Reply To: Locking down iOS to prevent DNS changes

June 25, 2020 at 4:39 am

I am afraid to say this is no small task. Your best option is to use configuration profiles. I suggest setting them up through Apple Configurator 2 on a Mac. Otherwise, you would have to tinker around with the XML syntax of the profiles. You will want to set the device as a supervised device to have the most control. That requires wiping the device, I believe.

Once you have a supervised device there are some great restriction settings: app and website whitelists, prevention of installing or removing configuration profiles, and prevention of Erase All Content and Settings. You can prevent installation of VPNs.

Now to your question, unfortunately, the only current way to force DNS settings on WiFi AND Cell is to implement an IKEv2 VPN on the iPhone and force it through the configuration profile. This is called an Always On VPN. These cannot be uninstalled or toggled off in any way. Don’t get them confused with the auto connect VPNs. What is annoying is that no VPN services I found out there had an IKEv2 profile that I could configure on the iPhone. I ended up creating my own and hosting it on Digital Ocean for about $5 a month. Definitely a pain, especially for anyone not experienced with tech. Now, what is super annoying is that I had issues with WiFi calling and connection to an Apple Watch.

Long story short, Apple does not provide the kind of customization that is needed to create a properly restricted device. They don’t even allow app developers that customization either. Even pushing Apple’s configuration profiles to the limit, you are still going to run into technical issues and lack of documentation. I am making the switch to Android after battling for a long time to get iOS to where I was satisfied with their native restriction offerings. If you are set on Apple, an IKEv2 VPN forced into an Always On connection through a configuration profile is your only option.
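As an added example (not from the post's author), a minimal configuration-profile skeleton of the kind the reply describes: an IKEv2 VPN payload with an AlwaysOn dictionary whose single tunnel is bound to both Cellular and WiFi, so DNS cannot be changed on either interface. The hostname, identifiers, UUIDs and certificate payload reference are placeholders, and the key names follow Apple's VPN payload reference as I recall it, so validate the profile in Apple Configurator 2 before deploying it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level profile wrapper; UUIDs and identifiers are placeholders -->
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.alwayson-vpn</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>Always On VPN (example)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- VPN payload: AlwaysOn is IKEv2-only and requires a supervised device -->
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.alwayson-vpn.ikev2</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>UserDefinedName</key><string>Filtered DNS tunnel</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>AlwaysOn</key>
      <dict>
        <!-- No user-facing on/off switch for the tunnel -->
        <key>UIToggleEnabled</key><false/>
        <key>TunnelConfigurations</key>
        <array>
          <dict>
            <key>ProtocolType</key><string>IKEv2</string>
            <!-- One tunnel bound to both interfaces: Wi-Fi and cellular are both covered -->
            <key>Interfaces</key>
            <array><string>Cellular</string><string>WiFi</string></array>
            <!-- Placeholder server; the server hands the client its DNS servers at IKE setup -->
            <key>RemoteAddress</key><string>vpn.example.net</string>
            <key>RemoteIdentifier</key><string>vpn.example.net</string>
            <key>LocalIdentifier</key><string>iphone-01</string>
            <key>AuthenticationMethod</key><string>Certificate</string>
            <!-- UUID of a certificate payload shipped in the same profile (placeholder) -->
            <key>PayloadCertificateUUID</key><string>PLACEHOLDER-CERT-PAYLOAD-UUID</string>
          </dict>
        </array>
        <!-- Carrier services (e.g. Wi-Fi Calling) may bypass the tunnel; assumed relevant to the Wi-Fi calling issue above -->
        <key>ServiceExceptions</key>
        <array>
          <dict><key>ServiceName</key><string>CellularServices</string><key>Action</key><string>Allow</string></dict>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

The resolver itself is configured on the IKEv2 server, which pushes DNS server addresses to the client when the tunnel comes up; that is why the reply needed a self-hosted server rather than a commercial VPN app.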