Google is changing Chrome browser behaviors related to "Third Party Cookie" availability, which may impact the authentication cookies used in Menlo Security isolation sessions. See this Google Blog for details: https://blog.google/products/chrome/privacy-sandbox-tracking-protection/
To avoid service interruptions, you must add third party cookie exceptions for your isolation appliance’s service domains to your Chrome settings.
Which environments are impacted?
On-Premise (OVA) deployments which use proxy mode isolation will be impacted by this change and the cookie exception must be added to Chrome configurations to prevent service interruptions.
What is changing?
Google will enable third party cookie blocking on 1% of Chrome browsers in January 2024 and progressively expand it to all Chrome browsers in the second half of 2024.
Where are third party cookies used?
What is the impact of the change?
Without adding a configuration to allow cookies on the appliance domains, the cookies will be stripped and an attempt to isolate a www site will cause an authentication loop resulting in an error page being displayed.
How do I address this change for my users?
Chrome has settings which can be configured to selectively permit third party cookies for domains which require them. These settings can be configured in Chrome or can be applied via a device management tool like Active Directory or Microsoft Intune.
Apply a Windows Configuration Profile for Google Chrome Content Settings -> Allow Cookies for these Sites, and add an entry for your domain.
Microsoft Active Directory:
Use an Active Directory Group Policy Object (GPO) to set a registry entry of the following type for your corporate domain:
Software\Policies\Google\Chrome\CookiesAllowedForUrls\1 = [*.]menlosecurity.com
Chrome Policy Reference: https://chromeenterprise.google/policies/#CookiesAllowedForUrls
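For a machine that is not managed by a GPO (a test workstation, for instance), the same registry entry can be written directly. The script below is an added example, not Menlo Security or Google code: it adds the pattern to the CookiesAllowedForUrls list only if it is missing, at the next free index, then prints the list for review. It assumes the machine-wide HKLM hive and an elevated PowerShell session; replace the pattern with your own isolation service domain.

```powershell
# Added example: idempotently add a pattern to Chrome's CookiesAllowedForUrls policy.
# Assumptions: machine-wide policy hive (HKLM), elevated PowerShell session.
$Pattern = '[*.]menlosecurity.com'   # replace with your isolation service domain
$Key     = 'HKLM:\Software\Policies\Google\Chrome\CookiesAllowedForUrls'

# Create the policy key if no cookie exceptions have been configured yet.
if (-not (Test-Path -LiteralPath $Key)) {
    New-Item -Path $Key -Force | Out-Null
}

# List policies are stored as string values named 1, 2, 3, ...
$item    = Get-Item -LiteralPath $Key
$entries = @{}
foreach ($name in $item.GetValueNames()) {
    if ($name -match '^\d+$') {
        $entries[[int]$name] = [string]$item.GetValue($name)
    }
}

if ($entries.Values -contains $Pattern) {
    Write-Output "Already present: $Pattern"
} else {
    # Use the lowest unused index so existing entries are never overwritten.
    $next = 1
    while ($entries.ContainsKey($next)) { $next++ }
    New-ItemProperty -LiteralPath $Key -Name "$next" -Value $Pattern `
        -PropertyType String | Out-Null
    Write-Output "Added $Pattern as entry $next"
}

# Print the resulting list so overly broad or stale patterns can be reviewed.
$item = Get-Item -LiteralPath $Key
$item.GetValueNames() |
    Where-Object { $_ -match '^\d+$' } |
    Sort-Object { [int]$_ } |
    ForEach-Object { '{0} = {1}' -f $_, $item.GetValue($_) }
```

Values written this way are replaced by any GPO that manages the same key; open chrome://policy and reload policies to confirm what Chrome actually applied.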
How can I address this manually with Chrome settings?
To open Chrome Settings, click the three vertical dot icon in the upper-right of the Chrome UI, then select "Settings" in the menu.
On the left sidebar, click "Privacy and Security" then click the "Site settings" button.
Select "Additional content settings", then select "On-device site data".
Within the "Allowed to save data on your device" section, add an entry for the isolation platform domain, "[*.]menlosecurity.com".
What domain do I need to configure the exception for?
The third party cookie exception must be created for the domain that is used for the isolation protocol communications.
For users of the Menlo Security primary cloud platform, the domain exception to configure is: "[*.]menlosecurity.com"
For users of the Menlo Security FedRAMP cloud platform, please use "[*.]menlogov.com"
For users of on-premise Menlo Security virtual appliances, the corporate domain name used by the isolation appliances must be configured. This is most commonly your company domain. To verify the domain in use, log into the admin UI of an isolation node and view the value in "Settings -> Service -> Service Settings -> Login name".