We deal with this a lot in the MSP world, the way to go is with a DNS service/product that has an agent for roaming: the OpenDNS solution is Cisco Umbrella and it has an agent to force DNS traffic through it. It’s a bit pricey and I think the minimum device count is still 100. Webroot also has a DNS service and I believe the agent is out now. Comodo has Dome/Dome Shield that can install an agent and is free (but it’s Comodo). I believe WebTitan also has a DNS protection product that includes agents for mobile devices. Finally, there is NxFilter/NxCloud that can run agents but you’ll need to self-host it either on-site or up in the cloud.
EDIT: Just realized I had some of this up above, but those are the general contenders to OpenDNS/Umbrella for roaming device DNS filtering/protection.