
iPhone security architecture, for families who want to understand

Apple builds iPhones in layers. Understanding those layers is the difference between trusting marketing and trusting engineering.

By Yisrael Schneider, Manager

Most "kosher phone" conversations happen at one level: the content filter. But the iPhone is actually a stack of security layers, and **the content filter is the thinnest layer** — the one most easily defeated.

This guide walks the entire iPhone security architecture top to bottom. By the end you'll understand why Supervised Mode is different from every consumer filter — and why that difference is the entire reason The Kosher iPhone exists.

Layer 1 — The Secure Enclave (hardware)

Every iPhone shipped since 2013 contains a **Secure Enclave** — a dedicated hardware processor separate from the main CPU, with its own encrypted memory. The Secure Enclave holds your Face ID data, Touch ID fingerprints, your iCloud keychain passwords, your Apple Pay tokens, and the encryption keys for your iMessages.

Nothing running on the main iOS system can read the Secure Enclave directly. Even Apple cannot read your Face ID data or iMessage keys. This is the foundation: **your most sensitive secrets live below the operating system, in hardware**.

For a kosher iPhone, the Secure Enclave is neutral — it protects your data, same as on any iPhone.

Layer 2 — iOS kernel and sandbox

iOS apps run in a **sandbox** — a restricted environment that prevents an app from reading another app's data or modifying the operating system. The kernel (the core of iOS) enforces this sandbox at a level below user apps.

Apple famously refuses to ship iOS with a user-accessible file system for exactly this reason. Every app has its own container. Apps communicate through narrow, Apple-sanctioned APIs. Malicious apps can't pivot to take over the device.

This is why iPhones are harder to jailbreak than Android devices. The kernel sandbox is strict.

Layer 3 — User settings and Screen Time

This is where consumer protections live. **Screen Time** lets parents set app limits, content restrictions, and schedule-based blocks. It's built into iOS.

And here's where the wall cracks for kosher-phone purposes: **Screen Time can be disabled from Settings**. If you know the password (or can watch someone enter it), or if you're willing to factory-reset the device, Screen Time is off.

Every "kosher phone" solution built on Screen Time is defeated by a curious teen with 60 seconds of access to Settings. This is why we don't build on Screen Time.

Layer 4 — Content filter

A DNS or proxy-based content filter sits outside the iPhone, intercepting traffic. It blocks connections to known-bad domains.

This layer works well against passive exposure — a child accidentally following a link, an ad network rotating in a bad banner. It does not work against active bypass. Every basic filter fails against:

- User changing DNS in Wi-Fi settings (iOS 17+ makes this trivial)
- User installing a VPN
- User switching from Wi-Fi to cellular (cellular may not be filtered)
- User connecting to a friend's hotspot
- User installing a different browser

Content filters are a speed bump, not a wall. Appropriate for trusted users; inappropriate as the sole defense for a teen or vulnerable adult.

Layer 5 — Mobile Device Management (MDM)

MDM sits **above** user settings — in a policy layer that the user cannot modify. An MDM-enrolled device receives its policies from the MDM server, stores them at the OS level, and enforces them regardless of what the user tries to change.

On an **unsupervised** iPhone, only a subset of MDM policies applies. The user can remove the MDM enrollment in Settings.

On a **supervised** iPhone, the full enterprise policy set applies, and the user cannot remove enrollment.

Layer 6 — Supervised Mode (policy)

Supervision unlocks the restrictions that actually matter:

- Remove Safari entirely
- Disable App Store
- Block VPN installation at the OS level
- Block configuration profile installation without MDM approval
- Disable AirDrop / file sharing
- Prevent erase-and-setup without MDM reauthorization (factory reset re-enrolls)

Unlike Screen Time, none of these policies have a user-accessible "off" switch. Unlike content filters, they don't rely on network traffic interception — they prevent the bypass surfaces from existing on the device at all.
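As an added example (not code from this page or from The Kosher iPhone), the Python below audits a configuration profile against the Layer 6 list and reports which bypass surfaces it leaves open. The key names belong to Apple's Restrictions payload (`com.apple.applicationaccess`); pairing each key with an item in the list, and the sample profile itself, are assumptions of the example.

```python
import plistlib

# Restrictions-payload keys paired with the Layer 6 items. The pairing is this
# example's assumption. A key that is absent defaults to "allowed", so a
# missing key leaves that surface open.
LAYER6_KEYS = {
    "allowSafari": "Remove Safari",
    "allowAppInstallation": "Disable App Store",
    "allowVPNCreation": "Block VPN installation",
    "allowUIConfigurationProfileInstallation": "Block profile installation",
    "allowAirDrop": "Disable AirDrop",
    "allowEraseContentAndSettings": "Prevent erase-and-setup",
}

def open_surfaces(profile_bytes):
    """Return the Layer 6 items a profile leaves open, in list order."""
    profile = plistlib.loads(profile_bytes)
    closed = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        # Only an explicit boolean false closes a surface.
        closed.update(k for k in LAYER6_KEYS if payload.get(k) is False)
    return [label for key, label in LAYER6_KEYS.items() if key not in closed]

# Constructed sample profile: three surfaces closed, one explicitly allowed,
# two keys missing altogether.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.constructed.profile",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "example.constructed.restrictions",
        "allowSafari": False,
        "allowAppInstallation": False,
        "allowVPNCreation": True,
        "allowAirDrop": False,
    }],
})

if __name__ == "__main__":
    for item in open_surfaces(SAMPLE_PROFILE):
        print("still open:", item)
```

Run against a profile exported from an MDM console, an empty result means every item in the list is covered by an explicit restriction.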

**This is the tier The Kosher iPhone operates on.** Nothing we do relies on users resisting temptation or remembering passwords. The protection is architectural.

Where other kosher phones sit

Most "kosher phone" products on the market operate between Layer 3 and Layer 4. They use a combination of Screen Time + a DNS filter + a custom launcher. Each of those layers is, as shown above, bypassable.

**We sit at Layer 6.** The level where Apple's own enterprise security architecture operates. The level where bypass requires factoring an iPhone's hardware-backed cryptographic identity — something no consumer-grade attacker can do.

Protection at the architectural level.

Not a filter. Not a launcher. The same Supervised Mode used by enterprises and governments.
