Certificate-pinned apps and SSL/TLS bypass domains
This topic lists known certificate-pinned mobile applications and the domains that must be bypassed to ensure correct application functionality when SSL/TLS inspection is enabled.
Certificate pinning is a security technique used by some mobile applications to validate that the TLS certificates presented by their backend servers match a set of certificates hardcoded in the application. This prevents man-in-the-middle (MITM) attacks, but it also means that SSL/TLS inspection by the Mobile Endpoint Agent cannot be performed on traffic from these applications.
When a certificate-pinned application detects a certificate mismatch, for example when the Forcepoint CA certificate used for inspection is presented in place of the expected server certificate, it terminates the connection and the application fails.
Note: If your organization requires a certificate-pinned application to function correctly, bypass the corresponding domains from SSL/TLS inspection. Bypassing a domain means that its traffic is not inspected by the Mobile Endpoint Agent.
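The following is an added illustration, not Forcepoint's code or any vendor's agent logic, of the two behaviours described above: a pinned app rejecting the chain that an inspection proxy presents, and a bypass entry letting the real server chain through untouched. The SPKI byte strings, hostnames and bypass entries are constructed for the example; the pin format (SHA-256 over the DER SubjectPublicKeyInfo) follows common practice, and the bypass matching rule (an entry covers itself and its subdomains, with an optional leading `*.`) is an assumption, not a statement of how the Mobile Endpoint Agent evaluates its own bypass list.

```python
"""Added illustration (not Forcepoint's code): why a certificate-pinned app
fails under SSL/TLS inspection, and how a domain bypass avoids the failure."""
import base64
import hashlib
from typing import Iterable, Optional

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real app
# pins SHA-256 hashes of the real SPKI bytes of its backend certificates.
BACKEND_SPKI = b"constructed: backend server public key (DER)"
BACKUP_SPKI = b"constructed: backend backup public key (DER)"
INSPECTION_CA_SPKI = b"constructed: inspection CA public key (DER)"
PROXY_LEAF_SPKI = b"constructed: per-host leaf key minted by the inspection proxy"


def spki_pin(spki_der: bytes) -> str:
    """Return a pin in the common 'sha256/<base64>' form."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode()


# Pin set hard-coded into a hypothetical pinned app: primary key plus a backup
# key so the app survives a planned key rotation.
APP_PIN_SET = frozenset({spki_pin(BACKEND_SPKI), spki_pin(BACKUP_SPKI)})


def chain_matches_pins(chain_spkis: Iterable[bytes],
                       pin_set: Optional[frozenset]) -> bool:
    """Pin check as pinned apps implement it: at least one certificate in the
    presented chain must carry a pinned public key. An app with no pin set
    accepts any chain the OS trust store has already validated."""
    if not pin_set:
        return True
    return any(spki_pin(spki) in pin_set for spki in chain_spkis)


def host_is_bypassed(hostname: str, bypass_domains: Iterable[str]) -> bool:
    """Decide whether a hostname falls under a bypass entry. Assumed semantics:
    an entry matches itself and its subdomains; a leading '*.' is accepted.
    Matching on the dot boundary stops 'evil-example.test' from matching an
    entry for 'example.test'."""
    host = hostname.lower().rstrip(".")
    for entry in bypass_domains:
        domain = entry.lower().rstrip(".")
        if domain.startswith("*."):
            domain = domain[2:]
        if host == domain or host.endswith("." + domain):
            return True
    return False


def simulate_connection(hostname: str, pin_set: Optional[frozenset],
                        bypass_domains: Iterable[str]) -> str:
    """Model an inspecting agent in the TLS path between the app and its server
    and report what the app does with the chain it receives."""
    if host_is_bypassed(hostname, bypass_domains):
        # Bypassed: the real server chain passes through untouched.
        chain = [BACKEND_SPKI]
        mode = "bypassed"
    else:
        # Inspected: the proxy terminates TLS and presents a fresh leaf signed
        # by the inspection CA. Neither key is in the app's pin set.
        chain = [PROXY_LEAF_SPKI, INSPECTION_CA_SPKI]
        mode = "inspected"
    if chain_matches_pins(chain, pin_set):
        return f"{mode}: pin check passed, connection succeeds"
    return f"{mode}: pin mismatch, app terminates connection"


if __name__ == "__main__":
    for host, pins, bypass in [
        ("api.example.test", APP_PIN_SET, []),
        ("api.example.test", APP_PIN_SET, ["example.test"]),
        ("api.example.test", None, []),
    ]:
        print(host, "bypass=" + str(bypass), "->", simulate_connection(host, pins, bypass))
```

The third case in the `__main__` block is the control: an app without pins accepts the inspection chain because the inspection CA is trusted by the device, which is exactly why only pinned apps need a bypass. The dot-boundary check in `host_is_bypassed` is the detail worth carrying into any real bypass configuration: a plain suffix match would let an unrelated domain ride on a bypass entry and escape inspection.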
Certificate-pinned applications
The following table lists known certificate-pinned applications and their corresponding domains that must be bypassed to ensure correct application functionality.
| Applications | Domains |
|---|---|
| Apple iMessage | |
| Apple iTunes and App Store | |
| Apple Mail App | |
| Google Gemini | |
| Google - Shared Services, Drive, etc. | |