Prevent DNS Change on IOS Device?

soomeGUy
Here to help

Prevent DNS Change on IOS Device?

Hi. I have a few questions regarding locking down an Ipad for classroom use (not using school program, its not an official school).  

 

First, I am using all meraki gear + SM.  MX64, MR42, MS220-8.   I also use cisco umbrella for DNS filtering.  

 

The first problem is that even though my ipads are locked down to the tilt the user can simply go in to the wifi settings and change the DNS servers away from my own that use umbrella and just change to 8.8.8.8 or something similiar to bypass my blocks.  Is there a way to prevent this?  (These are supervised DEP Ipads).  I recall IOS11 had some new locks regarding DNS but i dont know if this was included.  Actually, its all network settings that can be changed, in my classroom they are certainly going to mess these settings up on purpose to cause chaos.

 

I could probably block dns traffic on my security appliance mx64 but id rather not do this, id really rather lock this in the ipad, I dont want people messing with those settings and breaking the ipad connectivity so easily by putting in a dummy dns address.  if this is not possible its a huge oversight by apple I would think.

 

Also, if I deploy my ipads using DEP and get meraki profiles loaded on them on first boot, and i uploaded my configurator p12 cert to meraki, should that not let me connect these ipads to my macbook pro which has the p12 cert on it for apple configurator?  I have host pairing disabled and when I connect it, it tells me host pairing is not allowed unless I am using the supervision certificate but I thought that was the point of me uploading it to Meraki in the first place?

 

I also had an issue with WIFI whitelisting, what happens is it doesnt get all the profiles loaded and the wifi whitelisting applies and then i lost connectivity and then had to factory restore the ipad to get it working again as it was wiifi whitelisting on with no wifi loaded, is this normal?  

 

Thanks

 

8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal

I haven't tried it - but are you saying if you push out the SSID settings to an iPad that users can then go in and changed those pushed settings?  I would have thought if you specified a managed SSID that they should not be able to change those managed settings.


@PhilipDAth wrote:

I haven't tried it - but are you saying if you push out the SSID settings to an iPad that users can then go in and changed those pushed settings?  I would have thought if you specified a managed SSID that they should not be able to change those managed settings.


Unfortunately not, the user can disable wifi, they can change dns and proxy settings and mess with ip settings.  I just dont get it, how does apple expect these ipads to be used in a classroom enviroment when they user can totally trash the settings and make MDM worthless because the ipad loses internet connectivity.  It looks like i will be forced to lock the ipad to a single app (the web browser) to prevent this.  

 

with DEP ipads they really need to offer more restricftions.

Melissa
Meraki Alumni (Retired)
Meraki Alumni (Retired)

@soomeGUy Have you had any luck playing around with this?

 

In reading your post a few things jump out to me:

 

1 - If you enforce wifi whitelisting without first having installed wifi configuration profiles on devices, this would likely cause problems (as the device can only connect to configured wifi networks, and if not installed...there would not be any). 

 

2 - Does wifi whitelisting solve your DNS issue?

 

3 - Would using a proxy or content filter help? (Settings>Restrictions>ios restrictions (supervised))

 

Lastly...if all else fails, have you seen anything about Cisco Security Connector? This is a new product that integrates Umbrella and Clarity for supervised iOS devices. It might be what you are looking for! 

https://meraki.cisco.com/blog/2017/12/cisco-security-connector-now-available/

jared_f
Kind of a big deal

@Melissa Does that integrate with OpenDNS? Very interesting!

Find this helpful? Click the kudos button. Thanks!
Melissa
Meraki Alumni (Retired)
Meraki Alumni (Retired)

@jared_f Yes! Security Connector is basically an app that combines the Cisco Amp for Endpoints product (called "Clarity") and Umbrella (formerly Open DNS).

 

Systems Manager can be used to manage all products in one interface, as well as automated deployment of Security Connector app itself. 

 

Here's some more info and use cases - https://blogs.cisco.com/security/now-available-cisco-security-connector-for-ios

 

Here's a link to our guide - https://documentation.meraki.com/SM/Apps_and_Software/Cisco_Security_Connector_(CSC)

jared_f
Kind of a big deal

I will definitely take a look!

 

In regards to the WiFi profile, I agree - I usually push profiles separately to devices and don't combine them into a "mega" like profile. This always makes it easier to exclude a device from the scope. The only way (easily) I could think of fixing that problem where the WiFi profile comes after is to push them as a pair inside one profile. The other option would be to use a policy that sees if the Systems Manager app is installed and then trigger it to install when the device is compliant with that (the systems manager app always deploys after the profiles).

 

 

Find this helpful? Click the kudos button. Thanks!
jared_f
Kind of a big deal

I am using Cisco Umbrella/OpenDNS to filter for spam. VPNs were the problem for me and the solution was just to do a wildcard search with email notifications when they become a member of the policy. There is no restriction that I know of that can disable that little "i" button next to the network.

 

In regards to WiFi whitelisting, I gave your scenario a test with the WiFi Whitelisting and my WiFi profile (both configured and scoped separately to the same device) got pushed before the whitelisting. Obviously, there are factors that play into this like network speed, servers, etc. But are you configuring that restriction within your WiFi Profile to make sure they are being pushed together?

Find this helpful? Click the kudos button. Thanks!
Melissa
Meraki Alumni (Retired)
Meraki Alumni (Retired)

@jared_f Good points!! 

 

I would always recommend that wifi configuration profiles are made without any other settings applied. The reason being - if you add a long list of settings to a configuration profile and need to change anything that profile, when the profile is refreshed, this could affect connectivity to the wifi networks configured in that profile. It would basically "reset" anything in the given profile. 

 

I would also recommend making any configuration profiles with Active Sync separate as well - for the same reason! When refreshed, a configuration with Active Sync or mail (if using App settings instead to configure mail accounts) can prompt the user to re-input their password. 

 

 

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels