Web Security - Mimecast Security Agent for iOS

This article describes how to deploy, configure, disable or enable, and uninstall the Mimecast Security Agent for iOS on iOS devices, so that it works in conjunction with the Mimecast Web Security feature. It is intended for use by Administrators.

Overview

The Mimecast Security Agent for iOS ensures that web access from iOS devices stays protected. Users can monitor the app to see whether they are protected and view recently blocked activities. Additionally, users are notified if they are using an app that connects to a blocked or harmful domain.
The Mimecast Security Agent for iOS must be deployed via an Enterprise Mobility Management (EMM) / Mobile Device Management (MDM) platform that supports the AppConfig standard.
This enables the Administrator to enforce corporate security policies.

Considerations

Your iOS device is not protected by Mimecast Web Security if:

  • iCloud Private Relay is enabled (introduced in iOS 15).
  • The device is configured to use a proxy server.
  • A VPN application is enabled.
  • A browser that routes traffic through its own VPN or proxy service, or renders pages server-side, is used. This includes TOR Browser Private Web, Aloha Browser, and Puffin Browser.

Additionally, consider the following:

  • If an app makes a request that the Web Security proxy flags as suspicious, the request is treated as a block. To prevent this for a known-good site, add the URL to the allow list. See Managing Policies.
  • A device tethered to the iOS device via Personal Hotspot isn't protected.
  • An iOS device that isn't actively used may report high battery usage for MSA. This occurs because the device constantly makes DNS requests in the background, each of which the agent handles. On a phone that is used regularly, this isn't the case.
  • Installing the Mimecast Security Agent for iOS app from the App Store on its own does not protect traffic; Mimecast Web Security must be configured and the DNS proxy profile deployed first.

Prerequisites

To use the Mimecast Security Agent for iOS, you must have the following:

  • An Administrator role in the Administration Console, with permission to access the Web Security section.
  • The prerequisites for Mimecast Web Security met.
  • Exceptions defined for your local DNS resources, so that your trusted domains and IPs bypass the Mimecast Web Security functionality. See Managing Exceptions.
  • Mimecast Security Agent settings configured. See Managing MSA Settings.
  • An EMM/MDM on which you have administrator privileges to configure and deploy the Mimecast Security Agent.

Configuring the Mimecast Security Agent for iOS

Refer to MDM Deployment for specific guidance on app configuration and deployment for:

  • SimpleMDM.
  • MobileIron.
  • MaaS360.
  • Meraki.

To configure the Mimecast Security Agent for iOS you must complete all of the following processes.

Downloading the Mimecast Root CA Certificate

You can download the Mimecast Root CA Certificate by using the following steps:

  1. Log on to the Administration Console.
  2. Navigate to Web Security | Certificate and DNS Setup.
  3. Click on the Download Certificate button to download the Root CA certificate.
  4. On your EMM/MDM, add the Mimecast Root CA certificate, and deploy to the chosen device.

Configuring the DNS Proxy Profile

You can configure the DNS proxy profile either by using the generic configuration file or by configuring the DNS proxy profile manually.

Using a Generic Configuration File

This configuration file was created using Apple Configurator 2 and should be compatible with third-party EMM / MDM platforms. If you're unable to load the configuration file into your EMM / MDM, you'll need to create the proxy profile manually.

You can configure the DNS proxy profile using a generic configuration file by using the following steps:

  1. Download the generic configuration file by clicking here.
  2. Open the configuration file in a text or code editor.
  3. Change the following values:

     Value                 Description
     authenticationKey     Located in the Web Security | Agent Settings menu item.
     userId                The user's email address, used for policies and reporting.
     deviceId              A unique identifier for the device, such as its serial number.
     bypassedApplications  Optional. See Optional Configuration for Apps and Browsers below.
     trustedApplications   Optional. See Optional Configuration for Apps and Browsers below.
     additionalBrowsers    Optional. See Optional Configuration for Apps and Browsers below.

The relevant part of the configuration file looks like this:

    <key>bypassedApplications</key>
    <array>
        <string>Add Apple Bundle ID</string>
    </array>
    <key>trustedApplications</key>
    <array>
        <string>Add Apple Bundle ID</string>
    </array>
    <key>additionalBrowsers</key>
    <array>
        <string>Add Apple Bundle ID</string>
    </array>
    <key>authenticationKey</key>
    <string>Add Authentication Key</string>
    <key>deviceId</key>
    <string>Add Device ID</string>
    <key>userId</key>
    <string>Add User's Email Address</string>

     For any optional list you don't use, leave the array empty rather than leaving the "Add Apple Bundle ID" placeholder in place. Treat the completed file as sensitive, since it contains your authenticationKey.

  4. Save the configuration file.

Some EMM / MDMs can populate the user ID and device ID dynamically from the enrolled user and device record. Use the substitution variables below when creating your configuration file:

EMM / MDM     User ID                 Device ID
MobileIron    ${userEmailAddress}     ${deviceSN}
MaaS360       %email%                 %deviceSerialNumber%
SimpleMDM     {{email_address}}       {{serial_number}}
Meraki        $OWNEREMAIL             $DEVICESERIAL
Intune        {{mail}}                {{serialnumber}}
Mosyle        %Email%                 %SerialNumber%

Optional Configuration for Apps and Browsers

For a better end-user experience and increased security, apps and browsers are treated differently on iOS devices. Most apps (other than web browsers) don't use cookies and can't render the Mimecast inspection page, which would result in full or partial errors. To address this, when an app makes a DNS request or connects to a domain, the request bypasses proxy inspection by default so that the app keeps working. However, if the DNS request falls under the security category or a block / allow policy, that policy is still enforced.

Type           Sent to Proxy        Domain Level Policy   Logged Activity
Apps           Only if suspicious   Yes                   Yes
Browser Apps   Yes                  Yes                   Yes
Trusted App    No                   Yes                   Yes
App Bypass     No                   No                    No

You can manage how apps and browsers are treated by using the configuration below. See the iOS Bundle IDs page in the Apple support documentation for information on displaying the bundle ID for iOS apps. The Mimecast Security Agent shows the bundle ID in the activity report.

Application Bypass

Application bypass allows you to add an app's bundle ID so that the app bypasses the protection offered by Mimecast Web Security entirely. This is useful for a trusted internal app, and is similar to using domain exceptions. See Managing Exceptions.

Because a bypassed app is neither checked against domain-level policy nor logged, use bypass only for apps you fully trust. If you only need to avoid proxy inspection, use Trusted Applications instead, which keeps domain-level policy and activity logging.

Trusted Applications

Trusted applications allow you to add an app's bundle ID so that DNS requests the app makes aren't sent to the Mimecast web proxy for inspection. Domain-level policies still apply, and the activity appears in the activity report.

Additional Browsers

The Mimecast Security Agent for iOS recognizes the apps listed below as browsers, and the end-user experience is the same as with the desktop agent. If you use a different browser app, add its bundle ID to the additionalBrowsers list. Note that browsers which route traffic through their own VPN or proxy services (Aloha Browser and Puffin are listed under Considerations above) can't be protected even though they are recognized as browsers.

  • Safari
  • Firefox
  • Web Browser+
  • Opera
  • Aloha Browser
  • Chrome
  • Edge
  • Puffin
  • Duckduckgo
  • Private Browser Deluxe

For example, to add the bundle ID for the Microsoft Edge browser app:

<key>additionalBrowsers</key>
<array>
<string>com.microsoft.msedge</string> 
</array>
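The following Python script is an added example, not code from the original article or from Mimecast. It pulls together the generic configuration file procedure, the per-MDM substitution variables, and the three optional app lists: it builds the provider configuration, fills userId and deviceId with the chosen EMM / MDM's variables, checks that the "Add …" placeholders were replaced, that every entry looks like a bundle ID, and that no bundle ID is listed under more than one treatment (an app can't be both bypassed and trusted), then wraps the result in a DNS proxy profile. It assumes the payload keys of Apple's DNS Proxy payload (PayloadType com.apple.dnsProxy.managed with AppBundleIdentifier, ProviderBundleIdentifier and ProviderConfiguration); the com.example PayloadIdentifier values are hypothetical. Verify the emitted profile against your EMM / MDM before deploying it.

```python
import plistlib
import re
import uuid

# Bundle IDs given in this article for the agent and its DNS provider extension.
APP_BUNDLE_ID = "com.mimecast.SecurityAgent"
PROVIDER_BUNDLE_ID = "com.mimecast.SecurityAgent.DNSProvider"

# (userId, deviceId) substitution variables per EMM/MDM, from the table in this article.
MDM_PLACEHOLDERS = {
    "MobileIron": ("${userEmailAddress}", "${deviceSN}"),
    "MaaS360": ("%email%", "%deviceSerialNumber%"),
    "SimpleMDM": ("{{email_address}}", "{{serial_number}}"),
    "Meraki": ("$OWNEREMAIL", "$DEVICESERIAL"),
    "Intune": ("{{mail}}", "{{serialnumber}}"),
    "Mosyle": ("%Email%", "%SerialNumber%"),
}

# Loose reverse-DNS shape check for Apple bundle IDs (two or more dot-separated labels).
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
APP_LIST_KEYS = ("bypassedApplications", "trustedApplications", "additionalBrowsers")


def validate_app_lists(config):
    """Return problems with the optional app lists (empty list if clean): template
    placeholders left in, entries that are not bundle IDs, and a bundle ID listed
    under more than one treatment (an app cannot be both bypassed and trusted)."""
    problems = []
    first_seen = {}
    for key in APP_LIST_KEYS:
        for bundle_id in config.get(key, []):
            if bundle_id.startswith("Add "):
                problems.append(f"{key}: template placeholder not replaced: {bundle_id!r}")
            elif not BUNDLE_ID_RE.match(bundle_id):
                problems.append(f"{key}: not a bundle ID: {bundle_id!r}")
            if bundle_id in first_seen and first_seen[bundle_id] != key:
                problems.append(f"{bundle_id} listed in both {first_seen[bundle_id]} and {key}")
            first_seen.setdefault(bundle_id, key)
    return problems


def build_provider_configuration(authentication_key, mdm=None, user_id=None, device_id=None,
                                 bypassed=(), trusted=(), additional_browsers=()):
    """Return the ProviderConfiguration dictionary. When `mdm` names a platform in
    MDM_PLACEHOLDERS, userId/deviceId are set to its variables so the MDM fills
    them in per device; otherwise explicit user_id/device_id are required."""
    if not authentication_key or authentication_key.startswith("Add "):
        raise ValueError("authenticationKey must be the value from Web Security | Agent Settings")
    if mdm is not None:
        user_id, device_id = MDM_PLACEHOLDERS[mdm]
    if not user_id or not device_id:
        raise ValueError("userId and deviceId are required: pass mdm= or explicit values")
    config = {
        "authenticationKey": authentication_key,
        "userId": user_id,
        "deviceId": device_id,
        "bypassedApplications": list(bypassed),
        "trustedApplications": list(trusted),
        "additionalBrowsers": list(additional_browsers),
    }
    problems = validate_app_lists(config)
    if problems:
        raise ValueError("; ".join(problems))
    return config


def build_profile(provider_configuration, display_name="Mimecast Security Agent DNS Proxy"):
    """Wrap the provider configuration in a DNS proxy configuration profile.
    Assumption: keys follow Apple's DNS Proxy payload (PayloadType
    com.apple.dnsProxy.managed with AppBundleIdentifier, ProviderBundleIdentifier
    and ProviderConfiguration). The com.example PayloadIdentifier values are hypothetical."""
    payload = {
        "PayloadType": "com.apple.dnsProxy.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mimecast-dnsproxy.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "AppBundleIdentifier": APP_BUNDLE_ID,
        "ProviderBundleIdentifier": PROVIDER_BUNDLE_ID,
        "ProviderConfiguration": provider_configuration,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mimecast-dnsproxy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }


def profile_to_plist(profile):
    """Serialise the profile as XML plist bytes, i.e. the .mobileconfig content."""
    return plistlib.dumps(profile)
```

To produce a profile for SimpleMDM with one trusted internal app and Edge as an additional browser, call build_provider_configuration with your authentication key, mdm="SimpleMDM", trusted=["com.example.internalapp"] and additional_browsers=["com.microsoft.msedge"], pass the result through build_profile and profile_to_plist, and write the bytes to a .mobileconfig file. The overlap check is deliberately strict: the treatment table above gives each category different proxy, policy and logging behaviour, so a bundle ID that appears in two lists has no single well-defined treatment and should be resolved before the profile is pushed.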
  

Manually Configure the DNS Proxy Profile

You may need to configure the DNS proxy profile manually if your EMM / MDM doesn't accept the generic configuration file.

To configure the DNS proxy profile manually, add the following information to the DNS proxy payload in your EMM / MDM:

  1. App Bundle ID: com.mimecast.SecurityAgent
  2. Provider Bundle: com.mimecast.SecurityAgent.DNSProvider
  3. Provider Configuration: add the following values:

     Value                 Description
     authenticationKey     Located in the Web Security | Agent Settings menu item.
     userId                The user's email address, used for policies and reporting.
     deviceId              A unique identifier for the device, such as its serial number.
     bypassedApplications  Optional. See Optional Configuration for Apps and Browsers above.
     trustedApplications   Optional. See Optional Configuration for Apps and Browsers above.
     additionalBrowsers    Optional. See Optional Configuration for Apps and Browsers above.

Pushing the Profile and App to Devices Using EMM/MDM

You can deploy the profile and app to devices by using the following steps:

  1. Push the profile (configuration file) to the desired device.
  2. Either:
    • Add the Mimecast Security Agent app from the App Store via EMM / MDM.
    • Manually download the app from the App Store.

Using the Mimecast Security Agent for iOS

Once the DNS proxy profile and the Mimecast Security Agent for iOS app are both installed, the device is protected automatically.

The app shows three tabs: Home, Activity, and Settings.

Home

The Home tab displays the status of the app, along with the number of threats blocked for the day.

Activity

The Activity tab displays a 30-day log of blocked activity. Tap an entry to view the following information:

  • Application name.
  • Blocked domain / URL, with its status:
    • Blocked: DNS requests blocked due to policy or threats.
    • Warned: shown for suspicious sites.
  • The app's Apple bundle ID.

You can delete the activity in the app; doing so doesn't affect the data in the Administration Console.

Settings

The Settings tab displays the user and device identification set by the EMM/MDM. There is also an option to disable protection using the disabler password. See Managing MSA Settings to locate the disabler password.

Disable or Enable MSA for iOS

You can disable the Mimecast Security Agent for iOS from the Settings tab, by using the following steps:

  1. Tap on the Disable Protection menu item.
  2. Enter the Disabler Password.
  3. Tap on the Disable button.

You can enable the Mimecast Security Agent for iOS from the Settings tab, by using the following steps:

  1. Tap on the Enable Protection menu item.
  2. Tap on the Enable button.

For troubleshooting purposes, you can:

  • Reset the local settings by using the Reset App option.
  • Share diagnostic information to an app or to Mimecast support.
  • Revisit the tour by using the Show Tour option.