How can Smoothwall handle traffic from the Facebook mobile app on BYOD devices?

Article #: Product: Version:
KB-7 Guardian All


This article explains the capabilities of the Smoothwall with regards to using the Facebook app on bring your own devices (BYOD).


Many apps are starting to take advantage of certificate pinning. This prevents traffic from being intercepted by a man-in-the-middle attack, but also stops Smoothwall from performing Decrypt & Inspect on this traffic, as the returned traffic is signed by Smoothwall and not Facebook. This will cause issues with the apps and prevent them from working properly.

Note: The following assumptions are made:

  • A wireless network exists, specifically set up for users to use their own devices on
  • Users are not allowed to download the Facebook mobile app onto your organization-owned devices

For the Facebook app to work on user’s devices, the following URLs must be exempt from any decrypt and inspect policies on the Smoothwall:


Whilst disabling Decrypt & Inspect for these domains will fix the apps, it will prevent the Smoothwall from inspecting the content when Facebook is opened in a browser. This may cause issues if rolled out across the entire network.

As such, if your BYOD network is set as a location policy object in Guardian, then we would advise to disable Decrypt & Inspect for these URLs only on your BYOD network.


  1. Create a custom category in Guardian > Policy objects > Categories containing the above URLs.
  2. Create a location object in Guardian > Policy objects > Locations for the BYOD network
  3. Go to Guardian > HTTPS inspection > Policy wizard and create a new policy where:
    • What — The custom Facebook category you created
    • Where — Your BYOD network location
    • Action — Do not inspect.


Last updated: Author: Contributions by:
27th January 2017 Will Laycock-Smith