On-device content filtering: powerful and privacy-friendly

You can have more and better security at your organization without having to compromise your employees’ or students’ privacy with Jamf’s new on-device content filtering solution.

The on-device content filter for iOS and iPad OS is a web protection technology Jamf brings to both Jamf Security Cloud and Jamf Safe Internet.

In this session “On-device Content Filtering: Powerful and Privacy-friendly," presenter Hernán Romero, Product Manager at Jamf, shows what’s so exciting about this new solution.

What does on-device content filtering mean?

Simply put, this feature enables the evaluation of policies on the device rather than the gateway.

Romero says that thanks to more powerful iPhone and iPads and new network APIs from Apple, we’ve been able to move the evaluation of web-protection policies from the cloud to the device.

The on-device content filter uses an Apple network extension to analyze traffic directly on a device. And because of the semi-sandbox architecture of this network extension, we’re able to not only provide more and better security but to do so in a privacy-friendly way.

How is it more powerful?

Because the on-device content filter is deeply integrated with Apple’s architecture in an unrestricted way, we can go beyond the usual domain-based rules.

Expanded areas of filtering include:

• URLs – evaluation of full paths and query parameters, even with TLS encryption
• IP addresses – block not only single IP addresses but also ranges and subnet
• Bundle IDs –full traffic filtering of all incoming and outgoing traffic in iOS/iPadOS apps
• Keywords – broad or specific blocking of words and phrases in a URL and HTML body

Romero walked through the traffic flow of on-device content filtering. He explained that once Jamf Trust has fetched a policy from the cloud if the on-device content filter needs to ask threat intelligence for classification, the response is cached on the device. Similarly, if there’s an explicit rule, it’s applied immediately.

The result: fewer round trips versus cloud-based vectoring, which means lower latency and faster end-user experience. Additionally, users with personal VPNs are not able to bypass on-device filtering as opposed to cloud-based vectoring.

How is it more privacy-preserving?

Thanks to Apple’s semi-sandboxed architecture of the network extension, on-device content filtering offers privacy by design.

All evaluation of end-user activity is done in the encrypted site of the network extension where all sensitive data is stored. Once the evaluation is complete, sensitive data is stripped as it passes through the unencrypted part of the network extension before it’s available for reporting.

The result: on-device content filtering gives more and better security in a privacy-friendly way.

Who is on-device content filtering for?

While the Jamf team was building this solution they specifically focused on:

• Students and parents – give peace of mind from privacy safeguards built-in by design
• Teachers – apply policies as broad or specific as you need them to be
• High-compliance environments – make sure sensitive private data stays private
• Admins – gain effective and comprehensive tools aligned with Apple principals

As Romero notes, we’re thinking about end users, admins and organizations – it’s an upgrade for everyone.

Check out the full session for a step-by-step demonstration of setup, deployment and usage as well as an audience Q and A.