SafeSearch Forces YouTube into Restricted Mode

We have users utilizing ZIA and when attempting to view YouTube videos they are met with a Restricted Mode notification. This appears to be an effect of SafeSearch which includes the Cloud App YouTube. Is there a recommended way to remedy this issue without completely disabling SafeSearch in ZIA?

We decided to turn off SafeSearch in the end.
There is ER-8730 to add some additional granular controls to SafeSearch.
You could also Exclude YouTube from your SSL policy but that might introduce other issues for you.

If you just want to enforce Safesearch on Google searches rather than Youtube etc you may be able to do it with a DNAT rule as below. Note that this option only works with some search engines, Google and Bing I believe. You may need to block the others.

It requires a NAT control rule to change the destination IP for particular domains, as you can see in the screenshot.

I’ve tested and I seem to get the right results. I had to turn off Safesearch in URL - Advanced Settings*, but after that I seemed to get safesearch results for and, but not - which makes sense based on the rule criteria.


The two domains in question seemed to get DNAT’D to the IP address. You can also use a FQDN which would be even better.

The rule is very flexible with the ability to enforce it on a wide range of criteria.

The Google doc is at Lock SafeSearch for accounts, devices & networks you manage - Google Search Help

We opt to temporarily disable ssl inspection for youtube for select users when they encounter the issue. It’s not ideal as it’s a manual add/remove in the ssl policy when it’s needed, but we did not want to turn off safesearch completely for the organization. I am looking forward to the granular controls for safesearch when those are introduced.