Securing the Remote Edge: A Guide to On-Device Content Filtering
In a decentralized work environment, relying solely on corporate firewalls is no longer effective. Devices constantly shift between home Wi-Fi, 5G networks, and public hotspots. By leveraging OS-level Web Content Filtering, Hexnode UEM pushes network security directly to the endpoint, ensuring that web traffic is evaluated against organizational compliance rules regardless of the device’s physical location.
1. The Architectural Concept: On-Device Filtering
Traditional web filtering relies on a choke point (e.g., the office router). Hexnode UEM circumvents this by installing the filter directly at the operating system level. Because the restriction payload is configured via MDM, the device enforces its own security perimeter:
- iOS/iPadOS (Supervised): Utilizes Apple’s native Web Content Filter payload. It allows administrators to automatically restrict adult content, enforce strict Allowlists (creating automated Safari bookmarks), or deploy custom Blocklists. Private browsing and history clearing are automatically disabled.
- macOS: Supports both native Apple web filtering and advanced Content Filter Plug-ins (System Extensions). Admins can integrate third-party filtering services (like Cisco Umbrella or CrowdStrike) to monitor WebKit-based browsers, network packets, and socket traffic.
- Android: Uses Samsung Knox (API level 19+) firewall rules to intercept traffic. Because the rules apply at the network layer, access is blocked in standard browsers and in mobile applications alike.
- Windows: Filtering happens right inside supported browsers (like Chrome, Edge, or Firefox). Administrators give the browser a specific list of allowed or blocked websites, and the browser stops users from visiting the restricted ones.
- Linux: Filtering happens at the device level. The system checks all web traffic against a list of allowed or blocked websites. If a user tries to visit a blocked site, the system drops the connection, and the page simply won’t load.
2. Logic Gate Matrix: Content Filtering Strategies
Hexnode allows organizations to tailor their filtering logic based on the strictness required for different user groups or device use-cases.
| Filter Approach | Primary Mechanism | Best Used For | Platform Behavior |
|---|---|---|---|
| Strict Allowlist | Denies all traffic except explicitly defined URLs. | Kiosks, Point-of-Sale (POS) devices, strict compliance environments. | On iOS, allowed URLs become Safari bookmarks. Subdomains must be added manually. |
| Targeted Blocklist | Permits general browsing but blocks specific unproductive or malicious URLs. | Corporate-owned devices, General Staff. | Blocks the entire domain (e.g., blocking site.com/sub blocks all of site.com). |
| Auto-Filter (Apple) | Built-in Apple algorithm that targets explicit/profane content. | Education sectors (CIPA compliance), standard corporate limits. | iOS/macOS natively evaluates the content. Allows exceptions to be manually permitted. |
| Plug-in Filtering | Third-party vendor integration via Hexnode. | High-security environments requiring deep packet inspection. | macOS only. Filters sockets and packets (Firewall/Inspector grade). |
3. Advanced Implementation: macOS System Extensions
For environments requiring more than basic URL blocklists, Hexnode supports the deployment of macOS Content Filter Plug-ins.
By deploying this policy, network architects can configure a third-party application to operate as a local security proxy. Hexnode manages the configuration seamlessly by defining the:
- Plug-In Bundle ID
- Socket and Packet Bundle IDs
- Filter Grade: Dictating whether the extension operates at the Firewall level or the Inspector level.
(Note: To prevent the plug-in from failing or being disabled by macOS security protocols, the app’s Bundle ID and Team Identifier must be explicitly approved via a Hexnode System Extensions policy.)
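To make the three policy fields above and the approval note concrete, the following added example (not Hexnode's code; Hexnode generates these profiles for you from the policy) builds the two Apple payloads a macOS plug-in filter deployment rests on and checks the dependencies between the settings: a Web Content Filter payload of type `com.apple.webcontent-filter` with `FilterType` "Plugin", the plug-in, socket-provider and packet-provider bundle IDs and the `FilterGrade`, plus a `com.apple.system-extension-policy` payload that approves the extension by Team ID and bundle ID. Key names follow Apple's published payload schema as I understand it; confirm them against Apple's Device Management documentation. Every identifier in the sample is a constructed placeholder.

```python
"""Build and sanity-check the payloads behind a macOS plug-in content filter.
Illustrative code, not Hexnode's implementation. Apple payload key names are
reproduced from memory of Apple's schema; verify before relying on them.
All bundle IDs, team IDs and identifiers here are constructed placeholders."""

import plistlib
import uuid
from typing import Dict, List, Optional

FILTER_GRADES = ("firewall", "inspector")   # the two grades named in the policy


def validation_errors(plugin_bundle_id: str, filter_sockets: bool, filter_packets: bool,
                      socket_provider_id: Optional[str], packet_provider_id: Optional[str],
                      filter_grade: str) -> List[str]:
    """Each enabled filtering path needs the bundle ID of the extension that
    implements it; the grade must be one of the two supported values."""
    errors = []
    if not plugin_bundle_id:
        errors.append("PluginBundleID is required for FilterType Plugin")
    if filter_sockets and not socket_provider_id:
        errors.append("FilterDataProviderBundleIdentifier is required when FilterSockets is true")
    if filter_packets and not packet_provider_id:
        errors.append("FilterPacketProviderBundleIdentifier is required when FilterPackets is true")
    if filter_grade not in FILTER_GRADES:
        errors.append(f"FilterGrade must be one of {FILTER_GRADES}")
    return errors


def build_plugin_filter_payload(name: str, plugin_bundle_id: str, *, filter_sockets: bool = False,
                                filter_packets: bool = False, socket_provider_id: Optional[str] = None,
                                packet_provider_id: Optional[str] = None, filter_grade: str = "firewall",
                                filter_browsers: bool = True) -> Dict:
    """Web Content Filter payload for a third-party plug-in (FilterType "Plugin")."""
    errors = validation_errors(plugin_bundle_id, filter_sockets, filter_packets,
                               socket_provider_id, packet_provider_id, filter_grade)
    if errors:
        raise ValueError("; ".join(errors))
    payload = {
        "PayloadType": "com.apple.webcontent-filter",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.webfilter.{uuid.uuid4()}",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "FilterType": "Plugin",
        "PluginBundleID": plugin_bundle_id,
        "FilterBrowsers": filter_browsers,   # WebKit-based browser traffic
        "FilterSockets": filter_sockets,     # socket-level filtering
        "FilterPackets": filter_packets,     # packet-level filtering
        "FilterGrade": filter_grade,         # "firewall" or "inspector"
    }
    if filter_sockets:
        payload["FilterDataProviderBundleIdentifier"] = socket_provider_id
    if filter_packets:
        payload["FilterPacketProviderBundleIdentifier"] = packet_provider_id
    return payload


def build_system_extension_policy(team_id: str, bundle_ids: List[str]) -> Dict:
    """Approval that lets the content-filter system extension load; without it
    the plug-in deploys but captures no socket or browser traffic."""
    return {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.sysext.{uuid.uuid4()}",       # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Approved content filter extensions",
        "AllowedSystemExtensions": {team_id: list(bundle_ids)},     # Team ID -> bundle IDs
    }


def to_mobileconfig(payloads: List[Dict], profile_name: str) -> str:
    """Wrap the payloads in a top-level Configuration profile as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"example.profile.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": profile_name,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile).decode("utf-8")


if __name__ == "__main__":
    # Constructed placeholders for a socket-filtering plug-in at inspector grade.
    filt = build_plugin_filter_payload("Example filter", "com.example.filter.app",
                                       filter_sockets=True, socket_provider_id="com.example.filter.ext",
                                       filter_grade="inspector")
    approval = build_system_extension_policy("ABCDE12345", ["com.example.filter.ext"])
    print(to_mobileconfig([filt, approval], "Web content filter"))
```

The approval payload is deliberately built alongside the filter payload: the troubleshooting case where a deployed plug-in captures nothing is exactly the situation where the second payload is missing. Apple's schema also carries the providers' code-signing designated requirements (`FilterDataProviderDesignatedRequirement` and `FilterPacketProviderDesignatedRequirement`); they are not modelled here.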
4. Troubleshooting & Expected Behaviors
When deploying web content filtering at scale, IT teams should be aware of the specific OS-level behaviors governed by the MDM profile:
| Behavior / Issue | Technical Reason | Resolution / Admin Note |
|---|---|---|
| URL Redirect Bypasses Block | If a blocklisted URL auto-redirects to a new domain, the OS may permit the traffic if the new domain isn’t blocklisted. | Ensure all known aliases and redirect URLs are explicitly added to the Hexnode blocklist. |
| Tethering/VPN Failures (Android) | On Android devices, a Web Content Filtering policy is enforced through Knox firewall rules, which can conflict with local tethering. | This is expected behavior on Samsung Knox devices. Network architecture may need adjustment. |
| Plug-in Blocked (macOS) | A deployed content filter plug-in fails to capture socket or browser traffic. | The macOS System Extension was not explicitly approved in the Hexnode portal prior to plug-in deployment. |
| Subdomain Unreachable | An admin allowlisted hexnode.com, but users cannot reach forums.hexnode.com. | Allowlisting domains does not automatically allowlist subdomains. Add them explicitly. |
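The strategy matrix and the troubleshooting table together describe three list semantics worth checking before a rollout: a blocklist entry with a path still blocks the whole domain, an allowlisted domain does not cover its subdomains, and every hop of a redirect is judged on its own host, so an alias not on the list passes. The following added example (my illustration, not Hexnode's or Apple's implementation) models exactly those behaviors so a team can dry-run a proposed list against the URLs users actually visit. Subdomain matching is exposed as an explicit option that defaults to off, because the page only documents the allowlist case; the domains in the sample are constructed placeholders.

```python
"""Dry-run model of allowlist/blocklist semantics as documented on this page.
Illustrative code, not Hexnode's implementation: a rule with a path matches the
whole host, an allowlisted host does not cover its subdomains, and each redirect
hop is evaluated independently. Sample domains are constructed placeholders."""

from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit


def host_of(entry: str) -> str:
    """Reduce a URL or bare domain to its lowercase host, dropping scheme, port
    and path, so 'site.com/sub' and 'https://site.com' become the same rule."""
    text = entry.strip().lower()
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").rstrip(".")


@dataclass
class ContentFilter:
    mode: str                                    # "allowlist" or "blocklist"
    entries: List[str] = field(default_factory=list)
    match_subdomains: bool = False                # off: the documented allowlist behavior
    hosts: Set[str] = field(init=False, default_factory=set)

    def __post_init__(self) -> None:
        if self.mode not in ("allowlist", "blocklist"):
            raise ValueError("mode must be 'allowlist' or 'blocklist'")
        # Normalise every rule to its host so path components are ignored.
        self.hosts = {h for h in (host_of(e) for e in self.entries) if h}

    def _listed(self, host: str) -> bool:
        if host in self.hosts:
            return True
        if self.match_subdomains:
            return any(host.endswith("." + h) for h in self.hosts)
        return False

    def decision(self, url: str) -> Tuple[str, str]:
        """Return (verdict, reason) for one request, verdict being ALLOW or BLOCK."""
        host = host_of(url)
        listed = self._listed(host)
        if self.mode == "blocklist":
            return ("BLOCK", f"{host} matches blocklist") if listed else ("ALLOW", f"{host} not blocklisted")
        return ("ALLOW", f"{host} matches allowlist") if listed else ("BLOCK", f"{host} not allowlisted")

    def allowed(self, url: str) -> bool:
        return self.decision(url)[0] == "ALLOW"


def walk_redirects(filt: ContentFilter, chain: Iterable[str]) -> List[Tuple[str, str]]:
    """Judge each hop of a redirect chain on its own host; stop at the first
    BLOCK because the OS drops that connection and nothing after it loads."""
    results = []
    for url in chain:
        verdict, _ = filt.decision(url)
        results.append((url, verdict))
        if verdict == "BLOCK":
            break
    return results


if __name__ == "__main__":
    # Constructed inputs mirroring the rows of the troubleshooting table.
    blocklist = ContentFilter("blocklist", ["site.com/sub"])
    print(blocklist.decision("https://site.com/other"))          # whole domain blocked
    allowlist = ContentFilter("allowlist", ["hexnode.com"])
    print(allowlist.decision("https://forums.hexnode.com/"))      # subdomain not inherited
    chain = ["https://short-link.example/x", "https://mirror.example/"]
    print(walk_redirects(blocklist, chain))                        # alias passes until listed
    print(walk_redirects(ContentFilter("blocklist", ["site.com", "mirror.example"]), chain))
```

Running the candidate list through `walk_redirects` with the redirect chains observed in proxy or browser logs is a cheap way to find the aliases the resolution column tells you to add before users do.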
5. Governance: Privacy & Productivity
- Bandwidth Conservation: By blocking access to high-bandwidth streaming domains or unsanctioned software repositories, organizations reduce cellular data overages on corporate endpoints.
- App-Level Restrictions: While Hexnode blocks URLs in the browser, administrators can complement this by using Hexnode’s Application Management capabilities to blocklist the native applications of restricted services (e.g., blocklisting both youtube.com and the YouTube mobile app).