Facebook IOS App and Decryption

L1 Bithead

Facebook IOS App and Decryption

I have been testing decryption and different apps on our iPads. With decryption turned on we are not able to use different apps, for example Facebook.  Now if I use a browser and go to Facebook, I am fine.  Anybody do any testing with decrypting the iPad or iPhone traffic and getting Facebook to work?

I am hoping that once I figure out how to get that app working, I can resolve other app issues.

Thanks in advance,


L7 Applicator

Re: Facebook IOS App and Decryption

Facebook has designed their iOS app to be incompatible with SSL Decryption technologies.  For iOS devices, your choices are going to be permit/deny.


If you leave the decryption policy in-place, that will prevent the iOS app from working.  I believe you'll still be able to access Facebook via the mobile Safari web-browser.  

L1 Bithead

Re: Facebook IOS App and Decryption

Thanks for the response.  That is what I thought.  So let me pose another question.  Is there a way to identify and IOS device and enforce a decryption policy based on if it is an IOS device or not?  Then maybe I would set it to decrypt if it was a Windows device and not decrypt if it was an IOS device.



L7 Applicator

Re: Facebook IOS App and Decryption

You can vary decryption policies by:

   Source/Destination Zone

   Source/Destination Address

   Source User


   URL Category


If you wanted to only decrypt facebook for non-iOS devices, then you'd need some sort of mechanism that separates the iOS devices from everything else.  This isn't a comprehensive list, but hopefully gives you some ideas on how you could do this:


DHCP serves iOS devices 1 scope, all other devices a 2nd scope:


(this article talks about doing this for VoIP phones, but should be just as applicable for iOS devices)


Leverage your wireless system to allocate device types to different VLANs.  Your wireless controller might be able to determine the host OS and place in a different VLAN (which maps to a different IP address range).  A BYOD solution could do similar things.  At an extremely "manual" level, you could make 2 SSID's, one for mobile devices, and one for everything else.  


There may also be ways to identify the IP Addresses of the mobile devices, publish those addresses into an object group on the firewall via an API, and then create decryption policies based on the dynamic object groups.


Once you can "group" all of the iOS devices together, then you can give them different policies.  


Again, not a conclusive list, but hopefully gives you some food for thought.  


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!