Disabling Web Protection on Devices

Jamf Protect Documentation


There are certain situations where your network security policies require you to disable web protection completely on the device. These situations include:

  • When devices are using an enterprise network that has a local security stack or proxy that the device must use.

  • When the device connects using a corporate VPN, all DNS requests must be handled by the enterprise's DNS name servers.

Note: If you want to bypass specific domains to handle split-brain DNS scenarios, see the Bypassing Specific Domains section.

You can configure a rule to disable web protection by defining certain network criteria. The criteria may include:

  • Wi-Fi SSID

  • DNS name server IP address

  • DNS search domain assigned to the device

As part of the network criteria, specify the action (for example, Disconnect) that is applied to the connection when those criteria are met.

The following example shows a sample On Demand rules payload that does the following to the web protection service on the device, evaluated in this order:

  1. Disable web protection if the DNS search domain issued to a device matches *.customer.com.

  2. Disable web protection if the DNS name server address issued to the device is 10.102.46.20 or 10.102.46.30.

  3. Otherwise, enable web protection.

<array>
  <dict>
    <key>DNSDomainMatch</key>
    <array>
        <string>*.customer.com</string>
    </array>
    <key>Action</key>
    <string>Disconnect</string>
  </dict>
  <dict>
    <key>DNSServerAddressMatch</key>
    <array>
        <string>10.102.46.20</string>
        <string>10.102.46.30</string>
    </array>
    <key>Action</key>
    <string>Disconnect</string>
  </dict>
  <dict>
    <key>Action</key>
    <string>Connect</string>
  </dict>
</array>
Note: You can use the following steps to discover the DNS search domains and DNS name server addresses that are configured by the network you are connecting to:

In Terminal, enter the command scutil --dns while your macOS device is connected to the network on which you want web protection disabled.

The resulting response should include a list of search domains and DNS name server IPs, like this:

DNS configuration
resolver #1
  search domain[0] : cof.ds.customer.com
  search domain[1] : ds.customer.com
  search domain[2] : kdc.customer.com
  search domain[3] : osd.dev.customer.com
  search domain[4] : dev.customer.com
  search domain[5] : uk.customer.com
  search domain[6] : customer.com
  nameserver[0] : 10.102.46.20
  nameserver[1] : 10.102.46.30

Then, issue the same command when the device is "off net" and confirm that the returned values differ sufficiently from the "on net" values. You can then use those "on net" values to define the conditions under which web protection should be disabled.
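The ordered evaluation of the On Demand rules above, and the "on net" versus "off net" scutil --dns comparison, as an added example that is not part of the Jamf Protect documentation: it parses constructed scutil --dns output, walks the rule array in order and returns the first matching Action. The matching semantics (any observed search domain or name server matching any listed pattern, glob-style wildcards, *.customer.com not matching the bare apex) are this example's assumption, and the sample outputs are constructed.

```python
import plistlib
import re
from fnmatch import fnmatchcase

# Constructed: the page's On Demand rules wrapped in a plist so plistlib can load them.
ON_DEMAND_RULES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
  <dict><key>DNSDomainMatch</key><array><string>*.customer.com</string></array>
        <key>Action</key><string>Disconnect</string></dict>
  <dict><key>DNSServerAddressMatch</key><array><string>10.102.46.20</string>
        <string>10.102.46.30</string></array><key>Action</key><string>Disconnect</string></dict>
  <dict><key>Action</key><string>Connect</string></dict>
</array></plist>"""

# Constructed scutil --dns output, trimmed to the lines the rules care about.
ON_NET = """DNS configuration
resolver #1
  search domain[0] : ds.customer.com
  search domain[1] : customer.com
  nameserver[0] : 10.102.46.20
"""
OFF_NET = """DNS configuration
resolver #1
  search domain[0] : home.lan
  nameserver[0] : 192.168.1.1
"""

def parse_scutil_dns(text):
    """Pull the search domains and name server IPs out of scutil --dns output."""
    domains = re.findall(r"search domain\[\d+\]\s*:\s*(\S+)", text)
    servers = re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", text)
    return domains, servers

def rule_matches(rule, domains, servers):
    # Every criterion present in the rule must match; a criterion matches when any
    # observed value matches any listed pattern (assumed glob semantics). No criteria = catch-all.
    checks = []
    if "DNSDomainMatch" in rule:
        checks.append(any(fnmatchcase(d, p) for d in domains for p in rule["DNSDomainMatch"]))
    if "DNSServerAddressMatch" in rule:
        checks.append(any(fnmatchcase(s, p) for s in servers for p in rule["DNSServerAddressMatch"]))
    return all(checks)

def evaluate(rules_plist, scutil_text):
    """Return (rule index, Action) of the first matching rule, walking the array in order."""
    domains, servers = parse_scutil_dns(scutil_text)
    for index, rule in enumerate(plistlib.loads(rules_plist)):
        if rule_matches(rule, domains, servers):
            return index, rule["Action"]
    return None, None  # unreachable while a trailing catch-all rule is present
```

Run evaluate(ON_DEMAND_RULES, ON_NET) against real scutil --dns output captured on and off the corporate network to confirm that only the "on net" capture lands on a Disconnect rule before rolling the payload out.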