Meraki

PaulF · ‎Jan 29 2020

Prompted by a customer request the other day to lock down Chrome on iOS to a range of webpages, I thought it was worth sharing my findings and a solution.

So, the request: To Lock down Chrome so that it could only display a range of webpages, and not allow browsing elsewhere

Many apps support the appconfig.org standards that allow for application config management. Meraki Systems Manager also supports this, so, if the app supports it, when creating a managed app config, such as Nine Work for Enterprise...

Systems Manager will offer a list of supported settings when you can then configure, as above.

So, having created one for Chrome, I found nothing...

I then found the following resources:

https://sites.google.com/a/chromium.org/dev/administrators/ios-mdm-policy-format

https://sites.google.com/a/chromium.org/dev/administrators/policy-list-3

https://cloud.google.com/docs/chrome-enterprise/policies/

https://support.google.com/chrome/a/answer/9116814

http://www.chromium.org/administrators/policy-list-3

And discovered that, “Policy Support on Chrome on iOS is being removed in Chrome 48 as part of Chrome's move to WKWebView where supporting many of the policies was not possible.” And “Doesn't support managing browsers on Android or iOS.”

So, that ruled out trying to lock Chrome down...

Knowing that it's not (currently) possible to lock Safari down in Kiosk mode, my thoughts turned to Webclips...

A Web Clip is essentially a shortcut to a website that can act as an Application. You'll be able to click links within the Web Clip, but won't have free browsing, unless the website you add takes you to places like Google, for example!

So, I first created a restriction where I hid every single iOS app:

(Obviously, you can use this Restriction profile to further lock down the iPad, prevent the use of other capabilities, etc)

Secondly, I then created a Web Clip profile:

Note: It's important to tick the "Full Screen" option

I then deployed this down to the device.

Now, I'll admit, it's not perfect, but you end up with:

("I've included the Meraki SM app as well, for debug purposes). The Web Clip is on the right.

This takes you to:

Perfect!

However, some observations:

You can't get rid of the Settings application, sadly. You could use Home screen Layout and hide it in a folder, however.

Users can navigate to the "Today" view, by swiping right...

And search for things:

But clicking on them doesn't do anything (Thankfully!)

You can hide these if the devices is "Locked" in restrictions:

Show Control Center in lock screen
Show Notification Center in lock screen
Show Today view in lock screen

But not whilst unlocked

Conclusion

There are paid for applications that are managed web browsers, allowing much more functionality / lock down, but if you want to avoid that, and are willing to forgive some of the shortcomings of iOS, then the above should give you a locked down iPad, with a Web Clip that takes you to a single website!

BrechtSchamp · ‎Jan 29 2020

Thanks for taking the time to write that up @PaulF .

MCrowther · ‎Jun 3 2020

Knowing that it's not (currently) possible to lock Safari down in Kiosk mode, my thoughts turned to Webclips...

Per your quote above, I'm pretty sure it is and has been for some time. We've been using it on our iPad's since at least middle of last year.

Our method was to set Safari in Kiosk mode as per the usual process for setting any app in Kiosk mode.

Then add a managed app config that has some default pages we needed.

Then add content restriction whitelist bookmarks - that only allow the specific pages you need.

Pretty effectively blocked access to any pages that weren't explicitly bookmarked.

The only caveat is that we had some issues with renaming the profiles on-the-fly, so instead removed the profile first, renamed, re-added the profile.

PaulF · ‎Jun 4 2020

Hi @MCrowther Do you have a link to any Apple documentation that lists the keys and possible values for Safari managed app config?

beks88 · ‎Feb 2 2021

@MCrowther could you add some more in depth to this?

MCrowther · ‎Feb 2 2021

We create a custom tag e.g. CUSTOM

Then we create two profiles - one is Kiosk (single app) mode. With Safari as single app. Only the following are ticked. The tag is added to the profile's configuration page as a device tag.

Then we create another profile, same device tag, with a managed app config for safari that contains:
KEY: webpage title

TYPE: Text
VALUE: Webpage address

In that same profile we add Web Content Filter, with whitelist bookmarks. The bookmarks are the same address as the address in VALUE above. The name of it is the same as KEY above.

When we're done we save those profiles, apply the device tag to the device which adds both those profiles, and then we've got Safari locked down to just those webpages.

As it's whitelist, only those webpages listed in the whitelist are allowed to be opened. All others are blocked.

Network-dad · ‎Jun 16 2020

OMG ive been looking for a way to do this forever!!!!! thank you

Dakota Snow | Network-dad

CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad on

PeterJames · ‎Jun 22 2020

Hi @PaulF ,

Nice write up.

It really does surprise me that Apple have not made this easier by now. We used the Chrome config for Android, which works quite well. The steps are the same for the show/hide apps.

Is it still the case that iOS WebClips cannot be removed/updated remotely once added? I think this was the caveat that killed the iOS solution for us in the end when we looked at doing this.

Thank you,

Peter James

Meraki

Community

Info: Locking down an iOS device to a static webpage

Info: Locking down an iOS device to a static webpage