The device config generator can be used to protect a VPN connection on your Supervised iPhone or iPad, ensuring that a conflicting VPN connection isn't used (which would bypass content filtering).
This Config File also adds a DNS Settings payload to your iPhone that points all non-VPN web traffic to your Content Policy's DNS filter. The DNS payload acts as a final backup filter: if the VPN is ever disabled, content you never want allowed on your Content Policy is still blocked.
We recommend configuring both the protected VPN profile and the protected DNS Settings if you have a supervised iPhone or iPad. With this setup, it's impossible to disable filtering without removing the Config File.
Combining the filtered VPN with DNS Settings
The filtered VPN profile can take advantage of member-specific rules, and should connect automatically on your iPhone (this is Apple's "Connect on Demand" feature).
While this VPN is active, any DNS Settings added with a Config File are essentially ignored. That means DNS Settings act as a backup to the VPN.
If your DNS Content Policy rules are targeted to specific devices or members on your Tech Lockdown account, the DNS Settings will only enforce the rules that apply to everyone. It's similar to how a connected router can only filter content for everyone at once.
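The two protections described above (a DNS Settings payload the user can't turn off, and a VPN that connects on demand) both live in the same .mobileconfig. The script below is an added example, not Tech Lockdown's config generator or any of its code: it reads an unsigned profile with Python's plistlib and reports whether each protection is present. It relies on Apple's documented profile keys (payload type com.apple.dnsSettings.managed with ProhibitDisablement, which only takes effect on supervised devices, and payload type com.apple.vpn.managed with OnDemandEnabled); every identifier, UUID and server name in the constructed sample is a placeholder.

```python
"""Audit an iOS .mobileconfig for the protections this page describes.

Added example, not Tech Lockdown's config generator. Expects an unsigned
profile (a CMS-signed .mobileconfig must be unwrapped first). Uses Apple's
documented keys: com.apple.dnsSettings.managed / ProhibitDisablement and
com.apple.vpn.managed / OnDemandEnabled. Sample values are placeholders.
"""
import plistlib

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"
VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"


def audit_profile(profile_bytes: bytes) -> dict:
    """Report which protections a profile contains.

    dns_payload:   a managed DNS Settings payload is present
    dns_locked:    that payload sets ProhibitDisablement (supervised only)
    vpn_payload:   a managed VPN payload is present
    vpn_on_demand: the VPN payload has Connect on Demand enabled
    """
    profile = plistlib.loads(profile_bytes)
    found = {"dns_payload": False, "dns_locked": False,
             "vpn_payload": False, "vpn_on_demand": False}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == DNS_PAYLOAD_TYPE:
            found["dns_payload"] = True
            found["dns_locked"] = payload.get("ProhibitDisablement") is True
        elif ptype == VPN_PAYLOAD_TYPE:
            found["vpn_payload"] = True
            found["vpn_on_demand"] = payload.get("OnDemandEnabled") == 1
    return found


def is_fully_protected(profile_bytes: bytes) -> bool:
    """True only when DNS is locked and the VPN connects on demand."""
    return all(audit_profile(profile_bytes).values())


def build_sample_profile(lock_dns: bool, on_demand: bool) -> bytes:
    """Constructed sample profile; a real one comes from the config generator."""
    dns_payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "placeholder.dns",            # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadDisplayName": "Content Policy DNS (sample)",
        "DNSSettings": {
            "DNSProtocol": "HTTPS",
            "ServerURL": "https://dns.example.invalid/dns-query",  # placeholder
        },
    }
    if lock_dns:
        dns_payload["ProhibitDisablement"] = True
    vpn_payload = {
        "PayloadType": VPN_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "placeholder.vpn",            # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000003",
        "UserDefinedName": "Filtered VPN (sample)",
        "VPNType": "IKEv2",
        # Server and authentication details omitted; the audit doesn't need them.
        "OnDemandEnabled": 1 if on_demand else 0,
        "OnDemandRules": [{"Action": "Connect"}],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "placeholder.profile",        # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadDisplayName": "Filtered VPN + DNS (constructed sample)",
        "PayloadContent": [dns_payload, vpn_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_profile(lock_dns=True, on_demand=True)
    for key, ok in audit_profile(data).items():
        print(f"{key:14} {'yes' if ok else 'NO'}")
    print("fully protected:", is_fully_protected(data))
```

Run it with the path to a downloaded profile to check what the Config File actually installs; a profile that has the DNS payload but not ProhibitDisablement is exactly the case where a user could switch the backup filter off once the VPN is gone.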
Use the Default-Deny Approach to Encourage Use of the Filtered VPN
If you have rules you want to ensure are applied to a specific device or member, we recommend using the Default Deny approach on your Content Policy: limit access to most non-critical websites and apps by default, unless the person is using the filtered VPN and is logged in with their email.
Using the Default Deny approach like this means someone using a protected device needs to enable the VPN to access some apps and websites.
1) Define what is allowed
First, define what your Content Policy allows. Create a new rule (or multiple rules) that specifically allows the content that should stay accessible, such as apps, content categories, or websites. We'll call these Exception Rules; they can apply to any app or website for which you want a DNS restriction enforced (like SafeSearch, YouTube Restricted Mode, or image blocks).
- Create Exception Rules for specific members on your account. Learn more about how to target specific devices.
Exception Rules must be scoped to a member on your account. If you have multiple members on your account, you can add them to the same or multiple different rules.
2) Default block everything else
Next, you'll generally block most non-critical content with a separate rule on your Content Policy. We'll call this the Default Block rule.
- Create a Default Block rule that broadly disables apps, including ones you still want to use while the VPN is active.
This Default Block rule would only restrict access to non-critical websites, like social media, video streaming, or other similar content categories. Critical websites, like a banking app or the Tech Lockdown dashboard, should not be blocked. Which content categories or apps should be restricted is up to you.
3) Connect your iPhone to the filter using both DNS Settings and the Filtered VPN
See Enabling and Enforcing DNS on an iPhone for more information.
Result:
If you have both the VPN and DNS Settings added to your iPhone, here's what this approach would look like:
- While the filtered VPN is active, access granted by Exception Rules will be allowed on the iPhone.
- If the VPN is turned off or deleted, your iPhone switches to its DNS Settings, and only the Default Block rule will apply to your iPhone.
The idea is that if the VPN is disabled on the supervised iPhone, all but the most necessary apps and websites are blocked. For example, if you set up YouTube using this approach, YouTube's website and app can only reach the internet while the VPN is active, so the VPN has to be enabled to use YouTube.
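The Result section above describes two evaluation paths: with the VPN active the member is identified and their Exception Rules apply, while on the DNS-only path only everyone-scoped rules reach the device. The following is an added example that models that behaviour in a few lines of Python; it is not Tech Lockdown's rule engine, and the precedence it assumes (an allowing Exception Rule beats the Default Block rule, and categories no rule mentions stay allowed) is an assumption for illustration. The policy, member address and category names are constructed.

```python
"""Model of the default-deny layout: which rules reach the device with the
VPN on (member known) versus with DNS Settings only (no member identity).

Added example, not Tech Lockdown's rule engine. Assumed precedence: an
allowing Exception Rule beats the Default Block rule; uncovered categories
(critical sites such as banking) stay allowed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" (Exception Rule) or "block"
    categories: frozenset              # content categories or apps covered
    members: frozenset = frozenset()   # empty means the rule applies to everyone


def applicable_rules(rules, member):
    """Rules in force on the current path.

    member is None on the DNS-only path, where the device is not logged in,
    so only everyone-scoped rules apply. With the VPN active the member is
    identified and their member-scoped rules apply as well.
    """
    return [r for r in rules
            if not r.members or (member is not None and member in r.members)]


def decide(rules, member, category):
    """Return "allow" or "block" for one category on the current path."""
    hits = [r for r in applicable_rules(rules, member) if category in r.categories]
    if any(r.action == "allow" for r in hits):
        return "allow"      # Exception Rule wins over Default Block (assumption)
    if any(r.action == "block" for r in hits):
        return "block"
    return "allow"          # not covered by any rule, e.g. banking


def report(rules, member, categories):
    """Decision per category; pass member=None for the DNS-only path."""
    return {c: decide(rules, member, c) for c in categories}


# Constructed sample policy; the member address is a placeholder.
ALICE = "alice@example.invalid"
POLICY = [
    Rule("Exception: YouTube for Alice", "allow",
         frozenset({"youtube"}), frozenset({ALICE})),
    Rule("Default Block", "block",
         frozenset({"youtube", "social-media", "video-streaming"})),
]
CATEGORIES = ["youtube", "social-media", "banking"]

if __name__ == "__main__":
    print("VPN active (Alice):", report(POLICY, ALICE, CATEGORIES))
    print("DNS only          :", report(POLICY, None, CATEGORIES))
```

With the sample policy, YouTube is allowed only on the VPN path for Alice and blocked on the DNS-only path or for any other member, while banking is never blocked on either path.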
Help Keep the Filtered VPN Active
To help ensure the VPN is active by default, we recommend using a combination of multiple techniques.
If the default-deny approach is being used with DNS on your iPhone, automatically re-enabling the filtered VPN becomes a matter of convenience: iPhone users won't need to re-enable the VPN manually.
1) Enforce the Cloudflare One VPN on your iPhone
You can prevent common issues, such as deleting the filtered VPN profile on your iPhone, by enforcing it.
Depending on whether you're using a standard or supervised iPhone, there are multiple options for you to consider. Check out our dedicated guide for Enforcing the Cloudflare One VPN on iPhone to learn more.
We also have a general guide available on our main website for Enforcing VPNs on iPhone, if you use an alternative content filter.
2) Use Shortcuts and Automations to Re-Enable the filtered VPN
Shortcuts and Automations can be used to automatically re-enable the VPN if an app is opened or closed. Check out our dedicated guide for using iPhone Automations to prevent bypass.