By Werner Ruotsalainen on Fri, 05/04/2012
At MacRumors, I've been asked to elaborate on whether it's possible not to let users browse non-company Web pages, preferably with a mirrored, offline set of the company's pages for reference to get 3G data usage costs down.
Let's start with the former (to keep the size of the article down, I'll discuss the strictly offline solution in a separate writeup). Note that the solutions I present can be used not only in a corporate environment but also, say, at home, if you don't want your children to access certain “adult” pages.
Sure, you can configure your company (home etc.) proxy servers / firewalls (if any) to prevent browsing of certain and/or non-company websites when iDevices use the local Wi-Fi network. However, they won't necessarily be able to filter content on employees' iDevices connecting via another network, for example 3G. In addition, it's much easier to do the filtering locally than via the network, unless you want to apply a generic, configure-once-for-every-device approach (you can't just “push” the list of non-allowed pages to iDevices dynamically), for which the local proxy server-based solution can be better, particularly if you need to block certain pages on hundreds of employee iDevices and/or the list of blocked sites changes frequently.
There are two major ways of blocking arbitrary Web pages on your (company's / family's etc.) iDevices: the non-jailbroken (meaning having to use third-party browsers) and the jailbroken way. As usual, jailbreaking allows iDevices to be used to their full potential. However, it's currently not available for any A5(X)-based devices (iPad 2/3, iPhone 4S) running iOS 5.1, ruling out, for example, the iPad 3 entirely.
Non-jailbroken devices and third-party Web browsers
Unfortunately, the stock Safari doesn't have any support for any kind of filtering and without jailbreaking it's entirely impossible to force it to block arbitrary pages. Therefore, you'll need to use third-party Web browsers capable of filtering – and sufficiently protect your iPad by disabling both Safari and app installation.
You may already know how the latter is done: navigate to General > Restrictions in Settings, tap “Enable Restrictions” at the top (if they aren't enabled already) and turn off the Safari switch in the “Allow” group. After this, Safari won't be accessible at all and your employees will need to use third-party browsers for any kind of Web access. To keep them from installing other third-party browsers and, this way, accessing the entire Web, you'll want to disable “Installing apps” here, too.
Then, get iCab Mobile, currently the best third-party browser (iTunes link). Fire it up, tap the Settings icon (the rightmost icon in the top right), go to Privacy/Access Control, and enable the “Password protection” button (topmost rectangle in the next screenshot):
Now, enter a password (twice) above in the Password and Repeat fields (second rectangle from the top). After this, enable “Guest Mode” (topmost switch in the red oval at the bottom of the screenshot). You can also supply a homepage (here, I've supplied www.winmobiletech.com). Make sure “Filters” remain enabled (the center button).
What are these filters? They're the ones you can use to tell iCab not to let users browse any Web site other than your company's. To set them up (which is a very easy process!), tap Edit Filters:
then, My Filters at the bottom of the list (red rectangle above), then, the Create new Filter button (bottom right).
Now, enter the URL of your company's website (the one you need to grant access to) in the “Enter Filter URL” field (uppermost rectangle below). You MUST end it with a /* (slash-asterisk) to allow your employees to browse / access any page / resource on the site. Also, you will need to tap “Load” instead of the default “Block” so that the pages are allowed. (The default functionality of filters is, of course, blocking.) The results should look like this (apply your own site address instead of winmobiletech.com, of course):
Now, go back to the list of filters and add another one; it should be a simple asterisk (*). Leave “Block” on as this rule will instruct the browser to block every Web site out there:
Now, the list of filters in “My Filters” should look like this (note that, for this shot, instead of "*", I've supplied "http://*" for the "Block" entry):
Notice the order of filters. We define a “Load” filter first for our company's website (annotated by rectangles here) and, then, a “Block” filter (annotated by ovals) for everything. As the filters are evaluated in the order they're listed (which, unless you reorder them using the “Edit” button, is the order they're defined) and filters defined first take precedence over filters defined later, this will guarantee your company's website doesn't get blocked, while everything else does.
Note that you can quickly change the state of the filters. For example, if you want to quickly disable a blocked filter for a given website, just toggle it to “Off” in the list on the right and so on. You don't need to delete it entirely.
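The effect of filter order and of the trailing /* can be checked on paper before touching the devices. The following is an added example, not iCab's code or part of the original article: it models the filter list as first-match-wins, and the matching semantics ("*" as the only wildcard, pattern compared against the whole URL), the "Load" default for unmatched URLs, and all names in it are assumptions.

```python
import re

def compile_filter(pattern):
    # Assumed semantics: "*" matches any run of characters, the rest is literal,
    # and the pattern must cover the whole URL.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body + r"\Z", re.DOTALL)

def decide(url, filters, default="Load"):
    """Return the action of the first enabled filter that matches url."""
    for pattern, action, enabled in filters:
        if enabled and compile_filter(pattern).match(url):
            return action
    return default  # assumption: a URL that no filter matches is loaded

SITE = "http://www.winmobiletech.com"  # the article's example site

# Constructed filter lists: (pattern, action, enabled), evaluated top to bottom.
FILTER_LISTS = {
    "allow, then block": [(SITE + "/*", "Load", True), ("*", "Block", True)],
    "block, then allow": [("*", "Block", True), (SITE + "/*", "Load", True)],
    "allow without slash": [(SITE + "*", "Load", True), ("*", "Block", True)],
    "block only http://*": [(SITE + "/*", "Load", True), ("http://*", "Block", True)],
}

# Constructed test URLs.
SAMPLE_URLS = [
    SITE + "/",
    SITE + "/articles/page.html",
    "http://www.example.org/",
    SITE + ".example.org/",      # different host that merely starts with the site name
    "https://www.example.org/",  # other scheme
]

def audit(name):
    """Map every sample URL to the action the named filter list yields."""
    return {url: decide(url, FILTER_LISTS[name]) for url in SAMPLE_URLS}

if __name__ == "__main__":
    for name in FILTER_LISTS:
        print(name)
        for url, action in audit(name).items():
            print(f"  {action:5}  {url}")
```

Under these assumptions, only the first list loads the company site and blocks everything else; verify the last two cases on a real device, since they depend on how the browser actually matches patterns.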
Now that both filtering and guest mode are enabled, any iCab restart or resume (even after leaving the app via Home) will bring up the login screen, where your employees, if they don't know the administrator password (the one you've supplied in the Password and Repeat fields), can only select “Guest Mode”. Then, filtering will be on and any request to a blocked website will produce the following result:
This will only apply to the otherwise also restricted Guest mode.
Jailbroken case: Firewall iP
If you're jailbroken and want to use the stock Safari, there's an excellent application in Cydia you will absolutely LOVE: Firewall iP:
It's not very expensive ($4.50) and can be used not only to filter Web pages, but also to filter anything. A very good usage scenario is, for example, blocking the loading of images from e-mails:
(An example showing a mail (incidentally, the mail PayPal sent me after I purchased Firewall iP from the Cydia store) trying to access paypal.com for the PayPal icon)
You can also use it to catch ANY kind of network access from ANY(!!) third-party app. Just two examples of these:
(Skype trying to connect; this has been caught on the lock screen)
(GoodPlayer sending out a discovery multicast message when opened to discover nearby media servers)
You can, as has already been stated, use it to filter out any pages. (The same rules apply as with iCab: you can define as many exceptions to filtering as you want.) Safari users will see the following when trying to navigate to a blocked page:
Configuring Firewall iP to allow your company's website and block every other one is pretty straightforward. Start it (via its own Firewall iP icon) and select Safari. Enable the “Deny all connections” (basically, this is the “*” you passed to iCab) and the “still apply detailed” switches. (The two are annotated with a red oval below.)
Tap the “Always allow” list item at the bottom (annotated by a rectangle in the above screenshot) to switch to the next list. There, tap the big + icon at the top of the screen and enter the Web page you want to allow (while the others are blocked):
After tapping OK, it'll be added to the list (which, in my case, already contained two Yahoo mail URL's I've previously added using the pop-up dialog of the app):
It's this easy!
Note that Firewall iP doesn't have password protection yet (unlike iCab); that is, tech-savvy users will probably be able to disable Web page filtering. I'll immediately contact the developer of the app to tell him to add password protection to enable the app for true “kiosk mode”.
UPDATE (some hours later): published the promised Part II.