Can NEFilterControlProvider Be Used Without MDM in ADEP Distribution?

Hi~

I implemented network filtering on iOS using NEFilterControlProvider and NEFilterDataProvider. However, I found that their usage is restricted when distributing in the App Store.

Does ADEP-based distribution allow the use of NEFilterControlProvider and NEFilterDataProvider?

In TN3134, it states that NEPacketTunnelProvider requires MDM. Should I assume that NEFilterControlProvider and NEFilterDataProvider also require MDM in the same way?

Thanks.

Answered by DTS Engineer in 836365022

Enterprise distribution doesn’t change the NE deployment calculus. The rules from TN3134 apply to all distribution mechanisms.

it states that NEPacketTunnelProvider requires MDM.

No it doesn’t. Packet tunnel providers only need MDM in per-app VPN mode. The standard routing mode for packet tunnel providers, destination IP, does not require MDM.

Should I assume that NEFilterControlProvider and NEFilterDataProvider also require MDM in the same way?

No. Rather, look at the table in the Deploying a content filter provider section of TN3134. Currently, content filter providers support three deployment scenarios on iOS:

  • Supervised devices [1]

  • Managed devices, but only in per-app mode

  • Standard devices, but only for the Screen Time case

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Curiously, it’s possible to set up a supervised device without an MDM system, although in practice the vast majority of supervised devices are actually managed by MDM.

It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits.

Given all three conditions above, can NEFilterControlProvider and NEFilterDataProvider function properly when distributed via ADEP?

No.

Reiterating, content filters support three cases on iOS:

  • Supervised devices

  • Managed devices, but only in per-app mode

  • Standard devices, but only for the Screen Time case

Your setup doesn’t match any of those cases.

Also, you wrote:

VPN is in a destination IP-based routing mode that filters all device traffic

The configuration of your VPN isn’t relevant here. My second bullet refers to the configuration of your content filter. iOS 16 introduced the ability to run a content filter in per-app mode. This doesn’t require a supervised device. However, it does require a managed device, because the targeted apps must be installed via MDM. That’s because the system matches the apps to the content filter based on the ContentFilterUUID property, and for an app that property can only be set on an app managed by MDM.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
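
The deployment cases described in the answers above, as an added example that is not part of the thread and is not Apple's code: a check that reads a configuration profile and reports, for each content filter payload, whether it is per-app (managed device) or device-wide (supervised device). It assumes the filter is delivered as a `com.apple.webcontent-filter` payload; the profile, bundle ID, UUID and the function name `filter_requirements` are constructed for illustration, and the Screen Time case is out of scope because it is not deployed by profile.

```python
import plistlib

# Constructed sample profile (not from the thread); all identifiers are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.webcontent-filter</string>
      <key>FilterType</key><string>Plugin</string>
      <key>PluginBundleID</key><string>com.example.filterapp</string>
      <key>ContentFilterUUID</key><string>00000000-0000-4000-8000-000000000001</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.webcontent-filter</string>
      <key>FilterType</key><string>Plugin</string>
      <key>PluginBundleID</key><string>com.example.filterapp</string>
    </dict>
  </array>
</dict></plist>"""


def filter_requirements(profile_bytes, managed_app_uuids=()):
    """Return (mode, required device state, app_matched) per content filter payload.

    managed_app_uuids: ContentFilterUUID values set on apps installed via MDM
    (an input you supply from your MDM inventory; assumed here).
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.webcontent-filter":
            continue
        uuid = payload.get("ContentFilterUUID")
        if uuid is None:
            # No UUID: device-wide filter, which needs a supervised device.
            findings.append(("device-wide", "supervised device", None))
        else:
            # UUID present: per-app filter; it only sees apps that MDM
            # installed with the same ContentFilterUUID.
            findings.append(("per-app", "managed device", uuid in managed_app_uuids))
    return findings


if __name__ == "__main__":
    for finding in filter_requirements(SAMPLE_PROFILE):
        print(finding)
```

A per-app result with `app_matched` set to `False` means no MDM-installed app carries that UUID, so the filter would have no app to match.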
