Configuration of profiles for the Securepoint Cloud Shield

Last adaptation to the version: 2.14 (02.2026)

This article refers to a Beta version
Access: portal.securepoint.cloud Cloud Shield Profile



Overview

Under Cloud Shield Profiles an overview of all current Cloud Shield Profiles is displayed.

Using the Add profile button, a new profile can be created.
Clicking on a profile allows it to be edited.
Additionally, a profile can be edited, copied, or deleted via the button.

Profile overview

General Options

Search Filters the display
 Sort Clicking this button opens a menu where tiles can be sorted by specific criteria
Name Name
Ascending/Descending Displays the search results alphabetically ascending/descending

Tile overview

 Managed Devices The profile has the type Managed Devices
 External devices The profile has the type External devices
 Managed by ICS (New as of: 2.10) The profile has been migrated from Intelligent Cloud Shield (ICS)
  • This profile can be viewed Read-Only in Cloud Shield Profiles; it can still be edited in ICS
  • Automatically receives the profile type External Devices
Allowed hosts: 0 Number of hosts explicitly authorized by this profile
Blocked hosts: 0 Number of hosts blocked by this profile
Filter categories: 3 Number of selected categories in this profile
Filtered countries: 3 Number of countries filtered by this profile
Protocols: Deactivated Status of the logs for this profile
MDM profiles: Doku (only for Managed devices) MDM profiles that use this Cloud Shield profile
Number of devices: 10 (only for External devices) Number of devices using this Cloud Shield profile.
  • This value is configured and is not determined automatically.
  • UTM-Profiles: Doku UTM profiles using this Cloud Shield profile
    Configuration:  show Opens a dialog in which the setup of the Cloud Shield profile is displayed for all possible devices, as well as the data required in each case (e.g. configuration ID).

    For profiles of type Managed Devices, the profile can be added to MDM profiles.

    For profiles of type  External devices, there are explanations for using the Cloud Shield for the following options:

    1. Download the Securepoint Cloud Shield app (PlayStore / AppStore)
    2. Scan the QR code in the portal or alternatively enter the Configuration ID from the portal into the settings of the Cloud Shield App

    New as of: 2.8.x
    1. Download the Cloud Shield app from the Microsoft Store
    2. Open Cloud Shield as an administrative user
    3. Optional: Right-click to exclude adapters that are not to be configured
    4. Navigate to the configuration overview
    5. Enter the configuration ID of the Cloud Shield profile displayed
    6. Optional: Specify a name for the device. This makes it easier to identify the device in statistics and logs
    7. Save the configuration

    1. Open the settings of the Android Device
    2. Navigate to Network & Internet
    3. Select Private DNS
    4. Tap on Private DNS provider hostname
    5. Enter the address using the configuration ID from the profile

    1. Download the signed mobileconfig from the portal
    2. Install the mobileconfig on the device

    Chrome:
    1. Open Chrome
    2. Click on the menu icon in the upper right corner
    3. Select Settings
    4. Select Privacy and security
    5. Select Security
    6. Activate Use secure DNS under the menu item Advanced
    7. Under Select DNS provider, select the option Add custom DNS service provider
    8. Enter the address with the configuration ID from the portal

    Firefox:

    1. Open Firefox
    2. Click on the menu icon in the upper right corner
    3. Select Settings
    4. Enter DNS in the search field
    5. Select Maximum protection
    6. Under the Select provider menu item, select the Custom option
    7. Enter the address with the configuration ID from the portal

    Edge:

    1. Open Edge
    2. Click on the menu icon in the upper right corner
    3. Select Settings
    4. Click on Privacy, search and services in the left bar
    5. Scroll down to the Security section
    6. Under the menu item Use secure DNS to specify how to look up the network address for websites, select the option Select a service provider
    7. Enter the address with the configuration ID from the portal

    • Cloud Shield can be set up directly on the router, using either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).
    • The corresponding endpoint URLs, along with the Configuration ID, must be copied from the portal.

    No changes need to be made to existing router configurations.
    • Cloud Shield can be used directly in the network for all connected devices if the router does not support DoH or DoT
    • To do this, the router's IP address must be transmitted to SPDyn via DynDNS
    • The IPv4 and IPv6 addresses displayed here must then be entered as DNS resolvers in the router used
    UDP/TCP before setup
    • After setup, the current configuration is displayed in SPDyn with the host name and the IPv4/IPv6 address
    UDP/TCP after setup
    New as of: 2.10

    Tile Options

    Using the button at the top right of each profile tile, the following options are available:
     Edit View and edit profile settings. For details, see Create/Edit
     Copy Copies this profile
     Deactivate blocking The blocklist and external lists of the profile are disabled for a configurable period of time
    • The duration can be freely set (default is 5)
    • The time unit can be selected from seconds, minutes (default) and hours
    • Confirm the process by clicking the save button
    • A label showing the deactivation duration is displayed on the profile tile
    • After the time expires, blocking is automatically re-enabled. Alternatively, you can manually re-enable it via Enable blocking
     Delete Deletes the profile from the portal. The deletion must be confirmed with OK

    Profiles can only be deleted if they are not assigned to any MDM or UTM profile.
    Only for Cloud Shield profiles of the type external devices:
    When a Cloud Shield Profile is deleted, a push notification is sent to the device indicating that the Cloud Shield configuration has been removed.
    An appropriate error message is displayed in the Cloud Shield app.


    Create/Edit

    Using the Create profile button under Cloud Shield Profiles, a new profile can be created. The same configuration options are available during both creation and editing.
    Caption Value Description

    General

    General
    Name TTT-Point extern The name of the configuration
    Create profiles General tab
    Type Managed Devices / External devices Type of the Cloud Shield profile
    License (only for: External devices) TTT-Point AG [Mobile Security] (16/5000) License for the Cloud Shield Profile. When this Cloud Shield Profile is saved, the devices are assigned to this license. Depending on the agreed license model, this may incur costs.
    Number of devices (only for: External devices) 10 devices Number of devices using this Cloud Shield Profile

    Filter

    Filter
    Allowed categories Updates and important services Selection of permitted categories
    Create profiles General filter
    Blocked categories Threat Intelligence Feed Hacking Spam domains Selection of categories to be blocked. For the selected categories, you can also define which scores (0-23) should trigger blocking.

    Additionally, all available categories can be selected or deselected at once using the corresponding buttons.

     Select all  Deselect all
    Blocked services (New as of: 2.10) This service list, maintained by Securepoint, can be used to block or re-enable the services listed there
    Name Name of the blocked service
    Description Description of the blocked service
    • Manage services opens a dialog box displaying the service list
    • Block blocks the desired service
    • Allow re-enables a blocked service
    Blocked countries Russia China Belarus Selection of countries whose IP addresses should be blocked. Below, an overview of the current selection is also displayed in the form of a map.

    You can select or deselect all countries using the corresponding buttons.

     Select all  Deselect all

    Security

    Security
    DNS rebinding protection    By enabling this feature, attackers are prevented from gaining control over local devices via the internet by automatically blocking DNS responses that contain private IP addresses. Both private IPv4 and private IPv6 addresses are blocked.
    Create profiles Security tab
    Extended DNS Rebinding Protection When activated, IPv6 addresses that are reserved for special network purposes such as documentation, tunneling or packet discarding are blocked. These are not typically used on the internet.
    IDN Homograph Attack protection Activating this option blocks domains that impersonate other domains by abusing the large character set made available by Internationalized Domain Names (IDNs). With this option, only domains with ASCII characters are permitted.
    Blocking of disguised third-party trackers    The activation blocks third-party trackers that disguise themselves as first-party providers. This attack is also known as CNAME cloaking.
    Safe Search    Activation filters the results in all major search engines, including images and videos.
    Restricted youtube mode    By activating this, YouTube content for adults is filtered. All comments will also be hidden.
    Block Private Relay (New as of: 2.12)
    • When enabled, this feature blocks iCloud Private Relay and routes traffic through Cloud Shield
    • This ensures devices remain fully protected—devices with Private Relay enabled bypass protection
    • It is therefore recommended to enable this function
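    The DNS-level checks in the Security table above (DNS rebinding protection, its extended variant, and IDN homograph protection) can be sketched as follows. This is an added illustration, not Securepoint's implementation; the network ranges, the treatment of `xn--` labels and the name `check_response` are assumptions.

```python
import ipaddress

# Assumed ranges: the portal does not list the exact networks it filters.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private IPv4
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
)]
EXTENDED_V6 = [ipaddress.ip_network(n) for n in (
    "2001:db8::/32",  # documentation
    "2001::/32",      # Teredo tunneling
    "2002::/16",      # 6to4 tunneling
    "100::/64",       # discard-only
)]


def in_any(addr, nets):
    """True if addr lies in one of the networks of the same IP version."""
    return any(addr.version == n.version and addr in n for n in nets)


def check_response(qname, answers, rebinding=True, extended=False, idn=False):
    """Return 'allow' or the name of the protection that would block the response."""
    if idn:
        labels = qname.rstrip(".").lower().split(".")
        # IDNs travel as ASCII "xn--" labels on the wire, so an ASCII-only
        # policy has to reject those as well as raw Unicode names.
        if not qname.isascii() or any(l.startswith("xn--") for l in labels):
            return "idn-homograph"
    for raw in answers:
        addr = ipaddress.ip_address(raw)
        # ::ffff:a.b.c.d carries an IPv4 address: judge the embedded address,
        # otherwise a private target slips past the IPv4 ranges.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if rebinding and in_any(addr, PRIVATE):
            return "dns-rebinding"
        if extended and in_any(addr, EXTENDED_V6):
            return "extended-dns-rebinding"
    return "allow"


if __name__ == "__main__":
    # Constructed sample responses
    print(check_response("intranet.example", ["192.168.0.42"]))
    print(check_response("example.com", ["::ffff:10.0.0.5"]))
    print(check_response("example.com", ["2001:db8::1"], extended=True))
    print(check_response("xn--80ak6aa92e.com", ["93.184.216.34"], idn=True))
```

    A single private address among several public ones is enough to reject the whole response, which is why the loop returns on the first hit.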

    AI Filter

    AI Filter  Experimental
    The AI-based filter detects previously unknown threats through real-time risk analysis. Only domains that are not already classified by our content filter are checked.
    Create profiles AI filter tab
    No data transfer: All analyses take place in the Securepoint infrastructure - there is no transmission to third parties!


    Own AI development: The filter is based on Securepoint's own machine learning model - specifically trained on current threat patterns on the web.

    Activate AI Filter When activated, malicious domains are blocked with the Securepoint machine learning model, which has been trained with tens of thousands of benign and malicious domains.
    Rating Adjust the threshold individually to the security needs. The lower the threshold, the more potentially harmful pages will be blocked, even if this can lead to some false positives.
    50% Blocks pages that are classified as threatening with a probability of at least 50%. This setting offers the highest possible protection, but increases the likelihood of false positives.
    70% Blocks pages that are classified as threatening with a probability of at least 70%. Good balance between security and surfing comfort.
    90% Ideal for users who want maximum freedom on the web while still being protected from clearly malicious pages. With this setting, the risk of false positives is low, but potentially more threats remain undetected.

    Allow list

    Allow list
    Allowed IPs     Explicitly allowed IP addresses (even if they are on the block list)
    Create profiles Allow list tab
    Allowed domains Domains that should be allowed. A subdomain can also be added to allow it even if its parent domain is not allowed.

    Block list

    Block list
    Blocked IPs IP addresses that are to be blocked
    Create profiles tab block list
    Blocked domains     Domains that are to be blocked. This also blocks all associated subdomains. If certain subdomains are to be allowed, they can be explicitly added to the allow list.

    External Lists

    External Lists
    Custom Blocklists  Add Blocklist Adding custom blocklists. All common formats are supported, e.g. hosts and ABP.
    Create profiles External lists tab
    Custom Blocklists
    Activated When activated, the blocklist is activated
    Name Name of the blocklist
    URL URL of the blocklist
    Authentication (New as of: 2.12)
    Authentication method No authentication Sets the authentication method for accessing the list
    No authentication Access to the list does not require authentication
    Basic-Authentication Access to the list requires Basic Authentication with a username and password
    Bearer-Token Access to the list requires a Bearer-Token
    Username (for the Basic-Authentication method) The username for authentication
    Password (for the Basic-Authentication method) The password for authentication
    Bearer-Token (for the Bearer-Token method) Enter the required Bearer-Token
    HTTP-Header (New as of: 2.12) Add HTTP-Header Add custom HTTP headers for accessing the list
    Header
    Key X-Example-Header The key for the HTTP-Header
    Value 12345 The value for the HTTP-Header key
    Custom Allowlists  Add Blocklist Adding custom allowlists. All common formats are supported, e.g. hosts and ABP.
    Custom Allowlists
    Activated When activated, the allowlist is activated
    Name Name of the allowlist
    URL URL of the allowlist
    Authentication (New as of: 2.12)
    Authentication method No authentication Sets the authentication method for accessing the list
    No authentication Access to the list does not require authentication
    Basic-Authentication Access to the list requires Basic Authentication with a username and password
    Bearer-Token Access to the list requires a Bearer-Token
    Username (for the Basic-Authentication method) The username for authentication
    Password (for the Basic-Authentication method) The password for authentication
    Bearer-Token (for the Bearer-Token method) Enter the required Bearer-Token
    HTTP-Header (New as of: 2.12) Add HTTP-Header Add custom HTTP headers for accessing the list
    Header
    Key X-Example-Header The key for the HTTP-Header
    Value 12345 The value for the HTTP-Header key
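    How list entries in hosts or ABP syntax (External Lists) combine with the allow/block precedence described under Allow list and Block list, as an added example that is not Securepoint code. The sample list is constructed, and two points are assumptions: the most specific matching entry wins, and an allow entry also covers its own subdomains.

```python
import re

# Constructed sample mixing ABP and hosts syntax
SAMPLE_LIST = """\
[Adblock Plus 2.0]
! constructed sample list
||tracker.example^
0.0.0.0 ads.example.net   # hosts syntax
127.0.0.1 localhost
"""

ABP_RULE = re.compile(r"\|\|([a-z0-9.-]+)\^", re.I)   # ||domain^
SINK_IPS = ("0.0.0.0", "127.0.0.1", "::", "::1")      # usual hosts-file targets


def parse_list(text):
    """Extract the domains from a list written in hosts or ABP syntax."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop hosts-style comments
        if not line or line.startswith(("!", "[")):   # ABP comment or header
            continue
        m = ABP_RULE.fullmatch(line)
        if m:
            domains.add(m.group(1).lower())
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in SINK_IPS:  # hosts: IP name [name ...]
            domains.update(p.lower() for p in parts[1:])
    domains.discard("localhost")                      # never a filter target
    return domains


def suffixes(name):
    """'a.b.example.com' -> itself, then each parent domain, most specific first."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname, allowed, blocked):
    """Return 'allow', 'block' or 'no-match' for a queried name."""
    for suffix in suffixes(qname):
        if suffix in allowed:        # explicit allow beats a block of the same
            return "allow"           # name and of any parent domain
        if suffix in blocked:        # a blocked domain covers all its subdomains
            return "block"
    return "no-match"


if __name__ == "__main__":
    blocked = parse_list(SAMPLE_LIST) | {"example.com"}
    allowed = {"cdn.example.com"}
    for name in ("ads.example.com", "img.cdn.example.com", "x.tracker.example"):
        print(name, decide(name, allowed, blocked))
```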

    DNS-Rewrites

    DNS-Rewrites
    DNS-IP-Rewrites  Add IP-Rewrite Define or overwrite the DNS response for any domain. Any IP address can be used as the response.
    Create profiles tab DNS-Rewrites
    DNS-IP-Rewrites
    Domain printer.lan Domain which is to be overwritten
    Answer 192.168.0.42 IPs that are sent in response to the overwritten domain
    DNS-CNAME-Rewrites  Add CNAME rewrites Define or overwrite the DNS response for any domain. Any other domain can be used as the response.
    DNS-CNAME-Rewrites
    Domain ttt-point.de Domain which is to be overwritten
    Answer intern.ttt-point.de Domain that is sent in response to the overwritten domain

    Protocols

    Protocols
    Activate protocols    Activates the recording of DNS logs. This setting is required for evaluating the statistics.
    Create profiles tab Protocols
    Log domains (only displayed if Enable protocols is activated) If this setting is set, domain names are saved for the statistics and logs. Otherwise, a placeholder is displayed.
    Log device names (only displayed if Enable protocols is activated) If this setting is set, the device names for the statistics and logs are saved independently of the client setting.

    Others

    Others
    Performance
    Create profiles Tab Other
    Cache-Boost    Reduces the number of DNS queries by enforcing a minimum TTL (Time-To-Live) of 5 minutes. Higher TTLs are not overwritten.
    Behavior for blocked domains
    Behaviour Block page Specifies the action for blocked domains
    0.0.0.0 / ::0 Returns an address that cannot be routed
    Block page Displays a block page as soon as a domain is blocked. In some cases an HTTPS warning may be displayed; this can be avoided by downloading and installing the Securepoint Certification Authority.
    User-defined IPs Responds with user-defined IP addresses
    User-defined CNAME Responds with a user-defined CNAME
    NXDOMAIN Tells the client that the requested domain does not exist
    REFUSED Tells the client that the DNS server refuses to answer the request

    Assignment

    A Cloud Shield profile can be assigned to an iOS profile under  Mobile Security iOS/iPadOS Profile / Tab Cloud Shield.

    iOS Cloud Shield

    iOS Cloud Shield

    Caption Value Description
    Cloud Shield settings
    Activate Cloud Shield Activate Cloud Shield with this profile. This allows the profile to be linked with a Cloud Shield profile
    • If Cloud Shield is active, Enable Security under Security / VPN (link to the wiki article) cannot be activated at the same time
    • If Enable Security under Security / VPN is activated, Cloud Shield will automatically be deactivated and cannot be reactivated
    • For profiles created before version 2.3, where both Enable Security and Cloud Shield are active, these buttons will be displayed as inactive
      This can be resolved by removing one of the two apps under Applications

      If the iOS/iPad device is integrated into a VPN configuration (ASC), Cloud Shield can still be used if split DNS is used in the VPN configuration (ASC).
    New as of: 2.12: A corresponding message will be displayed if no VPP license is available: To use the Cloud Shield feature, you need a VPP license for the Securepoint Cloud Shield app from Apple Business Manager

    Profile TTT-Point DNS Select Cloud Shield profile whose Cloud Shield configuration should be used.


    The profile must be created in advance in the Cloud Shield Profile menu item, see the following Wiki article.

    Name Device Custom name Choose which attribute should be used as the device name to identify the devices in Cloud Shield statistics and logs
    Not specified Do not set a device name. This means the device cannot be identified in the statistics and logs.
    Device Custom name Uses the default device name as device name
    Device alias Uses the device alias as the device name
    Device ID Uses the device ID as the device name
    Username Uses the assigned username as device name
    Install CA for block page When enabled, the CA certificate for the block page is installed on the device, so that no certificate warnings are shown when a page is blocked.
    Allow Cloud Shield deactivation (New as of: 2.13)
    • Allows the user to temporarily disable Cloud Shield in the app
    • Even if this option is disabled, Cloud Shield can still be manually turned off in the device settings
    • When the switch is disabled, all SSIDs excluded by the user in the app will be deleted, and only the settings defined in the portal will remain effective
    Exclude SSIDs (New as of: 2.13) Add SSIDs Enter the Wi-Fi SSIDs where the Cloud Shield service should be disabled

    A Cloud Shield profile can be assigned to an Android profile under  Mobile Security Android Profile / Tab Cloud Shield.

    Android Cloud Shield

    Android Cloud Shield

    Caption Value Description
    Settings Cloud Shield
    Activate Cloud Shield After enabling, a Cloud Shield Profile can be selected, and the Cloud Shield App for Android will be installed automatically.
    In the Applications tab, the Securepoint Cloud Shield app is automatically added
    • If Cloud Shield is active, Securepoint Mobile Security cannot be activated under Security / VPN (link to wiki article)
    • If Securepoint Mobile Security is activated under Security / VPN, Cloud Shield is automatically deactivated and cannot be activated while Securepoint Mobile Security is active
    • For profiles that were created before version 2.3 and where Securepoint Mobile Security and Cloud Shield are active, these buttons are displayed as inactive
      This can be resolved by removing one of the two apps under Applications
      Cloud Shield technically uses the Android VPN service. Only one (1) VPN service (Mobile Security or Cloud Shield) can be active on Android devices at the same time.
    Profile Select Profile The Cloud Shield profile to be used for the Cloud Shield configuration.


    The profile must be created in advance in the Cloud Shield Profile menu item, see the following Wiki article.

    Install CA for block page If activated, the CA certificate for the block page is installed on the device so that certificate warnings are no longer displayed if a page is blocked.
    In the Applications tab, the value Certificate installation is automatically set in the Delegate areas option in the Securepoint Cloud Shield application
    Allow interruption of Cloud Shield (New as of: 2.13)
    • When enabled, the user is allowed to temporarily disable Cloud Shield in the app
    • Even if this option is disabled, Cloud Shield can still be manually turned off in the device settings
    • When the switch is disabled, all SSIDs and apps excluded by the user in the app will be deleted, and only the settings defined in the portal will remain effective
    Exclude SSIDs (New as of: 2.13) Add SSIDs
    • Enter the Wi-Fi SSIDs where the Cloud Shield service should be disabled
    • The user must grant the required permission in the app on their device for this feature to function correctly
    Exclude apps (New as of: 2.13) Add package names Enter the package names of the apps that should bypass the Cloud Shield service