06-03-2016 01:53 PM
I have been testing decryption and different apps on our iPads. With decryption turned on we are not able to use different apps, for example Facebook. Now if I use a browser and go to Facebook, I am fine. Anybody do any testing with decrypting the iPad or iPhone traffic and getting Facebook to work?
I am hoping that once I figure out how to get that app working, I can resolve other app issues.
Thanks in advance,
Steve
06-03-2016 02:11 PM
Facebook has designed their iOS app to be incompatible with SSL Decryption technologies. For iOS devices, your choices are going to be permit/deny.
If you leave the decryption policy in place, that will prevent the iOS app from working. I believe you'll still be able to access Facebook via the mobile Safari web browser.
06-06-2016 11:40 AM
Thanks for the response. That is what I thought. So let me pose another question. Is there a way to identify an iOS device and enforce a decryption policy based on whether it is an iOS device or not? Then maybe I would set it to decrypt if it was a Windows device and not decrypt if it was an iOS device.
-Steve
06-07-2016 03:31 PM
You can vary decryption policies by:
- Source/Destination Zone
- Source/Destination Address
- Source User
- Service (port #)
- URL Category
If you wanted to only decrypt facebook for non-iOS devices, then you'd need some sort of mechanism that separates the iOS devices from everything else. This isn't a comprehensive list, but hopefully gives you some ideas on how you could do this:
DHCP serves iOS devices 1 scope, all other devices a 2nd scope:
(this article talks about doing this for VoIP phones, but should be just as applicable for iOS devices)
Leverage your wireless system to allocate device types to different VLANs. Your wireless controller might be able to determine the host OS and place it in a different VLAN (which maps to a different IP address range). A BYOD solution could do similar things. At an extremely "manual" level, you could make 2 SSIDs, one for mobile devices, and one for everything else.
There may also be ways to identify the IP Addresses of the mobile devices, publish those addresses into an object group on the firewall via an API, and then create decryption policies based on the dynamic object groups.
Once you can "group" all of the iOS devices together, then you can give them different policies.
Again, not a conclusive list, but hopefully gives you some food for thought.
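An added example, not part of the original thread or any vendor's code: one way to turn the "publish addresses via an API" idea above into a payload, assuming the firewall accepts the PAN-OS User-ID XML API `uid-message` register/unregister format (check your version's API documentation). The hostname heuristic, the tag name `ios-devices` and the sample leases are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample leases (ip, DHCP hostname); not real data.
LEASES = [
    ("10.20.0.11", "Steves-iPad"),
    ("10.20.0.12", "FRONTDESK-PC"),
    ("10.20.0.13", "iPhone-7"),
    ("10.20.0.14", ""),
]
IOS_HINTS = ("ipad", "iphone", "ipod")  # assumed hostname heuristic
TAG = "ios-devices"                      # hypothetical tag name


def ios_addresses(leases):
    """Return the set of valid IPs whose hostname looks like an iOS device."""
    found = set()
    for ip, hostname in leases:
        if any(h in hostname.lower() for h in IOS_HINTS):
            found.add(str(ipaddress.ip_address(ip)))  # raises on bad input
    return found


def build_uid_message(current, previous, tag=TAG):
    """Build a register/unregister update for the delta between two runs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    # Register newly seen addresses; unregister ones that disappeared,
    # so stale IPs do not keep the no-decrypt treatment after reassignment.
    for action, ips in (("register", current - previous),
                        ("unregister", previous - current)):
        if not ips:
            continue
        section = ET.SubElement(payload, action)
        for ip in sorted(ips):
            entry = ET.SubElement(section, "entry", ip=ip)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    previous = {"10.20.0.13", "10.20.0.99"}  # constructed earlier state
    print(build_uid_message(ios_addresses(LEASES), previous))
```

DHCP hostnames are supplied by the client, so any device can name itself "iPad" and land in the no-decrypt group; treat this grouping as a convenience, and keep the exempted destinations as narrow as possible.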