topic From the log that you in Web Security

iCloud Photos regex

michaellperrin — Thu, 10 Mar 2016 18:11:01 GMT

Hello,

I'm trying to allow users to be able to send photo's with iMessage.

It's getting blocked due to policy however I would like to allow just the photo to be sent.

TCP_DENIED_SSL/403 0 POST https://p12-content.icloud.com:443/M184B68849E5AA0D8DEFF37E90C933887B4B372722FC2D76A7DFA5A8DB282A02C.C01USN00/authorizePut - NONE/- - BLOCK_WEBCAT_12-Elevated_Access_Policy-Corporate_Mobile_Devices-NONE-NONE-NONE-NONE <IW_osb,0.0,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_osb,-,"-","-","iCloud","File Sharing","iCloud Photos","-",0.00,0,Local,"-","-"> - "IMTransferAgent/1000 CFNetwork/758.2.8 Darwin/15.0.0"

Is there a way for me to allow that "iCloud Photos" in a custom cat with regex? If so what would the regex be?

I've tried \iCloud\Photos but that didn't work.

Thanks

From the log that you

Handy Putra — Thu, 10 Mar 2016 22:34:16 GMT

From the log that you provided, looks like it is block by the category of "Online Storage and Backup" in your "Elevated Access Policy" access policy. The easiest way is to un-block that category from your access policy. However if you still want to block that category and only allowing that access, you can create custom URL category with .icloud.com in it and include that custom category to your access policy and set to "allow" while still blocking online storage and backup category. According to the Post request in the logs, it will be difficult to use regular expressions since the file that uploaded might be using random links/hash/etc. Perhaps can try regex: \.icloud\.com/.*authorizePut This is providing in the link fir iCloud Photos will always has "authorizePut" in it

Yeah I don't want to allow

michaellperrin — Fri, 11 Mar 2016 00:31:45 GMT

Yeah I don't want to allow all of the icloud domain or online storage and backup.

This is why I want to just allow the iphoto. Right now users cannot send or recieve pictures with their iphone while on the corporate wireless, they need to disconnect and go on LTE which I want to avoid.

You need to inspect the logs

Handy Putra — Fri, 11 Mar 2016 00:37:06 GMT

You need to inspect the logs for iPhoto traffic that been blocked to see any similarity in the links (for example if they are all have wording of "authorizePut")

Then you can use that regex to allow only \.icloud\.com/.*authorizePut and block the all the domain

what about the

michaellperrin — Fri, 11 Mar 2016 00:40:06 GMT

what about the "IMTransferAgent/ part of the log?

\.icloud\.com/.*IMTransferAgent

would that be a thing?

"IMTransferAgent/1000

Handy Putra — Fri, 11 Mar 2016 00:43:10 GMT

"IMTransferAgent/1000 CFNetwork/758.2.8 Darwin/15.0.0" in the log is the user agent used for the traffic.

You can not use it in the regex in the custom URL category.

If you allow based on user agent, you will be allowing all traffic from that user agent which you do not want to