Remote Browser Isolation
- Updated on 13 Feb 2024
Alongside OS and App DLP controls, some organizations want to reduce data loss and exfiltration capabilities via web browsers. Using Remote Browser Isolation, administrators can configure numerous policies, including copy/paste and printing controls. These work in any modern browser on multiple platforms.
Remote Browser Isolation can also be employed as part of a layered security strategy to protect users in browsers.
Deep Packet Inspection and Remote Browser Isolation can be used selectively on traffic, devices, or users to augment additional policy controls.
Jamf does not provide TLS decryption, which is required for remote browser isolation to work.
To help customers achieve RBI in a high-performance, cloud-native way, Jamf has partnered with Cloudflare to deliver this capability to our shared customers.
If you are not yet a Cloudflare customer and you would like to trial these capabilities, contact cloudflare@jamf.com.
Prerequisites
- Configure Jamf Connect ZTNA
- Set up an Access Gateway to Cloudflare via Magic WAN
- Deploy the Cloudflare root certificates to devices via your MDM
Steps
- In Jamf Security Cloud, configure an Access policy and specify the domains to be rendered via remote browser isolation as hostnames in the policy.
  - Add *.browser.run as a hostname in your RBI access policy.
  - Configure the access policy to route via your Cloudflare egress tunnel.
  - To send all traffic that doesn't match another Jamf Access Policy to RBI, define * as the hostname.
- Enable Non-identity on-ramps in your Cloudflare One portal.
- Configure a Remote Browser Isolation policy in your Cloudflare One portal.
Examples
API example convenience script:
# Replace {accountid} and APITOKEN with your own values.
# biso_admin_controls, true = disabled in the isolated browser:
#   dcp = copy/paste, dd = download, dk = keyboard, dp = printing, du = upload
curl --request POST \
  --url https://api.cloudflare.com/client/v4/accounts/{accountid}/gateway/rules \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer APITOKEN" \
  --data '{
    "action": "isolate",
    "description": "Test Isolate API",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "isolatetest",
    "rule_settings": {
      "biso_admin_controls": {
        "dcp": true,
        "dd": true,
        "dk": true,
        "dp": true,
        "du": true
      }
    },
    "traffic": "http.request.host eq \"test.com\""
  }'
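The request body above can also be generated instead of edited by hand. The following is an added example, not Jamf's or Cloudflare's own code: it builds the same payload for one or more hostnames and rejects any value that is not a plain hostname before it is placed inside the traffic expression. The function names, the readable control names and joining several hosts with "or" are assumptions of this example.

```python
import json
import re

# Readable names are this example's own; the short keys come from the page's
# payload, where true disables the feature in the isolated browser.
CONTROLS = {"copy_paste": "dcp", "download": "dd", "keyboard": "dk",
            "printing": "dp", "upload": "du"}

# Plain DNS hostname only: no quotes, spaces or operators can reach the filter.
HOSTNAME = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def traffic_expression(hosts):
    """Build the rule's traffic filter, rejecting anything that is not a hostname."""
    if not hosts:
        raise ValueError("at least one hostname is required")
    clauses = []
    for host in hosts:
        host = host.strip().lower()
        if not HOSTNAME.fullmatch(host):
            raise ValueError(f"not a valid hostname: {host!r}")
        clauses.append(f'http.request.host eq "{host}"')
    return " or ".join(clauses)


def isolate_rule(name, hosts, disable, description=""):
    """Return the JSON body for an isolate rule that disables the named controls."""
    unknown = set(disable) - set(CONTROLS)
    if unknown:
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    controls = {key: (label in disable) for label, key in CONTROLS.items()}
    return {
        "action": "isolate",
        "description": description,
        "enabled": True,
        "filters": ["http"],
        "name": name,
        "rule_settings": {"biso_admin_controls": controls},
        "traffic": traffic_expression(hosts),
    }


if __name__ == "__main__":
    # Constructed sample input: two hostnames, disable copy/paste and printing only.
    rule = isolate_rule("isolatetest", ["test.com", "example.org"],
                        {"copy_paste", "printing"}, "Test Isolate API")
    print(json.dumps(rule, indent=2))
```

The printed JSON can be piped to the curl command above by replacing the inline body with `--data @-`.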