1 2 3 4 5 6 7

Layer 3 of 7 — you are here

Last verified: July 7, 2026

The network wall guards the house. Today we armor each device individually, so the protection travels — into the school parking lot, onto the neighbor's Wi-Fi, onto cellular. Work through your Inventory's Screens list device by device.

iPhone / iPad: Screen Time

  1. On the parent device: Settings → Screen Time → [child's name] (child accounts from Layer 2 appear here automatically). Managing from the parent device is better than configuring on the kid's device — the settings live behind your Face ID, not in their hands.
  2. Open Content & Privacy Restrictions and turn the master toggle on.
  3. Inside Content & Privacy Restrictions, open App Store, Media, Web, & Games (iOS 18 added this middle layer) and set: age-appropriate ratings for apps, movies, and TV; Web Content → Limit Adult Websites (the device-level cousin of your DNS wall); explicit content off for music and books.
  4. Block changes to accounts and passcode settings (in the same restrictions area) so the account you fixed yesterday stays fixed.
  5. Set a Screen Time passcode — separate from the device unlock code, known only to parents. Without it, everything above is a suggestion. This passcode is a wall key: it goes in the vault on Day Six, and it is never a birthday, an anniversary, or the garage code. (Since iOS 18.5, parents get a notification when the child's Screen Time passcode is used — leave that on.)
iOS Content & Privacy Restrictions screen with the master toggle on, showing iTunes & App Store Purchases, Allowed Apps & Features, App Store, Media, Web, & Games, Intelligence & Siri, and the Allow Changes list.
Content & Privacy Restrictions on one of our kids' devices — note the "App Store, Media, Web, & Games" layer from step 3.

Android / Chromebook: Family Link

  1. In the Family Link app on the parent phone: [child] → Controls.
  2. Controls → Google Play: set rating ceilings for apps and games.
  3. Controls → Google Chrome and Web: "Try to block explicit sites." (Allow/block lists live under Manage sites.)
  4. Controls → Google Search: SafeSearch on.
  5. Review app-by-app controls: Family Link lets you block or approve individual apps already on the device, and every new install routes through the purchase-approval gate you set in Layer 2.
Chromebook constraint worth knowing: when Family Link supervision is active, ChromeOS disables custom "secure DNS" settings — you can't point a supervised Chromebook at your DNS service directly. That's by design, and it's fine: Family Link itself provides the off-network filtering on Chromebooks, and your router covers it at home. Don't fight it; note it and move on.

The shared computer

The family desktop or laptop needs the oldest trick in the book: separate front doors.

The traveling wall

Your DNS wall from Layer 1 stops at your front door. The phone doesn't. The traveling wall puts the same filtering on the device itself, so it works on cellular and on other people's Wi-Fi.

  1. Install the DNS service on the device. For NextDNS: on iOS, install the NextDNS app and sign into your configuration, or generate a configuration profile at apple.nextdns.io (the profile is what the supervision play below locks down); on Android, the NextDNS app, or Android's Private DNS setting pointed at your configuration's DNS-over-TLS hostname.
  2. Verify ON CELLULAR. Turn off Wi-Fi, then load the test page and the dummy test sites (see Layer 1's verification section). If you only tested on Wi-Fi, you tested the router, not the phone.
  3. Now test removal. Hand yourself the kid's device and try to delete the app or profile. On a stock device, you can — a profile has a Remove button and an app can be deleted. Restrictions help (Screen Time can block app deletion), but the honest answer is the deeper cut below.

The deeper cut: Apple Configurator supervision + the removal-lock

This is the strongest move on this page, and the one Chapter 6 leans on hardest. A normal iPhone treats a DNS profile as a guest: it can be shown the door. A supervised iPhone treats your profile as the landlord: with one flag set, the Remove button doesn't exist. Supervision is Apple's own mechanism — it's what schools use for managed iPads — and it's available to any parent with a Mac and a cable.

Putting a device under supervision erases it. Back up first (or better, do this on a new device before it's loaded). Budget an hour for your first run. This is a determined-non-expert job: fiddly, not hard.

What you need

Step 1 — Generate the DNS profile

  1. Generate a .mobileconfig DNS profile at apple.nextdns.io: enter your configuration ID and check "Prohibit Disablement" ("prohibit users from disabling NextDNS"). Heed the generator's own warning — that option only works on supervised devices, which is exactly what we're about to make this one. Download the profile to the Mac.

Step 2 — Make sure the removal lock is in the profile BEFORE install

  1. If you checked "Prohibit Disablement" in Step 1, the lock is already baked in — skip to Step 3.
  2. Using a different generator, or a hand-built profile? Open the .mobileconfig in a text editor (it's XML) and add the removal lock inside the top-level payload dictionary:
    <key>PayloadRemovalDisallowed</key>
    <true/>
  3. Save. The flag must be in the profile before it's installed — it can't be added to a profile that's already on the device.

Step 3 — Supervise the device

  1. Plug the child's device into the Mac and open Apple Configurator. The device appears as a tile.
  2. Select it → Prepare. Choose Manual Configuration; select "Do not enroll in device management" (you're a family, not an IT department); check the supervision option ("designate as a supervised device"). Name your organization something plain ("Our Family").
  3. Configurator erases and re-provisions the device. Restore the backup / sign back in as the child when it comes up.

Step 4 — Push the locked profile

  1. With the supervised device connected, drag your edited .mobileconfig onto its tile in Configurator (or use Add → Profiles).
  2. On the device: Settings → General → VPN & Device Management → the profile is listed — and there is no Remove button. That's the whole point. Worth being honest about: on an unsupervised device this flag isn't actually enforced — the profile stays removable with the device passcode. Supervision is the whole play, not a nice-to-have.
  3. Verify filtering on cellular one more time. Then try to remove it. Fail. Smile.
[SCREENSHOT: supervised device profile screen showing no Remove button — Matt to capture]

Factory tunnels: close these on every device

Modern devices ship with features that politely tunnel around DNS filtering. They're privacy features — legitimately good against advertisers, accidentally great against parents. Close them:

TunnelWhere to close it
iCloud Private RelaySettings → [name] → iCloud → Private Relay → off, on every family device. Apple's own docs say Relay is incompatible with network-based filtering and parental controls — it encrypts DNS and routes Safari around your wall. (Per-network alternative: Settings → Wi-Fi → (i) → Limit IP Address Tracking off.)
Android Private DNSSettings → Network & internet → Private DNS (Samsung: Connections → More connection settings). Either "off"/"automatic," or better: pointed at your own NextDNS hostname (that's the traveling wall). What it must never be: some other provider's hostname.
Browser secure DNSChrome: Settings → Privacy and security → Security → Use secure DNS. Firefox: Settings → Privacy & Security → DNS over HTTPS. Edge and others have equivalents. Each browser can pick its own DNS provider and skip your wall — set them to use the system default, or lock browsers down via the device policies above.

These reappear after major OS updates often enough that they're on the Layer 7 bypass checklist and the Quarterly Walk.

Done when

Next: Day Four — Streaming & Consoles →