Desert Rose

Reputation: 3424

iOS : Per App Content Filter deployment through Intune

I am testing the Per App Content Filter (iOS 16 onwards) feature for iOS. Per App Content Filter entitlements can run on a managed device only. Hence these entitlements must be pushed through MDM.

Apple documentation on

https://developer.apple.com/documentation/technotes/tn3134-network-extension-provider-deployment?lan...

https://developer.apple.com/documentation/networkextension/content_filter_providers?language=objc

So far, my research on Intune concluded that Intune does not support it the way it supports per-app VPN. Then I tried pushing the content filter profile as a custom profile and ContentFilterUUID as an App configuration policy targeted at the 3rd party app. The content filter gets pushed to the device, but it does not get mapped to the 3rd party app. So it does not run until the mapping is appropriate and remains in an invalid state.

Can anyone help me achieve this on Intune? I posted on the Intune community forum too, but there were no answers there.

Side note: JAMF provides this built in, like per-app VPN, and I could see the payload (from iOS sys logs) is like below:

NESMFilterSession[Content Filter 16 May 2024:5F0ABFF4-5414-40D4-AD95-AE207D890720]: handling configuration changed: {
    name = <26-char-str>
    identifier = 5F0ABFF4-5414-40D4-AD95-AE207D890720
    externalIdentifier = <36-char-str>
    application = com.test.ent.app
    grade = 1
    contentFilter = {
        enabled = YES
        provider = {
            pluginType = com.test.ent.app
            organization = <7-char-str>
            filterBrowsers = NO
            filterPackets = NO
            filterSockets = YES
            disableDefaultDrop = NO
            preserveExistingConnections = NO
        }
        filter-grade = 1
        per-app = {
            appRules = (
                {
                    matchSigningIdentifier = org.mozilla.ios.Firefox
                    noDivertDNS = NO
                },
            )
            excludedDomains = ()
        }
    }
    payloadInfo = {
        payloadUUID = FC494E29-90AE-4C56-B57A-2E501A17553A
        payloadOrganization = <13-char-str>
        profileUUID = C2074E3F-39F1-4A48-B979-FE13C0FBC779
        profileIdentifier = <36-char-str>
        isSetAside = NO
        profileIngestionDate = 2024-08-16 21:30:23 +0000
        systemVersion = Version 17.5.1 (Build 21F90)
        profileSource = mdm
    }
}

Upvotes: 0

Views: 122

Answers (1)

Michael Rieder

Reputation: 1

I think in Intune you have to use a complete .mobileconfig if you want to use the vendor settings.

Profile type -> Templates -> Custom

You can also download the .mobileconfig from Jamf and test this here. If you want to remove the signature you can run this:

openssl smime -inform DER -verify -in Settings.mobileconfig -noverify -out ~/Unsigned.mobileconfig

Upvotes: 0
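
A pre-upload check for the unsigned profile produced by the openssl command in the answer above, as an added example that is not part of the original answer or of any vendor tooling: it reports whether each `com.apple.webcontent-filter` payload carries the keys a per-app plugin filter needs. The key names are those of Apple's content filter payload; the sample profile, bundle ID and UUID are constructed.

```python
import plistlib

FILTER_TYPE = "com.apple.webcontent-filter"  # Apple's content filter payload type

def check(payload):
    """List the reasons this payload cannot act as a per-app plugin filter."""
    problems = []
    if payload.get("FilterType") != "Plugin":
        problems.append("FilterType is not Plugin")
    if not payload.get("PluginBundleID"):
        problems.append("PluginBundleID missing")
    if not payload.get("ContentFilterUUID"):
        problems.append("ContentFilterUUID missing")
    return problems

def content_filter_payloads(profile_bytes):
    """Summarise every content filter payload in an unsigned profile."""
    try:
        profile = plistlib.loads(profile_bytes)
    except plistlib.InvalidFileException:
        # A signed profile is a CMS/DER blob, not a plist.
        raise ValueError("not a plist: strip the signature first") from None
    return [
        {"uuid": p.get("ContentFilterUUID"),
         "plugin": p.get("PluginBundleID"),
         "sockets": bool(p.get("FilterSockets", False)),
         "problems": check(p)}
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == FILTER_TYPE
    ]

# Constructed sample profile (all values invented for illustration).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.profile",
    "PayloadContent": [{
        "PayloadType": FILTER_TYPE,
        "FilterType": "Plugin",
        "PluginBundleID": "com.example.filterapp",
        "FilterSockets": True,
        "ContentFilterUUID": "11111111-2222-3333-4444-555555555555",
    }],
})

if __name__ == "__main__":
    for entry in content_filter_payloads(SAMPLE):
        print(entry)
```

The `uuid` it reports is the value the managed app's ContentFilterUUID attribute has to match.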
