Prisma Access Browser
Prisma Access Mobile Browser
This page provides information about the Prisma Access Mobile Browser.
Prisma® Access Mobile Browser works with both Android and iOS devices. The
browser easily integrates with the Prisma Access Secure Enterprise Browser and console,
allowing you and your end users to include mobile devices in the tool sets.
The Prisma Access Browser and the Prisma Access Mobile Browser share policy
rules. However, some controls within the policy rules can operate differently, or are
not available. For example, the File Download control skips the setting for
specific file extensions because it's not supported for mobile use. As a result,
enabling this setting causes the Mobile Browser to block all file downloads.
The Prisma Access Mobile Browser enables you to use the most common
functionality from the regular browser. We recommend that you create rules with the
appropriate device groups in the Scope. This will allow you to properly manage the
Mobile device users. By defining device groups for mobile devices, you can set different
rule sets to apply for all mobile devices.
Important
When using iOS version 17 and its minor versions, users may encounter
errors when routing public or private traffic through Prisma Access. To avoid this
issue, we recommend upgrading to iOS 18.
If you are using iOS 17, you can explicitly exclude these versions from
being routed through Prisma Access by following these steps:
- Create a mobile device group:
  - In the Devices page, click on the device group tab.
  - Click Add device group.
  - Click on Mobile to display the available Posture Attributes for mobile devices.
  - Select OS versions.
  - Click Select Versions.
  - Select iOS 17.
  - Click Save.
  - Click Create.
- Create a Customization rule:
  - Select Add a new rule.
  - Select Browser Customization:
    - Name the rule.
    - Select the mobile device group you have created.
    - In Browser Customization controls, select “Traffic Flow.”
    - Click “Do not route traffic through Prisma Access:”
      Mobile Devices: To ensure an optimal experience with Network Detection and Prisma Access, either route only Private App traffic, or exclude the Mobile Device group from routing.
Onboard Prisma Access Mobile Browser from the Strata Cloud Manager
In the onboarding phase, you can install the Android and iOS Prisma Access Mobile
Browser apps to test on your own devices before sending the links out to your users.
Once you're satisfied with your tests, you can install the relevant Android and iOS
apps and distribute the links to your users via your mobile device management (MDM)
application.
Install the Prisma Access Mobile Browser
You can download the Prisma Access Mobile Browser from the following
locations:
- iOS App Store
- Android Google Play
Additionally, when you access the regular download link https://get.pabrowser.com/ from a mobile device, the URL
directs you to the relevant app store. This means that you can send a single link to
your users, even when you don't know their particular device.
Create Prisma Access Browser Mobile Device Groups
The Prisma Access Mobile Browser has a device group function that allows you to
create different groups for different devices. Groups are dynamic. For example, you
can set up groups for specific managed devices, different subsidiary devices, or
contractors. As an administrator, you can exercise a considerable amount of
flexibility in configuring the mobile device groups you need within your
organization. For example, groups can adapt to changing business, operational, and
organizational circumstances. You can use device groups either with sign-in rules to
set the security bar for accessing Prisma Access Mobile Browser, or with
posture-focused scoping for policy rules.
For more information, see Manage Device Groups.
Configure Mobile Browser Posture Attributes
The Prisma Access Mobile Browser allows you to configure the posture requirements
for your devices running the Mobile Browser in the same way that it configures
posture for your desktop and laptop devices running the Prisma Access Browser.
For more information on the available Mobile Browser attributes, refer to Configure Prisma Access Mobile Browser Device
Posture Attributes.
Configure Prisma Access Mobile Browser Sign-In Rules
Along with the various policy rules, the Sign-in rules act as a security
measure. Before relying on the policy rules, the Sign-in rules serve as the first
access gatekeeper for Users and Devices.
When you create a Sign-in rule, make sure that the Scope contains the Users and User
Groups and Device Groups that are designed for the Mobile Browser.
While the Prisma Access Mobile Browser's Sign-in rules are
configured the same way as the Sign-in rules for the Prisma Access Browser, be aware
of the following exception:
Starting with iOS browser version 1.4259 and
Android browser version 1.4260, the Prompt action functions as
Block. For all earlier versions, it functions as
Allow.
Configure Prisma Access Mobile Browser Policy Rules
The Prisma Access Mobile Browser has various policy rules that you can configure to
create rules as you require. The configuration process is exactly the same as for
the Prisma Access Browser. Some of the policy rules contain different functionality
due to the restrictions in mobile browsers.
Mobile Access & Data Control
Mobile Devices support Access & Data Control rules with the
following exceptions:
- The Mobile Browser does not support the Set dialog text feature that permits you to customize your text for a particular feature.
- The Web Access section of the rule creation process does not support the following features:
  - Permission request (a “Prompt” option) becomes a Block.
  - Require MFA becomes a Block.
  - Pick a Label is skipped.
  - Login restrictions - Not supported and can be skipped.
  - When contains - Not supported and can be skipped.
To see the policy rules that you can use for creating rules in the Prisma Access
Mobile Browser, open the policy page, select Data Control, and click
Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
- File Download
  The following File Download controls operate differently in the Prisma Access Mobile Browser:
  - Allow (Protected) - The Prisma Access Mobile Browser will block all downloads.
  - Block - The Prisma Access Mobile Browser will block all downloads.
  - Apply on - When applied on specific files, the Prisma Access Mobile Browser will block all downloads.
  - Prompt - Selecting any prompt will block downloads.
- File Upload
  The following File Upload controls operate differently in the Prisma Access Mobile Browser:
  - Allow - The Prisma Access Mobile Browser will allow all uploads.
  - Allow protected files only between the rule’s web applications - The Prisma Access Mobile Browser will block all file uploads.
  - Allow only nonprotected files - The Prisma Access Mobile Browser will block all file uploads.
  - Block - The Prisma Access Mobile Browser will block all file uploads.
  - Apply on - Select one of the following options:
    - Any file - The upload restrictions will apply to all files.
    - Specific Files - The Prisma Access Mobile Browser supports file specification only for the following Microsoft web-apps:
      - Teams
      - Outlook
      - OneDrive for Business
      - SharePoint online

      For all other applications and URLs, the action will block file uploads for both blocking specific file uploads and allowing specific file uploads.
      Additionally, only File size and File type are supported. The upload restrictions will apply to files that meet the selected specifications (the rule can contain as many of these specifications as needed):
      - File size - Set the size of the file.
      - File types - Set the file types that need to match this rule.
      - File hash - The Prisma Access Mobile Browser will block all file uploads using File Hash.
      - MIP label - The Prisma Access Mobile Browser will block all file uploads requiring an MIP label.
  - Prompt - Selecting any prompt will block all downloads.
- Clipboard
  The following Clipboard commands operate differently in the Prisma Access Mobile Browser.
  - Cut & Paste Data out:
    - Block (Permit only within the rule's web applications) - The Prisma Access Mobile Browser will block Copy and Paste Data out.
    - Exclude URL address bar - Not supported in Prisma Access Mobile Browser. If selected, it will be skipped.
    - Prompt - The Prisma Access Mobile Browser will treat this as Block. All Copy & Paste Data Out will be blocked.
  - Copy & Paste Data in:
    - Prompt - The Prisma Access Mobile Browser will treat this as Block. All Copy & Paste Data In will be blocked.
- Print
  The Print control can also be used to manage File Downloads by printing to a PDF.
- Screenshot
  The following screenshot control operates differently in the Prisma Access Browser:
  - Allow (Protected) - The Prisma Access Mobile Browser will block screen capture, screen recording, and screen sharing using video conference tools.
Mobile Browser Security
To see the policy rules that you can use for creating rules in the Prisma Access
Mobile Browser, open the policy page, select Browser Security, and click
Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
Mobile Browser Customization
To see the policy rules that you can use for creating rules in the Prisma Access
Mobile Browser, open the policy page, select Browser Customization, and
click Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
Set Prisma Access Mobile as the Default Browser for Intune-Managed Applications
Intune enables you to set a default browser for organization-managed
apps. You can apply this globally through App Protection policy rules, or
selectively for specific, critical applications. This is relevant for mobile
devices (iOS and Android), as they are often employee-owned. However, enforcing
a company browser as the default for all apps might raise employee concerns.
Enforcing the Prisma Access Mobile Browser for your Intune-managed apps
significantly enhances your organization's Data Security. You can safeguard
against phishing and identity theft by limiting how URLs are opened. You will be
minimizing the risk of exposure to malicious links by enforcing the use of the
Prisma Access Mobile Browser.
Furthermore, Intune’s clipboard control adds another layer of
protection. It prevents users from copying and pasting links into unmanaged
apps. This ensures that organizational data is always accessible through trusted
and controlled applications.
In essence, designating the Prisma Access Mobile Browser for Intune
apps mitigates the risks associated with phishing and other identity-based
attacks, along with data leak exposure.
To Enable Intune-Managed Applications
This requires an Intune Plan 1 license.
Browse to the Intune admin Portal → App Protection policy rules → Select the policy you want to modify or create.
At the Data Protection admin, select “Restrict web content transfer with other apps,” and enter Unmanaged browser.
iOS Devices
In the Unmanaged browser protocol field, enter pab://.
Android Devices
In the Unmanaged Browser ID field, enter com.talonsec.talon.
In the Unmanaged Browser Name field, enter PA Browser.
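One way to check exported App Protection policies against the iOS and Android values above (an added example, not Palo Alto Networks or Microsoft code). It assumes each policy is a JSON object shaped like a Microsoft Graph iosManagedAppProtection or androidManagedAppProtection resource; the function names and the sample policies are constructed for illustration.

```python
# Added example: audit exported Intune App Protection policies for the
# Prisma Access Mobile Browser values given on this page.
# Assumption: policies follow the Microsoft Graph managed app protection shape.
IOS = "#microsoft.graph.iosManagedAppProtection"
ANDROID = "#microsoft.graph.androidManagedAppProtection"
EXPECTED = {
    IOS: {"customBrowserProtocol": "pab://"},
    ANDROID: {"customBrowserPackageId": "com.talonsec.talon",
              "customBrowserDisplayName": "PA Browser"},
}

def audit_policy(policy):
    """Return findings for one policy ([] = compliant, None = not a mobile policy)."""
    expected = EXPECTED.get(policy.get("@odata.type"))
    if expected is None:
        return None
    findings = []
    # Graph expects this to be true whenever a custom browser is configured.
    if policy.get("managedBrowserToOpenLinksRequired") is not True:
        findings.append("managedBrowserToOpenLinksRequired is not true")
    for key, want in expected.items():
        got = policy.get(key)
        if got != want:  # exact match: "pab" without "://" is a finding
            findings.append(f"{key}={got!r}, expected {want!r}")
    return findings

def audit(policies):
    """Map policy displayName -> findings for every non-compliant policy."""
    report = {}
    for policy in policies:
        findings = audit_policy(policy)
        if findings:
            report[policy.get("displayName", "<unnamed>")] = findings
    return report

# Constructed sample export (not real tenant data).
SAMPLE = [
    {"@odata.type": IOS, "displayName": "iOS employees",
     "managedBrowserToOpenLinksRequired": True, "customBrowserProtocol": "pab://"},
    {"@odata.type": IOS, "displayName": "iOS contractors",
     "managedBrowserToOpenLinksRequired": True, "customBrowserProtocol": "pab"},
    {"@odata.type": ANDROID, "displayName": "Android BYOD",
     "managedBrowserToOpenLinksRequired": False},
    {"@odata.type": ANDROID, "displayName": "Android employees", "managedBrowserToOpenLinksRequired": True,
     "customBrowserPackageId": "com.talonsec.talon", "customBrowserDisplayName": "PA Browser"},
]
if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

Policies that target neither platform are skipped rather than reported, so the result lists only mobile policies that still let links open outside the Prisma Access Mobile Browser.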