Allow and Block
For each policy rule, you can choose whether to allow or block traffic.
You can configure allow and block settings at the root, leaf and group levels for common services (which are pre-defined via Jamf Protect's internet content filtering capabilities) and also specify any custom domains that should be allowed or blocked.
Policy rules that you set to Block will be blocked for users at all times. You can add custom rules to create individual exceptions for one of the blocked policy rules.
A common option is to allow ActiveSync and Find My, so that your users can access this functionality at all times.
Note:
- Jamf recommends that you explicitly allow access to your organization's website domain, the domain where emails are hosted, and the domain where your UEM or MDM solution is hosted. This ensures all devices can access your core organization resources.
- The Jamf block page (http://block.jamf.com/) and *.jamfcloud.com are allowed by default, and cannot be blocked.
- Policy rules set to Allow take precedence over policy rules set to Block. Example:
If apple.com is blocked and anything.apple.com is allowed, then all subdomains of apple.com apart from anything.apple.com will be blocked. However, if anything.apple.com has a dependency (via a redirect, for example) on a different apple.com subdomain, then it is blocked.
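The precedence rule in the note above can be modelled to check a planned set of custom rules for blocked dependencies before deploying it. This is an added example, not Jamf's code or matching logic; it assumes a rule for a domain also covers that domain's subdomains, and the dependency hostnames are hypothetical.

```python
# Simplified model of the documented precedence: Allow beats Block.
# Assumption (not from the Jamf documentation): a rule for a domain
# also covers every subdomain of that domain.

def _covers(rule, host):
    """True if the rule's domain equals the host or is a parent of it."""
    rule = rule.lower().rstrip(".")
    host = host.lower().rstrip(".")
    # Compare on a label boundary so "apple.com" never matches "notapple.com".
    return host == rule or host.endswith("." + rule)

def decide(host, allow, block):
    """Return 'allow', 'block' or 'no-rule' for one hostname."""
    if any(_covers(r, host) for r in allow):
        return "allow"          # Allow is checked first, so it wins over Block
    if any(_covers(r, host) for r in block):
        return "block"
    return "no-rule"            # no custom rule applies to this host

def blocked_dependencies(entry_host, dependencies, allow, block):
    """List hosts an allowed entry point relies on that the policy blocks."""
    if decide(entry_host, allow, block) != "allow":
        return [entry_host]     # the entry point itself is not allowed
    return [d for d in dependencies if decide(d, allow, block) == "block"]

# Constructed sample policy matching the example in the note.
ALLOW = ["anything.apple.com"]
BLOCK = ["apple.com"]
# Constructed dependency list; these hostnames are hypothetical.
DEPS = ["login.apple.com", "cdn.example.net", "static.anything.apple.com"]

if __name__ == "__main__":
    for h in ["anything.apple.com", "apple.com", "other.apple.com", "notapple.com"]:
        print(h, "->", decide(h, ALLOW, BLOCK))
    print("blocked dependencies:",
          blocked_dependencies("anything.apple.com", DEPS, ALLOW, BLOCK))
```

Any host the function returns is a candidate for its own Allow rule, or a sign that the allowed domain will not load completely.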
How Site and App Blocking Works
When you select Block for a category within the policy, all web sites included in the category cannot be accessed by end users. Go to to find the category for any domain or IP address.
App blocking, however, requires a detailed analysis of not only the sites an app calls out to, but also the identifier it uses when making such requests, or the content type requested. Traffic generated and requested by apps is analyzed to ensure that all relevant traffic required to effectively block an app is captured. For some apps, while not all data may be blocked, enough could be blocked to render the app unusable.
Also note that some apps run in the background, making requests to various sites. This could result in a user being notified of a block even though they have not actively used the app.