WSS Agent 8.3.1 installed on MacOS hosts (running MacOS 12.x and 13.x).
After a host restart, the WSS Agent cannot connect successfully to the service.
The WSS Agent remains in "No Network" mode even though internet access works from the browser.
The WSS Agent connects successfully once a manual RECONNECT is performed.
The MacOS host can resolve CTC, and the DIRECT route to CTC is in place.
The MacOS host is configured with a proxy PAC file, but in the Portal the WSS Agent setting "ignoreProxySettings" is set to True.
This happens on all MacOS devices on the office network.
DNS access is restricted within the office network, and internet traffic is sent to ep.threatpulse.net:80.
Cloud SWG.
MacOS.
All WSS Agent versions.
The behaviour is caused by the blocked DNS lookup for captive.apple.com, which macOS uses internally to determine network connectivity.
Because that name cannot be resolved, the OS cannot "see" that a network is available.
Make sure that the host can resolve captive.apple.com and can access a specific endpoint on that server.
The request that must succeed is http://captive.apple.com/hotspot-detect.html, and the response must be exactly as provided by Apple:
<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>
Where DNS resolution for this domain is not possible, the domain can instead be resolved to a local web server hosting the above payload. The OS only needs to be able to resolve captive.apple.com and download http://captive.apple.com/hotspot-detect.html (which must return "Success") so that it can determine its connectivity.
NOTE: From our testing, it is not possible to add the captive.apple.com domain to the PAC file and proxy it through on-prem proxies; the MacOS host does not appear to honour the PAC file for requests destined for this domain.
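The following script is an added example, not part of this article and not a Broadcom or Apple tool. It covers both steps above: it checks from a Mac host that captive.apple.com resolves through the system resolver and that a direct (non-proxied) GET of /hotspot-detect.html returns Apple's payload byte for byte, and it can act as the local stand-in web server for the fallback scenario where the real domain cannot be resolved. The probe URL and the Success payload are taken from the article; the function names, the "serve" command-line mode and the choice of http.client (which does not consult proxy settings, matching the DIRECT route the OS uses) are assumptions made here for illustration.

```python
"""Check, or stand in for, the macOS connectivity probe at captive.apple.com.

Added example; not from the original article. The URL and payload below are
from the article. Function names and the local-server mode are this
example's own assumptions.
"""
import http.client
import socket
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HOST = "captive.apple.com"
PROBE_PATH = "/hotspot-detect.html"
# Apple's payload, byte for byte. macOS treats anything else (a block page,
# extra whitespace, a redirect) as "no network" or a captive portal.
APPLE_SUCCESS_PAYLOAD = (
    b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
)


def is_apple_success(body: bytes) -> bool:
    """True only when the body is exactly Apple's payload."""
    return body == APPLE_SUCCESS_PAYLOAD


def probe(host: str = PROBE_HOST, port: int = 80, timeout: float = 5.0) -> dict:
    """Resolve `host` with the system resolver and fetch the probe page.

    http.client ignores proxy environment variables, so this is the DIRECT
    route, which is what macOS itself uses (the PAC is not honoured for this
    domain). `host`/`port` can point at a local stand-in server; the Host
    header is always captive.apple.com. Returns a dict instead of raising so
    each step (DNS, HTTP, payload) can be reported separately.
    """
    result = {"resolved": None, "status": None, "success": False, "error": None}
    try:
        result["resolved"] = socket.gethostbyname(host)
    except socket.gaierror as exc:
        result["error"] = f"DNS resolution failed: {exc}"
        return result
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", PROBE_PATH, headers={"Host": PROBE_HOST})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        result["status"] = resp.status
        result["success"] = resp.status == 200 and is_apple_success(body)
        if not result["success"]:
            result["error"] = f"unexpected response: {resp.status} {body[:80]!r}"
    except OSError as exc:
        result["error"] = f"HTTP fetch failed: {exc}"
    return result


class CaptiveProbeHandler(BaseHTTPRequestHandler):
    """Serves Apple's payload at /hotspot-detect.html for a local stand-in
    server (the article's fallback when the real domain cannot be resolved)."""

    def do_GET(self):
        if self.path != PROBE_PATH:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(APPLE_SUCCESS_PAYLOAD)))
        self.end_headers()
        self.wfile.write(APPLE_SUCCESS_PAYLOAD)

    def log_message(self, fmt, *args):
        pass  # keep stdout quiet; the body must stay byte-exact anyway


def serve(bind: str = "0.0.0.0", port: int = 80) -> None:
    """Run the stand-in server (port 80 needs root on macOS)."""
    HTTPServer((bind, port), CaptiveProbeHandler).serve_forever()


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "serve":
        serve()
    else:
        r = probe()
        print(r)
        sys.exit(0 if r["success"] else 1)
```

Run the script with no arguments on an affected Mac: a result with "resolved": None points at the DNS block described above, while a 200 response whose body differs from the payload (for example a filtering proxy's block page) is just as fatal for the OS probe. For the fallback, point captive.apple.com at a host running `python3 script.py serve` and re-run the check against it; the Host header is fixed so the same check works against the stand-in.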
When you manually click "Reconnect", the agent is told to attempt the connection anyway, instead of waiting for a network-change event indicating that a network has become available.
The WSS Agent only listens for network changes; when the DNS lookup of captive.apple.com is blocked, the OS never issues those network-change events.
NOTE: As long as captive.apple.com is blocked, ANY application that relies on Apple's connectivity API will ALSO report no network connectivity. The WSS Agent is not the only thing affected.