Restricting Cellular Usage on certain apps, force to WiFi only

SOLVED
Lburk
Here to help

I'm attempting to figure out if there is a way to force certain apps to WiFi only and not use cellular data. We are experiencing over the top cellular data usage on some of our devices. I would rather restrict them instead of removing the apps and punishing everyone for not following company protocols. Any help is greatly appreciated! Thanks.

1 ACCEPTED SOLUTION
PaulF
Meraki Employee

It won't show you who is abusing data. It will just prevent it.

11 REPLIES 11
alemabrahao
Kind of a big deal

I think it is not possible to configure via MDM, only by changing it directly on the smartphone.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

Are you talking about the case of blocking the apps if there is only cellular available, so they can only work over WiFi?

 

I agree with @alemabrahao, this would be an MDM function, if available.

Some phones have the concept of a "data saver" function. So you might be able to configure this per phone, by getting the user's phone and configuring it, but you won't be able to automate this without an MDM.

PhilipDAth
Kind of a big deal

Going sideways - you could consider using something like Cisco Umbrella, and installing that onto all your mobile devices. Then you can see which apps are chewing the data, and outright block non-company apps. The block would be on cellular and WiFi.

PhilipDAth
Kind of a big deal

This would be a lot of work - but you might be able to do this with AnyConnect. Configure AnyConnect on mobile in full tunnel mode. Use trusted network detection to turn the VPN off when on company WiFi, and back on otherwise.

Create firewall rules on your MX blocking traffic from the AnyConnect subnet to the apps the users are not allowed to use when not on company WiFi.

PaulF
Meraki Employee

So, I see that you have iOS tagged, which makes this relatively straightforward. You'll need the Network Usage Rules setting.

This should work perfectly for your use case.
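What a Network Usage Rules setting looks like as a profile, as an added example that is not part of the original post and not Meraki's own code: it assumes the setting is delivered as Apple's `com.apple.networkusagerules` configuration profile payload, which applies to managed apps only. The bundle IDs and payload identifiers are constructed placeholders, and the trailing `.*` handling in the audit helper is this example's simplification.

```python
import plistlib
import uuid

# Constructed sample bundle IDs (placeholders, not from the thread).
BLOCKED = ["com.example.video", "com.example.games.*"]

def build_profile(bundle_patterns):
    """Return .mobileconfig bytes that deny cellular data to the given managed apps."""
    rules_payload = {
        "PayloadType": "com.apple.networkusagerules",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.networkusagerules",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "WiFi-only apps",
        "ApplicationRules": [{
            "AppIdentifierMatches": list(bundle_patterns),
            "AllowCellularData": False,         # app works on WiFi only
            "AllowRoamingCellularData": False,
        }],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Cellular restrictions",
        "PayloadContent": [rules_payload],
    }
    return plistlib.dumps(profile)

def _matches(pattern, bundle_id):
    # Assumption: a trailing ".*" is a prefix wildcard; anything else is exact.
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])
    return pattern == bundle_id

def cellular_allowed(profile_bytes, bundle_id):
    """Audit a profile: False if any rule denies cellular data to bundle_id."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.networkusagerules":
            continue
        for rule in payload.get("ApplicationRules", []):
            # A rule without AppIdentifierMatches applies to every managed app.
            patterns = rule.get("AppIdentifierMatches")
            applies = patterns is None or any(_matches(p, bundle_id) for p in patterns)
            if applies and rule.get("AllowCellularData", True) is False:
                return False
    return True
```

Running `cellular_allowed` over a profile exported from the MDM is a quick way to confirm which bundle IDs a rule actually covers before it is pushed to devices.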

I'm testing this now on a few devices to make sure no other issues crop up, but this does seem to be the way. Thank you!

I've been testing various devices and this works PERFECTLY. If the device isn't connected to WiFi, the apps in question will not work. Just what I needed. Thank you. Now though, I have a follow-up question if I may.

Take Netflix for example. If I create a security policy and enable Application (System Manager\Policies\Security Policies\All Devices\Application) and list Netflix.com, will this prevent Netflix.com from loading in Safari or Chrome? Will this work?

PaulF
Meraki Employee

A security policy doesn't prevent something, it only allows you to show devices which are compliant / non-compliant against this policy.

What you need is a Restrictions profile. Under Show / Hide Apps, you can add your app(s) here.

So by setting the policy as I stated above, it should then show me if someone is going to certain websites? Is this correct? I set up the network usage as you suggested and it's working perfectly. I'm just trying to cover my bases and curb the abuse we're seeing. Thank you once again.

PaulF
Meraki Employee

It won't show you who is abusing data. It will just prevent it.

That's even better. Thanks Paul!
