preserving. A huge amount of sensitive data is stripped from requests, and since ODCF evaluates the traffic data on-device, it doesn't need to go to Jamf’s security cloud for evaluation.

This release didn’t just add the ODCF capabilities to Jamf Safe Internet. It also changed the default vectoring method to Apple’s “DNSSetting” payload, moving from a VPN-vectoring method. It's this “DNS over HTTPS” (DoH) that enables Jamf Safe Internet to continue to provide web-based threat prevention.

It’s now done by making the most of Apple’s native frameworks.

New To Jamf Safe Internet?

This release has been optimized for devices running iOS and iPadOS 16+.

Jamf Pro

• If you are a new Jamf Safe Internet customer and have devices running iOS or iPadOS earlier than version 16, you will need to ensure that you deploy the legacy profile to these devices.
• If you are using Jamf Pro to deploy Jamf Safe Internet and have devices running iOS or iPadOS earlier than 16, you will need to need to follow the Getting Started with Jamf Safe Internet in Jamf Pro section of our Jamf Safe Internet documentation.

Where the guide says: “Download the relevant configuration files and complete the Jamf Pro instructions,” you will need to select the configuration profiles from the Jamf Safe Internet console under “iOS and iPadOS unsupervised (or supervised earlier than 16).”

Follow the rest of the guide, but be sure to scope this configuration profile only to devices with iOS or iPadOS earlier than iOS 16. You can do this using Smart Groups. For environments using both iOS and iPadOS 16+ as well as earlier, repeat the process but choose the configuration profile under “iOS and iPadOS supervised (16 or later).”

Jamf School

If you are using Jamf School to deploy Jamf Safe Internet and have devices running iOS or iPadOS earlier than 16, you will not be able to use Jamf School’s built-in single-click connection. Instead:

1. Log into the Jamf Safe Internet console and select the default activation profile.
2. Under “Select your UEM,” choose “Jamf School.”
3. Under “Select your OS,” choose “iOS and iPadOS unsupervised (or supervised earlier than 16).”

Then, download the configuration profile from the console.

Once you have this profile, upload it to School Jamf as a custom profile and scope it, along with the Jamf Trust app, only to devices with iOS or iPadOS earlier than iOS 16. You can do this with Smart Groups.

For environments using both iOS and iPadOS 16+ as well as earlier versions, use the built-in single-click connection for devices 16+, and use the above method for devices with an iOS or iPadOS earlier than 16.

Already have Jamf Safe Internet?

If you already have Jamf Safe Internet deployed to your devices prior to the release of ODCF, all of your devices will be using the legacy profile.

• If you have devices that are running an iOS or iPadOS version earlier than iOS 16, you will not need to take any action. Jamf Safe Internet will continue to run in its legacy form (using a VPN vectoring method and without ODCF capabilities.).
• If you have devices running iOS or iPadOS 16+ and would like to make use of the new DoH and ODCF capabilities, you will need to migrate your devices from the legacy deployment.

The migration has a number of steps and is a simple process. However, it’s extremely important that you follow all the steps as outlined here. Otherwise, there is the risk that your devices may not filter content in the expected way.

Step 1: Create an activation profile that has the new DoH and ODCF configuration populated.

1. Log into your Jamf Safe Internet console and navigate to Devices → Activation Profiles → and select “Create Profile.”
2. Name the profile according to your environment’s needs. I would suggest something that includes DoH and/or ODCF so that you know that this is the new profile and it’s using the new method over the older legacy profile you used before.
3. Select “Save and Create.”
4. In the next window, do not change any settings and select “Save.”

Step 2: Create a Jamf Safe Internet profile in Jamf School.

1. Log into your Jamf School console and navigate to Profiles → and select “Create Profile.”
2. Create the profile by selecting “iOS” → “Device Enrollment.”
3. Name the profile according to your environment’s needs. I would suggest something that includes DoH and/or ODCF so that you define the new profile when deploying.
4. Select “Finish.”
5. Scroll down to the “Safe Internet” payload and select “Configure.”
6. From the dropdown menu, select the activation profile that you created.
7. Select “Save.”

Step 3: Remove the legacy deployment from your devices.

Before deploying Jamf Safe Internet with the new DoH and ODCF capabilities, first:

• Remove the legacy vectoring method from devices.
• Remove the device record from Jamf Safe Internet. This is very important.

Here's how to do it:

1. In Jamf School, un-scope the current Jamf Safe Internet profile from the devices. This will be unique to each environment depending on how you configure groups and settings, but be sure to only un-scope the Jamf Safe Internet profile.
2. Un-scope the Jamf Trust app from devices. This will be unique to each environment depending on how you configure groups and settings, but be sure to only un-scope Jamf Trust. At this point, please be aware that the devices are no longer filtered by Jamf Safe Internet.
3. Move over to the Jamf Safe Internet console and navigate to Devices → Device groups.
4. Select the devices or group of devices that you are migrating (ensuring that you've already removed the profile and Jamf Trust from them within Jamf School) by selecting the checkbox next to the devices.
5. Click “More actions” and select “Delete devices.”
6. In the next window, read the information and select “Delete.”

Step 4: Deploy Jamf Safe Internet using the new profile created in step two.

Now that your devices have fully been removed from the legacy deployment, you can re-deploy Jamf Safe Internet to the devices using ODCF.

1. In Jamf School, scope the profile with the DoH and ODCF configuration created in step two to devices. Remember that DoH and ODCF are suitable for iOS and iPadOS 16+.
2. Scope Jamf Trust to the devices (it doesn’t require a managed app config).

At this point, devices are once again protected by Jamf Safe Internet and you will see devices start to appear in the Jamf Safe Internet console.

How to check that devices are using DoH and ODCF

Regardless of if your deployment is new or you have migrated from the legacy method, you can check on the device to ensure that it has a DoH and On-Device Content Filter payload.

1. On a device, navigate to Settings → General.
2. Find and select VPN, DNS and Device Management. This option will only say VPN and Device Management if a device does not have a DoH and ODCF payload.
3. Under “Restrictions and Proxies,” you will see entries for “DNS” and “Content Filter.”

As a side note, unless you have also deployed a VPN, selecting “VPN” should show no configuration.

What will my users see when ODCF or DoH blocks them?

Jamf Safe Internet keeps students and teachers safe in three ways:

• It prevents students from accessing inappropriate content by blocking certain categories.
• It can also enforce Google Safe Search so that only suitable search results and images appear.
• It keeps students and teachers safe by protecting against web-based threats, such as phishing links or spam websites.

What the end user sees on the device will depend on what content is blocked. If blocked by a category, the user will see the OS block message that is standard for the ODCF protocol.

However, if the blocked content is a web-based threat prevention, such as a phishing site, the user will be presented with a Jamf-branded block page.

How do I block IP addresses?

First, you must add them to your policy as a custom rule.

1. In the Jamf Safe Internet console, navigate to Policies → Content policies and ensure you are editing the policy at the correct level (OU) for your needs (Root, Lead or Group).
2. Select “Custom Rules.”
3. Enter the IP address(es) you wish to block into the “Add custom rules” box.
4. Choose “Block.”
5. Select “Add Custom Rules.”
6. You will then see your custom rules in the list.
7. Make sure to select “save and apply” so that these changes are delivered to devices.

Remember, IP address filtering is possible thanks to ODCF and is only available for devices with iOS and iPadOS 16+.

What does On-Device Content Filtering do for my school?

This release of Jamf Safe Internet is super exciting as it brings more features in line with Apple's native technologies; it is also more comprehensive and robust. While IP address blocking is great for those who need it, being lower in the network stack allows you to filter even with a VPN on the device. This is a much-needed addition; ODCF is bringing us the feature set of the future.

Yes, there’s a bit of work to migrate to make sure your devices are using DoH and ODCF. However, if clever students have bypassed filtering using IP addresses or VPNs, the benefits outweigh the work.

If you’ve never had this happen in your school, now would be a great time to move to DoH and ODCF before it does. This is the future of Jamf Safe Internet, so why wait?