Preventing Bypass on Mac

After you’ve connected a Mac device to your content policy, the next step is to enforce that connection.

Tech Lockdown Team | Updated June 19, 2024

If you have a Mac device, then you have several options to consider if you're trying to prevent the Content Policy from being bypassed.

App Preferences

If you connected to your Content Policy using the app, you can configure a few preferences in your Tech Lockdown dashboard to enforce some of the settings in the app. For example, you can lock the filter switch or prevent logout.

Set App Preferences on the Tech Lockdown Dashboard to ensure your Content Policy is always enabled.

Add backup filtering to your Mac machine

In addition to installing the WARP client, we strongly recommend adding backup filtering to your Mac device. This ensures that if the WARP client gets disabled, you will still have a backup, filtered connection.

There are a few ways you can do this:

  1. Set up DNS on Mac Settings.
  2. Block websites with the Hosts file.

In order to block websites with the Hosts file, you will need to access and modify it on your Mac device. We also have a link to a publicly maintained list of adult sites that you can copy/paste into your Hosts file directly.

Note
If you have an older device, adding too many (as in thousands of) entries to your Hosts file might cause a noticeable drop in performance. 
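
One way to build the Hosts-file entries from a domain list, shown as an added example that is not part of the original guide or Tech Lockdown's tooling. The marker comments, function names and the 0.0.0.0 sink address are assumptions, and the demo runs on a constructed copy rather than your real Hosts file.

```shell
#!/bin/sh
# Added example: build a managed block of Hosts entries from a domain list.
# Marker text, function names and the 0.0.0.0 sink address are assumptions.
BEGIN_MARK="# BEGIN backup-filter"
END_MARK="# END backup-filter"

# stdin: one domain per line. stdout: "0.0.0.0 <domain>" lines.
# Lowercases, strips comments and whitespace, skips malformed names and duplicates.
hosts_entries() {
    tr -d '\r' | tr 'A-Z' 'a-z' | awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/ && !seen[$0]++ {
            print "0.0.0.0 " $0
        }'
}

# merge_hosts <hosts-file> <domain-list>: replace any earlier managed block,
# keep every other line, then print how many 0.0.0.0 entries the file holds.
merge_hosts() {
    hosts=$1; list=$2
    tmp=$(mktemp) || return 1
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1 }
        !skip   { print }
        $0 == e { skip = 0 }' "$hosts" > "$tmp"
    { echo "$BEGIN_MARK"; hosts_entries < "$list"; echo "$END_MARK"; } >> "$tmp"
    cat "$tmp" > "$hosts" && rm -f "$tmp"
    grep -c '^0\.0\.0\.0 ' "$hosts"
}

# Demo on a constructed Hosts file and list; on a Mac the real file is /etc/hosts
# and editing it requires sudo.
demo() {
    d=$(mktemp -d) || return 1
    printf '127.0.0.1 localhost\n' > "$d/hosts"
    printf 'Example.com\nexample.com\n# comment\nbad_name\nads.example.net  \n' > "$d/list"
    merge_hosts "$d/hosts" "$d/list" > /dev/null
    merge_hosts "$d/hosts" "$d/list"   # second run: still 2, block not duplicated
    rm -rf "$d"
}
demo
```

The printed count is the number to watch on older devices, where thousands of entries can slow things down.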

You can also change the DNS settings on your Mac device to enable filtering even if the WARP client gets disabled.

Configure DNS settings to Point to Your Cloudflare Filter

Another option you can consider is installing a DNS Configuration Profile on your Mac device. Doing so allows you to install a backup filtering option in case the WARP client is disabled for a prolonged period of time.

You can use the WARP client and DNS Configuration profile at the same time to achieve the best results.

Note
If the WARP client is disabled on your device, the DNS Configuration profile won't be able to differentiate your device as a Mac. This means that rules you've set to apply to a specific email address will no longer apply. 

Prevent Application Uninstall

The last step is to prevent the WARP client itself from being uninstalled from your Mac device. There are a few ways that you can do this:

  1. Install a blocking application to prevent access to sensitive programs (like Settings or Terminal).
  2. Use the Terminal to mark the Cloudflare client as hidden and disable the uninstall script.

Mark the WARP client as a Hidden Application

Marking the WARP client as a hidden application will prevent it from showing up in Finder or the Launchpad on your Mac device.

To do this, open Terminal on your Mac.

Enter the following command:

sudo chflags hidden /Applications/Cloudflare\ WARP.app

Mark the Cloudflare One Agent App as a hidden application

Note
This section is only intended for those who could not install the WARP client on their Mac device. There is a glitch affecting some Mac devices that requires you to instead install the Cloudflare One Agent.

If you've installed the Cloudflare One Agent (instead of the WARP client) onto your Mac device, you can mark it as a hidden application.

Open Terminal and enter the following command:

sudo chflags hidden /Applications/Cloudflare\ One\ Agent.app

Disable the Uninstall Script

Cloudflare has very clear documentation about how to uninstall the client. To prevent simply running the uninstall script that's included with the WARP client, we recommend making the file read-only. To run the uninstall script after this change, you will first have to reset the file to be executable.

First, open Terminal:

Next, copy/paste the following command to change your current directory:

cd /Applications/Cloudflare\ WARP.app/Contents/Resources

From here, copy/paste this command to mark the uninstall script as read-only:

sudo chmod 444 uninstall.sh

Why not delete the uninstall script?
This can make the WARP client very difficult to uninstall if you have a legitimate need to remove it later on.
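
To confirm later that the hidden flag and the read-only uninstall script are still in place, a check like the following can be run from Terminal. It is an added example, not code from Tech Lockdown or Cloudflare; the function names are hypothetical and the paths are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: report whether the hardening steps on this page are still in
# place. Function names are hypothetical; paths are the ones used above.

WARP_APP="/Applications/Cloudflare WARP.app"
AGENT_APP="/Applications/Cloudflare One Agent.app"

# Print the nine permission characters of a path, e.g. "r--r--r--".
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# Succeeds only if the file exists with mode 444 (read-only, not executable).
is_read_only() {
    [ "$(mode_string "$1")" = "r--r--r--" ]
}

# Succeeds if the macOS "hidden" flag is set. `ls -ldO` prints file flags in
# the fifth column on macOS; on other systems this always reports "not hidden".
is_hidden() {
    [ "$(uname)" = "Darwin" ] || return 1
    ls -ldO "$1" 2>/dev/null | awk '{ print $5 }' | grep -qw hidden
}

# check <description> <command...>: run the test, print OK or WARN, return its status.
check() {
    desc=$1; shift
    if "$@"; then echo "OK    $desc"; else echo "WARN  $desc"; return 1; fi
}

# Audit whichever client is installed; returns non-zero if any check fails.
audit() {
    rc=0
    for app in "$WARP_APP" "$AGENT_APP"; do
        [ -d "$app" ] || { echo "SKIP  $app not installed"; continue; }
        check "hidden flag on $app" is_hidden "$app" || rc=1
    done
    script="$WARP_APP/Contents/Resources/uninstall.sh"
    if [ -f "$script" ]; then
        check "uninstall.sh is mode 444" is_read_only "$script" || rc=1
    fi
    return $rc
}

audit || echo "One or more protections have been removed."
```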

Install a Blocking Application to Restrict Access to Sensitive Programs

It's possible for you to use a blocking application to restrict your access to programs that can enable bypassing, such as Terminal.

There are two main options that we recommend, each with their own strengths and weaknesses:

  1. Cold Turkey: This is the application we've recommended to our customers for the past several years. It's robust, simple to install and configure, and provides extra functionality for blocking programs with specific names in their titles.
  2. Plucky: This program doesn't have a pretty interface for you to interact with, which can actually be a good thing. In order to change your restriction settings, you will need to interact with the command line, which means that bypassing your own restrictions is made a lot harder than with Cold Turkey.

There may be other options, but these are the ones that we've had the opportunity to test.

Managed Mac Restrictions

If you have enabled managed mode on your Mac device, here are some restrictions that you can apply that will remove the ability of a user to uninstall or bypass your restrictions:

Enforce and Restrict a Browser

You can disable a bunch of settings related to a specific browser. For example, with Google Chrome, you can:

  1. Set it as the default browser.
  2. Disable/block images.
  3. Disable all forms of Proxy.
  4. Disable Incognito mode.
  5. Enforce YouTube restricted mode and Google SafeSearch.
  6. Prevent Deleting search history.
  7. Prevent a Browser Extension from being disabled.
  8. And more.

Most of these settings can be applied manually with the help of the Terminal; we've provided links to these guides for those interested.