The Web Content Filter payload allows you to whitelist and blacklist specific web URLs. This payload is supported only on supervised devices.
When multiple content filter payloads are present:
The blacklist is the union of all blacklists—that is, any URL that appears in any blacklist is inaccessible.
The permitted list is the intersection of all permitted lists—that is, only URLs that appear in every permitted list are accessible when they would otherwise be blocked by the automatic filter.
The whitelist list is the intersection of all whitelists—that is, only URLs that appear in every whitelist are accessible.
URLs are matched by using string-based root matching. A URL matches a whitelist, blacklist, or permitted list pattern if the exact characters of the pattern appear as the root of the URL.
For example, if test.com/a is blacklisted, then test.com, test.com/b, and test.com/c/d/e will all be blocked. Matching does not discard subdomain prefixes, so if test.com/a is blacklisted, m.test.com is not blocked.
Also, no attempt is made to match aliases (IP address versus DNS names, for example) or to handle requests with explicit port numbers.
If a profile does not contain an array for PermittedURLs or WhitelistedBookmarks, that profile is skipped when evaluating the missing array or arrays.
As an exception, if a payload contains an AutoFilterEnabled key, but does not contain a PermittedURLs array, that profile is treated as containing an empty array—that is, all websites are blocked.
All filtering options are active simultaneously. Only URLs and sites that pass all rules are permitted.
Type of filter, built-in or plug-in
FilterType must be Plugin on macOS
Web filter enabled
Optional. If true, automatic filtering is enabled. This function evaluates each web page as it is loaded and attempts to identify and block content not suitable for children. The search algorithm is complex and may vary from release to release, but it is basically looking for adult language, i.e. swearing and sexually explicit language. The default value is false.
Used only when AutoFilterEnabled is true. Otherwise, this field is ignored. Each entry contains a URL that is accessible whether the automatic filter allows access or not.
Optional. If present, these URLs are added to the browser’s bookmarks, and the user is not allowed to visit any sites other than these. The number of these URLs should be limited to about 500.
A string which will be displayed for this filtering configuration.
The Bundle ID of the plugin that provides filtering service.
Server address (may be IP address, hostname, or URL).
A username for the service.
A password for the service.
UUID of the certificate payload containing an identity used as the client credential
An Organization string that will be passed to the 3rd party plugin.