Can Content Filter (NEFilterDataProvider & NEFilterControlProvider) run on a NON SUPERVISED device?

I want to implement Content Filter (NEFilterDataProvider & NEFilterControlProvider) on iOS. When I tried to configure it in Apple Configurator, it says it's supported on Supervised devices only. See below screenshot.

Has anyone achieved it on Non Supervised devices? If yes, can you please share details?

Is it achievable on MDM-managed (non-supervised though) devices only?

I cover this in TN3134 Network Extension provider deployment. In short, starting with iOS 16 you can deploy a content filter to a managed device, but only in per-app mode.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn.

I don't see the "starting with iOS 16 you can deploy a content filter to a managed device, but only in per-app mode." option in Apple Configurator. Can you please point me to it?

Also, is there any way I can replicate this through Xcode directly?

You can’t configure per-app Network Extension support in Apple Configurator because the NE configuration has to be tied to the app via a managed app attribute, and that’s only configurable using MDM. Specifically, look at the ContentFilterUUID payload property and the matching InstallApplicationCommand attribute.

Is there any way I can replicate through Xcode directly?

With per-app VPN you can configure this mapping using the NETestAppMapping key in your Info.plist. For the details, see here. I don’t know if that same mechanism works for per-app content filters.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

With per-app VPN you can configure this mapping using the NETestAppMapping key in your Info.plist.

I tried through info.plist, but it flags an error that the device needs to be managed to execute it. Exploring if I can have my test app as a managed app.

While deploying through MDM (Intune), I found MDMs don't have a predefined way of configuring it. I set up a custom profile and it got pushed, but it is showing Invalid. Please see below screenshot. Any clues why it's showing Invalid?

Below is the profile I pushed

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>FilterBrowsers</key>
			<true/>
			<key>FilterSockets</key>
			<true/>
			<key>FilterType</key>
			<string>Plugin</string>
			<key>PayloadDescription</key>
			<string>Configures content filtering settings</string>
			<key>PayloadDisplayName</key>
			<string>Per App Content Filter</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.webcontent-filter.FD133648-8A43-4880-B37D-1F13D57AF3BB</string>
			<key>PayloadType</key>
			<string>com.apple.webcontent-filter</string>
			<key>PayloadUUID</key>
			<string>FD133648-8A43-4880-B37D-1F13D57AF3BB</string>
			<key>ContentFilterUUID</key>
			<string>FD133648-8A43-4780-B37D-1F13D57AF3BB</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PluginBundleID</key>
			<string>com.test.test.filtercontrol</string>
			<key>UserDefinedName</key>
			<string>Per App Content Filter</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Untitled</string>
	<key>PayloadIdentifier</key>
	<string>Test-MacBook-Pro.510D9EF0-8A77-415E-B3FB-0A7C28E316EB</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>A17602B6-4B71-4FAF-84BB-F856092DD5CD</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Hi Quinn

Can you please take a look at the data I provided?

Any clues why it's showing Invalid?

It looks like you’ve set PluginBundleID to the bundle ID of the provider. It’s meant to be the bundle ID of the container app.

Note The docs don’t make this clear but Apple Configurator has the right info (as shown in the screen shot you posted earlier). I’d appreciate you filing a bug against the docs about this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
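
Added example, not part of the thread and not Apple's code: a pre-deployment check in Python for the two points raised above, that the profile's ContentFilterUUID must match the attribute on the app's InstallApplication command and that PluginBundleID must not name the provider. The command layout (Command → Attributes → ContentFilterUUID), the container ID com.test.test, the app ID and the second UUID are assumptions made for this sketch.

```python
import plistlib
import uuid

FILTER_PAYLOAD = "com.apple.webcontent-filter"

def check_per_app_filter(profile_bytes, install_cmd_bytes, provider_ids=()):
    """Cross-check a profile against an InstallApplication command.
    Returns a list of findings; an empty list means nothing was flagged."""
    profile = plistlib.loads(profile_bytes)
    command = plistlib.loads(install_cmd_bytes).get("Command", {})
    # Assumed layout: the per-app link lives in the command's Attributes dict.
    app_uuid = command.get("Attributes", {}).get("ContentFilterUUID")
    findings = []
    filters = [p for p in profile.get("PayloadContent", [])
               if p.get("PayloadType") == FILTER_PAYLOAD]
    if not filters:
        findings.append("profile has no " + FILTER_PAYLOAD + " payload")
    for p in filters:
        cf_uuid = p.get("ContentFilterUUID")
        if cf_uuid is None:
            findings.append("payload has no ContentFilterUUID (not per-app)")
        else:
            try:
                uuid.UUID(cf_uuid)
            except (ValueError, AttributeError, TypeError):
                findings.append(f"ContentFilterUUID is not a UUID: {cf_uuid!r}")
            if cf_uuid != app_uuid:
                findings.append(f"ContentFilterUUID {cf_uuid} != app attribute {app_uuid}")
        if p.get("PluginBundleID") in provider_ids:
            findings.append("PluginBundleID names the provider, not the container app")
    return findings

def sample(plugin_id, payload_uuid, app_uuid):
    """Build constructed sample documents (not real MDM traffic)."""
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadContent": [{"PayloadType": FILTER_PAYLOAD,
                                   "FilterType": "Plugin",
                                   "ContentFilterUUID": payload_uuid,
                                   "PluginBundleID": plugin_id}]}
    command = {"Command": {"RequestType": "InstallApplication",
                           "Identifier": "com.example.filteredapp",  # hypothetical app
                           "Attributes": {"ContentFilterUUID": app_uuid}}}
    return plistlib.dumps(profile), plistlib.dumps(command)

PAGE_UUID = "FD133648-8A43-4780-B37D-1F13D57AF3BB"   # value from the posted profile
OTHER_UUID = "11111111-2222-3333-4444-555555555555"  # constructed
PROVIDERS = ("com.test.test.filtercontrol",)         # provider ID from the posted profile
BAD = check_per_app_filter(*sample(PROVIDERS[0], PAGE_UUID, OTHER_UUID), provider_ids=PROVIDERS)
GOOD = check_per_app_filter(*sample("com.test.test", PAGE_UUID, PAGE_UUID), provider_ids=PROVIDERS)
```
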

It’s meant to be the bundle ID of the container app.

Thanks Quinn for the response.

Unfortunately that did not help. The profile is still showing invalid. I suspect PayloadIdentifier is different for a per-app content filter, but there is no documentation for this. For example, for packet tunnel, per-app VPN has a different PayloadIdentifier, com.apple.vpn.managed.applayer, than the device-level VPN tunnel PayloadIdentifier, com.apple.vpn.managed.

<key>PayloadIdentifier</key>
<string>com.apple.webcontent-filter.FD133648-8A43-4880-B37D-1F13D57AF3BB</string>

I tried pushing PayloadIdentifier com.apple.webcontent-filter.applayer, but then the profile didn't get pushed at all.

Or any other aspect you think I am missing?

PayloadIdentifier is just a unique ID. See here. Are you perhaps thinking of PayloadType? AFAIK there isn’t a separate payload type for this, but I’m basically working off the same docs as you are here.

My next suggestion is to try configuring your filter globally, rather than using per-app mode. That will require a supervised device, but that’s fine because this is only a test. There are two possible results here:

  • It works, in which case you know that your provider is working in general and this is a configuration problem specific to per-app mode.

  • It fails, in which case there’s something else going on with your provider.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It works, in which case you know that your provider is working in general and this is a configuration problem specific to per-app mode.

Yes, it works on a supervised device. It's not working for per-app mode.

FYI, I am using the Apple sample app "SimpleTunnel" for testing.

Are you perhaps thinking of PayloadType?

Yes, I am talking about PayloadType

AFAIK there isn’t a separate payload type for this, but I’m basically working off the same docs as you are here.

Thanks for confirming this.

For those following along at home, I’ll be helping dssdgvsdgsd in a different context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello @DTS Engineer ,

We are developing and trying to deploy an app-based content filter as well. We are facing the same issues as mentioned in this thread.

I am using Intune to push a custom provision profile with

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>FilterBrowsers</key>
			<true/>
			<key>FilterSockets</key>
			<true/>
			<key>FilterType</key>
			<string>Plugin</string>
			<key>PayloadDescription</key>
			<string>Configures content filtering settings</string>
			<key>PayloadDisplayName</key>
			<string>Test content filter</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.webcontent-filter.DAC44B5F-3824-4F6C-B39B-1C5FCDD8C993</string>
			<key>PayloadType</key>
			<string>com.apple.webcontent-filter</string>
			<key>PayloadUUID</key>
			<string>DAC44B5F-3824-4F6C-B39B-1C5FCDD8C993</string>
			<key>ContentFilterUUID</key>
			<string>DAC44B5F-3824-4F6C-B39B-1C5FCDD8C993</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PluginBundleID</key>
			<string>Replaced the original name here</string>
			<key>UserDefinedName</key>
			<string>Test content filter</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>per app content filter example</string>
	<key>PayloadIdentifier</key>
	<string>Replaced.EB0E51A5-84B0-49AA-B45B-9EA8C46C69FE</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>AEDDCA4D-392B-49E5-801B-D9D4E34BAA30</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

and in my content filter I am trying to use NETestAppMapping in info.plist

	<key>NETestAppMapping</key>
	<dict>
		<key>DAC44B5F-3824-4F6C-B39B-1C5FCDD8C993</key>
		<string>com.apple.mobilesafari</string>
	</dict>

The profile is pushed to the device

It shows the network filter as invalid

Tried creating a DTS ticket as well. It asked me to first check in the developer forums.
