cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
933
Views
0
Helpful
5
Replies

iCloud Photos regex

michaellperrin
Level 1
Level 1

Hello,

I'm trying to allow users to be able to send photo's with iMessage.

It's getting blocked due to policy however I would like to allow just the photo to be sent.

TCP_DENIED_SSL/403 0 POST https://p12-content.icloud.com:443/M184B68849E5AA0D8DEFF37E90C933887B4B372722FC2D76A7DFA5A8DB282A02C.C01USN00/authorizePut - NONE/- - BLOCK_WEBCAT_12-Elevated_Access_Policy-Corporate_Mobile_Devices-NONE-NONE-NONE-NONE <IW_osb,0.0,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_osb,-,"-","-","iCloud","File Sharing","iCloud Photos","-",0.00,0,Local,"-","-"> - "IMTransferAgent/1000 CFNetwork/758.2.8 Darwin/15.0.0"

Is there a way for me to allow that "iCloud Photos" in a custom cat with regex? If so what would the regex be?

I've tried \iCloud\Photos but that didn't work.

Thanks

5 Replies 5

Handy Putra
Cisco Employee
Cisco Employee
From the log that you provided, looks like it is block by the category of "Online Storage and Backup" in your "Elevated Access Policy" access policy. The easiest way is to un-block that category from your access policy. However if you still want to block that category and only allowing that access, you can create custom URL category with .icloud.com in it and include that custom category to your access policy and set to "allow" while still blocking online storage and backup category. According to the Post request in the logs, it will be difficult to use regular expressions since the file that uploaded might be using random links/hash/etc. Perhaps can try regex: \.icloud\.com/.*authorizePut This is providing in the link fir iCloud Photos will always has "authorizePut" in it

Yeah I don't want to allow all of the icloud domain or online storage and backup.

This is why I want to just allow the iphoto.  Right now users cannot send or recieve pictures with their iphone while on the corporate wireless, they need to disconnect and go on LTE which I want to avoid.

You need to inspect the logs for iPhoto traffic that been blocked to see any similarity in the links (for example if they are all have wording of  "authorizePut")

Then you can use that regex to allow only \.icloud\.com/.*authorizePut  and block the all the domain

what about the  "IMTransferAgent/ part of the log?

\.icloud\.com/.*IMTransferAgent

would that be a thing?

"IMTransferAgent/1000 CFNetwork/758.2.8 Darwin/15.0.0" in the log is the user agent used for the traffic.

You can not use it in the regex in the custom URL category.

If you allow based on user agent, you will be allowing all traffic from that user agent which you do not want to