Whitelist and blacklist URL filtering (Android)
Using key-value pairs, you can configure a whitelist and/or blacklist of URLs to allow or block access to these URLs from Web@Work.
•A blacklist defines a list of URLs the Web@Work browser is not allowed access to. URLs that do not appear in the blacklist are accessible. If the user navigates to a blacklisted URL, Web@Work displays a warning message. (See also: Custom warning messages for blacklisted URLs (Android))
•If both a blacklist and a whitelist are defined, the whitelist rules override the blacklist rules. The whitelist is considered a list of exceptions to the blacklist. The user can always access the URLs that are defined by a whitelist rule.
Blacklist/Whitelist rules and AppTunnel
Blacklist/Whitelist rules do not apply if an AppTunnel is blocked. AppTunnel continues to block the resources as it is configured to do. Users will see the following message:
However, if the AppTunnel is allowed and the resource is blacklisted, then the blacklist is applied. Users will see the following message: The website you are trying to reach is blacklisted. Please contact your administrator.
Configuring a blacklist or whitelist
To define a blacklist or whitelist:
1. | Sign in to the Core Admin Portal. |
2. | Go to Policies & Configs > Configurations. |
3. | Select the Web@Work setting that applies to the devices of interest. |
4. | Click Edit. |
5. | Under Custom Configurations, click Add. |
6. | Add the following keys and values, for a whitelist or a blacklist respectively. |
Key |
Value Description |
whitelist |
|
blacklist |
URL filter rule strings must be enclosed in double quotes, and comma separated if multiple entries are used.
For “URL_filter_rule”, seeURL Filter Format.
- | A blacklist can be used with or without a whitelist. |
- | A minimum of one URL filter rule must be provided. |
7. | Click Save. Apply this Web@Work configuration to labels that identify the devices that should receive this configuration. |
Configuring an exclusive whitelist
An exclusive whitelist allows access to URLs that are in the whitelist, and excludes all other URLs. For example, you may wish to limit Web@Work’s access to only the URLs that belong to your company for a special purpose device.
To configure an exclusive whitelist, use a blacklist value of “*” to match all hosts, and then provide the whitelist URL filter rules to enable access to the desired URLs.
Key |
Value Description |
whitelist |
|
blacklist |
“*” |
URL Filter Format
Web@Work uses the same URL filter format for whitelist and blacklist as does Chromium. See also: www.chromium.org/administrators/url-blacklist-filter-format.
The filter rule can be a URL pointing to a white- or blacklisted resource, or may be a wildcard matching a range of URLs.
The URL filter format is:
[scheme://][.]host[:port][/path][@query]
Where:
•Scheme is optional, and can be: http, https, ftp, chrome, etc., but cannot be mibrowser or mibrowsers
•Port, path, and query are optional.
•Host is required.
- | Host can be the special value “*”, which matches all hosts. |
• If a host is prefixed with a '.' (dot), only exact host matches will be filtered:
- | "example.com" matches "example.com", "www.example.com" and "sub.www.example.com"; |
- | ".www.example.com" only matches exactly "www.example.com". |
Troubleshooting blacklists and whitelists
You can enable debug level of logging for the whitelist and blacklist features by adding the following key-value pair to the Web@Work configuration:
Key |
Value Description |
vlog_level |
“1” -- enables debug level of logs |
The logs will show the list of allowed and disallowed URLs.