Limitations of the ETP Mobile Client

These limitations currently apply to ETP Mobile Client:

  • User Authentication is not supported for the ETP Mobile Client. For this reason, make sure that the Authentication Mode field on the policy's Settings tab is set to None or Optional. This factor also applies to other areas of the policy, including user and group exceptions configured for a custom list or data loss prevention (DLP).
  • A VPN client application cannot run simultaneously with the mobile client. If a VPN client is activated on the device, ETP client app automatically disables itself. To protect users with ETP mobile client, you can use your organization’s MDM solution to restrict use of another VPN client and prioritize the ETP mobile client.
  • Any user and group that is set up for authentication and configured as exceptions to a blocked application visibility and control (AVC) risk level, category, category operation, application, and application operation, are not granted access. These authentication settings do not apply to traffic that goes through the mobile client. This also applies to other areas of the policy, including user and group exceptions configured for a custom list or data loss prevention (DLP).
  • When an administrator makes policy changes or other configuration changes to ETP, these updates are communicated to the ETP mobile client and take effect within a five minute interval.
  • Certificate pinning is used by many mobile applications to validate that TLS certificates presented by web servers are known. These pinned certificates may be incompatible with the TLS man-in-middle certificate that is used for ETP Proxy. As a result, the ETP policy is applied differently if traffic comes from a mobile browser or a mobile app, as follows:
    • On an Android operating system version 10 and later, mobile traffic from mobile browsers is forwarded to ETP Proxy and TLS inspection is performed with the ETP Proxy certificate.
    • A selective proxy is applied to traffic from Apple iOS, iPadOS, Android apps, as well as any Android OS that is earlier than version 10. In this case, only known domains, AUP and AVC configured with block error page action, and risky domains and customer lists configured with the classify or block action are sent to ETP Proxy. All other domains are handled on DNS level by ETP DNS.
  • The ETP Mobile Client supports the selective ETP proxy. Full ETP Proxy is only supported for Android 10 and higher for browser traffic only.
  • If your organization sets up proxy chaining for the full web proxy and you use the ETP mobile client, make sure you configure the local proxy to copy the Akamai-User-Agent header Mobile Clients send and forward it to the proxy.