Zero Trust Exclude Specific Devices From TLS Decryption/Inspection

Is it possible to create an HTTP policy (or otherwise) that can exclude a specific device from having HTTPS traffic inspected? I’ve not been able to find a way to do it for a device, it seems I can only apply that at the user level. There are a lot of mobile apps that prevent MITM and I’d like to be able to disable decryption on mobile devices. Thanks

Yeah it’s possible, we faced similar issues in the past but the do not inspect action fixes it.
https://developers.cloudflare.com/cloudflare-one/policies/filtering/http-policies/#do-not-inspect

I’m familiar with the Do Not Inspect action but I am unable to apply that action to a device or location. I’d like to create an HTTP policy that allows me to exempt a singular device (or group of devices) from inspection.

In case anybody stumbles across this post wondering the same thing: I was able to accomplish targeted device exclusion from HTTPS inspection/decryption by using a posture rule. I specifically used the serial number posture rule, as that currently does not work on mobile devices (and only works on Windows/Mac). I had the rule in place already, I just created a new HTTP policy with the Passed Device Posture Checks selector, ‘not in’ for the operator, and the Serial Number list for the value. I set the action to Do Not Inspect. This allows the mobile devices to still leverage WARP for DNS and tunneling but not for TLS inspection (which is what breaks most mobile apps).

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.