Configure Network Filtering on Supervised Devices (Administrator Task) - Administrator Guide - 8.4 - Cortex XDR - Cortex XDR Agent - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XDR Agent iOS App

Product
Cortex XDR
Cortex XDR Agent
Version
8.4
Creation date
2024-02-26
Last date published
2024-06-27
Category
Administrator Guide
Abstract

When your organization manages iOS devices, the administrator can set up the Network Shield feature to block network activity for specific URLs.

When your organization manages iOS devices, the administrator can set up the Network Shield feature to block network activity for specific URLs. The administrator must configure profiles both at the mobile device management (MDM) side, and at the Cortex XDR or Cortex XSIAM tenant side.

  • At the MDM side, configure a payload configuration profile for network filtering.

  • At the Cortex XDR or Cortex XSIAM tenant side, configure the Block list in the URL filtering section of the malware profile.

Note

We recommend that you configure your environment so that iOS device users cannot remove the Cortex XDR app manually.

In your MDM, configure a profile for the managed devices that includes the payload enabling the Network Shield feature. Configure the following in the web content filter payload:

  • Enable FilterBrowsers and FilterSockets

  • Set PluginBundleID to the bundle ID of the Cortex XDR agent iOS app: com.paloaltonetworks.cortex.ios

  • (Optional, supported only on devices running iOS 17 or higher) Add the distributionId key under VendorConfig in the payload.

    • When distributionId is present in the payload, registration is performed in the background when the device user first opens the app, and the user does not need to go through the installation wizard's onboarding procedure.

  • (Optional, supported only on devices running iOS 17 or higher) If your MDM solution can substitute dynamic values into payloads (for example $USERNAME or $EMAIL), you can set the username key under VendorConfig to the user name that is used during automatic registration in the background.

The following example shows a sample configuration profile with the required payload settings and the optional VendorConfig keys:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>FilterBrowsers</key>
            <true/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>PayloadDescription</key>
            <string>Configures content filtering settings</string>
            <key>PayloadDisplayName</key>
            <string>Cortex XDR Network Data Filter</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.webcontent-filter.2EF1184F-FC41-4477-BA81-D46AB318D8BB</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadUUID</key>
            <string>2EF1184F-FC41-4477-BA81-D46AB318D8BB</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PluginBundleID</key>
            <string>com.paloaltonetworks.cortex.ios</string>
            <key>UserDefinedName</key>
            <string>Test667016 Filter Config</string>
            <!-- Optional, iOS 17 or later: enables background registration without the onboarding wizard -->
            <key>VendorConfig</key>
            <dict>
                <key>distributionId</key>
                <string>******4046b24424d9ce252**********</string>
                <!-- $USERNAME is substituted by the MDM, if it supports dynamic values -->
                <key>username</key>
                <string>$USERNAME</string>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Network Filter</string>
    <key>PayloadIdentifier</key>
    <string>M-NPGQ47GQG3.9A2AF4B6-BB2C-4956-B599-CAB4C0CCBD6B</string>
    <!-- false lets device users remove this profile; confirm with your MDM that the filter cannot be removed by the user -->
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>187DABAB-297B-44B9-88FA-B57F0A44088F</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
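Before pushing a profile to devices, it is worth checking it for the settings listed above rather than discovering a typo on the device. The following script is an added example for this page, not Cortex XDR or Apple code. It parses a profile with Python's standard plistlib, reports as errors the settings this page requires (FilterType, FilterBrowsers, FilterSockets, PluginBundleID) and as warnings the optional iOS 17 keys and a PayloadRemovalDisallowed value of false. The embedded profile is constructed for the example, and its distributionId is a dummy value, not a real tenant identifier.

```python
"""Sanity-check an MDM configuration profile for the Cortex XDR iOS
Network Shield payload. Added example for this page, not Cortex XDR
or Apple code. Key names follow the sample profile above; the embedded
profile and its distributionId value are constructed for the example."""
import plistlib
import sys

EXPECTED_BUNDLE_ID = "com.paloaltonetworks.cortex.ios"
FILTER_PAYLOAD_TYPE = "com.apple.webcontent-filter"

# Constructed sample profile (same shape as the page's example; the
# distributionId below is a dummy value, not a real tenant identifier).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>FilterBrowsers</key><true/>
      <key>FilterSockets</key><true/>
      <key>FilterType</key><string>Plugin</string>
      <key>PayloadType</key><string>com.apple.webcontent-filter</string>
      <key>PayloadIdentifier</key><string>com.apple.webcontent-filter.2EF1184F-FC41-4477-BA81-D46AB318D8BB</string>
      <key>PayloadUUID</key><string>2EF1184F-FC41-4477-BA81-D46AB318D8BB</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PluginBundleID</key><string>com.paloaltonetworks.cortex.ios</string>
      <key>VendorConfig</key>
      <dict>
        <key>distributionId</key><string>00000000000000000000000000000000</string>
        <key>username</key><string>$USERNAME</string>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Network Filter</string>
  <key>PayloadIdentifier</key><string>example.network-filter</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>187DABAB-297B-44B9-88FA-B57F0A44088F</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
"""


def filter_payloads(profile):
    """Return the web content filter payloads found inside PayloadContent."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == FILTER_PAYLOAD_TYPE]


def check_filter_payload(payload):
    """Return (errors, warnings) for one com.apple.webcontent-filter payload.
    Errors are settings this page requires; warnings cover the optional
    iOS 17+ keys and values that look like unfinished placeholders."""
    errors, warnings = [], []
    if payload.get("FilterType") != "Plugin":
        errors.append("FilterType must be Plugin")
    for key in ("FilterBrowsers", "FilterSockets"):
        if payload.get(key) is not True:
            errors.append(f"{key} must be true")
    if payload.get("PluginBundleID") != EXPECTED_BUNDLE_ID:
        errors.append(f"PluginBundleID must be {EXPECTED_BUNDLE_ID}")
    vendor = payload.get("VendorConfig") or {}
    dist = vendor.get("distributionId")
    if dist is None:
        warnings.append("no distributionId: users go through the onboarding wizard")
    elif "*" in dist:
        # A masked value copied from documentation was never replaced.
        errors.append("distributionId still contains a masked placeholder")
    if dist is not None and "username" not in vendor:
        warnings.append("distributionId set but no username for background registration")
    return errors, warnings


def check_profile(data):
    """Parse a profile (bytes) and return {'errors': [...], 'warnings': [...]}."""
    profile = plistlib.loads(data)
    errors, warnings = [], []
    if profile.get("PayloadType") != "Configuration":
        errors.append("top-level PayloadType must be Configuration")
    payloads = filter_payloads(profile)
    if not payloads:
        errors.append(f"no {FILTER_PAYLOAD_TYPE} payload in PayloadContent")
    for p in payloads:
        e, w = check_filter_payload(p)
        errors += e
        warnings += w
    if profile.get("PayloadRemovalDisallowed") is not True:
        warnings.append("PayloadRemovalDisallowed is not true: confirm with your "
                        "MDM that device users cannot remove the filter profile")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Usage: python check_profile.py [profile.mobileconfig]; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    result = check_profile(data)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1]}: {msg}")
    sys.exit(1 if result["errors"] else 0)
```

Run it against the exported .mobileconfig before assigning the profile in the MDM. On the sample above it reports no errors and a single warning about PayloadRemovalDisallowed; a profile pasted from documentation with the masked distributionId still in place fails with an error, which is the case the check exists for.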
  1. On your Cortex XDR or Cortex XSIAM tenant, create a new Malware profile, or edit an existing one for iOS devices. See Add a Malware Security Profile (Administrator Task).

    • Ensure that you set URL filtering, Action Mode to Block.

      • Add the URLs to block to the Block List. You can specify an exact URL, or match a set of URLs with a wildcard. For example:

        • Block a specific URL: www.google.com

        • Block all URLs under that host: www.google.com/*

    • Ensure that you set Network and EDR Security Module URL filtering to Enabled.

  2. If the Malware profile is not assigned to a prevention policy rule yet, add it to a new or existing policy rule, and ensure that supervised iOS devices are mapped to the policy rule.

  3. To validate that the network filter is enabled on the device, go to the Cortex XDR app Modules screen on the device. The Network Shield tile should display Controlled by admin.

To disable the network filter, use your MDM to remove the payload configuration profile that enabled the filter from the supervised iOS device.

Before deleting the Cortex XDR app from a supervised device, use your MDM to remove that same configuration profile first. This ensures that all processes related to network filtering are terminated correctly and that the app can be reinstalled cleanly.

Caution

If you do not delete the network filtering configuration profile before deleting the Cortex XDR app from the device, unexpected behaviors might occur, or network connectivity might be lost. Therefore, best practice is to always remove the configuration profile before deleting or reinstalling the Cortex XDR app.