"Kosher phone" is a broad category. Under the hood, solutions in this category split into two very different technical approaches: **content filters** and **Mobile Device Management (MDM) with Supervised Mode**.
They both promise similar outcomes. One delivers it reliably. The other delivers it until it doesn't.
How content filters work
A content filter sits between your phone and the internet. Every request the phone makes — web pages, app data, images — goes through the filter. The filter checks the destination against a blocklist. If it's blocked, the connection is refused. If it's not, traffic passes through.
Common implementations:
- **DNS-based filters**: your phone uses a custom DNS server that returns a "blocked" response for bad domains. - **Proxy-based filters**: your phone's traffic is routed through a proxy that inspects and blocks. - **App-based filters**: an app on the device intercepts and blocks traffic.
All three approaches share one critical property: **the phone is a regular phone**. Safari is installed. The App Store is available. VPNs can be installed. Profiles can be added. The filter is the only thing standing between the user and every bad corner of the internet.
Why that architecture fails
A determined user has many escape paths:
- **Change DNS**: iOS 17+ lets any user change the DNS server in Settings. One tap. - **Install a VPN**: every VPN app tunnels around the filter. The App Store is full of free ones. - **Install a new browser**: the App Store has dozens. Only some filters block specific browsers. - **Use cellular instead of Wi-Fi**: if the filter is a home DNS, cellular bypasses it entirely. - **Use an alternate App Store**: on iOS that's not currently possible, but on Android it is. - **Just Google "how to bypass [filter name]"**: there's always a guide.
For an adult committed to staying protected, filters work fine. For a curious child, a struggling teen, or a weak-moment adult, filters are a speed bump, not a wall.
How MDM with Supervised Mode works
MDM is Apple's enterprise device-management protocol. It was built for Fortune 500 companies to manage employee iPhones — devices where the employer, not the employee, makes policy decisions.
When an iPhone is put into **Supervised Mode** and enrolled in an MDM system, a different set of rules governs the device:
- **Apps the MDM doesn't approve cannot be installed.** Not by download, not by sideload, not by restore, not by AirDrop, not by any method. - **Apps the MDM removes cannot be re-installed by the user.** Safari, App Store, and every unapproved app are gone from the device. - **New VPN profiles cannot be added.** The OS blocks the installation at the system level. - **Configuration profiles cannot be installed without MDM approval.** The classic "install this profile to bypass" trick is prevented. - **A factory reset does not remove Supervised Mode.** On first boot, the device re-enrolls in the MDM automatically via Apple's DEP (Device Enrollment Program).
**There is no user-accessible setting that turns this off.** The policy lives in the MDM server, not on the device.
The practical difference
With a content filter: the user has Safari, the App Store, and VPN capability. The filter hopes to block whatever they might try to reach. The defensive surface is the entire internet, minus a blocklist.
With MDM Supervised Mode: the user does not have Safari, does not have the App Store, cannot install a VPN, and cannot install profiles. The defensive surface is **only the apps we've approved, doing only what those apps do**.
The content filter is a whitelist of forbidden places on the internet. MDM supervision is a whitelist of **what the phone can do at all**.
That's the structural difference.
Where filters still make sense
Content filters are simpler, cheaper, and appropriate for users who don't want to be locked down — adults who want a nudge, working professionals who self-monitor, users who would find MDM restrictions too tight for their job.
For those cases, a filter is the right tier. For anyone who wants real enforcement that doesn't depend on the user's willpower, MDM supervision is the answer.
Frequently Asked Questions
Can a regular user enroll their iPhone in MDM themselves?
No. MDM enrollment requires either a pre-configured DEP (Device Enrollment Program) account owned by an organization, or a user to accept an installation profile — which is a one-time action the user could undo. The Kosher iPhone ships via DEP, so the device is supervised from the first boot and the user cannot disenroll.
Does Supervised Mode work on Android?
Android has its own device management system (Android Enterprise), but it's structurally different from iOS. We currently focus on iOS because Supervised Mode on iOS is the deepest lockdown available in any consumer smartphone.
Does the MDM see my messages or browsing?
No. MDM is a policy system — it pushes configuration to the device. It does not read iMessages, phone calls, email, or (in our case) any app data. Our management console shows device health and policy compliance, not content.