Enforcing Restrictions on iOS: An Overview of Supervised and Managed iPhone Capabilities
One of the most important things to consider if you are trying to set up content filtering on a personal iOS device is: "how can I prevent these restrictions from being bypassed?". Answering this question was the primary motivation for starting Tech Lockdown. For devices that are used to access the internet, you will usually need some way to enforce or block apps and control network and VPN settings.
Unfortunately, with a standard iPhone, the ways you can do this are limited, but it is possible. In this post, we'll examine the features available to an iPhone that can be used to prevent bypass of content blockers.
An iOS device can be configured in 3 different ways:
- Standard (most common): this is a typical iPhone purchased from a retail location. Most iPhones are standard.
- Supervised (not common): an iPhone with "supervised" mode enabled and configured with a second supervising device. The iPhone is controlled by a second device, such as a MacBook.
- Managed (not common): an iPhone configured by a Mobile Device Manager (MDM), which configures and controls it remotely. Businesses use MDMs to manage corporate devices. The iPhone is controlled remotely via the MDM tool (usually in a web browser).
Each configuration method has access to different ways to control the iOS device.
Are there any iOS apps that can enforce restrictions on a standard iPhone?
If you've used an Android smartphone before, you might have seen content blocking apps that display a block page in reaction to common bypass attempts.
For example, we've been working on a device management app for standard Android devices that blocks attempts to uninstall an enforced app, revoke app permissions, or view a disallowed settings page:
The nice thing about this approach is that it adds significant friction that makes it much harder to bypass content blockers. Also, it will work on a standard Android device that you purchase from the store for personal use. You don't necessarily need to configure a managed Android device to prevent bypass (more on this later).
But what about iOS - can you use a similar device management app on a standard iPhone?
The short answer is no, at least not in the same way that you would on an Android device.
On an iPhone, it is difficult to take full control of the device using an app that you can download from the App Store. Apple imposes this limitation to protect their users from malicious apps and to encourage people to configure a supervised or managed device instead.
Making an app that can fully lock down an iPhone's settings and prevent bypass is not possible. However, you can convert an iPhone into either a supervised device or managed device to access additional bypass prevention features.
Both Device Supervision and Management allow you to enforce settings (called profiles) on your device in such a way that these settings cannot be easily removed on that device. Some settings, such as DNS settings or app enforcement, now become possible. This is perfect if you are trying to set up a device to enforce content restrictions for yourself, an accountability partner, or a family.
If you are using a DNS filtering service to block content on your home network, then configuring a supervised or managed device may not be required. However, if you want to use DNS filtering locally on a device, then some platforms require either a supervised or managed device in order to properly enforce the settings required to effectively block content.
What do Standard iOS device setups look like?
Most people have a standard configured iPhone. If you bought an iPhone from a retail location and use it personally, it's configured the standard way.
In general, standard devices are the easiest to set up. In many situations, a standard device might be enough to get started, but iPhones especially might not be able to properly enforce settings and prevent bypass.
With a standard device, you can make changes to your settings, and you can use the built-in parental control features to lock those settings. iPhone's Screen Time feature can be a good starting place, and when enabled, allows you to block adult sites automatically and set certain websites as blocked. You can manually allow websites that are incorrectly blocked or make normally allowed websites blocked.
You can then use a PIN to lock those settings, so you can't change them compulsively.
There are some important drawbacks to consider if you are trying to use Screen Time:
If you want to make sure that your children are protected on their own iPhone, this approach might be enough. However, if you are trying to promote self-control habits online, simply memorizing the unlock PIN or going through the PIN recovery process are two very easy ways to bypass this method.
In general, we recommend configuring at least a supervised device if you want to lock down your own devices online.
What is a Supervised iOS device?
Device Supervision is a step above a standard device configuration. Device Supervision usually requires the use of a second device to enforce something called a profile.
A profile contains settings that can be enforced on a device in such a way that these settings cannot be changed on that device without modifying the profile using a second device, such as a MacBook computer. This is much better than a standard device, since you can now ensure that your settings will remain enforced.
Here are some notable use cases for device supervision:
Preventing Installing New Apps or Uninstalling Existing Apps
Similar to Screen Time, supervised devices can prevent installing new apps or uninstalling existing apps. The main advantage with device supervision is that it's harder to bypass using a Screen Time PIN.
Block specific Apps
Standard devices have an all or nothing approach to app management: you have to prevent installing new apps to block apps.
Supervised devices, in contrast, can specify restricted apps in addition to preventing installation of new apps:
Prevent Changes to VPN or Network Settings
Some VPNs might allow you to bypass a home network filter setup, so you should also make sure that your devices cannot change their VPN or other network settings.
This is not possible if you are just using a Standard device and requires at least a supervised device in order to properly set up.
More Effectively Enforce Built-in Parental Controls
You can enable the same filtering that Screen Time takes advantage of in such a way that it cannot be disabled from the device.
However, there are many other settings that can be enabled with a Supervised device, such as:
- Enforcing SafeSearch for a Browser
- Enforce a content blocking application
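The supervised-device settings described above end up as keys in a configuration profile, so a profile can be checked for gaps before it is installed. The following is an added example, not code from the original post: it audits a constructed sample profile using Apple's Restrictions (`com.apple.applicationaccess`) and Web Content Filter (`com.apple.webcontent-filter`) payload keys; the identifiers, UUIDs and the bundle ID are placeholders.

```python
import plistlib

# Constructed sample profile; identifiers, UUIDs and bundle ID are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.lockdown.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "PayloadIdentifier": "example.lockdown.restrictions",
         "PayloadUUID": "00000000-0000-0000-0000-000000000002",
         "PayloadVersion": 1,
         "allowAppInstallation": False,      # no new apps
         "allowVPNCreation": False,          # no new VPN configurations
         "blockedAppBundleIDs": ["com.example.browser"]},
        # allowAppRemoval is deliberately left out to show a gap.
        {"PayloadType": "com.apple.webcontent-filter",
         "PayloadIdentifier": "example.lockdown.webfilter",
         "PayloadUUID": "00000000-0000-0000-0000-000000000003",
         "PayloadVersion": 1,
         "FilterType": "BuiltIn",
         "AutoFilterEnabled": True},         # built-in adult-content filter
    ],
})

def audit_profile(data: bytes) -> dict:
    """Map each bypass-prevention control to True if the profile enforces it."""
    restrictions, web_filter = {}, {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update(payload)
        elif payload.get("PayloadType") == "com.apple.webcontent-filter":
            web_filter = payload
    # Older profiles use the deprecated key name for the blocked-app list.
    blocked = (restrictions.get("blockedAppBundleIDs")
               or restrictions.get("blacklistedAppBundleIDs") or [])
    return {
        # allow* keys default to True when absent: only an explicit False counts.
        "app_install_blocked": restrictions.get("allowAppInstallation", True) is False,
        "app_removal_blocked": restrictions.get("allowAppRemoval", True) is False,
        "vpn_changes_blocked": restrictions.get("allowVPNCreation", True) is False,
        "specific_apps_blocked": len(blocked) > 0,
        "builtin_web_filter_on": (web_filter.get("FilterType") == "BuiltIn"
                                  and web_filter.get("AutoFilterEnabled") is True),
    }

def gaps(data: bytes) -> list:
    """Controls the profile leaves unenforced, i.e. remaining bypass routes."""
    return sorted(name for name, ok in audit_profile(data).items() if not ok)

if __name__ == "__main__":
    print("Unenforced controls:", gaps(SAMPLE_PROFILE))
```

In the sample, app removal is the one control left at its permissive default, which means an enforced content-blocking app could still be uninstalled.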
Pros and Cons
While Device Supervision is very powerful, it comes with a few limitations:
- Requires the use of a computer to enable device supervision on the specific iOS device
- Requires a device reset and you can't do a full restore from a Cloud backup. However, you can sync from iCloud, which is more than enough for most people.
- Requires physical access to the supervised device in order to make changes to enforced settings
- Built-in content restrictions cannot block or manage categories of online content. You need to use a third-party app for this.
Device Supervision is not necessarily straightforward. However, our premium members get access to our guides for supervising your own device, as well as an included DNS Filtering service that allows you to control categories of online content. Check out our main site to learn more!
What is Mobile Device Management for iOS?
Mobile Device Management (MDM) is a step above device Supervision. Mobile Device Management allows you to enforce the same settings as a supervised device, but with additional features and remote control over the device. We found that Device Management is the most effective solution if you want to get serious about blocking content online. It's the approach we recommend to our customers.
Remote Management
Remote Management allows you to go a step above Supervision, because you can now make changes to your device's profile without the need to be physically plugged into your device. You can make changes to your app allowlists and blocklists, add new Wi-Fi profiles, or make other changes to your device remotely.
This is ideal for when you add new iOS devices that you want to enforce restrictions on and you can get a high-level view of all of the personal devices you manage.
Remote Management of applications
Once an iOS device is managed, you can use the Mobile Device Manager to silently install apps, view installed apps on a device, or remove an installed app.
For example, we could use the MDM to remotely install a DNS Filtering application on all managed iOS devices efficiently.
Furthermore, you can block specific apps and easily manage a list of approved apps so that the user can only install from a limited list of approved apps:
Block Specific Apps
You can maintain your own list of blocklisted apps instead of disallowing installation of all new apps or allowing a user to install from an approved app list. Updating these changes will automatically sync with any managed iOS devices and remove blocked apps if they are installed already.
Disable Safari Browser
You can disable Safari entirely.
Kiosk Mode
One of the biggest limitations that you might encounter when managing your device is that you cannot remove default apps from your device. However, one of the features that comes with Device Management is Kiosk mode, which can more severely restrict what apps are even displayed on your home screen. Kiosk mode allows you to create your own dumb iPhone.
An example of a device with Kiosk mode enabled can look something like this:
This device is limited to only a few system features and everything else, such as the web browser, is restricted.
Allow-only Content Filtering
With the Filter type: Allowlist mode, you can restrict access to all websites except the ones you specify. This is a restrictive approach that is very limiting, but also one of the most thorough ways to narrow access down to only a few approved websites.
You could also use a blocklist approach and enable the built-in content filter:
Other Considerations
Device Management allows you to take advantage of some of the features that businesses might use to manage their own devices and is very powerful at blocking content online. Essentially, the device will not be able to do anything you don't allow, and you have almost complete control over it.
Even so, there are a couple of caveats to consider:
- Requires a full device reset
- Requires the use of a second iOS or Mac device to initially add the iPhone to the Mobile Device Manager.
- Getting access to device management is not a trivial process since Apple has a few additional requirements compared to device supervision.
At Tech Lockdown, we've seen a lot of success with our customers managing their own devices. It is especially difficult to properly enforce settings on mobile devices unless they are managed (or at least supervised). Since managing your own device can be a confusing process, we provide guides to our premium members that walk them through the process of getting set up.
Closing Thoughts
The best approach for ensuring that your devices are protected online is to manage them. Device Management is the most comprehensive solution for ensuring that you are effectively blocking content online and preventing bypass on your devices.