Symantec App Center lets you create app policies that restrict an app's network access to only the hosts that you specify in the policy. In addition to specifying the location and port for each entry in the whitelist, you can specify other requirements: you can require that the connection use SSL, allow untrusted certificates, and set the minimum cipher strength. If you integrate with Symantec O₃, you can enable the O₃ DNS proxy. You can also enable credential injection, which passes authentication credentials or cookies from the application to the remote server when the connection is made. When connections are blocked, you can have your end users notified through a notification message. Blocked connections are also logged to the device's log. Network access control is supported only on iOS 5.0 or later.
The App Center App matches entries starting from the top of the whitelist. The wrapper evaluates the first entry to see whether the connection is an exact match for it (location, port, and any security requirements set on the entry). If it is, the connection is permitted and no further entries are evaluated. If it is not, the wrapper moves on to the next entry, and so on, until an entry matches (in which case the connection is permitted) or the list is exhausted (in which case the connection is blocked). Because the first match wins, order your entries from most specific to least specific: an entry such as Location * with no other requirements permits everything and makes every entry below it unreachable.
The following examples show how the wrapper evaluates whitelist entries.
Assume that the entries appear in the White-listed Locations list in the order shown.
Table 3-2 Example 1

Location         Port    Other
*                *       N/A
*.example.com    *       SSL

In example 1, App Center evaluates the first entry. No matter what the address is, the connection is permitted because the criteria match: a location of * allows all hosts and a port of * allows all ports. App Center never evaluates the second entry because a match has already occurred and the connection has been permitted.
Table 3-3 Example 2

Location         Port    Other
*                *       SSL

In example 2, the location and port match any host and any port, so App Center only checks whether the connection uses SSL. If it does, the connection is permitted. If it does not, there are no further entries, so the connection is blocked.
Table 3-4 Example 3

Location         Port    Other
192.168.100.10   *       SSL
*.example.com    *       Strong cipher
192.168.100.10   8004    Any Encryption

In example 3, App Center evaluates the first entry. If the location matches 192.168.100.10 (any port is accepted) and the connection uses SSL, the connection is permitted. If not, App Center evaluates the second entry. If the location matches a host in the example.com domain (any port is accepted) and the negotiated cipher meets the OWASP TLS criteria for a strong cipher, the connection is permitted. If not, App Center evaluates the third entry. If the location matches 192.168.100.10 on port 8004 and the connection uses an encrypting cipher suite, the connection is permitted. If not, the connection is blocked.
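The following is an added example, not code from Symantec App Center, that implements the top-down, first-match evaluation described above and encodes the three example whitelists from Tables 3-2 to 3-4 so that you can probe them. The Entry and Connection fields, the cipher classes ("null", "weak", "strong") and the reading that a cipher restriction other than None implies an SSL connection are assumptions made for the example; how a real cipher suite maps to the OWASP "strong" criteria is out of scope here.

```python
# Added illustration of whitelist evaluation; not Symantec's code.
# Assumptions: "*.domain" matches hosts below that domain (not the apex),
# and any cipher restriction other than "None" implies an SSL connection.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One row of the White-listed Locations list."""
    location: str              # "*", "*.example.com", "www.example.com", "192.168.100.10", "192.168.0.0/17"
    port: str = "*"            # "" or "*" = all ports; otherwise e.g. "80, 1000-1999, 443"
    require_ssl: bool = False  # the Require SSL option
    cipher: str = "None"       # SSL Cipher Restriction: "None", "Any Encryption" or "Strong"


@dataclass(frozen=True)
class Connection:
    """What the wrapper knows about an outgoing connection (assumed model)."""
    host: str
    port: int
    tls: bool = False
    # None for cleartext, "null" for a suite without encryption, "weak", or "strong"
    cipher_class: Optional[str] = None


def location_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.strip().lower(), host.strip().lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])           # "*.example.com" -> ends with ".example.com"
    if "/" in pattern:                              # CIDR range: only an IPv4 literal can fall inside it
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return host == pattern                          # exact host name or single IPv4 address


def port_matches(spec: str, port: int) -> bool:
    spec = spec.strip()
    if spec in ("", "*"):
        return True
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def security_matches(entry: Entry, conn: Connection) -> bool:
    if entry.require_ssl and not conn.tls:
        return False
    if entry.cipher == "None":
        return True                                 # no cipher requirement at all
    if entry.cipher == "Any Encryption":            # blocks cleartext and NULL-cipher suites
        return conn.cipher_class in ("weak", "strong")
    if entry.cipher == "Strong":
        return conn.cipher_class == "strong"
    raise ValueError(f"unknown cipher restriction {entry.cipher!r}")


def first_match(whitelist: List[Entry], conn: Connection) -> Optional[int]:
    """Top-down; the first exact match wins. None means the connection is blocked."""
    for index, entry in enumerate(whitelist):
        if (location_matches(entry.location, conn.host)
                and port_matches(entry.port, conn.port)
                and security_matches(entry, conn)):
            return index
    return None


# The three example lists from Tables 3-2 to 3-4.
EXAMPLE_1 = [Entry("*"), Entry("*.example.com", require_ssl=True)]
EXAMPLE_2 = [Entry("*", require_ssl=True)]
EXAMPLE_3 = [
    Entry("192.168.100.10", require_ssl=True),
    Entry("*.example.com", cipher="Strong"),
    Entry("192.168.100.10", port="8004", cipher="Any Encryption"),
]

if __name__ == "__main__":
    probes = [                                      # constructed sample connections
        Connection("anything.net", 80),
        Connection("mail.example.com", 443, tls=True, cipher_class="weak"),
        Connection("192.168.100.10", 8004, tls=True, cipher_class="weak"),
    ]
    for name, wl in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        for conn in probes:
            hit = first_match(wl, conn)
            print(f"{name}: {conn.host}:{conn.port} tls={conn.tls} ->",
                  "blocked" if hit is None else f"permitted by entry {hit + 1}")
```

Running the probes shows the shadowing that the first-match rule produces: in Example 3 an SSL connection to 192.168.100.10:8004 is permitted by the first entry (which requires SSL but no particular cipher), so under the assumptions above the third entry is never the one that decides, and a NULL-cipher connection to that host is also permitted by the first entry. If you want a cipher restriction to take effect for a host, put the entry carrying it above any broader entry for the same host.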
To control app network access
1 In the Admin Console, on the left pane, click App Policy.
2 Do one of the following:
■ To create a new app policy
On the center pane, click New App Policy. Specify a name and a description for your policy. You can also go ahead and specify the General Settings.
See "Creating and managing app policies" on page 71.
■ To modify an existing app policy
On the center pane, select the policy that you want to modify, and on the right pane, click Edit.
Policy changes are applied dynamically and do not require that you rewrap the app. The updated policy is delivered after the next login or check-in. Policy changes affect only connections that are opened after the App Center App receives the updated policy; connections that are already open are not affected.
3 Click Network Access Control.
You may need to click the down arrow to the far right of Network Access Control to display the options.
4 To specify whether you want end users to receive notifications when connections are blocked, check Show notification messages. This option is enabled by default.
A notification message may not appear for every blocked connection: if several connections are blocked in quick succession, the notifications may be bundled together. However, each blocked event appears in the device's log.
The notification message appears only if the application is running in the foreground and the device screen is on. The message includes the server name, IP address, or URL that was blocked.
5 By default, all connections are allowed. To restrict the locations that the app may connect to, in the White-listed Locations list, select the default entry *.* and either modify it or click Delete.
6 To add a new location, in the White-listed Locations box, click New.
When you add a new row, the settings from the prior row are copied and brought forward.
7 In the Location field, type the host.
This field accepts the following values:
■ IPv4 addresses, either a single address or a range in CIDR notation
■ Host names, with or without a single leading wildcard label (*.)
The following table shows examples of supported values for the Location field:

Description                                                       Example
Connections to www.example.com                                    www.example.com
Connections to the hosts in the example.com domain                *.example.com
Connections to all hosts                                          *
Connections to the hosts whose names end with .yahoo.com          *.yahoo.com
All IPv4 addresses in the range 192.168.0.0 to 192.168.127.255    192.168.0.0/17
8 In the Port field, type the port.
This field accepts a single port, several ports separated by commas, or a range of ports, and these forms can be combined.
For example: 80, 1000-1999, 443
An empty value or an asterisk (*) means that all ports are accepted.
9 To specify the security criteria, select any of the following options:
■ Require SSL
When you select this option, only traffic that is sent over a secured connection is permitted. The supported versions are SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
Note that SSL 3.0 is among the supported versions. It is vulnerable to the POODLE attack and has been prohibited by RFC 7568, so make sure that the servers behind your whitelisted locations no longer offer it.
■ Accept untrusted certificates
By default, this option is not enabled and the certificate check is enforced: traffic is permitted only if the server that the application connects to presents a certificate that is trusted according to the device's trusted root store.
When you enable this option, the remote server certificate is accepted even if it cannot be validated using the device's trusted root store. This removes the protection that the certificate check gives against a man-in-the-middle server, so limit it to entries that name a specific host (for example, a test server with a self-signed certificate) rather than wildcard entries.
■ SSL Cipher Restriction
Click the drop-down menu to specify the SSL cipher strength that is required for the connection to be permitted. The default value is None.
If you select Any Encryption, a connection is permitted with any level of cipher encryption. However, connections that negotiate cipher suites without encryption are blocked.
If you select Strong, only connections that meet the OWASP TLS criteria are permitted. For more information, see the following URL:
https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)
10 Select one of the following options:
■ None
This is the default setting. Leave the default setting if you have not integrated with Symantec O₃ and enabled SAML as your external IDP.
■ Use O3 DNS substitution proxy
Select this option if you have integrated with Symantec O₃, have enabled SAML as your external IDP, and want to use O₃ as your DNS substitution proxy.
When you enable this option and are integrated with O₃, the O₃ server that you integrated with App Center automatically appears. To use the O₃ DNS substitution proxy for a whitelisted location, a preceding whitelist entry must exist that allows your O₃ server, because the rewritten connections go to the O₃ server and are evaluated against the whitelist like any other connection.
If O₃ DNS substitution is enabled, the wrapper code intercepts calls and rewrites the URLs in a stylized way. App Center supports only one style, referred to as dashification: in the host part of the original URL, "." is substituted with "-" and "-" is substituted with "--", and then the name of the O₃ server is appended.
Dashification occurs only if (1) O₃ is the SAML provider and (2) O₃ DNS substitution is enabled, and then only for the URLs that match the whitelist entry.
Note: If the O₃ server name changes, you must re-save the app policy, which causes the O₃ server name to be re-populated with the current data. Re-saving also triggers re-wraps for any apps that use the policy.
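The following is an added example, not Symantec's code, of the dashification rewrite described above together with its inverse, which is what a DNS substitution proxy needs in order to recover the original host. It assumes that only the host part of the URL is rewritten, that the O₃ server name is appended as a DNS suffix after a ".", and that user-info in the URL is dropped; the O₃ server name o3.corp.example and the whitelist patterns are made up for the example.

```python
# Added illustration of "dashification"; not Symantec's code.
# Assumptions: only the URL host is rewritten, the O3 server name is appended
# after a ".", and user-info in the URL (user:pass@) is not preserved.
from urllib.parse import urlsplit, urlunsplit


def dashify_host(host: str, o3_server: str) -> str:
    """'-' -> '--' first, so original hyphens stay distinguishable from the
    dashes that replace dots; then '.' -> '-'; then append the O3 server name."""
    encoded = host.replace("-", "--").replace(".", "-")
    return f"{encoded}.{o3_server}"


def undashify_host(name: str, o3_server: str) -> str:
    """Inverse of dashify_host. In the encoded name a run of dashes is either
    pairs (one original hyphen each) or a single dash (an original dot). Host
    name labels never begin or end with a hyphen, so a dot is never adjacent to
    a hyphen and the two cases never run together: decoding is unambiguous."""
    suffix = "." + o3_server
    if not name.endswith(suffix):
        raise ValueError(f"{name!r} is not a dashified name under {o3_server!r}")
    encoded = name[: -len(suffix)]
    out, i = [], 0
    while i < len(encoded):
        if encoded.startswith("--", i):
            out.append("-")
            i += 2
        elif encoded[i] == "-":
            out.append(".")
            i += 1
        else:
            out.append(encoded[i])
            i += 1
    return "".join(out)


def host_matches(pattern: str, host: str) -> bool:
    """Minimal location match: '*', '*.domain', or an exact host name."""
    pattern, host = pattern.lower(), host.lower()
    return pattern == "*" or pattern == host or (pattern.startswith("*.") and host.endswith(pattern[1:]))


def rewrite_url(url: str, o3_server: str, proxied_locations) -> str:
    """Dashify the host of url only if it matches one of the whitelist locations
    that have O3 DNS substitution enabled; any other URL is returned unchanged."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None or not any(host_matches(p, host) for p in proxied_locations):
        return url
    netloc = dashify_host(host, o3_server)
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    o3 = "o3.corp.example"                       # hypothetical O3 server name
    proxied = ["*.example.com"]                  # constructed whitelist locations
    for url in ("https://mail.example-corp.com/inbox",
                "https://www.example.com:8443/inbox?folder=a",
                "https://www.other.net/x"):
        rewritten = rewrite_url(url, o3, proxied)
        print(url, "->", rewritten)
    print(undashify_host("mail-example--corp-com." + o3, o3))
```

The order of the two substitutions matters: if "." were replaced by "-" before "-" was doubled, the dashes that came from dots would be doubled as well and the proxy could no longer tell a dot from a hyphen. Note also that rewriting the host does not change where the TLS certificate check happens: the wrapper now connects to a name under the O₃ server, so the O₃ server must present a certificate valid for the dashified name, or the entry must be combined with a certificate setting you are comfortable with.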
11 Check Enable credential injection so that the credentials that are used for the wrapped app login are passed to the network connection to enable SSO.
You must first enable the User authentication required option in General Settings before you can enable this option.
If you use SAML or SiteMinder as the IDP, the session cookie is injected. If you use any other IDP, the user name and password are injected. The user name and password are injected only for sites that are protected by HTTP Basic or HTTP Digest authentication.
Credential injection is set per whitelist entry and sends the user's credentials to whichever server matches that entry. Enable it only on entries that name specific hosts and that also require SSL: on a wildcard entry such as * it would send the user's session cookie or password to any server that the app connects to, and HTTP Basic sends the password in cleartext on an unencrypted connection.
See "Enrolling and authenticating users" on page 43.
12 To add additional whitelisted locations, repeat steps 6 through 11.
App Center supports up to 50 locations per policy.
13 To change the order of the entries in the list, in the White-listed Locations box, select the location that you want to move and drag it to the desired position. Because entries are evaluated from the top and the first match wins, the order determines which settings apply to a connection.
14 To remove an entry from the list, select it and click Delete.
15 When you have finished making all your changes, click Save.