Best practice for deploying iOS devices

zapp
ssl
ios

(Oliver Meyer) #1

Hi all,

We currently have multiple deployments with customers ongoing. Some of our customers also use the ZApp for iOS. Due to the high number of apps on iOS devices which use certificate pinning or other mechanisms to protect the SSL connection, we try to avoid SSL inspection completely for these device types. Obviously this is not an option for all customers, so in this case we add every application which doesn’t work with SSL inspection to the exceptions (with destination domains). This leads to a high configuration workload and also deactivates SSL inspection for these domains for our Windows clients.

Is there any better way to handle the SSL inspection here? What are the recommended settings for iOS devices?

Best regards,
Oliver


(Arne Diaz) #2

Oliver,

You can also create a Custom URL Category specifically for iOS, maybe called iOS SSL Bypass.

https://help.zscaler.com/zia/adding-custom-url-categories

Add your iOS-specific domains to this list and then, under Policy > SSL Inspection, add this Custom Category to the Do Not Inspect Sessions to these URL Categories.

https://help.zscaler.com/zia/about-ssl-inspection#subc-configure-ssl-inspection-policy

The below article talks about cert pinning and might help provide more granular details on exactly which domains need to be bypassed by OS.

https://help.zscaler.com/zia/public-key-pinning-and-zscaler

Hope this helps!

Arne


(Oliver Meyer) #3

Hi Arne,

Thanks a lot. The domain list for whitelisting is extremely helpful!

Best Regards,
Oliver