This article discusses what steps need to be taken in order to get some of the most popular Mobile Apps working through your Smoothwall, without affecting filtering of the desktop based version of the App.
More and more applications are beginning to use certificate pinning, which causes mobile applications to not work correctly if a decrypt and inspect policy is in place. This article provides steps which will allow popular mobile applications to continue working with a decrypt and inspect policy by adding specific sub-domains (were possible) to a ‘Do not inspect’ policy.
Within this solution we will discuss what subdomains or categories need to be inserted into a ‘Do not Inspect ‘policy in your HTTPS inspection policies table.
The applications that will be discussed below are as follows, all of these apps use certificate pinning:
Facebook, Instagram, Twitter, Facebook Messenger, Pinterest and YouTube
|Facebook App [NEW]||Follow this KB for instructions|
|Instagram App [NEW]||Follow this KB for instructions|
|Twitter App [NEW]||Follow this KB for instructions|
Facebook App [NEW]
|Follow this KB for instructions|
|You should still be able to content filter Pinterest through the web on all devices. You will be able to access the App however you won’t be able to do any filtering in the App.|
|You should still be able to content filter YouTube through the browser on all devices. You will be able to access the App however you won’t be able to do any filtering in the App.|
Setting up the Policies
For the Apps without released categories you'll need to create a custom category:
- Go to Guardian > Policy Objects > Categories.
- Enter a name (for example, Pinterest App)
- Enter the relevant Subdomains listed above under Domain/URL Filtering:
- Click Save.
Next we need to setup a ‘Do not Inspect policy’ for those categories
- Go to Guardian > HTTPS inspection > Policy wizard.
- Who Everyone*
- What Pinterest App
- Where Everywhere*
- When Always*
- Action Do not inspect
*Change these values based on your own needs.
- Make sure the Enabled policy option is selected.
- Click Confirm and then Save.