Summary
This article explains how Smoothwall handles the Facebook mobile app on bring your own devices (BYOD), and why Decrypt & Inspect has to be exempted for it.
Problem
Many apps now use certificate pinning: the app only trusts a specific certificate or public key for the service it talks to, rather than any certificate chaining to a trusted CA. This protects the traffic against man-in-the-middle interception, but it also stops Smoothwall from performing Decrypt & Inspect on that traffic, because the certificate Smoothwall presents to the app is issued by Smoothwall's own inspection CA and not by the CA Facebook uses. The app rejects the connection, so it fails or does not work properly.
Note: The following assumptions are made:
- A wireless network exists that is set up specifically for users to connect their own devices to
- Users are not allowed to install the Facebook mobile app on organization-owned devices
For the Facebook app to work on users' devices, the Facebook category (found under Social Media) must be exempt from every Decrypt & Inspect policy on the Smoothwall.
Disabling Decrypt & Inspect for Facebook fixes the app, but it also means the Smoothwall can no longer inspect the content when Facebook is opened in a browser. Rolling that exemption out across the entire network may therefore cause issues.
As such, if your BYOD network is defined as a location policy object in Guardian, we advise disabling Decrypt & Inspect for these URLs only on the BYOD network.
Solution
- Create a custom category in Guardian > Policy objects > Categories containing the above URLs.
- Create a location object in Guardian > Policy objects > Locations for the BYOD network.
- Go to Guardian > HTTPS inspection > Policy wizard and create a new policy where:
  - What: the custom Facebook category you created
  - Where: your BYOD network location
  - Action: Do not inspect
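The following is an added example, not code from the Smoothwall article or product. It uses only the openssl command-line tool to show the mechanism behind the Problem section (a proxy that re-issues the server certificate under its own CA and key changes both the issuer and the SPKI pin, so a pinned app refuses the connection) and gives a check you can run from a BYOD client after the policy above is in place to confirm the host is no longer being intercepted. The value matched in the issuer DN (`PROXY_CA_MATCH`, defaulting to "Smoothwall") and the hostname passed to `check_host` are assumptions; set them to your own inspection CA name and the hosts you exempted.

```shell
#!/bin/sh
# Added example; not from the Smoothwall article or product. Uses only the
# openssl command-line tool to show why a pinned app rejects Decrypt & Inspect,
# and to check from a BYOD client whether a host is still being intercepted.
# ASSUMPTION: PROXY_CA_MATCH is a placeholder for text that appears in your
# Smoothwall inspection CA's issuer DN; set it to match your own CA.
PROXY_CA_MATCH="${PROXY_CA_MATCH:-Smoothwall}"

# Issuer DN of the PEM certificate read on stdin (empty if none could be parsed).
cert_issuer() {
    openssl x509 -noout -issuer 2>/dev/null
}

# SPKI pin of the PEM certificate on stdin: base64(SHA-256(DER SubjectPublicKeyInfo)),
# the pin format used by HPKP, OkHttp and Android Network Security Config.
# A proxy that re-issues a certificate uses its own key pair, so this value
# changes even when the subject name is copied from the real certificate.
spki_pin() {
    openssl x509 -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Succeeds (exit 0) when the issuer DN contains the proxy CA marker, i.e. the
# certificate was re-issued by the inspecting proxy.
issued_by_proxy() {
    case "$1" in
        *"$PROXY_CA_MATCH"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when the pin of the PEM certificate in file $1 equals pin $2
# (what a pinned app does before it trusts the connection).
pin_matches() {
    [ "$(spki_pin < "$1")" = "$2" ]
}

# Live check of one host over the network, to run from a BYOD client after the
# "Do not inspect" policy is in place. Exit status: 0 = certificate comes
# straight from the origin, 1 = intercepted by the proxy, 2 = no certificate.
check_host() {
    host="$1"
    issuer=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
               | cert_issuer)
    if [ -z "$issuer" ]; then
        echo "$host: no certificate received"
        return 2
    fi
    if issued_by_proxy "$issuer"; then
        echo "$host: INTERCEPTED ($issuer)"
        return 1
    fi
    echo "$host: not intercepted ($issuer)"
    return 0
}
```

Source the script and run `check_host` against each exempted hostname from a device on the BYOD wireless network; a result of `INTERCEPTED` means the HTTPS inspection policy is not matching that host or location. `spki_pin` is the same value a pinned app compares, which is why whitelisting the inspection CA on the device does not help: the pin is bound to the origin's key, not to any CA.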