topic Re: Facebook IOS App and Decryption in General Topics

Facebook IOS App and Decryption

Steve27596 — Fri, 03 Jun 2016 20:53:22 GMT

I have been testing decryption and different apps on our iPads. With decryption turned on we are not able to use different apps, for example Facebook. Now if I use a browser and go to Facebook, I am fine. Anybody do any testing with decrypting the iPad or iPhone traffic and getting Facebook to work?

I am hoping that once I figure out how to get that app working, I can resolve other app issues.

Thanks in advance,

Steve

Re: Facebook IOS App and Decryption

jvalentine — Fri, 03 Jun 2016 21:11:45 GMT

Facebook has designed their iOS app to be incompatible with SSL Decryption technologies. For iOS devices, your choices are going to be permit/deny.

If you leave the decryption policy in-place, that will prevent the iOS app from working. I believe you'll still be able to access Facebook via the mobile Safari web-browser.

Re: Facebook IOS App and Decryption

Steve27596 — Mon, 06 Jun 2016 18:40:37 GMT

Thanks for the response. That is what I thought. So let me pose another question. Is there a way to identify and IOS device and enforce a decryption policy based on if it is an IOS device or not? Then maybe I would set it to decrypt if it was a Windows device and not decrypt if it was an IOS device.

-Steve

Re: Facebook IOS App and Decryption

jvalentine — Tue, 07 Jun 2016 22:31:04 GMT

You can vary decryption policies by:

Source/Destination Zone

Source/Destination Address

Source User

Service(port#)

URL Category

If you wanted to only decrypt facebook for non-iOS devices, then you'd need some sort of mechanism that separates the iOS devices from everything else. This isn't a comprehensive list, but hopefully gives you some ideas on how you could do this:

DHCP serves iOS devices 1 scope, all other devices a 2nd scope:

http://serverfault.com/questions/584697/have-dhcp-use-different-scopes-based-on-mac-address-using-server-2012

(this article talks about doing this for VoIP phones, but should be just as applicable for iOS devices)

Leverage your wireless system to allocate device types to different VLANs. Your wireless controller might be able to determine the host OS and place in a different VLAN (which maps to a different IP address range). A BYOD solution could do similar things. At an extremely "manual" level, you could make 2 SSID's, one for mobile devices, and one for everything else.

There may also be ways to identify the IP Addresses of the mobile devices, publish those addresses into an object group on the firewall via an API, and then create decryption policies based on the dynamic object groups.

Once you can "group" all of the iOS devices together, then you can give them different policies.

Again, not a conclusive list, but hopefully gives you some food for thought.