Connection Settings
Overview
Connection Settings help Team and Enterprise tenants review and configure network trust controls for protected apps. Use this area to manage certificate pinning, trusted certificate behavior, TLS policy, cleartext prevention, and certificate transparency enforcement.
Some settings enforce network policy directly. Others detect risky conditions and let you choose a response action. Roll out network changes carefully because strict transport policy can affect login, API calls, third-party SDKs, and regional infrastructure.
Access Connection Settings
- Log in to the AppTego Portal.
- Select the correct tenant.
- Choose the intended environment.
- Open Connection Settings in the sidebar.
Certificate Pinning
Certificate pinning restricts which certificates or certificate authorities your protected app should trust for selected domains. Use it when your app handles sensitive traffic and your backend certificate lifecycle is well understood.
Certificate pinning is an Enterprise response control for Android and iOS. Configure its response action carefully, because strict enforcement can interrupt app traffic if pins, domains, or certificate rotation are wrong.
Add A Certificate
- Select the certificate management area.
- Add a CA certificate or individual certificate.
- Enter the domains the certificate applies to.
- Review the thumbprint, hash algorithm, source, expiry, and CA/leaf status.
- Add a backup or rotation path before using strict enforcement in Production.
Trusted Root CAs
The Trusted Root Certificate Authorities setting controls whether trusted root CAs are accepted by the protected app. Review this setting with your backend and security teams before tightening trust policy.
Certificate Expiry Warnings
The portal displays visual indicators when pinned certificates are approaching expiration. Plan rotation in advance: add replacement material, validate a protected build, and release before the old certificate expires.
Dual Pinning Modes
- Leaf certificate pinning pins a specific server certificate and requires careful renewal planning.
- CA certificate pinning pins an issuing certificate authority and can be easier to operate across normal certificate renewals.
For detailed certificate pinning configuration, see Certificate Pinning.
Connection Controls
Strict connection controls are Enterprise controls in the catalog:
| Control | Control ID | Platform | Type | Purpose |
|---|---|---|---|---|
| Require TLS 1.3 | TLS13OnlyPrevention | Android API 29+, iOS 13+ | On/off | Require TLS 1.3 where supported. |
| Block Cleartext Traffic | CleartextPrevention | Android | On/off | Block unencrypted HTTP traffic. |
| Certificate Pinning | CertificatePinning | Android, iOS | Response action | Respond when a certificate does not match configured pins. |
| Certificate Transparency Enforcement | CertificateTransparencyPrevention | Android | On/off | Enforce certificate transparency expectations. |
Proxy and VPN detections are configured with the other Detection & Response controls, not as strict connection controls on this page.
Response Actions
When a network threat is detected, you can choose how the app responds:
| Action | Behavior |
|---|---|
| Log | Records the event for review without interrupting the user. |
| Message | Shows a custom security message to the user. |
| Redirect | Sends the user to a support, compliance, or update URL. |
| Terminate | Blocks continued use for the detected condition. |
Best Practices
- Start response controls in Log mode so you can understand real user behavior before enforcement.
- Plan certificate rotation before enabling strict pinning in Production.
- Keep backup pins or a documented recovery path for certificate changes.
- Validate login, API calls, third-party SDKs, and regional endpoints after network changes.
- Use Staging for release-candidate validation before promoting connection policy to Production.