Manage Internet access using managed browser policies with Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager SP1
Beginning with System Center 2012 Configuration Manager SP2, you can deploy the Intune Managed Browser, a web browsing application, and associate the application with a managed browser policy. The managed browser policy configures an allow list or a block list that restricts the web sites that users of the managed browser can visit.
Because this app is a managed app, you can also apply mobile application management policies to the app, such as controlling the use of cut, copy and paste, preventing screen captures, and also ensuring that links to content that users click only open in other managed apps. For details, see How to Control Apps Using Mobile Application Management Policies in Configuration Manager.
If users install the managed browser themselves, it will not be managed by any policies you specify. To ensure that the browser is managed by Configuration Manager, they must uninstall the app before you can deploy it to them as a managed app.
You can create managed browser policies for the following device types:
Devices that run Android 4 and later
Devices that run iOS 7 and later
Create a managed browser policy
In the Configuration Manager console, click Software Library.
In the Software Library workspace, expand Application Management, and then click Application Management Policies.
In the Home tab, in the Create group, click Create Application Management Policy.
On the General page, enter the name and description for the policy, and then click Next.
On the Policy Type page, select the platform, select Managed Browser for the policy type, and then click Next.
On the Managed Browser page, select one of the following options:
- **Allow the managed browser to open only the URLs listed below** – Specify a list of URLs that the managed browser can open. - **Block the managed browser from opening the URLs listed below** – Specify a list of URLs that the managed browser will be blocked from opening.
You cannot include both allowed and blocked URLs in the same managed browser policy.
For more information about the URL formats you can specify, see URL format for allowed and blocked URLs in this topic.
The General policy type lets you modify the functionality of apps that you deploy to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a restricted app. For more information about the General policy type, see How to Control Apps Using Mobile Application Management Policies in Configuration Manager.
Complete the wizard.
The new policy is displayed in the Application Management Policies node of the Software Library workspace.
Create a software deployment for the managed browser app
After you have created the managed browser policy, you can then create a software deployment type for the managed browser app. You must associate both a General and Managed Browser policy for the Managed Browser app.
For more information, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager.
Security and privacy for the managed browser
On iOS devices, web sites that users visit that have an expired or untrusted certificate cannot be opened.
Settings that users make for the built-in browser on their devices are not used by the managed browser. This is because the managed browser does not have access to these settings.
If you configure the options Require simple PIN for access or Require corporate credentials for access in a mobile application management policy associated with the managed browser and a user clicks the help link on the authentication page, they can then browse any Internet sites regardless of whether they were added to a block list in the managed browser policy.
The managed browser can only block access to sites when they are accessed directly. It cannot block access when intermediate services (such as a translation service) are used to access the site.
URL format for allowed and blocked URLs
Use the following information to learn about the allowed formats and wildcards you can use when specifying URLs in the allowed and blocked lists.
You can use the wildcard symbol ‘*’ according to the rules in the permitted patterns list below.
Ensure that you prefix all URLs with http or https when entering them into the list.
You can specify port numbers in the address. If you do not specify a port number, the values used will be:
Port 80 for http
Port 443 for https
Use the following table to learn about the permitted patterns you can use when you specify URLs:
Does not match
Matches a single page
Matches a single page
Matches all URLs beginning with www.contoso.com
Matches all sub-domains under contoso.com
Matches a single folder
Matches a single page, using a port number
Matches a single, secure page
Matches a single folder and all subfolders
The following are examples of some of the inputs you cannot specify:
*.microsoft.com is always allowed – it is always treated as allowed.
How conflicts between the allow and block list are resolved
If multiple managed browser policies are deployed to a device and the settings conflict, both the mode (allow or block) and the URL lists are evaluated for conflicts. In case of a conflict, the following behavior applies:
If the modes in each policy are the same, but the URL lists are different, the URLs will not be enforced on the device.
If the modes in each policy are different, but the URL lists are the same, the URLs will not be enforced on the device.
If a device is receiving managed browser policies for the first time and two policies conflict, the URLs will not be enforced on the device. Use the Policy Conflicts node of the Policy workspace to view the conflicts.
If a device has already received a managed browser policy and a second policy is deployed with conflicting settings, the original settings remain on the device. Use the Policy Conflicts node of the Policy workspace to view the conflicts.