Preventing Bypass on Mac
After you’ve connected a Mac device to your Content Policy, the next step is to enforce that connection.
If you have a Mac device, then you have several options to consider if you're trying to prevent the Content Policy from being bypassed.
App Preferences
If you connected to your Content Policy using the app, you can configure a few preferences in your Tech Lockdown dashboard to enforce some of the settings in the app. For example, you can lock the filter switch or prevent logout.
Set App Preferences on the Tech Lockdown Dashboard to ensure your Content Policy is always enabled.
Add backup filtering to your Mac machine
In addition to installing the WARP client, we strongly recommend adding backup filtering to your Mac device. This ensures that if the WARP client gets disabled, you will still have a backup, filtered connection.
There are a few ways you can do this:
- Set up DNS on Mac Settings.
- Block websites with the Hosts file.
In order to block websites with the Hosts file, you will need to access and modify it on your Mac device. We also link to a publicly maintained list of adult sites that you can copy/paste into your Hosts file directly.
Note
You can also change the DNS settings on your Mac device to enable filtering even if the WARP client gets disabled.
Configure DNS settings to Point to Your Cloudflare Filter
Another option you can consider is installing a DNS Configuration Profile on your Mac device. Doing so allows you to install a backup filtering option in case the WARP client is disabled for a prolonged period of time.
You can use the WARP client and DNS Configuration profile at the same time to achieve the best results.
Prevent Application Uninstall
The last step is to prevent the WARP client itself from being uninstalled from your Mac device. There are a few ways that you can do this:
- Install a blocking application to prevent access to sensitive programs (like Settings or Terminal).
- Use the Terminal to mark the Cloudflare client as hidden and disable the uninstall script.
Mark the WARP client as a Hidden Application
Marking the WARP client as a hidden application will prevent it from showing up in Finder or the Launchpad on your Mac device.
To do this, open Terminal on your Mac.
Enter the following command:
sudo chflags hidden /Applications/Cloudflare\ WARP.app
Mark the Cloudflare One Agent App as a hidden application
Note
If you've installed the Cloudflare One Agent (instead of the WARP client) onto your Mac device, you can mark it as a hidden application.
Open Terminal
sudo chflags hidden /Applications/Cloudflare\ One\ Agent.app
Disable the Uninstall Script
Cloudflare has very clear documentation about how to uninstall the client. To prevent simply running the uninstall script that's included with the WARP client, we recommend making the file read-only. In order to run the command, you will have to reset the file to be executable.
First, open Terminal:
Next, copy/paste the following command to change your current directory:
cd /Applications/Cloudflare\ WARP.app/Contents/Resources
From here, copy/paste this command to mark the uninstall script as read-only:
sudo chmod 444 uninstall.sh
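To confirm later that both steps are still in place, you can run a small audit script. This is an added example, not part of the original guide or of Cloudflare's tooling; the function names are made up for illustration, and it assumes the application paths shown above and the macOS `ls -O` flags column.

```sh
#!/bin/sh
# Added example: audit the two hardening steps from this page (macOS).
WARP_APP="/Applications/Cloudflare WARP.app"
AGENT_APP="/Applications/Cloudflare One Agent.app"

# Print the 9 permission characters of a path, e.g. r--r--r-- for mode 444.
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# 0 = file exists with no write/execute bits (444 or stricter),
# 1 = file is writable or executable again, 2 = file is missing.
script_is_read_only() {
    [ -f "$1" ] || return 2
    case "$(perm_string "$1")" in
        *[wxsStT]*) return 1 ;;
        *)          return 0 ;;
    esac
}

# 0 if the "hidden" flag set by `chflags hidden` is present.
# Relies on the flags column of macOS `ls -O`, so it is macOS-only.
app_is_hidden() {
    ls -ldO "$1" 2>/dev/null | awk '{print $5}' | grep -q hidden
}

# Check whichever client is installed; return non-zero if anything was undone.
audit_mac() {
    status=0
    for app in "$WARP_APP" "$AGENT_APP"; do
        [ -d "$app" ] || continue
        if app_is_hidden "$app"; then
            echo "OK    hidden flag set: $app"
        else
            echo "FAIL  hidden flag missing: $app"; status=1
        fi
    done
    script="$WARP_APP/Contents/Resources/uninstall.sh"
    if [ -d "$WARP_APP" ] && ! script_is_read_only "$script"; then
        echo "FAIL  uninstall.sh missing or not read-only: $script"; status=1
    fi
    return "$status"
}

# Run the audit only on macOS, where the paths and flags above exist.
if [ "$(uname -s)" = "Darwin" ]; then audit_mac; fi
```

A non-zero exit status means at least one of the settings has been reverted since you applied it.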
Install a Blocking Application to Restrict Access to Sensitive Programs
It's possible for you to use a blocking application to restrict your access to programs that can enable bypassing, such as Terminal.
There are two main options that we recommend, each with their own strengths and weaknesses:
- Cold Turkey: This is the application we've recommended to our customers for the past several years. It's robust, simple to install and configure, and provides extra functionality for blocking programs with specific names in their titles.
- Plucky: This program doesn't have a pretty interface for you to interact with, which can actually be a good thing. In order to change your restriction settings, you will need to interact with a command line, which means that bypassing your own restrictions is made a lot harder than with Cold Turkey.
There may be other options, but these are the ones that we've had the opportunity to test.
Managed Mac Restrictions
If you have enabled managed mode on your Mac device, here are some restrictions you can apply that will remove a user's ability to uninstall or bypass your restrictions:
Enforce and Restrict a Browser
You can disable a bunch of settings related to a specific browser. For example, with Google Chrome, you can:
- Set it as the default browser.
- Disable/block images.
- Disable all forms of Proxy.
- Disable Incognito mode.
- Enforce YouTube restricted mode and Google SafeSearch.
- Prevent deleting search history.
- Prevent a Browser Extension from being disabled.
- And more.
Most of these settings can be applied manually with the help of the Terminal. We've provided links to these guides for those interested.