Per App Content Filter on iOS
I am testing the Per App Content Filter (iOS 16 onwards) feature for iOS. Per App Content Filter entitlements can run on a managed device only. Hence these entitlements must be pushed through MDM.
Apple documentation:
https://developer.apple.com/documentation/technotes/tn3134-network-extension-provider-deployment?language=objc
https://developer.apple.com/documentation/networkextension/content_filter_providers?language=objc
So far, research on Intune concluded that Intune does not support it like it supports per app VPN.
Then I tried pushing the content filter profile as a custom profile and ContentFilterUUID as an App configuration policy by targeting it to a 3rd party app. The content filter gets pushed but it does not get mapped to the 3rd party app. So it does not run until the mapping is appropriate and remains in an invalid state.
Can anyone help me with how I can achieve this on Intune?
Side Note: JAMF provides this built in, like per app VPN, and I could see the payload (from iOS sys logs) is like below:
NESMFilterSession[Content Filter 16 May 2024:5F0ABFF4-5414-40D4-AD95-AE207D890720]: handling configuration changed: {
    name = <26-char-str>
    identifier = 5F0ABFF4-5414-40D4-AD95-AE207D890720
    externalIdentifier = <36-char-str>
    application = com.test.ent.app
    grade = 1
    contentFilter = {
        enabled = YES
        provider = {
            pluginType = com.test.ent.app
            organization = <7-char-str>
            filterBrowsers = NO
            filterPackets = NO
            filterSockets = YES
            disableDefaultDrop = NO
            preserveExistingConnections = NO
        }
        filter-grade = 1
        per-app = {
            appRules = (
                {
                    matchSigningIdentifier = org.mozilla.ios.Firefox
                    noDivertDNS = NO
                },
            )
            excludedDomains = ()
        }
    }
    payloadInfo = {
        payloadUUID = FC494E29-90AE-4C56-B57A-2E501A17553A
        payloadOrganization = <13-char-str>
        profileUUID = C2074E3F-39F1-4A48-B979-FE13C0FBC779
        profileIdentifier = <36-char-str>
        isSetAside = NO
        profileIngestionDate = 2024-08-16 21:30:23 +0000
        systemVersion = Version 17.5.1 (Build 21F90)
        profileSource = mdm
    }
}
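To compare what different MDMs deliver, the NESMFilterSession dump quoted above can be parsed and checked for a per-app rule naming the target app. This is an added example, not part of the original post or of any Apple or vendor tooling; `parse_dump` and `filter_mapping` are hypothetical names, and it assumes an unmapped filter appears in the log with a missing or empty `appRules` list, which the page does not confirm.

```python
# Constructed sample: trimmed from the NESMFilterSession dump quoted in the post.
SAMPLE = """\
NESMFilterSession[Content Filter 16 May 2024:5F0ABFF4-5414-40D4-AD95-AE207D890720]: handling configuration changed: {
contentFilter = {
provider = {
pluginType = com.test.ent.app
}
per-app = {
appRules = (
{
matchSigningIdentifier = org.mozilla.ios.Firefox
},
)
}
}
}
"""

def parse_dump(text):
    """Parse the '{ key = value }' / '( item, )' dump into dicts and lists."""
    lines = iter(l.strip().rstrip(",") for l in text.splitlines() if l.strip())
    next(lines)  # header line; its trailing "{" opens the top-level dict
    def value(tok):
        closer = {"{": "}", "(": ")"}.get(tok)
        return block(closer) if closer else ([] if tok == "()" else tok)
    def block(closer):
        out = {} if closer == "}" else []
        for line in lines:
            if line == closer:
                break
            key, _, tok = line.partition(" = ")
            if closer == ")":
                out.append(value(line))   # list items carry no key
            else:
                out[key] = value(tok)
        return out
    return block("}")

def filter_mapping(text, expected_app):
    """Summarise the filter and report whether expected_app has a per-app rule."""
    cfg = parse_dump(text).get("contentFilter", {})
    rules = cfg.get("per-app", {}).get("appRules", [])  # assumption: absent/empty = unmapped
    mapped = [r["matchSigningIdentifier"] for r in rules if "matchSigningIdentifier" in r]
    return {
        "provider": cfg.get("provider", {}).get("pluginType"),
        "mapped_apps": mapped,
        "expected_app_mapped": expected_app in mapped,
    }
```

Running `filter_mapping` over the same log line captured under each MDM shows whether the profile arrived with the per-app rule or only the provider settings.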