The payload that configures web content filters.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
FilterType FilterType The type of filter, built-in or plug-in. In macOS, the system only supports the plug-in value. | string | optional | BuiltIn | ✓Yes | iOS (8.0+) |
SafariHistoryRetentionEnabled SafariHistoryRetentionEnabled New in visionOS 26.0 If `true`, this payload enforces a policy which requires retention of browsing history. This causes Safari to disable clearing of browsing history, and prevents the use of private browsing mode because that mode doesn't keep browsing history. | boolean | optional | true | ✓Yes | iOS (26.0+)macOS (26.0+)visionOS (26.0+) |
Web filter enabled AutoFilterEnabled If `true`, the system enables automatic filtering. Use when `FilterType` is `BuiltIn`. | boolean | optional | false | ✗No | |
PermittedURLs PermittedURLs An array or URLs that are accessible whether or not the automatic filter allows access. Use when `FilterType` is `BuiltIn`. Requires that `AutoFilterEnabled` is `true`. 1 subkey | array | optional | — | ✗No | |
└─ Permitted url items PermittedURLItems | string | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) | |
BlacklistedURLs BlacklistedURLs Deprecated (iOS 14.5) Use `DenyListURLs` instead. 1 subkey | array | optional | — | ✓Yes | iOS (legacy - 14.5) |
└─ Blacklisted url items BlacklistedURLItems | string | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) | |
DenyListURLs DenyListURLs An array of URLs that are inaccessible. Use when `FilterType` is `BuiltIn`. Limit the number of these URLs to no more than 500. 1 subkey | array | optional | — | ✓Yes | iOS (14.5+) |
└─ Denylisted url items DenyListURLItems | string | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) | |
HideDenyListURLs HideDenyListURLs If `true`, the device hides the `DenyListURLs` item in the profiles that display in Settings > General > VPN & Device Management. | boolean | optional | false | ✓Yes | iOS (18.0+)visionOS (2.0+) |
White list WhitelistedBookmarks Deprecated (iOS 14.5) Use `AllowListBookmarks` instead. 1 subkey | array | optional | — | ✓Yes | iOS (legacy - 14.5) |
└─ Identifier WhitelistedBookmarksItem 2 subkeys | dictionary | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) | |
└─ └─ URL URL The URL of the bookmark in the allow list. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ └─ Title Title The title of the bookmark. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
Allow list AllowListBookmarks An array of dictionaries that define the pages that the user can bookmark or visit. Use when `FilterType` is `BuiltIn`. 1 subkey | array | optional | — | ✓Yes | iOS (14.5+) |
└─ Identifier AllowListBookmarksItem 2 subkeys | dictionary | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) | |
└─ └─ URL URL The URL of the bookmark in the allow list. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ └─ Title Title The title of the bookmark. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
UserDefinedName UserDefinedName The display name for this filtering configuration. Required when `FilterType` is `Plugin`. | string | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
PluginBundleID PluginBundleID The bundle ID of the plug-in that provides filtering service. Required when `FilterType` is `Plugin`. Otherwise, it ignores this value. Consult your filtering solution vendor to determine what to specify for this value. Required when `FilterType` is `Plugin`. | string | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
ServerAddress ServerAddress The server address, which may be the IP address, hostname, or URL. Use when `FilterType` is `Plugin`. | string | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
Username UserName The user name for the service. Use when `FilterType` is `Plugin`. | string | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
Password Password The password for the service. Use when `FilterType` is `Plugin`. | string | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
Certificate UUID PayloadCertificateUUID The UUID of the certificate payload within the same profile that the system uses to authenticate the user. Use when `FilterType` is `Plugin`. | string | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
Organization Organization The organization string to pass to the third-party plug-in. Use when `FilterType` is `Plugin`. | string | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
VendorConfig VendorConfig The custom dictionary that the filtering service plug-in needs. Use when `FilterType` is `Plugin`. 1 subkey | dictionary | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ ANY ANY The custom key/value pairs for the filtering service. | any | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
FilterBrowsers FilterBrowsers If `true`, the system enables filtering WebKit traffic. Use when `FilterType` is `Plugin`.
> Note:
> At least one of `FilterBrowsers` or `FilterSockets` needs to be `true`. | boolean | optional | false | ✗No | |
FilterSockets FilterSockets If `true`, enables the filtering of socket traffic. Use when `FilterType` is `Plugin`.
> Note:
> At least one of `FilterBrowsers` or `FilterSockets` needs to be `true`. | boolean | optional | false | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
Filter Data Provider Designated Requirement FilterDataProviderDesignatedRequirement The designated requirement string that the system embeds in the code signature of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. Required if `FilterSockets` is `true`. | string | optional | — | ✓Yes | macOS (10.15+) |
Filter Data Provider Bundle Identifier FilterDataProviderBundleIdentifier The bundle identifier string of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. Required if `FilterSockets` is `true`. | string | optional | — | ✓Yes | macOS (10.15+) |
Filter Network Packets FilterPackets If `true` and `FilterType` is `Plugin`, the system enables filtering network packets. Use when `FilterType` is `Plugin`.
> Note:
> At least one of `FilterPackets` or `FilterSockets` needs to be `true`. | boolean | optional | false | ✓Yes | macOS (10.15+) |
Filter Packet Provider Designated Requirement FilterPacketProviderDesignatedRequirement The designated requirement string that the system embeds in the code signature of the filter packet provider system extension. This string identifies the filter packet provider when the filter starts running. Required if `FilterPackets` is `true`. | string | optional | — | ✓Yes | macOS (10.15+) |
Filter Packet Provider Bundle Identifier FilterPacketProviderBundleIdentifier The bundle identifier string of the filter packet provider system extension. This string identifies the filter packet provider when the filter starts running. Required if `FilterPackets` is `true`. | string | optional | — | ✓Yes | macOS (10.15+) |
Filter Grade FilterGrade The system uses this value to derive the relative order of content filters. Filters with a grade of `firewall` see network traffic before filters with a grade of `inspector`. However, the system doesn't define the order of filters within a grade. | string | optional | firewall | ✓Yes | macOS (10.15+) |
Content Filter UUID ContentFilterUUID A globally unique identifier for this content filter configuration. The content filter processes network traffic for managed apps with the same `ContentFilterUUID` in their app attributes. Use when `FilterType` is `Plugin`.This key must be present for unsupervised devices and user enrollment. | string | optional | — | ✓Yes | iOS (16.0+) |
FilterURLs FilterURLs If `true`, the system filters URL requests. Use when `FilterType` is `Plugin`. Available in iOS 26 and macOS 26, and later. | boolean | optional | false | ✓Yes | iOS (26.0+)macOS (26.0+) |
URLFilterParameters URLFilterParameters A dictionary containing URL filter parameters. Required when `FilterURLs` is `true`. Available in iOS 26 and macOS 26 and later. 7 subkeys | dictionary | optional | — | ✓Yes | iOS (26.0+)macOS (26.0+) |
└─ URL Filter Control Provider Designated Requirement URLFilterControlProviderDesignatedRequirement The designated requirement string in the code signature of the URL filter control provider app extension. The system uses this string to identify the URL filter control provider when the filter starts running. Required in macOS. | string | optional | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ URL Filter Control Provider Bundle Identifier URLFilterControlProviderBundleIdentifier The bundle identifier string of the URL filter control provider app extension. The system uses this string to identify the URL filter control provider when the filter starts running. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ Private Information Retrieval server URL PIRServerURL The URL containing the domain name of the private information retrieval server. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ Privacy Pass Issuer URL PIRPrivacyPassIssuerURL The URL containing the domain name of Privacy Pass Issuer. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ Authentication Token PIRAuthenticationToken The per-user authentication token string, which is an HTTP bearer token for the person using your app. The system uses this token to attest that it is a valid user when requesting anonymous authentication tokens for PIR exchanges. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ URLFilterFailClosed URLFilterFailClosed If `true`, the system blocks URLs if the filter is enabled, but it fails to make any filtering decision; for example, if there's a communication failure with the PIR server. If `false`, the system allows URLs if the filter is enabled, but it fails to make any filtering decision. | boolean | optional | false | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
└─ URLPrefilterFetchFrequency URLPrefilterFetchFrequency The time interval in seconds that the system uses to periodically run the `NEURLFilterControlProvider` app extension. The default value is 86400 seconds (1 day). The minimum allowed value is 2700 seconds (45 minutes). The system allows `NEURLFilterControlProvider` implementations to download prefilter Bloom filter data onto the device periodically at the specified interval. Implementations need to allow for a slight difference between the scheduled time and the actual runtime of the task, due to the scheduling mechanism on the system. Range: 2700 - | integer | optional | 86400 | ✓Yes | iOS (7.0+)macOS (10.15+)visionOS (1.1+) |
