Prisma® Access Mobile Browser works with both Android and iOS devices. The
browser easily integrates with the Prisma Access Secure Enterprise Browser and console,
allowing you and your end users to include mobile devices in your tool sets.
The Prisma Access Browser and the Prisma Access Mobile Browser share policy
rules. However, some controls within the policy rules can operate differently, or are
not available. For example, the File Download control skips the setting for
specific file extensions because it's not supported for mobile use. As a result,
enabling this setting causes the Mobile Browser to block all file downloads.
The Prisma Access Mobile Browser enables you to use the most common
functionality from the regular browser. We recommend that you create rules with the
appropriate device groups in the Scope. This allows you to properly manage
mobile device users. By defining device groups for mobile devices, you can set different
rule sets that apply to all mobile devices.
Important
When using iOS version 17 and its minor versions, users may encounter
errors when routing public or private traffic through Prisma Access. To avoid this
issue, we recommend upgrading to iOS 18.
If you are using iOS 17, you can explicitly exclude these versions from
being routed through Prisma Access by following these steps:
1. Create a mobile device group:
   a. In the Devices page, click on the device group tab.
   b. Click Add device group.
   c. Click on Mobile to display the available Posture Attributes for mobile devices.
   d. Select OS versions.
   e. Click Select Versions.
   f. Select iOS 17.
   g. Click Save.
   h. Click Create.
2. Create a Customization rule:
   a. Select Add a new rule.
   b. Select Browser Customization:
      i. Name the rule.
      ii. Select the mobile device group you have created.
      iii. In Browser Customization controls, select “Traffic Flow.”
      iv. Click “Do not route traffic through Prisma Access:”
Mobile Devices: To ensure an optimal experience with Network Detection and Prisma
Access, either route only Private App traffic, or exclude the Mobile Device group from
routing.
Onboard Prisma Access Mobile Browser from the Strata Cloud Manager
In the onboarding phase, you can install the Android and iOS Prisma Access Mobile
Browser apps to test on your own devices before sending the links out to your users.
Once you're satisfied with your tests, you can install the relevant Android and iOS
apps and distribute the links to your users via your mobile device management (MDM)
application.
Install the Prisma Access Mobile Browser
You can download the Prisma Access Mobile Browser from the following
locations:
Additionally, when you access the regular download link https://get.pabrowser.com/ from a mobile device, the URL
directs you to the relevant app store. This means that you can send a single link to
your users, even when you don't know their particular device.
Create Prisma Access Browser Mobile Device Groups
The Prisma Access Mobile Browser has a device group function that allows you to
create different groups for different devices. Groups are dynamic. For example, you
can set up groups for specific managed devices, different subsidiary devices, or
contractors. As an administrator, you can exercise a considerable amount of
flexibility in configuring the mobile device groups you need within your
organization. For example, groups can be adjusted to meet changing business, operational, and
organizational circumstances. You can use device groups either with sign-in rules to
set the security bar for accessing Prisma Access Mobile Browser, or with
posture-focused scoping for policy rules.
The Prisma Access Mobile Browser allows you to configure the posture requirements
for your devices running the Mobile Browser in the same way that it configures
posture for your desktop and laptop devices running the Prisma Access Browser.
Configure Prisma Access Mobile Browser Sign-In Rules
Along with the various policy rules, the Sign-in rules act as a security
measure. Before the policy rules come into play, the Sign-in rules serve as the first
access gatekeeper for Users and Devices.
When you create a Sign-in rule, make sure that the Scope contains the Users and User
Groups and Device Groups that are designed for the Mobile Browser.
While the Prisma Access Mobile Browser's Sign-in rules are
configured the same way as the Sign-in rules for the Prisma Access Browser, be aware
of the following exception:
Starting with iOS browser version 1.4259 and
Android browser version 1.4260, the Prompt action functions as
Block. For all earlier versions, it functions as
Allow.
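Because the Prompt action functions as Allow on browser versions older than the two thresholds above, it is worth checking which enrolled devices still run such a version. The following is an added example, not Palo Alto Networks code; the inventory layout, its field names and the dotted-integer reading of the version strings are assumptions.

```python
# Added example. Inventory layout and field names are hypothetical; the two
# version thresholds are the ones stated above.
PROMPT_BLOCKS_FROM = {"ios": (1, 4259), "android": (1, 4260)}


def parse_version(text):
    """Parse a dotted version such as '1.4259' into a tuple of integers."""
    return tuple(int(part) for part in text.strip().split("."))


def prompt_effective_action(platform, browser_version):
    """Effective behaviour of the sign-in rule Prompt action on a mobile device."""
    key = platform.strip().lower()
    if key not in PROMPT_BLOCKS_FROM:
        raise ValueError(f"not a mobile platform: {platform!r}")
    if parse_version(browser_version) >= PROMPT_BLOCKS_FROM[key]:
        return "Block"
    return "Allow"


def devices_where_prompt_allows(inventory):
    """Device names whose installed browser still treats Prompt as Allow."""
    return [d["device"] for d in inventory
            if prompt_effective_action(d["platform"], d["browser_version"]) == "Allow"]


# Constructed sample inventory, not taken from a real tenant.
SAMPLE_INVENTORY = [
    {"device": "ios-a", "platform": "iOS", "browser_version": "1.4259"},
    {"device": "ios-b", "platform": "iOS", "browser_version": "1.4201"},
    {"device": "android-a", "platform": "Android", "browser_version": "1.4259"},
    {"device": "android-b", "platform": "Android", "browser_version": "1.4260.3"},
]

if __name__ == "__main__":
    print(devices_where_prompt_allows(SAMPLE_INVENTORY))
```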
Configure Prisma Access Mobile Browser Policy Rules
The Prisma Access Mobile Browser has various policy rules that you can configure to
create rules as you require. The configuration process is exactly the same as for
the Prisma Access Browser. Some of the policy rules contain different functionality
due to the restrictions in mobile browsers.
Mobile Access & Data Control
Mobile Devices support Access & Data Control rules with the following exceptions:
- The Mobile Browser does not support the Set dialog text feature that permits you to customize your text for a particular feature.
- The Web Access section of the rule creation process does not support the following features:
  - Permission request (a “Prompt” option) becomes a Block.
  - Require MFA becomes a Block.
  - Pick a Label is skipped.
  - Login restrictions - Not supported and can be skipped.
  - When contains - Not supported and can be skipped.
To see the policy rules that you can use for creating rules in the Prisma Access
Mobile Browser, open the policy page, select Data Control, and click
Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
The following File Upload controls operate differently in the Prisma Access Mobile Browser:
- Allow - The Prisma Access Mobile Browser will allow all uploads.
- Allow protected files only between the rule’s web applications - The Prisma Access Mobile Browser will block all file uploads.
- Allow only nonprotected files - The Prisma Access Mobile Browser will block all file uploads.
- Block - The Prisma Access Mobile Browser will block all file uploads.
- Apply on: - Select one of the following options:
  - Any file - The upload restrictions will apply to all files.
  - Specific Files - The Prisma Access Mobile Browser supports file specification only for the following Microsoft web-apps:
    - Teams
    - Outlook
    - OneDrive for Business
    - SharePoint online
    For all other applications and URLs, the action will block file uploads for both blocking specific file uploads and allowing specific file uploads.
    Additionally, only File size and File type are supported. The upload restrictions will apply to files that meet the selected specifications (the rule can contain as many of these specifications as needed):
    - File size - Set the size of the file.
    - File types - Set the file types that need to match this rule.
    - File hash - The Prisma Access Mobile Browser will block all file uploads using File Hash.
    - MIP label - The Prisma Access Mobile Browser will block all file uploads requiring an MIP label.
- Prompt - Selecting any prompt will block all downloads.
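Several File Upload settings that are selective on the desktop browser turn into a blanket block on mobile. The following added example (not part of the product or its documentation) encodes the upload list above and reports rules that end up blocking every upload on mobile; the rule dictionary layout and the order in which the conditions are checked are assumptions.

```python
# Added example. Rule layout (name/action/apply_on/app/criteria) is hypothetical;
# the behaviour encoded here is taken from the File Upload list above.
MS_APPS = {"Teams", "Outlook", "OneDrive for Business", "SharePoint online"}
PROTECTED_ACTIONS = {
    "Allow protected files only between the rule's web applications",
    "Allow only nonprotected files",
}
BLOCK_ALL_CRITERIA = {"File hash", "MIP label"}

def mobile_upload_outcome(rule):
    """Return (outcome, reason); outcome is allow_all, block_all or per_file."""
    action = rule["action"]
    if action in PROTECTED_ACTIONS:
        return "block_all", "protected-file actions block all uploads on mobile"
    if action not in ("Allow", "Block"):
        raise ValueError(f"unknown File Upload action: {action!r}")
    if rule.get("apply_on", "Any file") == "Any file":
        return ("allow_all" if action == "Allow" else "block_all"), "applies to any file"
    # Apply on: Specific Files
    bad = BLOCK_ALL_CRITERIA & set(rule.get("criteria", []))
    if bad:
        return "block_all", "criteria block all uploads: " + ", ".join(sorted(bad))
    if rule.get("app") not in MS_APPS:
        return "block_all", "file specification is unsupported for this app"
    return "per_file", "File size / File type criteria are applied"

def broadened_to_block_all(rules):
    """Names of rules that end up blocking every upload on mobile without
    being a plain 'Block on any file' rule."""
    names = []
    for r in rules:
        plain = r["action"] == "Block" and r.get("apply_on", "Any file") == "Any file"
        if not plain and mobile_upload_outcome(r)[0] == "block_all":
            names.append(r["name"])
    return names

# Constructed sample rules, not exported from a real tenant.
SAMPLE_RULES = [
    {"name": "allow-any", "action": "Allow"},
    {"name": "nonprotected-only", "action": "Allow only nonprotected files"},
    {"name": "teams-size", "action": "Allow", "apply_on": "Specific Files",
     "app": "Teams", "criteria": ["File size"]},
    {"name": "crm-type", "action": "Allow", "apply_on": "Specific Files",
     "app": "Example CRM", "criteria": ["File type"]},
    {"name": "outlook-hash", "action": "Block", "apply_on": "Specific Files",
     "app": "Outlook", "criteria": ["File hash"]},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["name"], *mobile_upload_outcome(rule))
```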
The following screenshot control operates differently in the Prisma Access Browser:
- Allow (Protected) - The Prisma Access Mobile Browser will block screen capture, screen recording, and screen sharing using video conference tools.
Mobile Browser Security
To see the policy rules that you can use for creating rules in the Prisma Access
Mobile Browser, open the policy page, select Browser Security, and click
Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
To see the policy rules that you can use for creating rules in the Prisma Access
Mobile Browser, open the policy page, select Browser Customization, and
click Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
There is a Troubleshooting page for the Prisma Access Mobile Browser. You can
find it at the following location:
- iOS - Click 3 dots → Settings → Scroll down to Troubleshoot → Click Prisma Access Integration.
- Android - Click 3 dots → Settings → Scroll down to Troubleshoot → Click Prisma Access Integration.
Set Prisma Access Mobile as the Default Browser for Intune-Managed Applications
Intune enables you to set a default browser for organization-managed
apps. You can apply this globally through App Protection policy rules, or
selectively for specific, critical applications. This is relevant for mobile
devices (iOS and Android), as they are often employee-owned. However, enforcing
a company browser as the default for all apps might raise employee concerns.
Enforcing the Prisma Access Mobile Browser for your Intune-managed apps
significantly enhances your organization's Data Security. You can safeguard
against phishing and identity theft by limiting how URLs are opened. You will be
minimizing the risk of exposure to malicious links by enforcing the use of the
Prisma Access Mobile Browser.
Furthermore, Intune’s clipboard control adds another layer of
protection. It prevents users from copying and pasting links into unmanaged
apps. This ensures that organizational data is always accessible through trusted
and controlled applications.
In essence, designating the Prisma Access Mobile Browser for Intune
apps mitigates the risks associated with phishing and other identity-based
attacks, along with data leak exposure.