On-device content filtering for the enterprise

As bad actors have turned their attention toward Apple, many organizations are seeking ways to boost their security. Enter on-device content filtering from Apple. It filters content comprehensively, adding another layer of protection to a company’s security measures.

July 26 2023 by Haddayr Copley-Woods


What is on-device content filtering?

On-device content filtering is a network filtering framework provided by Apple that allows us to protect organizations by enforcing web protection directly on the device. This allows organizations to enforce a more comprehensive policy and ensure greater privacy for the end user.

Network filtering can bolster your organization’s security.

Why do companies need on-device content filtering?

Identity and access management, endpoint protection and threat protection and remediation are excellent security measures for companies to take. The additional measure of content-filtering software adds another layer of protection against the top threat to company data today: social engineering. Specifically, phishing.

It’s vital for organizations to invest in security awareness training programs, but backing up that training with phishing protection protects sensitive company data even more thoroughly.

Content filtering can protect companies and users against:

  • Unintentional sharing of credentials at a site designed to imitate company websites
  • Intentional or unintentional web filter bypass by visiting a site via its IP address
  • Accidental visits to sites that prompt users to download malware

How does Jamf’s on-device content filtering work?

On-device content filtering is a part of Jamf Protect, and it’s configured in Jamf Security Cloud. There are a number of means to filter content on an individual device. Here are a few that Jamf uses, often leveraging already-existing Apple technology and services.


Before anything can even get close to your organization’s cloud data, Jamf inspects traffic on an individual iPhone in a restrictive sandbox. Before traffic leaves the sandbox, Jamf strips sensitive data, such as URL query parameters. Because the inspection happens on the device, unsafe data traffic never even gets close to your organization’s network.
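The redaction step described above, together with the IP-address bypass check listed earlier, as an added sketch in Python. It is not Jamf's or Apple's code: the function names, the block-on-IP-literal policy and the sample blocklist domain are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed blocklist for this example; a real policy would come from the
# management console, not from a constant in code.
BLOCKED_DOMAINS = {"login-example-corp.test"}


def host_is_ip_literal(host):
    """True when the URL names its host by IP address instead of a domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def redact_url(url):
    """Keep scheme, host, port and path; drop userinfo, query and fragment."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literals need their brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def evaluate_flow(url):
    """Decide on the full URL locally, but report only the redacted form."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host_is_ip_literal(host):
        # Assumed policy: a bare IP host sidesteps domain rules, so block it.
        verdict, reason = "block", "ip-literal-host"
    elif any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        verdict, reason = "block", "blocked-domain"
    else:
        verdict, reason = "allow", "no-match"
    return {"verdict": verdict, "reason": reason, "reported_url": redact_url(url)}


if __name__ == "__main__":
    # Constructed sample flows.
    for sample in ("https://user:pw@Login-Example-Corp.test/sso?token=abc123#x",
                   "http://192.0.2.10:8080/download?id=7",
                   "https://www.example.org/docs?q=secret"):
        print(evaluate_flow(sample))
```

The verdict is computed from the complete URL while only `reported_url` would be handed onward, which is the ordering the paragraph describes: inspect first, strip before anything leaves.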

Apple’s NEFilterProvider

NEFilterProvider is a semi-sandboxed architecture that works like this: two network extensions (one heavily sandboxed, and one less so) work in close cooperation to allow advanced filtering of content while preserving privacy.

Encrypted DoH

Apple supports encrypted DNS (DoH and DoT) in iOS 14 and macOS 11 and above for web threat prevention and domain filtering. Jamf’s on-device content filtering filters web content and IP address data, and also provides per-site byte counting and data capping.

What are the benefits of on-device content filtering?

On-device content filtering inspects traffic at the socket level. It’s a more comprehensive filter than a cloud proxy with a secure DNS.

With this type of content filtering, organizations can:

  • Evaluate domain names, full URLs, IP addresses, ports, protocols and more
  • Identify the app that is the source of the unsafe traffic and act upon it
  • Impact network performance only minimally; a lack of reliance on proxy servers or DNS resolvers means that latency is kept at a minimum

On-device content filtering provides:

  • Increased phishing protection
  • Web threat prevention
  • Web content filtering and data capping

What do I need to use Jamf’s on-device content filtering?

Jamf’s on-device content filtering is a part of Jamf Protect and is configured in Jamf Security Cloud. It’s currently available on supervised iOS and iPadOS 16+ devices with the Jamf Trust app installed. IT can create Smart Groups based on OS version and management state to take advantage of on-device content filtering on managed devices if your organization supports a mix of supervised and unsupervised devices.

Jamf is planning macOS support for on-device content filtering later this year.
