Cisco Secure Access Policy for Mobile Devices

hank hale
Level 1

I am trying to create an access policy for just mobile devices, that will block certain content categories that are different from macOS/Windows devices. 

I have the macOS/Windows policies such as our global allow and global block applied to just those devices. However, when I navigate to Secure > Access Policy > Add Rule > Internet Access and create the policy, I built the policy with the following settings:

Name - Mobile Device Global Block, Specify Access - Block, From - Roaming devices Any iOS/Android device, To - Pornography

Then I select a security profile that was built for mobile devices, and select save. I immediately get the "Rule wasn't created" error.

I try again with an allow policy, following the same steps as above but with Allow selected instead of Block, and again get the same error.

I get no info on why it isn't created. How can I fix this or troubleshoot why it isn't working?

 

Thanks,

Hank


wajidhassan
Level 1

Make sure the security profile you’re assigning to that rule actually supports web content categories (like "Pornography")—not just posture or app controls.

Go to Security Profiles and verify the profile type (e.g., “Mobile Web” or “Full Mobile”) includes content filtering.

Incompatible profiles (like posture-only) can't enforce URL category restrictions, and the rule creation will silently fail.

2. Rule Conditions & Ordering
Your rule might be conflicting with higher-priority rules. Web policies are evaluated top-down, and a matching generic rule may block creation of a more specific one.

Ensure your mobile-specific rule is at the top of the list or above any more general rules.

Double-check that:

"From" is correctly scoped to mobile devices (e.g., iOS/Android).

"To" uses valid category names (like “Pornography”).

Action (Block/Allow) and the selected security profile match the traffic type (e.g., web).

3. Advanced Enforcement Settings
Sometimes, advanced options must be either disabled or corrected to allow the rule creation.

In the Advanced section of the Security Profile, ensure web features (URL filtering, decryption, IPS, etc.) are enabled
https://docs.sse.cisco.com/sse-user-guide/docs/troubleshoot-internet-access-rules?utm_source=chatgpt.com

Temporarily disable IPS or decryption to test rule creation—if it succeeds, you’ve pinpointed a missing feature in the profile.

4. Validation Error Messages
More recent versions of Cisco Secure (Umbrella/SSE) might display a generic error message even when something deeper is wrong (like missing permissions or invalid traffic selection).

Review the browser dev console to see if there's a validation error suppressed by the UI.

Also review policy logs to see if your rule was partially accepted and then rejected.

What To Do Next
Open the Mobile Security Profile and confirm category filtering is enabled.

In Internet Access, click Advanced settings:

Enable “Web features” and “Decryption” temporarily to allow rule creation.

Move your “Mobile Device Global Block” rule to the top, then save again.

If it still fails:

Create an Allow rule for the same “Roaming iOS/Android → Pornography” combination. If that fails too, it's almost certainly a profile limitation.

Inspect the developer console for hidden validation errors.