Netskope Global Technical Success (GTS)
How to Block WhatsApp Native Application Access - Windows OS
Netskope Cloud Version - 120
Objective
Block WhatsApp Native Application Access
Prerequisite
Netskope Inline CASB or SWG license is required
Context
WhatsApp offers a native application to which customers want to restrict access. While they can regulate uploads and downloads for WhatsApp Web through Real-Time policies, they encounter issues with the WhatsApp desktop application. Existing policies fail to control access effectively in this context, which makes it difficult to manage WhatsApp usage across different platforms.
Do You Know?
- Netskope acknowledges WhatsApp Web as a Cloud Application and provides a predefined cloud app connector.
- The predefined cloud connector for WhatsApp does not support DLP and Threat Protection on any activities due to end-to-end encryption.
- As of May 17, 2024, with Netskope’s WhatsApp predefined connector, customers can exercise control over the following activities:
Configuration
- Step 1 - Create a new certificate pinned application
Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> App Definition >>> New Certificate Pinned App
- Step 2 - Add the following executables: WhatsApp.exe, WhatsAppDesktop.exe
Note - Define here the platform on which the application will be used. If the application is needed on another platform, repeat the process for that platform.
- Step 3 - Edit the current steering configuration to allow non-standard ports to be steered to Netskope. The WhatsApp desktop application uses ports 443 and 5222.
Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Steering configuration >>> Edit (in this example, the default tenant configuration)
Note - When you steer non-standard ports without specifying the domains, you can potentially steer traffic from any other certificate pinned application that uses the same destination ports.
- Step 4 - Create an exception with the action set to Block, as follows
Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Steering configuration >>> Exceptions >>> New
Select the previously created certificate pinned application, add * as the custom app domain, then select “Block”.
Note: Once the edit to the steering configuration profile is saved, ensure that the Netskope Client is up to date: right-click its icon, open its configuration, and make sure there are no pending updates.
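The note in Step 3 warns that steering ports without a domain restriction can catch other applications on the same ports. The following PowerShell audit is an added example, not Netskope tooling or part of the original article; it lists which local processes currently hold connections to the ports named in Step 3 so they can be reviewed before the change. The function name and variable names are hypothetical, and the script only sees applications that are running when it is executed.

```powershell
# Added example (not Netskope tooling): audit which local processes talk to the
# ports named in Step 3 before steering them without a domain restriction.
$Ports        = 443, 5222                       # ports from Step 3
$WhatsAppExes = 'WhatsApp', 'WhatsAppDesktop'   # Step 2 executables, without ".exe"

# Hypothetical helper: one row per active outbound TCP connection on the ports.
function Get-PortUsageByProcess {
    param([int[]]$RemotePort)

    Get-NetTCPConnection -RemotePort $RemotePort -State Established, SynSent `
                         -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The owning process may exit between the two calls; fall back to the PID.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process    = if ($proc) { $proc.ProcessName } else { "PID $($_.OwningProcess)" }
                RemotePort = $_.RemotePort
                RemoteAddr = $_.RemoteAddress
                State      = $_.State
            }
        }
}

$usage = Get-PortUsageByProcess -RemotePort $Ports

# Summarise per process and port. Rows with IsWhatsApp = False on port 5222 are
# the applications to review against the Step 3 note before saving the change.
$usage |
    Group-Object Process, RemotePort |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Process     = $first.Process
            RemotePort  = $first.RemotePort
            Connections = $_.Count
            IsWhatsApp  = $first.Process -in $WhatsAppExes
        }
    } |
    Sort-Object RemotePort, IsWhatsApp, Process |
    Format-Table -AutoSize
```

Run it from a PowerShell session on a representative Windows endpoint while the usual business applications, including WhatsApp Desktop, are open.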
Verification
On a Windows machine with WhatsApp Desktop installed, run the application.
You should notice that the application is not able to initiate, that new messages are neither sent nor received, and that upload and download do not work.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.