Prisma Browser for Mobile works with both Android and iOS devices. The browser
easily integrates with the Prisma Browser and console, allowing you and your end
users to include mobile devices in the tool sets.
The Prisma Browser and the Prisma Browser for Mobile share policy rules.
However, some controls within the policy rules can operate differently, or are not
available. For example, the File Download control skips the setting for specific
file extensions because it's not supported for mobile use. As a result, enabling this
setting causes the Prisma Browser for Mobile to block all file downloads.
The Prisma Browser for Mobile enables you to use the most common functionality
from the regular browser. We recommend that you create rules with the appropriate device
groups in the Scope. This will allow you to properly manage the Mobile device users. By
defining device groups for mobile devices, you can set different rule sets to apply for
all mobile devices.
Important
When using iOS version 17 and its minor versions, users may encounter
errors when routing public or private traffic through Prisma Access. To avoid this
issue, we recommend upgrading to iOS 18.
If you are using iOS 17, you can explicitly exclude these versions from
being routed through Prisma Access by following these steps:
1. Create a mobile device group:
   a. In the Devices page, click on the device group tab.
   b. Click Add device group.
   c. Click on Mobile to display the available Posture Attributes for mobile devices.
   d. Select OS versions.
   e. Click Select Versions.
   f. Select iOS 17.
   g. Click Save.
   h. Click Create.
2. Create a Customization rule:
   a. Select Add a new rule.
   b. Select Browser Customization:
   c. Name the rule.
   d. Select the mobile device group you have created.
   e. In Browser Customization controls, select “Traffic Flow.”
   f. Click “Do not route traffic through Prisma Access:”
Mobile Devices: To ensure an optimal experience with Network Detection and Prisma
Access, either route only Private App traffic, or exclude the Mobile Device group from
routing. Do not route apps via EP. It is not supported.
Onboard Prisma Browser for Mobile from the Strata Cloud Manager
In the onboarding phase, you can install the Android and iOS Prisma Browser for
Mobile apps to test on your own devices before sending the links out to your users.
Once you're satisfied with your tests, you can install the relevant Android and iOS
apps and distribute the links to your users via your mobile device management (MDM)
application.
Install the Prisma Browser for Mobile
You can download the Prisma Browser for Mobile from the following
locations:
Additionally, when you access the regular download link https://get.pabrowser.com/ from a mobile device, the URL
directs you to the relevant app store. This means that you can send a single link to
your users, even when you don't know their particular device.
Create Prisma Browser for Mobile Device Groups
The Prisma Browser has a device group function that allows you to create
different groups for different devices. Groups are dynamic. For example, you can set
up groups for specific managed devices, different subsidiary devices, or
contractors. As an administrator, you can exercise a considerable amount of
flexibility in configuring the mobile device groups you need within your
organization. For example, groups can be adjusted to meet changing business, operational, and
organizational circumstances. You can use device groups either with sign-in rules to
set the security bar for accessing Prisma Browser for Mobile, or with
posture-focused scoping for policy rules.
The Prisma Access Mobile Browser allows you to configure the posture requirements
for your devices running the Mobile Browser in the same way that you configure
posture for your desktop and laptop devices running the Prisma Browser.
Configure Prisma Access Mobile Browser Sign-In Rules
Along with the various policy rules, the Sign-in rules act as a security
measure. Before the policy rules are applied, the Sign-in rules serve as the first
access gatekeeper for Users and Devices.
When you create a Sign-in rule, make sure that the Scope contains the Users and User
Groups and Device Groups that are designed for the Mobile Browser.
While the Prisma Browser for Mobile's Sign-in rules are
configured the same way as the Sign-in rules for the Prisma Browser, be aware of
the following exception:
Starting with iOS browser version 1.4259 and
Android browser version 1.4260, the Prompt action functions as
Block. For all earlier versions, it functions as
Allow.
Configure Prisma Access Mobile Browser Policy Rules
The Prisma Browser for Mobile has various policy rules that you can configure to
create rules as you require. The configuration process is exactly the same as for
the Prisma Browser. Some of the policy rules contain different functionality due
to the restrictions in mobile browsers.
Mobile Access & Data Control
Mobile Devices support Access & Data Control rules with the following exceptions:
- The Mobile Browser does not support the Set dialog text feature that permits you to
  customize your text for a particular feature.
- The Web Access section of the rule creation process does not support the following
  features:
  - Permission request (a “Prompt” option) becomes a Block.
  - Require MFA becomes a Block.
  - Pick a Label is skipped.
  - Login restrictions - Not supported and can be skipped.
  - When contains - Not supported and can be skipped.
To see the policy rules that you can use for creating rules in the Prisma Browser
for Mobile, open the policy page, select Data Control, and click
Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
The following File Upload controls operate differently in the Prisma Browser for Mobile:
- Allow - The Prisma Browser for Mobile will allow all uploads.
- Allow protected files only between the rule’s web applications - The Prisma Browser for
  Mobile will block all file uploads.
- Allow only nonprotected files - The Prisma Browser for Mobile will block all file uploads.
- Block - The Prisma Browser for Mobile will block all file uploads.
- Apply on: - Select one of the following options:
  - Any file - The upload restrictions will apply to all files.
  - Specific Files - The Prisma Browser for Mobile supports file specification only for the
    following Microsoft web-apps:
    - Teams
    - Outlook
    - OneDrive for Business
    - SharePoint online
    For all other applications and URLs, the action will block file uploads for both
    blocking specific file uploads and allowing specific file uploads.
    Additionally, only File size and File type are supported. The upload restrictions will
    apply to files that meet the selected specifications (the rule can contain as many of
    these specifications as needed):
    - File size - Set the size of the file.
    - File types - Set the file types that need to match this rule.
    - File hash - The Prisma Browser for Mobile will block all file uploads using File Hash.
    - MIP label - The Prisma Browser for Mobile will block all file uploads requiring an
      MIP label.
    - Prompt - Selecting any prompt will block all downloads.
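The Sign-in rule Prompt exception and the File Upload behaviour described above can be modelled to pre-check desktop rules before scoping them to mobile device groups. This is an added example, not part of the original page or the product; the rule dictionary layout, the action names and the sample rules are assumptions.

```python
# Added example: models the mobile behaviour described on this page. The rule
# dictionary layout is hypothetical, not a Prisma Browser export format.

# First mobile browser versions where a Sign-in rule "Prompt" acts as Block.
PROMPT_BLOCKS_FROM = {"ios": (1, 4259), "android": (1, 4260)}
# Web apps for which "Specific Files" upload rules are supported on mobile.
SPECIFIC_FILE_APPS = {"Teams", "Outlook", "OneDrive for Business", "SharePoint online"}
# Only these specifications are supported; file_hash and mip_label block all uploads.
SUPPORTED_SPECS = {"file_size", "file_type"}

def parse_version(text):
    """'1.4259' -> (1, 4259), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

def signin_prompt_effect(platform, browser_version):
    """Effective result of a Sign-in rule Prompt action on a mobile browser."""
    threshold = PROMPT_BLOCKS_FROM[platform.lower()]
    return "block" if parse_version(browser_version) >= threshold else "allow"

def mobile_upload_effect(rule):
    """Return (effect, reason) for a File Upload control evaluated on mobile."""
    action = rule["action"]
    if action in ("allow_protected_between_apps", "allow_nonprotected_only"):
        return "block_all", f"'{action}' blocks all uploads on mobile"
    if rule.get("apply_on", "any") == "any":
        return ("allow_all" if action == "allow" else "block_all"), "applies to any file"
    if rule["app"] not in SPECIFIC_FILE_APPS:
        return "block_all", f"Specific Files is not supported for {rule['app']}"
    unsupported = sorted(set(rule["specs"]) - SUPPORTED_SPECS)
    if unsupported:
        return "block_all", "unsupported specification: " + ", ".join(unsupported)
    return "as_configured", "file size / file type specifications are applied"

# Constructed sample rules (not taken from a real tenant).
SAMPLE_RULES = [
    {"name": "hr-uploads", "action": "allow", "apply_on": "any", "app": "ExampleHR"},
    {"name": "teams-small", "action": "allow", "apply_on": "specific",
     "app": "Teams", "specs": ["file_size", "file_type"]},
    {"name": "crm-docs", "action": "allow", "apply_on": "specific",
     "app": "ExampleCRM", "specs": ["file_type"]},
    {"name": "od-hash", "action": "block", "apply_on": "specific",
     "app": "OneDrive for Business", "specs": ["file_hash"]},
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r["name"], *mobile_upload_effect(r))
    print(signin_prompt_effect("iOS", "1.4259"), signin_prompt_effect("Android", "1.4259"))
```

Rules reported as `block_all` are the ones whose desktop intent is not preserved on mobile and that need a separate mobile-scoped rule.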
The following screenshot control operates differently in the Prisma Browser for Mobile:
Allow (Protected) – The Prisma Browser for Mobile will
block screen capture, screen recording, and screen sharing using
video conference tools.
Mobile Browser Security
To see the policy rules that you can use for creating rules in the Prisma Browser
for Mobile, open the policy page, select Browser Security, and click
Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
To see the policy rules that you can use for creating rules in the Prisma Browser
for Mobile, open the policy page, select Browser Customization, and click
Mobile Browser.
For more information on the available policy rules, refer to the following
articles:
There is a Troubleshooting page for the Prisma Browser for Mobile. You can find
it at the following location:
Android - Click 3 dots → Settings → Scroll down to Troubleshoot →
Click Prisma Access Integration.
iOS - Click 3 dots → Settings → Scroll down to Troubleshoot →
Click Prisma Access Integration.
There are two common SSL-related issues on iOS devices:
- Outdated Certificates: iOS enforces certificate validity limits. Certificates valid for
  more than one year may cause SSL errors. These issues typically affect internal websites,
  not public ones. See Apple Certificate Requirements.
- Traffic Routing with Decryption: Routing all traffic through the enforcement point (EP)
  while SSL decryption is enabled is not supported.
Since the Prisma Browser provides network and CDSS, SSL issues (usually
related to decryption) are rare.
Set Prisma Browser for Mobile as the Default Browser for Intune-Managed
Applications
Intune enables you to set a default browser for organization-managed
apps. You can apply this globally through App Protection policy rules, or
selectively for specific, critical applications. This is relevant for mobile
devices (iOS and Android), as they are often employee-owned. However, enforcing
a company browser as the default for all apps might raise employee concerns.
Enforcing the Prisma Browser for Mobile for your Intune-managed apps
significantly enhances your organization's Data Security. You can safeguard
against phishing and identity theft by limiting how URLs are opened. You will be
minimizing the risk of exposure to malicious links by enforcing the use of the
Prisma Browser for Mobile.
Furthermore, Intune’s clipboard control adds another layer of
protection. It prevents users from copying and pasting links into unmanaged
apps. This ensures that organizational data is always accessible through trusted
and controlled applications.
In essence, designating the Prisma Browser for Mobile for Intune apps
mitigates the risks associated with phishing and other identity-based attacks,
along with data leak exposure.