Apple - iOS MDM Monitoring Internet Search History

Your school doesn't need MDM to log all your network activity. Nothing about iOS or macOS or any other OS can prevent them from logging:

  1. Every DNS lookup you make
  2. Setting up a web proxy to save all the search terms
  3. Inspecting the contents of packets to look at what sort of traffic you are generating.

Being able to control the configuration profiles means IT can make it easier to push your device to a specific web proxy or ensure your network traffic goes to a different device than others, so it might make it a bit easier to manage traffic, but anyone who knows how to run the MDM will know how to do the above activities.

The one big dividing line is "supervised" - I would be sure you talk with your parents and school leadership to carry a supervised device with you. That's a GPS beacon that could report your location at any time you have a working network connection to the MDM. Hopefully there are strong protections on access to that information and some auditability to ensure it is only being used properly.

When a device is not supervised, you can opt out of that management and remove the MDM but you will also have to face whatever sanctions or policies the organization has established for use of their network. When a device is not supervised, you may be able to opt out of network configurations that make it easy for the school to track things.

When a device is supervised, you no longer have that control and can only choose to power on that device or power off that device.


The rest of the profiles are routine and don't change with supervision on/off status.

The MDM profiles are quite clear about what they allow and you can take each one pretty narrowly. As you can see Apple explicitly forces the MDM provider to tell you if it can "list all profiles" or has elevated "add/remove profiles" so there's not much nefarious snooping that can be done on the iOS side that you won't be able to inspect.

I would sit with a teacher and ask them to walk through that part with you and discuss the social and privacy concerns. Being engaged is a good thing and you will probably need to look at each item and really think about the benefit and harm of going along with the setup and then make your choice what to do.

Good luck and be glad you're on an OS that respects your right to know what's happening with control and your information.


The manual enrolment payload does not by itself provide the ability to see network traffic on the device. However, that payload does provide the ability to "add/remove configuration profiles", which could add this ability. You would need to examine the contents of such profiles to find out exactly what can be viewed/controlled on the device.
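
One way to examine the contents of a configuration profile, as the answer above suggests (an added example, not part of the original answers): this Python script parses an exported `.mobileconfig` file and lists the payloads that can route or expose network traffic. The sample profile, its display names and the proxy host are constructed for illustration, and the handling of signed profiles is a heuristic that does not verify the signature.

```python
import plistlib

# Apple PayloadType identifiers that can route or expose network traffic.
NETWORK_PAYLOADS = {
    "com.apple.proxy.http.global": "sends web traffic through a proxy",
    "com.apple.vpn.managed": "routes traffic through a managed VPN",
    "com.apple.dnsSettings.managed": "sets the DNS resolver, which sees every lookup",
    "com.apple.webcontent-filter": "applies a web content filter",
    "com.apple.security.root": "trusts a CA, which a proxy needs to inspect TLS",
    "com.apple.wifi.managed": "configures Wi-Fi, optionally with a proxy",
}

def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig; signed ones wrap the XML plist in a CMS envelope."""
    try:
        return plistlib.loads(data)
    except Exception:
        # Heuristic: cut the embedded XML out of the envelope (signature not verified).
        start = data.find(b"<?xml")
        end = data.find(b"</plist>", start)
        if start < 0 or end < 0:
            raise ValueError("no property list found in profile")
        return plistlib.loads(data[start:end + len(b"</plist>")])

def network_findings(profile: dict) -> list:
    """Return (type, display name, implication) for each network-affecting payload."""
    content = profile.get("PayloadContent", [])
    if not isinstance(content, list):  # e.g. missing or encrypted content
        return []
    return [(p["PayloadType"], p.get("PayloadDisplayName", ""), NETWORK_PAYLOADS[p["PayloadType"]])
            for p in content
            if isinstance(p, dict) and p.get("PayloadType") in NETWORK_PAYLOADS]

# Constructed sample profile (all names and hosts are made up for illustration).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example School Profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.mdm", "PayloadDisplayName": "MDM"},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadDisplayName": "Proxy",
         "ProxyType": "Manual", "ProxyServer": "proxy.school.example", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "School CA"},
    ],
})
# Constructed stand-in for a signed profile: binary bytes around the same plist.
SAMPLE_SIGNED = b"\x30\x82\x0b\xb8" + SAMPLE + b"\x00\x01\x02"

if __name__ == "__main__":
    for ptype, name, meaning in network_findings(load_profile(SAMPLE_SIGNED)):
        print(f"{ptype} ({name}): {meaning}")
```

A proxy payload together with a trusted root certificate is the combination that allows the contents of HTTPS traffic to be inspected, so those two findings are worth reading together.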