A policy rule, created in the ThreatPulse portal editor, to block or allow Dropbox for specific users or groups does not work. A likely cause is certificate pinning.
Normally, certificates are verified/validated by inspecting the signature hierarchy:
- [MyCert] → signed by [IntermediateCert] → signed by [RootCert]
  - Where [RootCert] is listed in your computer's "Trusted Cert Store."
Certificate pinning differs in that the client ignores the hierarchy above and instead says "Trust this cert only" or "Only trust certificates signed by this certificate." For example, Windows Update Service trusts only certificates signed by Microsoft. This can effectively mitigate any risk of a compromised CA cert.
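Because of certificate pinning, SSL interception is not possible for Dropbox policy: interception means the proxy presents its own re-signed certificate in place of the server's, and a client that pins the certificate rejects it.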
Thus, Dropbox can only be ALLOWED or BLOCKED for everyone. It cannot be enforced for specific users or groups.
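The difference between the two trust models, as an added example (not part of the original article or of any product's code). It is a simplified model: certificates are plain records, no real signatures are verified, and all names and key bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:  # simplified model: identity and issuer link only
    subject: str
    key: bytes                       # stands in for the public key
    issuer: Optional["Cert"] = None  # None = self-signed root

    def fingerprint(self) -> str:
        return hashlib.sha256(self.subject.encode() + b"|" + self.key).hexdigest()

def chain(cert):
    """Yield cert, then each issuer up to the root."""
    while cert is not None:
        yield cert
        cert = cert.issuer

def hierarchy_trusts(leaf, trust_store):
    """Normal validation: the chain reaches a cert in the trusted store."""
    return any(c.fingerprint() in trust_store for c in chain(leaf))

def pin_exact(leaf, pin):
    """Pinning, form 1: 'Trust this cert only.'"""
    return leaf.fingerprint() == pin

def pin_issuer(leaf, pin):
    """Pinning, form 2: 'Only trust certificates signed by this certificate.'"""
    return any(c.fingerprint() == pin for c in chain(leaf.issuer))

# Constructed sample data (placeholders, not real certificates).
root = Cert("PublicRootCA", b"root-key")
inter = Cert("PublicIntermediateCA", b"inter-key", root)
genuine = Cert("service.example", b"service-key", inter)
# The interception proxy re-signs the site cert with its own CA,
# which the organisation has added to each computer's trusted store.
proxy_ca = Cert("InterceptionProxyCA", b"proxy-key")
resigned = Cert("service.example", b"proxy-minted-key", proxy_ca)
trust_store = {root.fingerprint(), proxy_ca.fingerprint()}

def evaluate(leaf):
    """Run all three checks; pins are taken from the genuine chain."""
    return {"hierarchy": hierarchy_trusts(leaf, trust_store),
            "pin_exact": pin_exact(leaf, genuine.fingerprint()),
            "pin_issuer": pin_issuer(leaf, inter.fingerprint())}

if __name__ == "__main__":
    for name, leaf in (("direct", genuine), ("intercepted", resigned)):
        print(name, evaluate(leaf))
```

The intercepted certificate passes the hierarchy check because the proxy CA is in the trusted store, yet fails both pin checks, which is why a pinned client refuses the intercepted connection.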