DNSFilter account users with admin permissions or higher can install the iOS Roaming Client on managed devices (iPhone, iPad) through a Mobile Device Management (MDM) provider. Due to Apple Configurator 2 limitations, manual app installation is not supported.
The iOS Roaming Client operates a VPN that forwards DNS queries to DNSFilter without routing other traffic through DNSFilter servers. This feature is available for Enterprise accounts.
The agent checks in every 5 minutes to detect available updates and identify offline agents.
Assign local domains before installing the iOS Roaming Client to avoid internet connection interruptions.
Install the iOS Roaming Client
All MDMs have different specifications for managing and installing apps. Consult the MDM provider's documentation for the specific steps required to deploy the iOS agent.
- From the DNSFilter dashboard, navigate to Deployments and select Roaming Clients
- Select Install Roaming Client
- Select the Site
- Select iOS
- Copy the Site Key
- Enable Auto Registration if applicable
- Download the .mobileconfig file
- Edit the KEYHERE field in the file to include the Site Key
- Add any MDM-specific information such as permissions, groups, or licensing

  To include a Client Name from the MDM, add a host_name key to the .mobileconfig file. In the example below, the Client Name appears as Test SERIALNUMBER in the DNSFilter dashboard. Tags can also be passed with this edit:

      <key>ProviderConfiguration</key>
      <dict>
          <key>site_key</key>
          <string>YOUR SITE KEY HERE</string>
          <key>host_name</key>
          <string>Test {{serial_number}}</string>
          <key>dashboard_tags</key>
          <string>Tag1, Tag2, Tag3</string>
      </dict>

  Device-specific variables such as {{serial_number}} may differ across MDM providers. Verify the correct variable syntax in the MDM provider's documentation before deploying. See examples for Microsoft Intune and Addigy.
- Create an MDM profile and upload the file
- Download the DNSFilter Roaming Client from the App Store
- Push the app to devices
Once the app is pushed, devices register in the DNSFilter dashboard and the Filtering Policy associated with the Site applies.
DNS over TLS (DoT) default behavior
DoT is enabled by default on iOS devices and may cause DNS conflicts for some clients. To disable DoT, add the following key to the .mobileconfig file before deploying:
<key>dns_over_tls_enabled</key>
<false/>
Additional MDM-specific deployment guides are available. Search the DNSFilter Help Center for example solutions including Jamf Pro and Intune.
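A pre-upload check for the edited profile, covering the Site Key edit from the install steps and the DoT override above. This is an added example, not DNSFilter's own tooling: `audit_profile`, `find_key`, and `sample_profile` are hypothetical names, and the sample profile's nesting (including where `dns_over_tls_enabled` sits) is constructed for illustration.

```python
import plistlib

# Placeholder strings that appear on this page before the Site Key is filled in.
PLACEHOLDERS = {"KEYHERE", "YOUR SITE KEY HERE"}

def find_key(node, key):
    """Yield every value stored under `key` at any depth of the parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def audit_profile(data: bytes) -> dict:
    """Check an edited .mobileconfig (hypothetical helper, not a DNSFilter tool)."""
    root = plistlib.loads(data)
    result = {"errors": [], "dot_enabled": True, "tags": []}  # DoT is on by default
    cfg = next(find_key(root, "ProviderConfiguration"), None)
    if not isinstance(cfg, dict):
        result["errors"].append("ProviderConfiguration dict not found")
        return result
    site_key = cfg.get("site_key")
    if not isinstance(site_key, str) or not site_key.strip():
        result["errors"].append("site_key missing or empty")
    elif site_key.strip() in PLACEHOLDERS:
        result["errors"].append("site_key still holds the placeholder")
    result["tags"] = [t.strip() for t in str(cfg.get("dashboard_tags", "")).split(",") if t.strip()]
    # Assumption: the override must be a plist boolean, as the page shows <false/>.
    for value in find_key(root, "dns_over_tls_enabled"):
        if isinstance(value, bool):
            result["dot_enabled"] = value
        else:
            result["errors"].append("dns_over_tls_enabled is not <true/> or <false/>")
    return result

def sample_profile(site_key, dot=None) -> bytes:
    """Constructed test profile; the nesting shown here is an assumption."""
    cfg = {"site_key": site_key, "host_name": "Test {{serial_number}}",
           "dashboard_tags": "Tag1, Tag2, Tag3"}
    if dot is not None:
        cfg["dns_over_tls_enabled"] = dot
    return plistlib.dumps({"PayloadContent": [{"ProviderConfiguration": cfg}]})

if __name__ == "__main__":
    print(audit_profile(sample_profile("YOUR SITE KEY HERE")))
    print(audit_profile(sample_profile("CONSTRUCTED-SITE-KEY", dot=False)))
```

Run it against the file's bytes (`open(path, "rb").read()`) before creating the MDM profile; an empty `errors` list means the Site Key was filled in and any DoT override is a real boolean.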
Comments
4 comments
Thank you for providing an alternative solution.
I have been waiting for a long time to get this resolved!
So glad this update helps you out, Lokken Wong! The team was definitely excited to get this fix into everyone's hands, so they appreciate the feedback.
I have some questions about this article. The Avoid filtering interruptions by encrypting DNS (DoT) article says:
But at the beginning of this article, it mentions disabling DoT, almost as if it needs to be done in preparation for installation. To me, that shouldn't be at the top, or perhaps the article should discuss why we would ever want to disable DoT.
Thanks for the feedback! The option to disable DoT is available because some IT admins prefer the option for compatibility with internal DNS setups, easier troubleshooting, or better visibility into DNS traffic for security tools. It’s all about giving admins flexibility based on their network needs.
We make recommendations and set defaults, but want to make sure our customers are aware of default updates and changes, hence the callout at the top of the process steps like you see here: DoT wasn't enabled by default until recently.
Hope this helps!