Skip to main content
Skip table of contents

Secure Web Stack profiles (UI)

Configuring the Secure Web Stack policy

Use an Secure Web Stack profile to set these options with the Secure Web Stack policy. (See Policy profiles for general information about managing policy profiles.)

Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.

Click the settings gear on the Secure Web Stack panel. The Policy details page appears. 

On the Policy details page, click + Secure Web Stack Profile to create a new profile, or click the View/Edit profile (pencil) icon next to an existing profile to edit it.

Under Policy options, choose the proxy configuration type (None, Automatic, or Manual). If you choose None, you don't need to specify any proxy options. In this case, HTTP connections go directly to the destination. When you choose automatic or manual proxy, the following options appear:

Proxy optionFieldDetails
AutomaticAutomatic Proxy Configuration (.pac) file URL

Enter the URL for the .pac file. A .pac file contains JavaScript functions that define how web browsers and other HTTP-based apps can automatically choose the appropriate proxy server for retrieving contents from a given URL.

Note: PAC files should use system-default encoding: UTF-7 characters (ASCII) are supported, but Unicode is not.

Use static proxy for Android Pre-Lollipop Device

Android pre-Lollipop devices have limited PAC file support for apps that use Android WebViews (for example, Cordova-based apps). To enable proxy support on those devices, you must provide a static proxy as a fallback mechanism. If this configuration is not provided, the secured app cannot run on such devices.

When you select this option, the fields appear for you to enter the host URL and port for this static proxy.


A fully qualified domain name (FQDN) or the IP address of the Secure Web Stack server.

Example: bluecoat.acme.local


The port number of the HTTP proxy server that the app should use.

Example: 8080

Note: You must set both the host name and port number for the proxy server. Otherwise, the HTTP-based app cannot use the proxy server to access HTTP resources.

Single Sign On: Select the checkbox to retrieve single sign-on cookies from the gateway. If this is selected and the gateway supports SSO credentials, then the app can receive the credentials immediately following authentication. See "Configuring Single Sign-On for CA Single Sign-On" in the Gateway IT Administrator's Guide.

Advanced options: Click the triangle next to Advanced to set either of these options:

Advanced optionDetails
WKWebView Interception

Unprotected apps that use WKWebView (an Apple framework object that displays web content) send WKWebView traffic separately from the other app data. When protecting apps that use WKWebView, you can specify whether to protect this separate data:


  • Network Traffic (default): Ensure that network traffic stays in the app's process, inside the secure web stack. Enabling this option protects proxy, client certificates, and tunneling, but does not include cookies.
  • Network and Data Traffic: This option protects the same network traffic as above, and also intercepts and encrypts cookies. However, this option means that local storage and history cannot persist.
  • Disabled. Use this value for compatibility with pre-3.21.0 protection. This option is intended for apps that use WKWebView to display cloud content.

Note: This option has no effect for apps secured with app store support. This means that if you select Enable App Store Compatibility when applying policies, and you enable WKWebView Interception, the data that would be protected by WKWebView Interception is not protected, but your app (secured with other applied policy options) is suitable for the Apple App Store.

Verification URL for Authenticating ProxyIf you have an authenticating proxy and your app is not designed for proxy, enter a URL that requires authentication to the proxy for your configuration. Providing this URL allows the app to immediately test the connection path and thus avoid several potential issues with apps that do not support proxy. By authenticating to the proxy early, you can streamline the proxy authentication requests and verify that the proxy configuration is valid.

Android Pre-Lollipop Device: Apply Fallback Static Proxy for Java API calls

Select this option only if instructed by Blue Cedar support.

For Android pre-Lollipop devices: By default, only Android WebView http requests go through the fallback static proxy (specified in Step 4). This option allows the Secure Web Stack policy to also intercept networking calls from the standard Java APIs (for example, HttpURLConnection, DefaultHttpClient).

For more information about limitations when running an app secured with Secure Web Stack on an Android pre-Lollipop device, see the Blue Cedar knowledge base: log into and search for "pre-lollipop."

When you are done configuring the profile, click Save changes. This profile is now available to use with any app.

Applying the Secure Web Stack policy

Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.

Under Policies to apply, click the triangle to expand the Secure Web Stack panel. 

Select "Enable Secure Web Stack policy."

Choose the Secure Web Stack profile from the menu.

Click Apply policies.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.