Discussions
Start typing to search…

Discussions

Ask a Question
Back to all

Preventing DNS setting reversion on iOS/iPadOS devices in managed deployment

2 days ago by Toschi Schiesser

I am implementing a device-protection solution (digital self-control) for end-users (private devices) and I'm using ControlD as the DNS filtering component.

My requirement is that the DNS settings on the device remain fixed to the ControlD resolvers and cannot be changed by the end-user (for example from manual DNS back to ‘Automatic’, or switching to another DNS resolver). This is critical for my use case, as the solution must prevent users from reverting the filtering via DNS change.

Here are the details of my set-up / context:

Devices: iPhones and iPads (iOS/iPadOS) deployed supervised via MDM.

DNS profile: I push a ControlD DNS profile (resolvers) via MDM.

I need the following behaviour: once installed, the resolver must be locked; the user must not be able to modify or delete the profile; the DNS must not revert to automatic or manually changed values; other DNS or VPN installations must not bypass or override the ControlD resolvers.

I expect that even if the user tries Settings > Wi-Fi > DNS > Automatic or manually enters a custom DNS in Wi-Fi or VPN settings, the device should still use the ControlD resolvers and the profile remains enforced.

My questions:

Does the ControlD DNS profile (or a specific configuration) support enforcement on iOS/iPadOS such that the user cannot revert to automatic DNS or change the DNS servers, provided the device is supervised and managed via MDM?

Is there a recommended configuration on the ControlD side (within the dashboard) or in the profile settings that ensures the DNS cannot be changed by the end-user?

Are there known limitations on iOS/iPadOS (versions, supervised mode requirement, MDM restrictions) that would permit the DNS to be changed despite profile enforcement?

In case the user installs a VPN or changes Wi-Fi network settings, are there measures in ControlD (or recommended workflow) that ensure the DNS filtering stays active and is not bypassed by the user’s settings or network changes?

I would appreciate any documentation, best-practice guidance, or examples from similar deployments.
Thank you in advance for your assistance.

Kind regards,
Thomas “Toschi” Schiesser

Log in to add a comment.