Whitelist and blacklist URL filtering (Android)

Using key-value pairs, you can configure a whitelist and/or blacklist of URLs to allow or block access to these URLs from Web@Work.

A blacklist defines a list of URLs the Web@Work browser is not allowed access to. URLs that do not appear in the blacklist are accessible. If the user navigates to a blacklisted URL, Web@Work displays a warning message. (See also: Custom warning messages for blacklisted URLs (Android))

If both a blacklist and a whitelist are defined, the whitelist rules override the blacklist rules. The whitelist is considered a list of exceptions to the blacklist. The user can always access the URLs that are defined by a whitelist rule.

Blacklist/Whitelist rules and AppTunnel

Blacklist/Whitelist rules do not apply if an AppTunnel is blocked. AppTunnel continues to block the resources as it is configured to do. Users will see the following message: App tunnel is blocked.

However, if the AppTunnel is allowed and the resource is blacklisted, then the blacklist is applied. Users will see the following message: The website you are trying to reach is blacklisted. Please contact your administrator.

Configuring a blacklist or whitelist

To define a blacklist or whitelist:

1. Sign in to the Core Admin Portal.
2. Go to Policies & Configs > Configurations.
3. Select the Web@Work setting that applies to the devices of interest.
4. Click Edit.
5. Under Custom Configurations, click Add.
6. Add the following keys and values, for a whitelist or a blacklist respectively.

| Key | Value Description |
| --- | --- |
| whitelist | |
| blacklist | |

URL filter rule strings must be enclosed in double quotes, and comma separated if multiple entries are used.

For “URL_filter_rule”, see URL Filter Format.

- A blacklist can be used with or without a whitelist.
- A minimum of one URL filter rule must be provided.
7. Click Save. Apply this Web@Work configuration to labels that identify the devices that should receive this configuration.

Configuring an exclusive whitelist

An exclusive whitelist allows access to URLs that are in the whitelist, and excludes all other URLs. For example, you may wish to limit Web@Work’s access to only the URLs that belong to your company for a special purpose device.

To configure an exclusive whitelist, use a blacklist value of “*” to match all hosts, and then provide the whitelist URL filter rules to enable access to the desired URLs.

| Key | Value Description |
| --- | --- |
| whitelist | |
| blacklist | “*” |

URL Filter Format

Web@Work uses the same URL filter format for whitelist and blacklist as does Chromium. See also: www.chromium.org/administrators/url-blacklist-filter-format.

The filter rule can be a URL pointing to a white- or blacklisted resource, or may be a wildcard matching a range of URLs.

The URL filter format is:

[scheme://][.]host[:port][/path][@query]

Where:

Scheme is optional, and can be: http, https, ftp, chrome, etc., but cannot be mibrowser or mibrowsers.

Port, path, and query are optional.

Host is required.

- Host can be the special value “*”, which matches all hosts.

A host without a prefix matches that host and all of its subdomains. If a host is prefixed with a '.' (dot), only exact host matches will be filtered:

- "example.com" matches "example.com", "www.example.com" and "sub.www.example.com";
- ".www.example.com" only matches exactly "www.example.com".
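
To check a rule set before deploying it, the following added example (not Web@Work or Chromium code) models the host, scheme and port rules described above, together with the whitelist-overrides-blacklist behaviour. The function names are hypothetical; comparing the path as a prefix, ignoring the query part, and the default-port table are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Rule grammar from the page: [scheme://][.]host[:port][/path][@query]
RULE_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<dot>\.)?(?P<host>\*|[^:/@]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^@]*)?(?:@(?P<query>.*))?$",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}  # assumption of this sketch


def parse_rule(rule):
    """Split one URL filter rule string into its named parts."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a valid URL filter rule: {rule!r}")
    return m.groupdict()


def rule_matches(rule, url):
    """Return True if a single filter rule covers the given URL."""
    r, u = parse_rule(rule), urlsplit(url)
    host = (u.hostname or "").lower()
    want = r["host"].lower()
    if r["scheme"] and r["scheme"].lower() != u.scheme.lower():
        return False
    if want != "*":                       # "*" matches all hosts
        if r["dot"]:                      # ".host": exact host only
            if host != want:
                return False
        elif host != want and not host.endswith("." + want):
            return False                  # "host": the host and its subdomains
    if r["port"] and int(r["port"]) != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    # Assumption: path is compared as a prefix; query terms are not evaluated.
    return not r["path"] or (u.path or "/").startswith(r["path"])


def is_allowed(url, blacklist, whitelist=()):
    """Whitelist rules are exceptions to the blacklist, so they are checked first."""
    if any(rule_matches(r, url) for r in whitelist):
        return True
    return not any(rule_matches(r, url) for r in blacklist)
```

Subdomain matching is done on a label boundary, so a rule for "example.com" does not cover a look-alike host such as "badexample.com".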

Troubleshooting blacklists and whitelists

You can enable debug level of logging for the whitelist and blacklist features by adding the following key-value pair to the Web@Work configuration:

| Key | Value Description |
| --- | --- |
| vlog_level | “1” -- enables debug level of logs |

The logs will show the list of allowed and disallowed URLs.