Per App Content Filter on iOS


I am testing the Per App Content Filter feature (iOS 16 onwards) for iOS. Per App Content Filter entitlements can run on a managed device only. Hence these entitlements must be pushed through MDM.

Apple documentation:

https://developer.apple.com/documentation/technotes/tn3134-network-extension-provider-deployment?lan...

https://developer.apple.com/documentation/networkextension/content_filter_providers?language=objc

 


 


So far, research on Intune concluded that Intune does not support it the way it supports per-app VPN.

Then I tried pushing the content filter profile as a custom profile and ContentFilterUUID as an App configuration policy by targeting it to a 3rd party app. The content filter gets pushed, but it does not get mapped to the 3rd party app. So it does not run until the mapping is appropriate, and it remains in an invalid state.

 

Can anyone help me achieve this on Intune?

Side note: JAMF provides this built in, like per-app VPN, and I could see that the payload (from iOS sys logs) is like below:

 

 

NESMFilterSession[Content Filter 16 May 2024:5F0ABFF4-5414-40D4-AD95-AE207D890720]: handling configuration changed: {
    name = <26-char-str>
    identifier = 5F0ABFF4-5414-40D4-AD95-AE207D890720
    externalIdentifier = <36-char-str>
    application = com.test.ent.app
    grade = 1
    contentFilter = {
        enabled = YES
        provider = {
            pluginType = com.test.ent.app
            organization = <7-char-str>
            filterBrowsers = NO
            filterPackets = NO
            filterSockets = YES
            disableDefaultDrop = NO
            preserveExistingConnections = NO
        }
        filter-grade = 1
        per-app = {
            appRules = (
                {
                    matchSigningIdentifier = org.mozilla.ios.Firefox
                    noDivertDNS = NO
                },
            )
            excludedDomains = ()
        }
    }
    payloadInfo = {
        payloadUUID = FC494E29-90AE-4C56-B57A-2E501A17553A
        payloadOrganization = <13-char-str>
        profileUUID = C2074E3F-39F1-4A48-B979-FE13C0FBC779
        profileIdentifier = <36-char-str>
        isSetAside = NO
        profileIngestionDate = 2024-08-16 21:30:23 +0000
        systemVersion = Version 17.5.1 (Build 21F90)
        profileSource = mdm
    }
}

 

 



0 Replies
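Added example, not part of the original post and not Apple, Jamf or Intune code: a small Python parser for a `NESMFilterSession` "configuration changed" dump in the shape quoted above, reporting which signing identifiers the filter's `per-app` `appRules` name, so dumps produced by two MDMs can be compared. The sample input is constructed, the function names are hypothetical, and reading an empty `mapped_apps` list as "no app mapped" is an assumption.

```python
# Constructed sample in the shape of the dump quoted in the post (placeholder values).
SAMPLE = """\
NESMFilterSession[Example:00000000-0000-0000-0000-000000000000]: handling configuration changed: {
    contentFilter = {
        enabled = YES
        per-app = {
            appRules = (
                {
                    matchSigningIdentifier = com.example.browser
                    noDivertDNS = NO
                },
            )
            excludedDomains = ()
        }
    }
}
"""

def parse_dump(text):
    """Parse the nested 'key = value' dump into dicts ({...}) and lists ((...))."""
    lines = [ln.strip().rstrip(",") for ln in text.splitlines() if ln.strip()]
    pos = 1  # lines[0] is the log prefix that ends with the root "{"

    def value(token):
        nonlocal pos
        if token not in ("{", "("):
            return [] if token == "()" else token  # scalar or empty list
        is_dict = token == "{"
        out, close = ({}, "}") if is_dict else ([], ")")
        while lines[pos] != close:
            line, pos = lines[pos], pos + 1
            if is_dict:
                key, _, raw = line.partition(" = ")
                out[key] = value(raw)
            else:
                out.append(value(line))
        pos += 1  # consume the closing bracket
        return out

    return value("{")

def per_app_mapping(cfg):
    """Summarise the filter state. Assumption: an empty mapped_apps means no app is mapped."""
    cf = cfg.get("contentFilter", {})
    rules = cf.get("per-app", {}).get("appRules", [])
    return {
        "enabled": cf.get("enabled") == "YES",
        "mapped_apps": [r.get("matchSigningIdentifier") for r in rules],
    }
```

Running `per_app_mapping(parse_dump(...))` on the dump captured after each MDM's push shows at a glance whether the `appRules` entry for the target app is present.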