Starting with macOS Sonoma, Safari can create a WebApp from any website. Open a website (for example, https://dlptest.com) in Safari and go to File → Add to Dock. This creates a WebApp for https://dlptest.com.
This feature lets a user turn any website into a WebApp. The benefit is quick access to the website: the user does not need to open the browser and type the address again, and can simply launch the WebApp and start using it.
While exploring this feature, Broadcom found that a sensitive file can be uploaded successfully through such a WebApp, resulting in data loss.
DLP Endpoint Agent
macOS Sonoma
On further exploration, we found that WebApps can be monitored for file upload operations using the AFAC channel. To do so, add an entry for the application with the binary name 'Web App' to the Global Application Monitoring page.
With that in place, file uploads to these WebApps are monitored and the respective remediation action is taken.
An AFAC incident is generated; however, the application name populated is 'com.apple.WebKit.Networking' instead of the actual WebApp.
For every WebApp, the following process is launched:
/System/Volumes/Preboot/Cryptexes/App/System/Library/CoreServices/Web App.app/Contents/MacOS/Web App
Hence, adding this to the Global Application Monitoring page solves the issue for file uploads.
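To confirm on an endpoint that every running WebApp is backed by the 'Web App' binary at the path above, the following added example (not part of the original article or of the DLP product) filters a process listing for that executable. It assumes input lines of the form "PID full-executable-path", as produced on macOS by `ps -axo pid=,comm=`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Safari WebApp host processes in a "PID PATH" listing.
# Assumed input: one process per line, PID followed by the full executable
# path, e.g. from:  ps -axo pid=,comm= | web_app_pids

# Tail of the executable path given in the article.
WEBAPP_SUFFIX='/Web App.app/Contents/MacOS/Web App'

# Print the PIDs of processes whose executable is the Web App host binary.
web_app_pids() {
    awk -v suffix="$WEBAPP_SUFFIX" '
    {
        pid = $1
        # The path contains spaces ("Web App"), so take everything after
        # the PID instead of relying on whitespace-split fields.
        path = $0
        sub(/^[ \t]*[0-9]+[ \t]+/, "", path)
        n = length(path); m = length(suffix)
        if (n >= m && substr(path, n - m + 1) == suffix) print pid
    }'
}

# Print the binary name (last path component) of an executable path.
# This is the value to compare with the Global Application Monitoring entry.
binary_name() {
    printf '%s\n' "${1##*/}"
}

# Constructed sample listing (not captured from a real machine).
sample_listing() {
    cat <<'EOF'
  501 /Applications/Safari.app/Contents/MacOS/Safari
  733 /System/Volumes/Preboot/Cryptexes/App/System/Library/CoreServices/Web App.app/Contents/MacOS/Web App
  734 /usr/libexec/Web App
  812 /System/Volumes/Preboot/Cryptexes/App/System/Library/CoreServices/Web App.app/Contents/MacOS/Web App
EOF
}
```

Two WebApps in the sample resolve to the same executable, which is why a single 'Web App' entry covers all of them; the line for PID 734 shows that matching on the binary name alone would also match an unrelated path.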
What Works with DLP Endpoint Agent:
Limitations and Known Issues: