This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
Android devices use certificate pinning to prevent network devices from decrypting and inspecting HTTPS traffic. Certificate pinning hard-codes the details of a specific Certificate Authority into an application, allowing the Android OS or application to ensure that communication with the server isn't intercepted or tampered with.
On Android 7 and above, Android does not trust user-installed Certificate Authorities for any function other than installed web browser applications. This means that Android devices connected to a WiFi network with a Decrypt and Inspect policy:
- Will show warning messages suggesting that internet access is restricted, with either an "x" or an "!" next to the WiFi icon. Note that they can still browse the internet.
- Cannot access or download items from the Google Play store. A message will be displayed informing the user that the device does not have an internet connection.
Important: As part of this process, you will apply a Do Not Inspect HTTPS Policy to Google. This is required if you want to stop the warning messages appearing and allow users to access the Google Play store; there are no alternative options.
Here are the steps you need to take:
- When you have a Do Not Inspect policy for Google, inappropriate content will not be filtered. To prevent access to that content, you must switch on the SafeSearch via CONNECT header Content Modification.
Tip: With a Do Not Inspect Policy in place, the information required to enforce the standard Force SafeSearch Content Modification option cannot be seen or modified, so you need to use the SafeSearch via CONNECT header option instead.
- Create a Custom Category and name it something like Android connectivity checks.
- In the Domains/URLs section, enter:
  - https://google.com
  - https://ggpht.com
  - https://googleusercontent.com
  - https://gvt1.com
  - https://googleapis.com
- Create a new HTTPS Inspection Policy for the custom Android connectivity checks category and our built-in Captive Portals category, with Do not inspect as the Action. Ensure that it is placed at the top of the table.
Android devices will connect to WiFi without displaying warning messages, and users can access the Google Play store to download applications.
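To confirm that the Do not inspect policy is taking effect, the following added example (not part of the original article or of the product) can be run from a client on the filtered network: it connects to each domain in the custom category and reports whether the certificate it receives was issued by the filter's inspection CA. `FILTER_CA_NAME` is a placeholder you must replace with the name of your own inspection CA, and the function names are illustrative.

```python
import socket
import ssl

# Domains from the custom category described in this article.
BYPASS_HOSTS = ["google.com", "ggpht.com", "googleusercontent.com",
                "gvt1.com", "googleapis.com"]
# Assumption: placeholder for the organisation/common name of your filter's
# HTTPS inspection CA. This value is not from the article.
FILTER_CA_NAME = "EXAMPLE-FILTER-CA"


def issuer_names(cert):
    """Return organizationName/commonName values from a getpeercert() dict."""
    return [value
            for rdn in cert.get("issuer", ())
            for key, value in rdn
            if key in ("organizationName", "commonName")]


def is_inspected(cert, filter_ca=FILTER_CA_NAME):
    """True if the certificate's issuer matches the filter's CA name."""
    return any(filter_ca.lower() in n.lower() for n in issuer_names(cert))


def fetch_cert(host, port=443, timeout=5):
    """Fetch the server certificate as this client sees it (validated)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check(hosts=BYPASS_HOSTS, fetch=fetch_cert):
    """Map each host to a status string describing what the client saw."""
    results = {}
    for host in hosts:
        try:
            cert = fetch(host)
            results[host] = "inspected" if is_inspected(cert) else "not inspected"
        except ssl.SSLCertVerificationError:
            # Client does not trust the issuer: typical when the filter CA
            # is not installed on this machine but traffic is still decrypted.
            results[host] = "untrusted certificate (possibly inspected)"
        except OSError as exc:  # DNS failure, timeout, refused, other TLS error
            results[host] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for host, status in check().items():
        print(f"{host:25} {status}")
```

A host reported as inspected after the change suggests the Do not inspect policy is not matching it, for example because it is not at the top of the table.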