Configuring Forcepoint ONE Mobile

After logging into the Forcepoint ONE portal, navigate to Protect > Forward Proxy > Mobile Proxy to configure the Forcepoint ONE Mobile settings. Admins should deploy the solution after configuring the Forcepoint ONE Mobile settings.

This page consists of the following parts:

1. Installer Key: The installer key uniquely identifies the customer tenant. It is included in the custom configuration file and will be uploaded to the MDM.
2. Agent Download Links: Use the links to download the solution for the following operating systems (OS):
  • Android (Note: The links will be updated in a future release.)
  • ChromeOS (Note: The links will be updated in a future release.)
  • iOS and iPadOS
3. User Authentication: The following options control how users are prompted to log in to the solution so that policy controls can be applied. When any setting change is made and applied, all users are logged out so that they log back in using the new authentication method:
Important: Once the solution is deployed, the User Authentication setting should not be changed.
  • Login Prompt: The solution displays a login prompt and the user logs in manually.
  • User Certificate: Uses the "Issued to" field of a user certificate installed on the device (typically by MDM) to identify and authenticate the user and log them in automatically. (Note: This feature will be available in a future release.)
  • User Certificate, Anonymous: Attempts to log the user in automatically and, if that fails, falls back to Anonymous authentication. (Note: This feature will be available in a future release.)
  • User Certificate, Login Prompt: Attempts to log the user in automatically and, if that fails, presents a Login Prompt. (Note: This feature will be available in a future release.)
  • Anonymous: The user is not prompted to log in. For this option, the Group field on the Protect > Policies page must be set to Any, and all users receive the same policy.
4. Append Username Domain: This setting applies to User Certificate login and requires that a user certificate whose Issued to field contains an identifier (usually 6 characters) is installed on the device. The domain selected here is appended to the Issued to field from the certificate to form the UPN used to identify the user at login. (Note: This feature will be available in a future release.)

If the Issued to field of the user certificate already contains the full UPN, select None. If automatic login is not desired, select None.

5. Mobile Bypass Domains, Host IPs, or Subnets: List the domains, host IP addresses, or subnets that the solution should bypass at the device.

Example: If xyz.com is bypassed, the solution sends its traffic directly to the Internet rather than to the Forcepoint ONE Cloud.

Enter one entry per line.

Note: Applications that use certificate pinning should be bypassed for proper operation.
6. Block Domains, Host IPs, or Subnets: List the domains, host IP addresses, or subnets that the solution should block at the device.

Example: If xyz.com is blocked, the solution drops its traffic at the device and does not forward it to the Forcepoint ONE Cloud.

Enter one entry per line.

Note: Blocked traffic never leaves the device. The user is not notified of the block; the browser reports that the site cannot be reached.
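Before uploading bypass and block lists, a validator such as the following (an added example, not Forcepoint's own code) can check the one-entry-per-line format, test which list a destination falls under, and flag entries that appear in both lists, since the page does not state which list takes precedence. CIDR notation for subnets and treating subdomains as covered by a listed parent domain are assumptions of this example.

```python
"""Validate Forcepoint ONE Mobile bypass/block lists (added example, not Forcepoint code)."""
import ipaddress
import re

# Hostname syntax check: dot-separated labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_list(text):
    """Parse a one-entry-per-line list into (domains, networks, errors).

    A single host IP is stored as a /32 (or /128) network so that host IPs and
    subnets share one matching path. CIDR notation for subnets is an assumption.
    """
    domains, networks, errors = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip().lower()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            if DOMAIN_RE.match(entry):
                domains.add(entry)
            else:
                errors.append(f"line {lineno}: invalid entry {raw!r}")
    return domains, networks, errors


def matches(host, domains, networks):
    """Return True if a destination hostname or IP is covered by a parsed list."""
    host = host.strip().lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Assumption: a subdomain is covered by a listed parent domain.
        return any(host == d or host.endswith("." + d) for d in domains)
    return any(addr in net for net in networks)


def find_conflicts(bypass_text, block_text):
    """Report entries covered by both lists; the product page does not say which wins."""
    b_dom, b_net, _ = parse_list(bypass_text)
    k_dom, k_net, _ = parse_list(block_text)
    conflicts = [f"domain {d} in both lists" for d in sorted(b_dom & k_dom)]
    conflicts += [f"{kn} overlaps bypass {bn}" for kn in k_net for bn in b_net if kn.overlaps(bn)]
    return conflicts


# Constructed sample lists: the block list's host IP sits inside the bypassed subnet.
BYPASS = "xyz.com\n10.0.0.0/8\n"
BLOCK = "bad.example\n10.1.2.3\n"

if __name__ == "__main__":
    print(find_conflicts(BYPASS, BLOCK))  # ['10.1.2.3/32 overlaps bypass 10.0.0.0/8']
```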
7. Certificate Authority for Client Certs: Select the certificate authority that the Forcepoint ONE cloud uses to verify client certificates. A client certificate is required on each mobile device for it to be allowed to connect to the Forcepoint ONE cloud.
  • Forcepoint Self Signed Client Certificate (Note: This option will be available in a future release.)
  • Use External CA
8. Display VPN On/Off Toggle: Controls whether the solution shows an On/Off toggle button.
  • If the box is checked: the solution displays an On/Off toggle that lets the user turn the inspection service on or off.
    • If the user selects On, the VPN turns on and the solution inspects all traffic: the device uses the configuration from the server to decide whether to proxy traffic or send it directly to the Internet.
    • If the user selects Off, the solution sends all traffic directly to the Internet without inspection.
  • If the box is unchecked: the toggle button is not displayed and all traffic is subject to inspection.

For more details, see the Using Forcepoint ONE Mobile section.

9. Login Session Timeout: Configure the period after which the user's login credentials are re-validated.
10. Fail Open:
  • If the box is checked: the solution sends traffic directly to the Internet when the Forcepoint ONE cloud service is down.
  • If the box is unchecked: the solution blocks web traffic while the service is down.
Note: If the user is not logged in, traffic is blocked regardless of this setting.