Content Filter Providers

Create an on-device network content filter.


An on-device network content filter examines user network content as it passes through the network stack and determines if that content should be blocked or allowed to pass on to its final destination. You might create a content filter and sell it to organizations, like schools and businesses, that want to prevent users from accessing specific Internet content.

A content filter consists of two providers that work in close cooperation:

  • A filter data provider receives user network content and examines that content to determine whether to block or allow it.

  • A filter control provider passes configuration information to the filter data provider to allow that provider to do its job.

This separation exists to guarantee user privacy. The filter data provider runs in a very restrictive sandbox that prevents user network content from escaping that provider. The filter control provider has a less restrictive sandbox but doesn’t have access to user network content. By combining these providers, your content filter has access to the network but cannot use that access to export user network content.

For example, your filter control provider might download a set of filtering rules and save them to a shared app group. Your filter data provider has read-only access to that app group, allowing it use those rules to filter content but still preventing it from exporting user network content.

Content filter providers are only supported on supervised iOS devices.



Network Extensions Entitlement

The APIs an app can use to customize networking features.


Data and Control Providers

class NEFilterDataProvider

The principal class for a filter data provider app extension.

class NEFilterControlProvider

The principal class for a filter control provider app extension.

Flow Handling

class NEFilterBrowserFlow

A flow of network data originating from a WebKit-based browser that’s being examined by the filter.

class NEFilterSocketFlow

A flow of network data originating from a nonbrowser TCP connection that’s being examined by the filter.

class NEFilterFlow

An abstract base class shared by NEFilterBrowserFlow and NEFilterSocketFlow.

class NEFilterNewFlowVerdict

The filtering decision made by a filter data provider for a flow that it’s just seen for the first time.

class NEFilterDataVerdict

The filtering decision made by a filter data provider for subsequent chunks of data on a flow.

class NEFilterControlVerdict

The filtering decision made by a filter control provider.

class NEFilterRemediationVerdict

The filtering decision made by a filter data provider after the user requests remediation for a blocked flow.

class NEFilterVerdict

The abstract base class for filter verdict classes.

class NEFilterReport

The report of an action taken by the data provider on a flow.

Filter Configuration

class NEFilterManager

An object to create and manage a content filter’s configuration.

class NEFilterProviderConfiguration

Configuration parameters for a content filter.

See Also

Content Filters

Filtering Network Traffic

Use the Network Extension framework to allow or deny network connections.