MacOS users running WSS Agent to access internet sites via WSS.
When updating the MacOS Proxy settings (on network card) with our PFMS hosted PAC file, all works well and users can authenticate successfully (via WSS SAML login popup) and access public sites via WSS.
When using Workspace One MDM solution to deploy the same PAC file configuration on MacOS host, users see the following "Page load error: The Internet connection appears to be offline" error in the WSS Agent authentication popup
Workspace One MDM solution
WSS Agents running on MacOS
SAML Authentication enabled for all WSS Agent users
CFNetwork agent cannot download PAC file when MDM setup enabled.
Enable ProxyPACFallbackAllowed parameter in the Global Proxy settings (https://developer.apple.com/documentation/devicemanagement/globalhttpproxy).
This allows the host download the PAC file, and then apply it before sending traffic into WSS.
Our complete solution involved pushing the following profile to host:
<string>Global HTTP Proxy</string>
From the MacOS system logs, we saw the PAC file fetching failing and hence we had no connectivity:
2022-05-09 11:44:54.729322+0200 0xFEC Error 0x0 520 CFNetworkAgent: (CFNetwork) PAC Fetch failed with cached error [NSURLErrorDomain:-1009]
manual versus global proxy are two completely different setups - a proxy configured in the MacOS UI will allow direct connection if it can't be reached but global setup will not by default.
We also saw issues with Safari after applying the MDM change - we addressed this by using the MDM to configure proxy setting on every web browser except SAFARI (Edge, Firefox, Chrome). For SAFARI we developed a custom script to configure proxy setting on network card instead which SAFARI handled fine. If a user attempts to modify the configuration manually, the script puts it back to configured proxy configuration within a second.