Preventing Bypass on iPhone
After you’ve connected an iPhone device to your content policy, the next step is to enforce that connection.
After you've installed the App or DNS Configuration profile on your iPhone, the next step is to prevent bypassing the restrictions on your iPhone.
We've already taken a look at several settings that can be enabled on the dashboard to prevent bypass. However, there are unique considerations for iPhone devices that can further enforce your DNS Content Policy.
- Standard iPhones can have restrictions enforced with an AppLocker, iOS Shortcuts, or Screen Time. These can be used to achieve good results but are not the best solution.
- You can take enforcement to another level by enabling supervised mode on your iPhone device. Supervised mode allows you to lock your Screen Time settings much more effectively than with a 4-digit pin.
- Managed iPhones are the ultimate solution to prevent bypass. Managed iPhone allow you to enforce meticulous control over your iPhone, limiting access to built-in or default apps (like Settings or the App Store). Unfortunately, managed iPhones are not easy to set up and can require some time to gain approval.
Choosing the Best Option to Prevent Bypass on your iPhone
Which option works best for you will depend on how comfortable you are with setting up these options. If you would rather keep things relatively simple, and don't believe you will try to bypass your restrictions, than a standard iPhone device can work just fine.
However, if you are willing to spend a little more time, the difference between a supervised and standard iPhone is drastic. Supervision offers more restrictions and is not nearly as difficult as enabling managed mode. Supervision works great if the iPhone you want to filter is not for you (for example, you're a parent), or you want to remove the temptation to easily reset your device's filtering settings.
Manage mode offers much more control over your device. You will be able to remotely uninstall or install apps, deny access to the App Store or other built-in apps, and much more. If you want the ultimate lockdown solution for your iPhone, we do provide guides that will walk Tech Lockdown premium members through this process. If you're confident, device management is the best option we provide on the platform.
We'll go ahead and provide the methods that are available for each tier of device. These techniques let you enforce the most amount of restrictions possible and will have differences depending on which type of iPhone device you have.
Use a Backup Method to Connect Your iPhone to Your Content Policy
First, you will need to connect your iPhone device to your DNS Content Policy. One way to do this is with the Cloudflare One Agent app and this is the most straightforward option. Another option is to install a DNS configuration profile onto your iPhone, which is harder to disable:
- Install the Cloudflare One Agent app and sign in with your email address. This allows a device to be associated with your email address, which is necessary if you want to create rules that apply to members separately.
- Use our mobile config generator to install a DNS configuration profile on your iPhone device. This ensures that you always have a backup in case the Cloudflare One App disconnects or is disabled.
Both options can be used separately or simultaneously. We strongly recommend enabling both, since they don't interfere with each other.
Installing the Cloudflare One App creates a VPN profile on your iPhone. The app will automatically attempt to reconnect your iPhone if this VPN profile is disabled. However, having the DNS profile also installed on your iPhone will ensure filtering is still enabled on your device. This will be true even if the app is uninstalled or if the VPN enforced by the app is disabled for a prolonged period of time.
Note
We strongly recommend installing both the App and DNS profile on your device to achieve the best results.
Prevent App Uninstall
The next step is to prevent both the Cloudflare One Agent and DNS Configuration Profile from being uninstalled.
There are a few ways to do this (you can only choose one):
- Disable Removing Apps with Screen Time.
- Disable Removing Apps with Supervised mode.
- Control which apps are installed remotely using Managed mode.
Use Managed Mode to Remotely Install or Uninstall Apps
Of the three options, it is much more effective to use managed mode. Managed mode unlocks the ability to remotely install or uninstall apps, while also removing this ability on the iPhone device itself. Unfortunately, enabling managed mode on your iPhone isn't very straightforward.
Use Supervised Mode to Disable Apps from Being Removed from the iPhone Device
Supervised mode is easier to set up than managed mode and offers the ability to prevent apps from being uninstalled. It uses the same mechanism that the DNS configuration profile uses and even allows you to set up a simple app blocklist or allowlist.
Apple
Apple's Better Screen Time Alternative
Apple provides a better alternative to Screen Time that solves for the most common weaknesses of their parental control solution. This more restrictive setup gives you better control over an iPhone.
Use Screen Time to Limit the App Store
Screen Time is still a viable option; however, it can only be locked with a 4-digit pin. It is possible to use a secondary Apple ID to prevent the pin from being changed as easily. Both supervised and managed modes can install profiles that are not possible to remove without the help of another device. That being said, Screen Time is the easiest of the three options to set up.
We go over a full range of restrictions that are possible in our dumb phone articles. A Dumb Phone is a smartphone with all of its distracting elements removed.
Dumb Phone
How to Convert an iPhone into a Dumb iPhone
Keep your GPS and camera. Make your iPhone dumber by restricting the more intrusive features like web browsing and the App Store.
Prevent your DNS Policy from Being Disabled on Your iPhone
The Cloudflare One Agent usually attempts to reconnect its VPN if that VPN profile gets disabled on your iPhone. However, this isn't the only way you can enforce the VPN:
- Enable bypass prevention Settings on the Tech Lockdown Dashboard.
- Use iPhone automations to automatically switch to the correct VPN profiles when the Settings app gets closed. This isn't as effective as disabling changes to WARP settings, but it is a strong backup option. It can also work faster than the app can react.
- Prevent changes to VPN settings with a profile while using supervised mode.
- Enable the kiosk feature with managed mode.
Enable Settings on the Tech Lockdown Dashboard
By default, your dashboard will prevent changes to WARP settings from your devices.
We've also included on option for you to disable the logout option from the Cloudflare App.
Disable the Ability to Change VPN Settings with Supervised Mode
If your iPhone is supervised, then you can install a profile that limits the ability to change VPN settings at all.
Enable the Kiosk feature on a managed iPhone device
On managed mode, you can enable the kiosk feature to restrict the Settings app entirely. This removes the app from the iPhone's home screen, and is much more effective.
Limit your iPhone's Settings with the Shortcuts App
This technique only applies to standard iPhone devices. It's not necessary on supervised or managed devices, since there are far better options that are available on those devices.
Most modern iPhone devices include the Shortcuts app. Shortcuts allow you to create Automations, which allow you to change Settings once another action is performed on your iPhone device. An example of this might be to enable the Cloudflare VPN when a browser is opened.
iPhone
How to Enforce a VPN on an iPhone
Prevent bypass of VPNs that filter content on an iPhone by enforcing VPN profiles and preventing a user from overriding them.
