Web security and content filtering for mobile devices and BYOD initiatives

By Tim Lloyd

This article discusses the options available for filtering smartphones, tablets and other mobile devices using the Hybrid Web Security service.

I get many questions about how to safely manage Bring-Your-Own-Device (BYOD), so I thought it would be a good idea to write this article and consolidate all the information in one place.

The first question to answer is whether the mobile devices you want to secure belong to the company or if they are owned by the employees. The latter is becoming more and more common and we are seeing many employees wanting to use their own mobile device at work. This is good news for businesses, as the employee will be more productive using their own device and the company does not have to maintain and support the equipment. Regardless of the ownership, it is necessary to ensure the device is secure and is not able to access unsuitable content online or worse, download any malware. CensorNet Hybrid Web Security product is flexible and provides numerous options for solving this problem.

What are the options for BYOD environments?

With BYOD, you are primarily concerned with securing the device when it is connected to your corporate network. When it leaves the network, the device ceases to be your problem from a security point of view.

The most common and possibly the simplest option is to use the Captive Portal feature of the   software appliance, which is typically installed on your network. To enforce web content filtering on mobile devices, without needing to configure anything on the device itself, simply issue the mobile device with the Cloud Gateway IP address as its default gateway via DHCP. When the user of the mobile device opens a browser, they will be redirected to the Captive Portal where they will be prompted to sign-in (typically with their Active Directory username and password). You can customise the Captive Portal with your logo, welcome message and terms of service/AUP if necessary.


For devices that regularly connect in this way, you can bypass the authentication by mapping the MAC address of the device to a username within the web interface. The advantage of the Captive Portal is it works with any device, regardless of manufacturer or model, and is a completely hands-off approach so your IT engineer cannot get the blame for fiddling with someone else’s brand new tablet.

The other option available to you is to configure a proxy server in the device Wi-Fi settings. This requires you to have access to the device so that you can configure it which by nature makes this a less favourable option. Having said that, if you are not able to install a Cloud Gateway on the network this serves as the second best solution. We currently provide an experimental proxy interface for the Cloudwebfiltering.com service:


Location Proxy server hostname Port
UK, London proxy.uk.cloudwebfiltering.com 3128
Ireland, Dublin proxy.ie.cloudwebfiltering.com 3128
USA, Texas proxy.us-tx.cloudwebfiltering.com 3128

It’s experimental as we are seeing how popular this option is for our customers and partners. Please let us know what you think. Some customers have actually installed a Cloud Gateway in their own data centre, which can then act as the proxy server, for additional control and sometimes better latency.

What are the options for company-owned devices?

With a company-owned or “managed” device you want to ensure that wherever the device is and whatever network it is connected to, your security policies are applied and content is filtered. This is more of a challenge because almost all mobile device operating systems put the owner in complete control, and as such the user can simply uninstall the app or alter the setting which enforces the filtering. As a result, it is essential that you use a Mobile Device Management (MDM) solution to restrict the options available to the user, such as being able to alter Wi-Fi settings or install alternative browser apps. Without an adequate MDM solution in place the filtering can easily be circumvented.

Assuming that MDM is in place, there are a number of options available:

You can of course use the proxy servers listed in the table above but please bear in mind on most mobile devices the proxy is configured per-Wi-Fi connection and as such is not active when browsing over GPRS, 3G or 4G. Also, the user will encounter many different Wi-Fi networks whilst roaming and any new Wi-Fi connections will not be filtered.


Hopefully this article has given you a good starting point and outlined the options available as well as considerations to be aware of. To discuss your deployment in more detail please contact your CensorNet account manager or our support helpdesk.