Whitelisting DNS Network IPs for iOS and macOS Filtering
Blocksi’s DNS filtering relies on public DNS services and therefore cannot resolve the names of devices in a private network.
Because of that, Blocksi implemented a way for clients to add network configurations for specific hostnames and IPs in their private network. These entries are whitelisted when using any of the Blocksi DNS filtering solutions: filtering by Public IP, macOS filtering, and iPad filtering.
Here are instructions on how to add these entries to the Blocksi system.
Sign in to the Blocksi Admin Dashboard as an administrator (bm.blocksi.net).
Click the profile icon and select Settings from the drop-down menu.
Scroll down to the Local DNS Mapping section.
Add your local Domain Controllers by their IP address, then assign domains to those Domain Controllers. One or more domains can be assigned to one Domain Controller. For example, Domain Controller: 10.11.11.123 and Domains: hp-printer.example.com, k12-ad.example.com, local.example.com.
For iPad filtering based on serial number to work properly, a few steps need to be completed:
Users and Organizational units synced either through Google Workspace or LDAP.
iPad serial number mappings added to the Blocksi system through the Blocksi Admin dashboard.
Filtering policy assigned to Google Workspace OU or LDAP OU.
Blocksi for iPad application configured through MDM with specific app configurations.
If you are using Google Workspace as your user directory for Chromebook and Windows filtering, the users are synced with the BMEE Domain application. Instructions for this can be found HERE.
If you are not using Google and have a Windows Active Directory, you can sync users and OUs with the Blocksi for AD Synchronization application. Instructions for this can be found HERE.
To import iPad serial number mappings
Navigate to the Device Management > Inventory menu on bm.blocksi.net.
Locate the iPad Serial Number Management section on the Device Inventory page.
Use one of the following methods to add serial number mappings:
Add Mapping Manually
Enter a valid user email in the designated field.
Input a corresponding serial number.
Click the Add button to submit the mapping.
Prepare a CSV File and Import the CSV File
The CSV file must consist of mappings in the following format: Annotated User,serial number.
For example, john.smith@example.com,SN12345678 and jane.doe@example.com,SN12345679.
Note
To apply filtering to iPads based on device serial number, the annotated users must be enrolled in the Blocksi system either through Google Workspace or, for LDAP users, through the Blocksi AD Synchronization application. The filtering policy is applied to the annotated user's Google OU or LDAP OU.
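A pre-import check for the mapping CSV, added here as an example (not Blocksi code): it flags rows that do not match the Annotated User,serial number format. It assumes there is no header row and that each serial number maps to a single user, compared case-insensitively; the sample rows after the first two are constructed.

```python
import csv
import io
import re

# Deliberately loose email shape check (one "@", a dot in the domain part).
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def check_mappings(csv_text):
    """Return (mappings, problems) for 'Annotated User,serial number' rows."""
    mappings, problems = [], []
    # Assumption: one serial maps to one user; serials compare case-insensitively.
    seen_serials = {}  # normalised serial -> line number of first use
    for line_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 2:
            problems.append((line_no, "expected exactly 2 columns"))
            continue
        email, serial = row[0].strip(), row[1].strip()
        if not EMAIL_RE.match(email):
            problems.append((line_no, "invalid user email"))
        elif not serial:
            problems.append((line_no, "empty serial number"))
        elif serial.upper() in seen_serials:
            first = seen_serials[serial.upper()]
            problems.append((line_no, f"serial already mapped on line {first}"))
        else:
            seen_serials[serial.upper()] = line_no
            mappings.append((email, serial))
    return mappings, problems


# Constructed sample input; the first two rows are the page's own examples.
SAMPLE = """john.smith@example.com,SN12345678
jane.doe@example.com,SN12345679
jane.doe@example.com;SN12345680
bob@example.com,sn12345678
not-an-email,SN12345681
"""

if __name__ == "__main__":
    good, bad = check_mappings(SAMPLE)
    print(len(good), "valid mappings")
    for line_no, reason in bad:
        print(f"line {line_no}: {reason}")
```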
To assign the filtering policy to an OU
Create a filtering policy on bm.blocksi.net under the Filtering > Policies menu.
If your users are Google Workspace users, you need to create a DNS policy.
If your users are LDAP users, you need to create an OSX regular or OSX Time-based policy.
Assign the filtering policy to either:
Google Workspace OU or
LDAP OU
Verify filtering on the target device.
To configure Blocksi for iPad application on MDM
In order for the filtering policy to be applied on the target device, you need to configure the Blocksi for iPad application on your MDM.
The collection of configurable values is a dictionary (key-value collection), where keys and values are strings. Other data types are not currently supported. The list of configurable values is valid for all MDM services and does not depend on the MDM service provider, except for userId.
iOS/iPad App Key Values
Key | Value | Required | Default Value |
---|---|---|---|
organizationId | Any string | YES | Empty string |
userAuthEnabled | true/false | YES | false |
userId | MDM service dependent | NO | Empty string |
adminPassword | Any string | NO | Empty string |
ttl | String interpretation of int | NO | 60 |
serialNumber | Any string | NO | Empty string |
showDisclaimer | true/false | YES | true |
The serialNumber key is used for filtering on iOS by serial number. This is a payload variable and its value is different for each MDM. Below is a list of the values for some of the MDMs most commonly used by our clients.
For Jamf Pro, the value is $SERIALNUMBER
For Jamf School, the value is %SerialNumber%
For Kandji, the value is $SERIAL_NUMBER
For Kace Cloud, the value is %device.SerialNumber%
For FileWave, the value is %SerialNumber%
The showDisclaimer key controls whether the Apple Privacy & Data collection notice is displayed to the end user when opening the App on the target device. When set to true, the notice is displayed; when set to false, the notice is not displayed.
Below is an example of the payload configuration for Jamf Pro:
<plist>
<dict>
<key>organizationId</key>
<string>admin@example.com</string>
<key>adminPassword</key>
<string>123Password</string>
<key>ttl</key>
<string>0</string>
<key>serialNumber</key>
<string>$SERIALNUMBER</string>
<key>userAuthEnabled</key>
<string>false</string>
<key>showDisclaimer</key>
<string>false</string>
</dict>
</plist>
Important
The same payload configuration needs to be defined for the App configuration XML/PLIST and Profile Configuration XML/PLIST.
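A check of an app configuration against the key table above, added here as an example (not Blocksi code): it reports missing required keys, non-string values such as `<true/>` or `<integer>`, and a serialNumber that is a literal rather than one of the MDM variables listed on this page. It runs on the payload as entered in the MDM, before variable substitution; the BAD payload is constructed.

```python
import plistlib

# Key table from this page: key -> (required, allowed values; None = any string)
KEYS = {
    "organizationId": (True, None),
    "userAuthEnabled": (True, {"true", "false"}),
    "userId": (False, None),
    "adminPassword": (False, None),
    "ttl": (False, None),
    "serialNumber": (False, None),
    "showDisclaimer": (True, {"true", "false"}),
}
# Per-MDM serial number variables listed on this page (other MDMs use others).
MDM_VARS = {"$SERIALNUMBER", "%SerialNumber%", "$SERIAL_NUMBER", "%device.SerialNumber%"}


def check_payload(plist_bytes):
    """Return a list of problems found in a Blocksi for iPad app config."""
    config = plistlib.loads(plist_bytes.strip())
    problems = []
    for key, (required, allowed) in KEYS.items():
        if key not in config:
            if required:
                problems.append(f"{key}: required key is missing")
            continue
        value = config[key]
        if not isinstance(value, str):
            # e.g. <true/> or <integer>60</integer>: only strings are supported
            problems.append(f"{key}: must be a <string>, got {type(value).__name__}")
        elif allowed and value not in allowed:
            problems.append(f"{key}: expected one of {sorted(allowed)}")
        elif key == "ttl" and not value.isdecimal():
            problems.append("ttl: must be an integer written as a string")
        elif key == "serialNumber" and value not in MDM_VARS:
            problems.append("serialNumber: literal value, not an MDM variable from this page")
    for key in sorted(config.keys() - KEYS.keys()):
        problems.append(f"{key}: not a documented key")
    return problems


# Constructed payload with typical mistakes (typed values, hard-coded serial).
BAD = b"""<plist><dict>
<key>organizationId</key><string>admin@example.com</string>
<key>userAuthEnabled</key><false/>
<key>ttl</key><integer>60</integer>
<key>serialNumber</key><string>SN12345678</string>
</dict></plist>"""

if __name__ == "__main__":
    print("\n".join(check_payload(BAD)))
```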
To create the filtering policy, please see Configuring the iOS Filtering Policy on the BMEE Admin Dashboard.