Dropbox is not working when enforcing user- or group-based policy

Article ID: 171329

Products

Web Security Service - WSS

Issue/Introduction

A policy to allow or block Dropbox for specific users or groups does not work.

Cause

Certificates are validated by inspecting the signature hierarchy:

[MyCert] → signed by [IntermediateCert] → signed by [RootCert]

where [RootCert] is listed in your computer's "Trusted Cert Store."

Certificate Pinning differs in that you ignore the hierarchy above and instead say "Trust this cert only," or "Only trust certificates, signed by this certificate."  

For example, Windows Update Service trusts only certificates signed by Microsoft. This can effectively mitigate any risk of a compromised CA cert.
See: Certificate and Public Key Pinning

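Dropbox is not currently supported by the Web Security Service (WSS) because of Certificate Pinning: the Dropbox client rejects the substitute certificate that the proxy presents during SSL interception, so SSL Interception is not possible for Dropbox.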
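
The difference between the two checks, as an added example (not Broadcom or Dropbox code): a simplified Python model showing why a chain re-signed by an interception proxy passes the trust-store check but fails a pin check. The certificates, the host name `files.example`, and the choice to pin the issuing intermediate's public key are constructed assumptions, and signature verification is left out.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo

def spki_pin(cert):
    """Pin in the common base64(SHA-256(SubjectPublicKeyInfo)) form."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def chain_is_trusted(chain, trust_store):
    """Hierarchy check: each cert is issued by the next one, and the chain
    ends at a self-issued root in the trust store (signatures not modelled)."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and spki_pin(root) in trust_store

def pin_matches(chain, pins):
    """Pinning check: some certificate in the chain carries a pinned key."""
    return any(spki_pin(cert) in pins for cert in chain)

# Constructed sample certificates (hypothetical names and key bytes).
ORIGIN_ROOT = Cert("Public Root CA", "Public Root CA", b"origin-root-key")
ORIGIN_INT = Cert("Public Intermediate CA", "Public Root CA", b"origin-int-key")
ORIGIN_LEAF = Cert("files.example", "Public Intermediate CA", b"origin-leaf-key")
PROXY_ROOT = Cert("Proxy Interception CA", "Proxy Interception CA", b"proxy-root-key")
PROXY_LEAF = Cert("files.example", "Proxy Interception CA", b"proxy-leaf-key")

DIRECT_CHAIN = [ORIGIN_LEAF, ORIGIN_INT, ORIGIN_ROOT]
INTERCEPTED_CHAIN = [PROXY_LEAF, PROXY_ROOT]  # what the client sees behind the proxy
TRUST_STORE = {spki_pin(ORIGIN_ROOT), spki_pin(PROXY_ROOT)}  # proxy root installed
APP_PINS = {spki_pin(ORIGIN_INT)}  # assumption: app pins its issuing intermediate

def evaluate(chain):
    """Verdict of a trust-store client and of a pinned application."""
    return {"trust_store": chain_is_trusted(chain, TRUST_STORE),
            "pinned_app": pin_matches(chain, APP_PINS)}

if __name__ == "__main__":
    print("direct     ", evaluate(DIRECT_CHAIN))
    print("intercepted", evaluate(INTERCEPTED_CHAIN))
```

A browser that relies on the trust store accepts the intercepted chain once the proxy root is installed, while the pinned application refuses it regardless of what is in the trust store.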

Environment

Web Security Service

Resolution

Dropbox can only be Enabled or Disabled for everyone. It cannot be enforced for specific users or groups.

Change the current policy that is not working to be Global for all users and groups.

Check whether Dropbox is in the SSL interception list. If it is, remove it.