Web Filtering configuration (Mobile Threat Defense policy for Android)

With the Web Filtering configuration you manage the Web Filtering feature of Sophos Intercept X for Mobile. This protects users from browsing sites with malicious, undesirable or illegal content.

Warning Web Filtering blocks all websites if a device can’t connect to the Sophos website classification service https://4.sophosxl.net/lookup.
Restriction Web Filtering doesn’t work with Android Enterprise work profile devices. This is because Web Filtering requires the Sophos Accessibility Service, which is not available when Sophos Intercept X for Mobile is installed in the work profile.
Note You must also turn off the Intercept X for Mobile permissions can be denied compliance rule. If you don’t, users are able to stop Web Filtering by turning off Sophos Accessibility Service.
Tip For the purpose of testing website filtering, Sophos has created the site sophostest.com containing example pages for each category. Although some of these pages are classified as potentially offensive or dangerous, the page content itself is harmless in all cases.

Settings

Setting

Description

Filter malicious websites

Select whether users can access websites with malicious content.

Create alerts

Select whether an alert is created when the user tries to access a filtered website.

You can select if alerts are only created for blockings or also for warnings.

Filter websites by category

Select whether users can access types of websites.

Websites are categorized based on data from SophosLabs. The data is updated constantly.

Website exceptions

Configure exceptions to the category filters:

Allowed domains: Websites that are allowed, even though the category they belong to is blocked.

Blocked domains: Websites that are blocked, even though the category they belong to is allowed.

How to specify website exceptions

In Allowed domains and Blocked domains, enter one of the following per line (without separator):

  • IPv4 or IPv6 address

    203.0.113.0

    2001:db8:85a3:0:0:8a2e:370:7334

  • IPv4 or IPv6 subnet

    203.0.113.0/24

    2001:db8::/32

  • Domain

    www.example.com

  • Wildcard domain. The wildcard * must be the leftmost character.

    *.example.com

    *example.com

In Blocked domains, you can use a single wildcard * to block all websites.

Filtering logic

When Web Filtering evaluates whether a website must be allowed or blocked, the allow list takes precedence over the block list, and policy-defined lists take precedence over user-defined lists.

Filtering rules are applied in the following sequence:

  1. If the website is included in Allowed domains, it is allowed.
  2. If the website is included in Blocked domains, it is blocked.
  3. If the user has added the website to the allow list, it is allowed.
  4. If the user has added the website to the block list, it is blocked.
  5. The website is allowed or blocked based on its category.

Supported browsers

Web Filtering can be used in combination with the following web browsers:

  • Android web browser
  • Firefox
  • Google Chrome
  • Microsoft Edge

Other browsers may also work, but have not been tested.