
Ipadonly1

macrumors member
Original poster
Jun 8, 2023
Hi everyone,

Not completely sure if this is the best place to discuss this, but I have for a while used supervised iOS/iPadOS devices (I don’t have a Mac). The reason for this is so that I can enforce the settings on my ControlD DNS account. For instance, my ControlD set-up is that for 90% of the day, social media is blocked. If my device wasn’t in supervised mode, when I inevitably get bored with work, I could just disable the DNS settings and jump over to YouTube, procrastinating work. Supervised mode prevents this.

I wonder if anyone else makes use of a similar solution?

I wonder too if anyone, from a business/school IT perspective, has had any experience of a quirk of this. iOS treats VPNs as superior to DNS, so that if a device has an enforced DNS and then a VPN is installed on the device, the enforced DNS will be ignored in favour of the VPN. This is just the hierarchy on iOS - other platforms have different arrangements. This is not really the issue, as iOS (in theory) allows device managers to block VPNs. Therefore, in theory, a VPN cannot be used to override enforced DNS settings and there is absolutely no other way to get around the DNS settings either.

The quirk, however, is that one cannot block VPNs on iOS. The restriction exists, it has existed for years, well since iOS 11 (See ‘Add VPN Configurations’ here: https://support.apple.com/en-gb/guide/deployment/dep0f7dd3d8/web) - yet enabling the restriction does not prevent the installation of VPNs by apps, only by the user. With the restriction enabled, the user cannot create a VPN themselves in the Settings app, but they can install any VPN app and have a VPN installed that way, completely bypassing the enforced DNS settings on the device.

I’ve sent multiple feedback reports to Apple about this, but never seen any change or reply.

Does anyone else recognise this as an issue in their device management environments? Any business/school IT managers have a workaround or do in fact experience the restriction working as described in the Apple Support page linked?

Many thanks
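
For readers checking their own deployment, the following is an added example, not part of the original post and not Apple's or ControlD's code: a Python audit of a configuration profile for the two controls the post relies on, the managed DNS payload's `ProhibitDisablement` key and the restrictions payload's `allowVPNCreation` key. The sample profile, its identifier and resolver URL are constructed placeholders, and `audit_profile` is a hypothetical helper name.

```python
import plistlib

# Constructed sample profile; identifier and resolver URL are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "invalid.example.constructed",
    "PayloadContent": [
        {"PayloadType": "com.apple.dnsSettings.managed",
         "DNSSettings": {"DNSProtocol": "HTTPS",
                         "ServerURL": "https://dns.example.invalid/placeholder"},
         "ProhibitDisablement": True},
        {"PayloadType": "com.apple.applicationaccess",
         "allowVPNCreation": False},
    ],
})

def audit_profile(raw: bytes) -> dict:
    """Report whether a profile carries the DNS lock and the VPN restriction."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    report = {"dns_managed": False, "dns_locked": False,
              "vpn_creation_restricted": False, "findings": []}
    for payload in payloads:
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.dnsSettings.managed":
            report["dns_managed"] = True
            # Absent ProhibitDisablement means the user can switch the DNS off.
            report["dns_locked"] |= payload.get("ProhibitDisablement") is True
        elif ptype == "com.apple.applicationaccess":
            # The restriction only applies when explicitly set to false.
            report["vpn_creation_restricted"] |= payload.get("allowVPNCreation") is False
    if not report["dns_managed"]:
        report["findings"].append("no managed DNS payload")
    elif not report["dns_locked"]:
        report["findings"].append("managed DNS can be disabled by the user")
    if not report["vpn_creation_restricted"]:
        report["findings"].append("allowVPNCreation is not set to false")
    else:
        # Per the post, this key is reported to stop manual VPN setup only.
        report["findings"].append(
            "verify on a test device that VPN apps cannot add a configuration")
    return report

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

The audit only confirms what the profile requests; whether the device honours it for app-installed VPNs is the behaviour the post asks about and has to be checked on a supervised test device.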
 