diff --git a/README.md b/README.md
index 42ae0cf..527fbff 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,10 @@ Previous signatures by:
 
 To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
 
+## On demand activation
+
+You can optionally exclude some trusted Wi-Fi networks where you don't want to use encrypted DNS. To do so, add your SSIDs in the [OnDemandRules](https://github.com/paulmillr/encrypted-dns/blob/master/profiles/template-on-demand.mobileconfig#L22-L38) section inside the `PayloadContent` dictionary of a profile. Note: you can't edit signed profiles.
+
 ## Contributing a new profile
 
 Profiles are basically text files. Copy an existing one and change its UUID, make sure you update README with new profile's info.
diff --git a/profiles/template-on-demand.mobileconfig b/profiles/template-on-demand.mobileconfig
new file mode 100644
index 0000000..7bb5f1c
--- /dev/null
+++ b/profiles/template-on-demand.mobileconfig
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>DNSSettings</key>
+			<dict>
+				<key>DNSProtocol</key>
+				<string>HTTPS</string>
+				<key>ServerAddresses</key>
+				<array>
+					<string>2001:db8::1</string>
+					<string>2001:db8::2</string>
+					<string>192.0.0.1</string>
+					<string>192.0.0.2</string>
+				</array>
+				<key>ServerURL</key>
+				<string>https://dns.example/dns-query</string>
+			</dict>
+			<key>OnDemandRules</key>
+			<array>
+				<dict>
+					<key>Action</key>
+					<string>Disconnect</string>
+					<key>SSIDMatch</key>
+					<array>
+						<string>TRUSTED_NETWORK_1</string>
+						<string>TRUSTED_NETWORK_2</string>
+						<string>TRUSTED_NETWORK_3</string>
+					</array>
+				</dict>
+				<dict>
+					<key>Action</key>
+					<string>Connect</string>
+				</dict>
+			</array>
+			<key>PayloadDescription</key>
+			<string>Configures device to use Example Encrypted DNS over HTTPS</string>
+			<key>PayloadDisplayName</key>
+			<string>Example DNS over HTTPS</string>
+			<key>PayloadIdentifier</key>
+			<string>com.apple.dnsSettings.managed.f0ffd552-7183-4f2e-86e5-ee1ecad2a53a</string>
+			<key>PayloadType</key>
+			<string>com.apple.dnsSettings.managed</string>
+			<key>PayloadUUID</key>
+			<string>556aa9a6-04bb-4144-9a1b-e1b20cda3b46</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+			<key>ProhibitDisablement</key>
+			<false/>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>Adds the Example DNS to Big Sur and iOS 14 based systems</string>
+	<key>PayloadDisplayName</key>
+	<string>Example Encrypted DNS over HTTPS</string>
+	<key>PayloadIdentifier</key>
+	<string>com.paulmillr.apple-dns</string>
+	<key>PayloadRemovalDisallowed</key>
+	<false/>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>B27E8E10-697D-4938-8745-7FFEEEED57A0</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>