SEP Mobile users integrating with Cloud SWG for iOS devices.
After upgrading to SEP Mobile 6.14, users have started to complain about connectivity issues: they cannot send images over WhatsApp on their work iPhones (text is OK though), or they get a 'not able to check for update' error when searching for iOS updates.
When the SEP mobile VPN is disabled, the images send without issue and update checks complete.
The iPhones are on the latest iOS version, 16.6, and WhatsApp and SEP are also showing the latest versions.
SEP Mobile 6.14.
Cloud SWG SSL inspection bypass rules fail, and any application using certificate pinning breaks.
Updated Cloud SWG service to handle the new SEP Mobile device types.
The SEP Mobile update changes the device type from eMobile_device to eClient_connector for mobile devices. The default SSL interception bypasses needed for mobile devices check for the eMobile_device device type and fail to find a match.
Policy trace confirms that the device type is not eMobile_device.
2023-08-10 16:42:57 "DP4-GGBLO12_proxysg2" 46 14.13.12.11 "[email protected]" "h8rqRE3sWD3AtDfj+Mv0+zcvMicRAaqw2i9cge9D1pE=" h8rqRE3sWDtDfj+Mv0+zcvdEAaqw2i9cge9D1pE= "Group1" - OBSERVED "Chat (IM)/SMS" - 0 - unknown - ssl media-lhr8-1.cdn.whatsapp.net 443 / - - - 192.168.4.85 0 0 - - - - - - - - 0 "client" client_connector "WhatsApp" "Chat/Instant Messaging" 10.240.221.60 "United Kingdom" CERT_VALID none - - TLSv1.3 TLS_AES_128_GCM_SHA256 128 *.whatsapp.net "Chat (IM)/SMS" TLSv1.3 TLS_AES_128_GCM_SHA256 128 - ICAP_NOT_SCANNED - - ICAP_NOT_SCANNED - - - - - - 0 - "United Kingdom" %2210.240.221.60|United%20Kingdom|timeout%22 "United Kingdom" 2 2 wss-agent architecture=arm64%20name=iOS%20version=16.6.0 10.0.51.19802 11.12.13.205 0d55b698-01ca-45a6-b45f-3690d09b5d1a iPhone - - - - SSL_Intercept_1 - - - - 2001:0DB8:03f6:28e5:6ced:fbc8:5e37:8840 9a1565189c0b4aeb-00000000479dc415-0000000064d51391 - - - - - - - client
Policy trace confirms that the SSL inspection bypass rule fails to MATCH and the proxy inspects the traffic:
<ssl-intercept@ssl-int> [layer 54] [tenant:119]
[Rule]
miss: condition=BC_SSL_Rule_325352_destination_SSL-Intercept_ssl_interception_CategoryList
miss: client.location.access_type=mobile_device
miss: condition=BC_MobileAppBypass_UrlList
miss: client.location.access_type=mobile_device
miss: client.location.access_type=mobile_device
miss: condition=BC_SSL_Custom_SSL-Intercept_ssl_interception_UrlList_13961355_OS_CLI_Tool_SSLExceptions
miss: condition=BC_SSL_Rule_312140_destination_SSL-Intercept
miss: condition=BC_SSL_Custom_SSL-Intercept_ssl_interception_UrlList_13905767_OS_SSL_AzureBypass
MATCH: variable.BC_SSL_Intercept_exempt(false) variable.BC_SSL_Intercept_exempt.rationale(SSL-G3)
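
To check other traces for the same pattern, the following added example (not part of the original article and not Broadcom code) parses an excerpt of the policy trace above and reports whether the mobile_device bypass tests missed while the layer ended with the exempt variable set to false. The function names are hypothetical, and the device type passed in is the client_connector value seen in the access log line above.

```python
import re

# Excerpt of the policy trace shown on this page.
TRACE = """\
<ssl-intercept@ssl-int> [layer 54] [tenant:119]
[Rule]
miss: condition=BC_SSL_Rule_325352_destination_SSL-Intercept_ssl_interception_CategoryList
miss: client.location.access_type=mobile_device
miss: condition=BC_MobileAppBypass_UrlList
miss: client.location.access_type=mobile_device
miss: client.location.access_type=mobile_device
MATCH: variable.BC_SSL_Intercept_exempt(false) variable.BC_SSL_Intercept_exempt.rationale(SSL-G3)
"""

LINE_RE = re.compile(r"^\s*(miss|MATCH):\s*(.+)$")
EXEMPT_RE = re.compile(r"variable\.BC_SSL_Intercept_exempt\((true|false)\)")
ACCESS_RE = re.compile(r"client\.location\.access_type=(\S+)")

def analyze_trace(text):
    """Summarise a trace: access_type tests that missed, other misses,
    and the final value of the SSL intercept exempt variable."""
    result = {"access_type_misses": {}, "other_misses": [], "exempt": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # layer header, [Rule] marker, blank lines
        verdict, body = m.groups()
        access = ACCESS_RE.search(body)
        if verdict == "miss" and access:
            counts = result["access_type_misses"]
            counts[access.group(1)] = counts.get(access.group(1), 0) + 1
        elif verdict == "miss":
            result["other_misses"].append(body.strip())
        else:
            exempt = EXEMPT_RE.search(body)
            if exempt:
                result["exempt"] = exempt.group(1) == "true"
    return result

def bypass_broken_by_device_type(text, logged_device_type):
    """True when the logged device type is not mobile_device, the
    mobile_device tests missed, and the layer ended with exempt=false."""
    r = analyze_trace(text)
    return (logged_device_type != "mobile_device"
            and r["access_type_misses"].get("mobile_device", 0) > 0
            and r["exempt"] is False)

if __name__ == "__main__":
    print(analyze_trace(TRACE))
    print(bypass_broken_by_device_type(TRACE, "client_connector"))
```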