Cloud SWG does not identify users who connect from macOS devices through WSS Agent or SEP web traffic redirection by their AD (Active Directory) domain and username (DOMAIN\username).
As a result, Cloud SWG policies may not match traffic generated by macOS users and may not be applied as expected.
In addition, unexpected domains may appear in log entries. For example, a macOS user will be identified in logs by username only instead of the usual AD DOMAIN\username format.
WSS Agent version 7.3.5+ (supports SAML).
SEP 14.3 RU5+ Web and Cloud Access protection tunnel mode client.
macOS - all versions.
Policies applied to AD users and groups.
Unlike Windows, macOS does not support the concept of a “domain user” that can be read by applications and passed to Cloud SWG by the agent.
Instead, all users on macOS are local users within the operating system and kernel. Because the user information macOS provides is a local username that lacks an AD domain, policies designed around the AD format will fail to match macOS users.
Additionally, AD usernames synced to Cloud SWG via Auth Connector will fail to match the usernames passed to Cloud SWG from macOS devices.
There are three potential workarounds to this macOS limitation: