I finally figured out why my kids' iPhones keep escaping my policy enforcement and blocking.
My setup:
Basically I have:
Kids' phones tagged with a username in the devices panel, example kids-name.
Firewall rule for kids set up to block all internet traffic.
Policy Manager set up with logic like: username = *kids* time of day= ___, etc.
If it matches the policy, then kids are blocked properly.
So this works great for days (more or less), which tells me I have everything set up fine.
All of a sudden nothing gets enforced on the kids' iPhone (at the same time the kids' devices such as Chromebooks are getting enforced fine). So clearly the iPhones are doing something to escape the policy.
I have concluded that it is due to them switching MAC address on the network(s), which then means they appear as a different MAC address and they are no longer tagged with the proper username. I need to stop this.
When it happens is:
1. If they enter the Untangle-controlled network on a different Wi-Fi or VLAN, that changes the address in the device panel. I go and manually tag the new address and policies are back to getting enforced.
2. If the iPhones have "private address" turned on on the iPhone, it changes the Wi-Fi address every time the iPhone is powered on/off or simply when private address is toggled. Same end result as #1 above.
How do I stop this? I can't go down and tag the new MAC address with their username every time it changes.
If it is not possible to force the iPhones to have only one username, I need to know how to set up Policy Manager (not with username) to make the desired behavior work.
Thanks.