Forum Discussion
Web content filtering and indicator aren't working on third party browser
We're having trouble with Mac's at the moment and it's largely due to browsers having implemented ECH by default, and QUIC, ECH obfuscates the domain which is what the web filtering is based on. IP Network Protection probably still works but anything domain based where ECH is used won't. We're also finding the protection is inconsistent, likely because ECH falls back if it doesn't work and then the domain can be seen and blocked. So even if you block QUIC at firewall unless you explicitly configure the browsers to disable ECH and QUIC and don't allow the users to override, then when the users go home they can be unprotected.
I have managed to disable QUIC on Chrome and Edge for all users but still have the issue with Chrome, is it possible to disable ECH? Funny how MS implement blocking QUIC into their secure score and recommendations yet they can't get the web filter to work on Chrome...
We moved away from our Firewall doing web filtering for the pure reason people we're not protected at home... but now if they use Chrome they bypass all protection anyway.. feels like a somewhat step backwards
Yep, for GPO you'll need to use the latest ADMX or ADML file and the field is "EncryptedClientHelloEnabled", for intune it's in administrative templates
Enable TLS Encrypted ClientHello | DeviceFor Macs I believe you have to update the plist manifest values for:EncryptedClientHelloEnabled
QuicAllowedI'm no expert on Macs though.Tested this to no avail!
Disables ECH and QUIC, reboot etc... the chrome:policy and Chrome:flags both show QUIC and ECH disabled yet the filter does not work.
Ensured history was cleared and but still no luck, works flawless on edge just nothing on Chrome