WSS agent SAML login when deploying PAC file globally through MDM (WorkspaceOne)

Article ID: 242901

Products

WSS add-on - Malware Analysis Advanced

Issue/Introduction

MacOS users run the WSS Agent to access internet sites via WSS.

When the MacOS proxy settings (on the network card) are updated with our PFMS-hosted PAC file, everything works: users authenticate successfully (via the WSS SAML login popup) and reach public sites via WSS.

When the Workspace One MDM solution is used to deploy the same PAC file configuration to the MacOS host, users see the following error in the WSS Agent authentication popup: "Page load error: The Internet connection appears to be offline".

Cause

The CFNetwork agent cannot download the PAC file when the MDM setup is enabled.

Environment

Workspace One MDM solution

WSS Agents running on MacOS

SAML Authentication enabled for all WSS Agent users

Resolution

Enable the ProxyPACFallbackAllowed parameter in the Global HTTP Proxy settings (https://developer.apple.com/documentation/devicemanagement/globalhttpproxy).

This allows the host to download the PAC file and then apply it before sending traffic into WSS.

Our complete solution involved pushing the following profile to the host:

<key>ProxyType</key>
<string>Auto</string>
<key>ProxyPACURL</key>
<string>whatever.pac</string>
<key>PayloadDisplayName</key>
<string>Global HTTP Proxy</string>
<key>PayloadDescription</key>
<string>GlobalHTTPProxy</string>
<key>ProxyPACFallbackAllowed</key>
<true/>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.proxy.http.global</string>
<key>PayloadUUID</key>
<string>6fa47787-f578-4137-92b8-2c8e65740a1b</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
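As an added check (not part of the article or of the Workspace ONE product), the following Python script parses a profile with the standard plistlib module and validates its Global HTTP Proxy payload: ProxyType is Auto, the PAC URL is served over HTTPS, and ProxyPACFallbackAllowed is present as a real plist boolean rather than a string. The sample profile, its identifiers and the PAC URL are constructed for the example.

```python
import plistlib

# Constructed sample .mobileconfig (not the article's own profile), modelled on
# the Global HTTP Proxy payload the article pushes through Workspace ONE.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>example.wss.globalproxy.http</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>ProxyType</key><string>Auto</string>
      <key>ProxyPACURL</key><string>https://pac.example.invalid/wss.pac</string>
      <key>ProxyPACFallbackAllowed</key><string>True</string>
    </dict>
  </array>
</dict>
</plist>
"""

GLOBAL_PROXY = "com.apple.proxy.http.global"

def check_global_proxy(profile_bytes):
    """Return {"errors": [...], "notes": [...]} for the Global HTTP Proxy payload.
    Errors break the PAC deployment the article describes; notes are caveats."""
    errors, notes = [], []
    root = plistlib.loads(profile_bytes)
    payloads = [p for p in root.get("PayloadContent", [])
                if p.get("PayloadType") == GLOBAL_PROXY]
    if not payloads:
        return {"errors": ["no %s payload in profile" % GLOBAL_PROXY], "notes": notes}
    for p in payloads:
        if p.get("ProxyType") != "Auto":
            errors.append("ProxyType must be 'Auto' for a PAC-based deployment")
        url = p.get("ProxyPACURL", "")
        if not url.startswith("https://"):
            errors.append("ProxyPACURL should be https so the PAC cannot be altered in transit")
        fallback = p.get("ProxyPACFallbackAllowed")
        if fallback is None:
            errors.append("ProxyPACFallbackAllowed missing: defaults to false, the setting behind the article's offline error")
        elif not isinstance(fallback, bool):
            errors.append("ProxyPACFallbackAllowed is a %s, must be a plist boolean (<true/>)" % type(fallback).__name__)
        elif fallback:
            notes.append("fallback enabled: traffic goes direct (bypassing WSS) whenever the PAC cannot be fetched")
    return {"errors": errors, "notes": notes}
```

The note on a valid profile is the trade-off worth recording: with fallback allowed, a host that cannot reach the PAC server browses directly instead of through WSS, so PAC availability should be monitored.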

Additional Information

From the MacOS system logs, we saw the PAC file fetch failing, and hence we had no connectivity:

2022-05-09 11:44:54.729322+0200 0xFEC Error 0x0 520 CFNetworkAgent: (CFNetwork) PAC Fetch failed with cached error [NSURLErrorDomain:-1009]

Manual and global proxy are two completely different setups: a proxy configured in the MacOS UI allows a direct connection if the proxy cannot be reached, but the global setup does not by default.


We also saw issues with Safari after applying the MDM change. We addressed this by using the MDM to configure the proxy settings in every web browser except Safari (Edge, Firefox, Chrome). For Safari we developed a custom script that configures the proxy settings on the network card instead, which Safari handled fine. If a user attempts to modify the configuration manually, the script restores the configured proxy settings within a second.
