Under Cloud Shield Profiles an overview of all current Cloud Shield Profiles is displayed.
Using the Add profile button, a new profile can be created.
Clicking on a profile allows it to be edited.
Additionally, a profile can be edited, copied, or deleted via the button on its profile tile.
Profile overview
Managed Devices
The profile has the type Managed Devices
External devices
The profile has the type External devices
Managed by ICS
New as of: 2.10
The profile has been migrated from Intelligent Cloud Shield (ICS).
This profile can be viewed read-only under Cloud Shield Profiles; it can still be edited in ICS.
It automatically receives the profile type External Devices.
Allowed hosts:
0
Number of hosts explicitly authorized by this profile
Blocked hosts:
0
Number of hosts blocked by this profile
Filter categories:
3
Number of selected categories in this profile
Filtered countries:
3
Number of countries filtered by this profile
Protocols:
Disabled
Status of the logs for this profile
MDM profiles: Only for Managed devices
Doku
MDM profiles that use this Cloud Shield profile
Number of devices: Only for External devices
10
Number of devices using this Cloud Shield profile.
This value is configured and is not determined automatically.
UTM-Profiles:
Doku
UTM profiles using this Cloud Shield profile
Configuration:
show
Opens a dialog in which the setup of the Cloud Shield profile is displayed for all possible devices, as well as the data required in each case (e.g. configuration ID).
For profiles of type Managed Devices, the profile can be added to MDM profiles.
For profiles of type External devices, there are explanations for using the Cloud Shield for the following options:
Scan the QR code in the portal or alternatively enter the Configuration ID from the portal into the settings of the Cloud Shield App
New as of: 2.8.x
Windows:
Download the Cloud Shield app from the Microsoft Store
Open Cloud Shield as an administrative user
Optional: Right-click to exclude adapters that are not to be configured
Navigate to the configuration overview
Enter the configuration ID of the Cloud Shield profile displayed
Optional: Specify a name for the device. This makes it easier to identify the device in statistics and logs
Save the configuration
Android:
Open the settings of the Android device
Navigate to Network & Internet
Select Private DNS
Tap on Private DNS provider hostname
Enter the address using the configuration ID from the profile
Apple devices (mobileconfig):
Download the signed mobileconfig from the portal
Install the mobileconfig on the device
Chrome:
Open Chrome
Click on the menu icon in the upper right corner
Select Settings
Select Privacy and security
Select Security
Activate Use secure DNS under the menu item Advanced
Under Select DNS provider, select the option Add custom DNS service provider
Enter the address with the configuration ID from the portal
Firefox:
Open Firefox
Click on the menu icon in the upper right corner
Select Settings
Enter DNS in the search field
Select Maximum protection
Under the Select provider menu item, select the Custom option
Enter the address with the configuration ID from the portal
Edge:
Open Edge
Click on the menu icon in the upper right corner
Select Settings
Click on Privacy, search and services in the left bar
Scroll down to the Security section
Under the menu item Use secure DNS to specify how to look up the network address for websites, select the option Select a service provider
Enter the address with the configuration ID from the portal
Router:
Cloud Shield can be set up directly on the router, using either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).
The corresponding endpoint URLs along with the Configuration ID must be copied from the portal.
No changes need to be made to existing router configurations.
If the router does not support DoH or DoT, Cloud Shield can still be used directly in the network for all connected devices.
To do this, the router's IP address must be transmitted to SPDyn via DynDNS.
The IPv4 and IPv6 addresses displayed here must then be entered as DNS resolvers in the router used.
UDP/TCP before setup
After setup, the current configuration is displayed in SPDyn with the host name and the IPv4/IPv6 address
UDP/TCP after setup
New as of: 2.10
Tile Options
Using the button at the top right of each profile tile, the following options are available:
Edit
View and edit profile settings. For details, see Create/Edit
Copy
Copies this profile
Deactivate blocking
The blocklist and external lists of the profile are disabled for a configurable period of time.
The duration can be freely set (default: 5).
The time unit can be seconds, minutes (default), or hours.
Confirm the process by clicking the save button.
A label showing the deactivation duration is displayed on the profile tile.
After the time expires, blocking is automatically re-enabled. Alternatively, it can be re-enabled manually via Enable blocking.
Delete
Deletes the profile from the portal. The deletion must be confirmed with OK.
Profiles can only be deleted if they are not assigned to any MDM or UTM profile.
Only for Cloud Shield profiles of the type external devices
When a Cloud Shield Profile is deleted, a push notification is sent to the device indicating that the Cloud Shield configuration has been removed. An appropriate error message is displayed in the Cloud Shield app.
Create/Edit
Using the Create profile button under Cloud Shield Profiles, a new profile can be created. The same configuration options are available during both creation and editing.
Caption
Value
Description
General
Name
Doku-Cloud Shield-Profile
The name of the configuration
Create profiles General tab
Type
Managed Devices
Type of the Cloud Shield profile
External devices
License (only for: External devices)
TTT-Point AG [Mobile Security] (3/5000)
License for the Cloud Shield profile. When this Cloud Shield profile is saved, the devices are assigned to this license. Depending on the agreed license model, this may incur costs.
Number of devices (only for: External devices)
10 devices / approx. 2 million requests
Number of devices using this Cloud Shield profile. The number of requests is considered a monthly reference value.
Filter
Allowed categories
Updates and important services
Selection of permitted categories
Create profiles General filter
Blocked categories
Threat Intelligence Feed, Hacking, Spam domains
Selection of categories to be blocked. For each selected category, you can also define which scores (0-23) should trigger blocking.
Additionally, all available categories can be selected or deselected at once using the corresponding buttons.
Select all Deselect all
Blocked services
New as of: 2.10
Name
Description
Name of the blocked service
Description of the blocked service
This service list, maintained by Securepoint, can be used to block or re-enable the services listed there.
Manage services opens a dialog box displaying the service list
Block blocks the desired service
Allow re-enables a blocked service
Manage services
Blocked countries
Russia, China, Belarus
Selection of countries whose IP addresses should be blocked. Below, an overview of the current selection is also displayed in the form of a map.
You can select or deselect all countries using the corresponding buttons.
Select all Deselect all
Security
DNS rebinding protection
By enabling this feature, attackers are prevented from gaining control over local devices via the internet by automatically blocking DNS responses that contain private IP addresses. Both private IPv4 and private IPv6 addresses are blocked.
Create profiles Security tab
Extended DNS Rebinding Protection
When activated, IPv6 addresses that are reserved for special network purposes such as documentation, tunneling or packet discarding are blocked. These are not typically used on the internet.
IDN Homograph Attack protection
By activating this option, domains that impersonate other domains by misusing the large character set available since the introduction of Internationalized Domain Names (IDNs) are blocked. With this option, only domains consisting of ASCII characters are permitted.
Blocking of disguised third-party trackers
The activation blocks third-party trackers that disguise themselves as first-party providers. This attack is also known as CNAME cloaking.
Safe Search
Activation filters the results in all major search engines, including images and videos.
Restricted YouTube mode
By activating this, YouTube content for adults is filtered. All comments are also hidden.
Prevent Private Relay
New as of: 2.12
When activated, this function blocks iCloud Private Relay and routes the traffic via Cloud Shield.
This keeps devices fully protected; devices with Private Relay enabled bypass the protection.
It is therefore recommended to enable this function.
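The three DNS-level checks of the Security tab (DNS rebinding protection, its extended IPv6 variant, and IDN homograph protection), modelled as an added example that is not Securepoint's code. Which prefixes count as private or reserved, and the function names, are assumptions of this example.

```python
# Added example (not Securepoint's code): minimal model of three Security-tab checks.
# Basic rebinding protection drops answers with private IPv4/IPv6; the extended variant
# also drops reserved IPv6 ranges (documentation, tunneling, discard); IDN protection
# permits ASCII-only names. The prefix lists below are this example's assumptions.
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                       # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128", "::/128",          # ULA, link-local, loopback
)]
RESERVED_V6 = [ipaddress.ip_network(n) for n in (
    "2001:db8::/32",   # documentation
    "2001::/32",       # Teredo tunneling
    "2002::/16",       # 6to4 tunneling
    "100::/64",        # discard-only
)]

def is_rebinding_answer(addr: str, extended: bool = False) -> bool:
    """True if an answer address must be dropped by (extended) rebinding protection."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE):
        return True
    return extended and ip.version == 6 and any(ip in net for net in RESERVED_V6)

def is_idn_domain(name: str) -> bool:
    """True if the name is not pure ASCII or carries punycode (xn--) labels."""
    return (not name.isascii()) or any(
        label.lower().startswith("xn--") for label in name.split("."))

def check_answer(name, addrs, extended=False, idn_protect=False):
    """Classify one DNS answer: 'allow', 'idn-homograph' or 'dns-rebinding'."""
    if idn_protect and is_idn_domain(name):
        return "idn-homograph"
    # The page states that responses containing private addresses are blocked as a whole.
    if any(is_rebinding_answer(a, extended) for a in addrs):
        return "dns-rebinding"
    return "allow"

if __name__ == "__main__":
    # Constructed sample answers, not real lookups.
    print(check_answer("printer.lan", ["192.168.0.42"]))                         # dns-rebinding
    print(check_answer("example.com", ["2001:db8::1"], extended=True))           # dns-rebinding
    print(check_answer("xn--pypal-4ve.com", ["203.0.113.5"], idn_protect=True))  # idn-homograph
```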
AI Filter
AI Filter Experimental
The AI-based filter detects previously unknown threats through real-time risk analysis. Only domains that are not already classified by our content filter are checked.
Create profiles AI filter tab
No data transfer: All analyses take place in the Securepoint infrastructure - there is no transmission to third parties!
Own AI development: The filter is based on Securepoint's own machine learning model - specifically trained on current threat patterns on the web.
Activate AI Filter
When activated, malicious domains are blocked with the Securepoint machine learning model, which has been trained with tens of thousands of benign and malicious domains.
Rating
Adjust the threshold individually to the security needs. The lower the threshold, the more potentially harmful pages will be blocked, even if this can lead to some false positives.
50%
Blocks pages that are classified as threatening with a probability of at least 50%.
This setting offers the highest possible protection, but increases the likelihood of false positives.
70%
Blocks pages that are classified as threatening with a probability of at least 70%.
Good balance between security and surfing comfort.
90%
Ideal for users who want maximum freedom on the web while still being protected from clearly malicious pages.
With this setting, the risk of false positives is low, but potentially more threats remain undetected.
Allow list
Allowed IPs
Explicitly allowed IP addresses (even if they are on the block list)
Create profiles Allow list tab
Allowed domains
Domains that should be allowed. A subdomain can also be added on its own so that it is allowed even if its parent domain is blocked.
Block list
Blocked IPs
IP addresses that are to be blocked
Create profiles tab block list
Blocked domains
Domains that are to be blocked. This also blocks all associated subdomains. If certain subdomains are to be allowed, they can be explicitly added to the allow list.
External Lists
Custom Blocklists
Add Blocklist
Adding custom blocklists. All common formats are supported, e.g. hosts and ABP.
Create profiles External lists tab
Custom Blocklists
Activated
When activated, the blocklist is in use
Name
Name of the blocklist
URL
URL of the blocklist
Authentication
New as of: 2.12
Authentication method
No authentication
Specifies the authentication method for accessing the list
No authentication
Accessing the list requires no authentication
Basic authentication
Accessing the list requires basic authentication with username and password
Bearer token
Accessing the list requires a bearer token
Username (for the method Basic authentication)
The username for authentication
Password (for the method Basic authentication)
Show password Hide password
The password for authentication
Bearer token (for the method Bearer token)
Show password Hide password
Enter the required bearer token
HTTP headers
New as of: 2.12
Add HTTP header
Add custom HTTP headers for accessing the list
Header
Key
X-Example-Header
The key of the HTTP header
Value
12345
The value for the HTTP header key
Custom Allowlists
Add Blocklist
Adding custom allowlists. All common formats are supported, e.g. hosts and ABP.
Custom Allowlists
Activated
When activated, the allowlist is in use
Name
Name of the allowlist
URL
URL of the allowlist
Authentication
New as of: 2.12
Authentication method
No authentication
Specifies the authentication method for accessing the list
No authentication
Accessing the list requires no authentication
Basic authentication
Accessing the list requires basic authentication with username and password
Bearer token
Accessing the list requires a bearer token
Username (for the method Basic authentication)
The username for authentication
Password (for the method Basic authentication)
Show password Hide password
The password for authentication
Bearer token (for the method Bearer token)
Show password Hide password
Enter the required bearer token
HTTP headers
New as of: 2.12
Add HTTP header
Add custom HTTP headers for accessing the list
Header
Key
X-Example-Header
The key of the HTTP header
Value
12345
The value for the HTTP header key
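The External Lists tab accepts custom block- and allowlists in hosts and ABP format. As an added example (not Securepoint's code, and not its actual list parser), the following parses both formats into a set of domains; which ABP rule kinds are recognised is an assumption of this example.

```python
# Added example (not Securepoint's code): parser for the two external list formats the
# page names, "hosts" and ABP (Adblock Plus filter syntax), returning the set of domains.
# Only a common subset of ABP syntax is recognised (assumption); element-hiding rules,
# exceptions (@@) and regex patterns are skipped rather than misread as domains.
import ipaddress
import re

ABP_DOMAIN = re.compile(r"^\|\|([a-z0-9.-]+)\^?(\$[a-z0-9,=~-]*)?$", re.IGNORECASE)
DOMAIN = re.compile(r"^[a-z0-9.-]+$", re.IGNORECASE)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "broadcasthost"}

def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_list(text: str) -> set:
    domains = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "![" or line.startswith("@@"):
            continue                                  # ABP comment, header or exception
        if "##" in line or "#@#" in line or "#?#" in line:
            continue                                  # ABP element-hiding rule
        line = line.split("#", 1)[0].strip()          # hosts-style trailing comment
        m = ABP_DOMAIN.match(line)
        if m:
            domains.add(m.group(1).lower().rstrip("."))
            continue
        parts = line.split()
        if len(parts) >= 2 and _is_ip(parts[0]):
            for host in parts[1:]:                    # hosts format: <ip> <host> [host ...]
                if host.lower() not in LOCAL_NAMES:
                    domains.add(host.lower())
        elif line and DOMAIN.match(line):
            domains.add(line.lower())                 # bare domain per line
    return domains

# Constructed sample mixing both formats; not a real list.
SAMPLE = """\
# hosts section
127.0.0.1 localhost
0.0.0.0 ads.example.net tracker.example.net  # two hosts on one line
! ABP section
[Adblock Plus 2.0]
||cdn-tracker.example.org^
@@||safe.example.org^
example.com##.banner
||ads.example.net^$third-party
"""
```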
DNS-Rewrites
DNS-IP-Rewrites
Add IP-Rewrite
Define or overwrite the DNS response for any domain. Any IP address can be used as the response.
Create profiles tab DNS-Rewrites
DNS-IP-Rewrites
Domain
printer.lan
Domain which is to be overwritten
Answer
192.168.0.42
IPs that are sent in response to the overwritten domain
DNS-CNAME-Rewrites
Add CNAME rewrites
Define or overwrite the DNS response for any domain. Any other domain can be used as the response.
DNS-CNAME-Rewrites
Domain
ttt-point.de
Domain which is to be overwritten
Answer
intern.ttt-point.de
Domain that is sent in response to the overwritten domain
Protocols
Activate protocols
Activates the recording of DNS logs. This setting is required for evaluating the statistics.
Create profiles tab Protocols
Log domains (only displayed if Activate protocols is enabled)
If this setting is set, domain names are saved for the statistics and logs. Otherwise, a placeholder is displayed.
Log device names (only displayed if Activate protocols is enabled)
If this setting is set, the device names for the statistics and logs are saved regardless of the client setting.
Others
Performance
Create profiles Tab Other
Cache-Boost
Reduces the number of DNS queries by enforcing a minimum TTL (Time-To-Live) of 5 minutes. Higher TTLs are not overwritten.
Behavior for blocked domains
Behaviour
Block page
Specifies the action for blocked domains
0.0.0.0 / ::0
Returns an address that cannot be routed
Block page
Displays a block page as soon as a domain is blocked. In some cases an HTTPS warning may be displayed; this can be avoided by downloading and installing the Securepoint Certification Authority.
User-defined IPs
Responds with user-defined IP addresses
User defined CNAME
Responds with a user-defined CNAME
NXDOMAIN
Tells the client that the requested domain does not exist
REFUSED
Tells the client that the DNS server refuses to answer the request
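How the Allow list, the Block list (with its subdomain rule) and the selected behavior for blocked domains combine for one query, as an added example that is not Securepoint's code. The precedence rule (most specific list entry wins, allow list wins on a tie), the reply representation and the placeholder BLOCK_PAGE_IP are assumptions of this example; the page does not give a block-page address.

```python
# Added example (not Securepoint's code): models Allow list + Block list precedence and the
# "Behavior for blocked domains" replies. Precedence rule, reply format and BLOCK_PAGE_IP
# are this example's assumptions (the page gives no block-page address).
import ipaddress

BLOCK_PAGE_IP = "198.51.100.10"   # placeholder documentation address, not a real endpoint

def _match(entries, name):
    """Longest list entry that covers the name itself or as a subdomain, else None."""
    hits = [e for e in entries if name == e or name.endswith("." + e)]
    return max(hits, key=len) if hits else None

def is_blocked(name: str, allowed: set, blocked: set) -> bool:
    """Block entries cover all subdomains; a more specific allow entry overrides them."""
    name = name.lower().rstrip(".")
    allow, block = _match(allowed, name), _match(blocked, name)
    if block is None:
        return False
    return allow is None or len(allow) < len(block)

def blocked_response(behavior: str, qtype: str = "A", custom=None) -> dict:
    """DNS reply for a blocked name per the selected behavior; custom = IPs or a CNAME."""
    want_v6 = qtype == "AAAA"
    if behavior in ("NXDOMAIN", "REFUSED"):
        return {"rcode": behavior, "answer": []}       # name does not exist / query refused
    if behavior == "0.0.0.0 / ::0":
        return {"rcode": "NOERROR", "answer": ["::" if want_v6 else "0.0.0.0"]}
    if behavior == "User defined IPs":
        ips = [a for a in custom if ipaddress.ip_address(a).version == (6 if want_v6 else 4)]
        return {"rcode": "NOERROR", "answer": ips}
    if behavior == "User defined CNAME":
        return {"rcode": "NOERROR", "answer": [custom]}
    if behavior == "Block page":
        return {"rcode": "NOERROR", "answer": [] if want_v6 else [BLOCK_PAGE_IP]}
    raise ValueError("unknown behavior: " + behavior)

def resolve(name, qtype, allowed, blocked, behavior, custom=None):
    """None if the name is not blocked (normal resolution proceeds), else the blocked reply."""
    if not is_blocked(name, allowed, blocked):
        return None
    return blocked_response(behavior, qtype, custom)

if __name__ == "__main__":
    # Constructed sample: block example.net and all subdomains, but allow one of them.
    allowed, blocked = {"ads.example.net"}, {"example.net"}
    print(resolve("ads.example.net", "A", allowed, blocked, "NXDOMAIN"))       # None
    print(resolve("tracker.example.net", "A", allowed, blocked, "NXDOMAIN"))   # NXDOMAIN reply
```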
Assignment
A Cloud Shield profile can be assigned to an iOS profile under Mobile Security iOS/iPadOS Profile/ Tab Cloud Shield.
A corresponding message will be displayed if no VPP license is available: To use the Cloud Shield feature, you need a VPP license for the Securepoint Cloud Shield app from Apple Business Manager
Profile
TTT-Point DNS
Select Cloud Shield profile whose Cloud Shield configuration should be used.
After enabling, a Cloud Shield profile can be selected, and the Cloud Shield app for Android is installed automatically.
In the Applications tab, the Securepoint Cloud Shield app is automatically added.
If Cloud Shield is active, Securepoint Mobile Security cannot be activated under Security / VPN (link to wiki article) until Cloud Shield is deactivated.
If Securepoint Mobile Security is activated under Security / VPN, Cloud Shield is automatically deactivated and cannot be activated until Securepoint Mobile Security is deactivated.
For profiles that were created before version 2.3 and in which both Securepoint Mobile Security and Cloud Shield are active, these buttons are displayed as inactive.
This can be resolved by removing one of the two apps under Applications.
Cloud Shield technically uses the Android VPN service. Only one (1) VPN service (Mobile Security or Cloud Shield) can be active on an Android device at the same time.
If this option is activated, the CA certificate for the block page is installed on the device so that certificate warnings are no longer displayed when a page is blocked.
In the Applications tab, the value Certificate installation is automatically set in the Delegate areas option of the Securepoint Cloud Shield application.