Some applications on iOS devices fail to connect to their servers if "Decrypt HTTPS using a web proxy" is enabled (obviously the Sophos XG CA is imported and enabled). I suspect they may have implemented certificate pinning or another control which prevents the Sophos XG CA certificate from being accepted by the app.
Is there a way to detect in the XG logs that the TLS handshake, either between the app/client and XG/server or between XG/client and the originating web server, has failed? This would help in identifying which domain the app wants to connect to, since it is not always easy to identify this in the web filter logs.
Note: the solution to this is to add the domain of the originating web server that the app wants to connect to into the web exception list, and skip HTTPS decryption there.
From my experience with my iPhones, I gave up; too many apps do not like being decrypted. On the iPad it is a similar issue, but I also think there are more ports involved, and I gave up there as well.
In Mail, I made a change to the XG while testing a configuration for a thread and broke my mail scanning on the iPad, and I have not been able to find what broke. The CA is accepted for about an hour and then rejected.
If you end up putting in a number of exceptions, then you might as well not scan the application.