Allow access to the organization through HTTPS only

2137
6
10-02-2018 06:50 AM
deleted-user-UxcAu2PHrDQp
Occasional Contributor

I am looking at turning the option to only allow access through HTTPS only.  Our AGOL has over 1000 members and hundreds of official products.  It is also federated with Microsoft Azure.  Does anyone have any experience on flipping the switch and recommendations on workflow or best practices?

Site:

https://iowadot.maps.arcgis.com/home/index.html 

Also have Open Data:

https://data.iowadot.gov/ 

Thanks in advance

6 Replies
DanielleKulas
Occasional Contributor III

I am researching this as well and am curious myself, as we currently have a mix of https and non-https items as our Organization was created years ago. Does 'flipping the switch' turn all content to https as well as restricting access or do we need to individually go through our content and update?

Knowing these things up front and having some guidance from ESRI as to the implications would be helpful, especially in coordinating with so many users with individual content. I don't want to break anything!

0 Kudos
KellyGerrow
Esri Frequent Contributor

Hi Danielle and Eric,

Well done on starting to consider the move to https only. There are some tools available to help with this switch. Check out this blog by Chris Whitmore for information about the tools available in web maps for changing the protocol.

https://www.esri.com/arcgis-blog/products/arcgis-online/administration/updating-web-map-layers-to-us... 

When you enable the HTTPS only option in your ArcGIS Online organization, you can go through each web map and use the update layers to HTTPS option. This will update your web map to make HTTPS references to your layers.

If you flip the https only switch before doing this, ArcGIS Online will automatically make https calls to layers hosted by Esri and in ArcGIS Online. As all ArcGIS Online layers support both http and https we can account for this change to make minimal impact for our layers. 

If you are using other layers hosted on local servers, you will want to check if these servers support https. Once you flip the https only switch you won't be able to make calls to http layers. I would suggest checking either all of your maps, your mission critical maps, your most recent maps and/or your most viewed maps for server references without https enabled on the Server. 

You can always try enabling the policy during a low traffic time, check all of your maps and apps and disable the https only setting if a problem comes up if you want to just give it a try without checking every map. 

Another item to be aware of is where you may have made http references to images in web apps or organizational properties. In many cases, images were added without considering http/https, especially if the app was created a couple of years ago. I'd suggest also reviewing references to http images in high traffic apps. 

Below is another blog about moving to https with story maps:

https://www.esri.com/arcgis-blog/products/arcgis-online/uncategorized/an-important-message-about-web... 

Let us know if this helps, if you have any specific questions or share your experiences.

Thanks,

Kelly 

DanielleKulas
Occasional Contributor III

Hi Kelly,

Thank you so much for your thorough and thoughtful response, this is all really informative! I will definitely employ these tactics moving forward.
Danielle
0 Kudos
deleted-user-UxcAu2PHrDQp
Occasional Contributor

Good information.  Based on the info I am going to take it a little slower, a little worried about partners that don't or cant provide HTTPS.  Time to inventory non HTTPS partners first.

MichaelVolz
Esteemed Contributor

Can you flip the switch to https only and then uncheck it if this change causes too many problems?

0 Kudos
KellyGerrow
Esri Frequent Contributor

yes.

There is a time limit before the setting will be hidden from the configuration panel (30 days). If you find that you need to disable https  after the setting is no longer visible, you can get in contact with tech support and they can help reset this setting. 

Also, check out this blog post by Chris Whitmore

Changes to organization security settings 

-Kelly