Cloud SWG logs do not reflect the AD domain and username for users on macOS


Article ID: 263772


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users connecting to Cloud SWG from macOS devices using WSS Agent or SEP web traffic redirection are not identified by Cloud SWG by their AD (Active Directory) domain and username (DOMAIN\username).

This may prevent Cloud SWG policies from matching traffic generated by macOS users, so policies may not be applied as expected.

In addition, log entries may show an unexpected domain value, or none at all. For example, a macOS user will be identified in logs by username only instead of the usual AD DOMAIN\username format.

Environment

WSS Agent version 7.3.5+ (Supports SAML).

SEP 14.3 RU5+ Web and Cloud Access protection tunnel mode client.

macOS - all versions.

Policies applied to AD users and groups.

Cause

Unlike Windows, macOS does not support the concept of a "domain user" that can be read by applications and passed to Cloud SWG by the agent.

Instead, every account the agent sees on macOS is a local user of the operating system. Because the user information macOS provides is a local short name with no AD domain component, policies written against the DOMAIN\username format will not match traffic from macOS users.

Additionally, AD usernames synced to Cloud SWG via Auth Connector carry the domain prefix, so they will also fail to match the unqualified usernames passed to Cloud SWG from macOS devices.
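The mismatch described above can be checked directly against exported log data. The script below is an added example and is not Broadcom/Symantec code: it audits log rows for user identities that are not in DOMAIN\username form, shows why an AD-style user policy matches the Windows entry but not the bare or UPN-style identity a macOS agent sends, and reports which identities need attention. The tab-separated format, the column names, the `DIRECTORY` mapping (a stand-in for an Auth Connector sync) and every log line are constructed for this example; real Cloud SWG exports have many more fields, and only the user column is relied on here. Re-running the same check after applying one of the workarounds should show every macOS row classified as `domain`.

```python
"""
Added example (not Broadcom/Symantec code): audit an exported Cloud SWG log for
user identities that are not in DOMAIN\\username form, and show why an AD-style
policy matches a Windows entry but not the bare or UPN-style identity a macOS
agent sends. Log format, column names, directory mapping and all log lines are
constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple

# NetBIOS-style identity: DOMAIN\user with exactly one backslash.
DOMAIN_USER_RE = re.compile(r"^(?P<domain>[^\\/@\s]+)\\(?P<user>[^\\/@\s]+)$")
# UPN-style identity: user@dns.domain, as a SAML IdP may send it.
UPN_RE = re.compile(r"^(?P<user>[^\\/@\s]+)@(?P<domain>[^\\/@\s]+)$")


class LogEntry(NamedTuple):
    timestamp: str
    client_ip: str
    user: str
    platform: str
    url: str


# Constructed sample export (not real Cloud SWG output).
SAMPLE_LOG = (
    "timestamp\tclient_ip\tuser\tplatform\turl\n"
    "2024-03-01T09:00:01Z\t10.0.0.11\tCORP\\jsmith\tWindows\thttps://intranet.example.com/\n"
    "2024-03-01T09:00:05Z\t10.0.0.23\tjsmith\tmacOS\thttps://intranet.example.com/\n"
    "2024-03-01T09:00:09Z\t10.0.0.24\tjsmith@corp.example.com\tmacOS\thttps://mail.example.com/\n"
    "2024-03-01T09:00:12Z\t10.0.0.25\tadmin\tmacOS\thttps://console.example.com/\n"
)

# Constructed stand-in for an Auth Connector directory sync:
# sAMAccountName (lower-cased) -> the DOMAIN\user form that policies use.
DIRECTORY: Dict[str, str] = {"jsmith": "CORP\\jsmith"}


def parse_log(text: str) -> List[LogEntry]:
    """Parse the header-first, tab-separated sample format into LogEntry rows."""
    lines = text.strip("\n").splitlines()
    header = lines[0].split("\t")
    entries = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split("\t")))
        entries.append(LogEntry(**{name: fields[name] for name in LogEntry._fields}))
    return entries


def classify_user(user: str) -> str:
    """Return 'domain' for DOMAIN\\user, 'upn' for user@domain, otherwise 'bare'."""
    if DOMAIN_USER_RE.match(user):
        return "domain"
    if UPN_RE.match(user):
        return "upn"
    return "bare"


def policy_matches(policy_user: str, log_user: str) -> bool:
    """AD-style user policy: exact DOMAIN\\user comparison, case-insensitive (assumed)."""
    return policy_user.lower() == log_user.lower()


def normalize(user: str, directory: Dict[str, str]) -> str:
    """Map a bare or UPN identity to DOMAIN\\user via the directory; unknown names pass through."""
    kind = classify_user(user)
    if kind == "domain":
        return user
    short = UPN_RE.match(user).group("user") if kind == "upn" else user
    return directory.get(short.lower(), user)


def audit(entries: List[LogEntry], policy_user: str, directory: Dict[str, str]) -> List[dict]:
    """Per entry: identity form, whether the policy matches as logged, and after normalization."""
    report = []
    for e in entries:
        report.append({
            "client_ip": e.client_ip,
            "platform": e.platform,
            "user": e.user,
            "form": classify_user(e.user),
            "matched_raw": policy_matches(policy_user, e.user),
            "matched_normalized": policy_matches(policy_user, normalize(e.user, directory)),
        })
    return report


def unqualified_users(entries: List[LogEntry]) -> List[str]:
    """Distinct identities lacking a DOMAIN\\ prefix; these accounts need a workaround applied."""
    return sorted({e.user for e in entries if classify_user(e.user) != "domain"})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for row in audit(entries, "CORP\\jsmith", DIRECTORY):
        print(f"{row['platform']:8} {row['user']:26} {row['form']:6} "
              f"raw={row['matched_raw']!s:5} normalized={row['matched_normalized']}")
    print("unqualified:", unqualified_users(entries))
```

The `normalize` step is a diagnostic only: it shows what the identity would have to look like for the policy to match, which is what each workaround achieves at the source. Do not use a lookup like this to "repair" bare names in policy, because a local short name is not a reliable identity: the `admin` row stays unmatched here precisely because any number of Macs may each have a local `admin` account that belongs to nobody in AD.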

Resolution

There are three potential workarounds to this macOS limitation:

  1. Integrate or join the macOS device into the AD domain. When a device is joined to an AD domain, that domain is prefixed to all local users on the device.

    Note: It is the device that is joined to the domain, and not the user, as macOS doesn't support AD users.

  2. Use SAML authentication with the agent to log in to a SAML IDP (such as ADFS or Azure AD). The SAML federated login credentials are then passed to Cloud SWG instead of the macOS local user identification. Provided the IDP sends the same user identifier in its assertion for every platform, there will be no difference between Windows and macOS users.

  3. If deploying your agents using an MDM, you can leverage the Assigned User (AU) functionality in conjunction with MDM variables to specify a properly-formatted user that is assigned to that device. Only supported if using the WSS Agent or Symantec Enterprise Agent.

    Note: SEP/SES do not support Assigned User (AU) functionality.