Can the WSS Agent recognise when there is a captive portal and allow temporary access only to that portal?
How does the WSS Agent ensure the browser used for the captive portal cannot be misused to browse anywhere?
Does your solution invoke a single-purpose / closed browser system to access the captive portal?
Captive portal network at a hotel or cafe.
The WSS Agent does recognise when a host OS is connected to a captive network portal, e.g. at a hotel where the user is asked to enter their room number/surname in order to get out to the Internet.
The WSS Agent does not have knowledge of the captive network itself - it leverages the Operating System APIs (available on both Windows and macOS) to provide connectivity information.
Without the context that the OS provides, there is no way to reliably tell the difference between a network being captive (when you need to allow traffic through) and a malicious actor targeting your application and service endpoints and preventing connection (when you need to fail open or closed, depending on configuration). Leveraging the OS APIs to determine captivity, as we do, avoids that additional risk. The WSS Agent does not intercept traffic while on a captive network, because we cannot establish a tunnel on a captive network. Only when the OS tells us that the interface is no longer in the captive network detected state will the WSS Agent try to bring up the tunnel.
Note that neither OS vendor (Microsoft or Apple) provides many details on *HOW* their captive network APIs detect or enforce captivity - they simply provide a way of checking the state.
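The decision described above can be modelled as a small state machine. This is an added example, not WSS Agent code: the class, state and action names are hypothetical, the OS-reported state stands in for whatever the Windows or macOS connectivity API returns, and the hotel timeline is constructed.

```python
from enum import Enum

class OsState(Enum):            # state as reported by the OS API (modelled)
    NO_NETWORK = 0
    CAPTIVE = 1
    NOT_CAPTIVE = 2

class Action(Enum):
    IDLE = "idle"
    PASS_THROUGH = "pass-through"   # captive: no interception, no tunnel attempt
    TUNNEL_UP = "tunnel-up"
    FAIL_OPEN = "fail-open"
    FAIL_CLOSED = "fail-closed"

class AgentModel:
    """Hypothetical model: the tunnel is gated only on the OS captive state."""
    def __init__(self, try_tunnel, fail_open):
        self.try_tunnel = try_tunnel    # callable() -> bool, True if tunnel came up
        self.fail_open = fail_open      # assumed configuration switch
        self.attempts = 0

    def on_os_state(self, state):
        if state is OsState.NO_NETWORK:
            return Action.IDLE
        if state is OsState.CAPTIVE:
            return Action.PASS_THROUGH  # never probe the tunnel while captive
        self.attempts += 1
        if self.try_tunnel():
            return Action.TUNNEL_UP
        # OS says the network is not captive, yet the tunnel is unreachable:
        # treated as a blocked endpoint, never reclassified as a captive portal.
        return Action.FAIL_OPEN if self.fail_open else Action.FAIL_CLOSED

def replay(events, fail_open):
    """events: list of (OsState, tunnel_reachable). Returns (actions, attempts)."""
    reach = {"now": False}
    agent = AgentModel(lambda: reach["now"], fail_open)
    actions = []
    for state, reachable in events:
        reach["now"] = reachable
        actions.append(agent.on_os_state(state))
    return actions, agent.attempts

HOTEL = [                               # constructed timeline
    (OsState.NO_NETWORK, False),
    (OsState.CAPTIVE, False),           # joined hotel Wi-Fi, portal pending
    (OsState.CAPTIVE, False),
    (OsState.NOT_CAPTIVE, True),        # user signed in, OS clears captive state
    (OsState.NOT_CAPTIVE, False),       # tunnel endpoint blocked afterwards
]

if __name__ == "__main__":
    for fail_open in (False, True):
        print(fail_open, replay(HOTEL, fail_open))
```

In this model the tunnel is attempted twice, both times after the OS clears the captive state, and the blocked endpoint in the last step falls to the configured fail mode instead of being handled like a portal.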
A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources.