Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Managing Proxies in a complicated environment

Posted: 5/19/17 at 2:39 PM by yves

I'm looking for a way to make this work. In Windows, we use a powershell script that continuously run and monitors for network changes, sets proxy based on your network segment.

I suspect we can achieve this with a script teamed up with an Offline Policy, set on Logon and Network State Change.
Use network segments in the scope to define 'limitations' for which proxy they will get. (we have two)

What I can't figure out is this.
If I use exclusions for those same network segments I'm applying it to, will this remove the proxy, or will I need another script to disable it on a cloned policy (but using exclusion instead of limitations)

We will have users connected through various ethernet adapters to the LAN (Docking stations, USB-C to Ethernet, etc...). There is no real way to predict which will be used. Is there a way we can target ANY network interface that is connected?

CCA Badge

Posted: 5/19/17 at 3:09 PM by charles.hitch

So one way you might be able to address this is to use a auto proxy configuration pac file. This could be hosted on a web server that could have some logic based on the connection to provide the correct proxy configuration settings. That way on network it would grab the proxy file and adjust accordingly. Off network (say at home) it wouldn't be able to connect to the web server and would default to a direct connection. You can set all network adapters to use the auto config script (note this is very different from auto detect proxy). This isn't the way we have done it, but theoretically its possible.

Posted: 6/1/17 at 5:09 PM by yves

I tried the Pac file and no luck. Not sure if it's our PAC file or what but it's not working.

networksetup -listallnetworkservices | grep -v "*" | while read a; do networksetup -setwebproxy "$a" proxyaddress 80 ; networksetup -setsecurewebproxy "$a" proxyaddress 80 ; done

Set up Limitations on the Scope to only target our internal network segments.

Now I just need to figure out trigger turning it off.
networksetup -listallnetworkservices | grep -v "*" | while read s; do networksetup -setwebproxystate "$s" off ; networksetup -setsecurewebproxystate "$s" off ; done

I've tried a smart group with IP Address 'not like' 10.% (using a wildcard in the IP address) as well as another policy with a Network Segment scoped to to Neither of these seem to apply when on a wifi with a 192 address.

Posted: 6/1/17 at 6:27 PM by yves

I had another idea, after reading through another thread on how policies are triggered (alphabetically) I renamed my policies.

Remove Proxy is "P1"
Set proxy is "P2"

Remove proxy is set to run all the time, which in theory it would always run first disabling the proxy on any network state change

p2, set proxy will run only on network state change and the network segment in the limitations.

The problem here is that it appears the P2, Set proxy just runs on any network regardless of what I have defined in the Network Segments and Limitations.

SOLVED Posted: 6/14/17 at 1:32 PM by yves

for anyone interested. I fixed my problem by creating the following script. If I can ping the internal domain then enable proxy, if I can't then disable. Set with an ongoing policy triggered on logon and network state change and available offline. Every time you disconnect or connect to a new network it will run. I will be adding more for geolocating which proxy to set based on different subnets but this is the main function, works like a charm.

#This script will set proxy based on geolocation, or remove proxy settings if outside of the corporate lan.

#Function to return if on the corporate network or not

function network {
                  ping -c 1 "$1" >/dev/null
#if on the corporate network, enable proxy and bypass list on all connections (to ensure maximum coverage with external network dongles all having proprietary names)
#Else, disable set proxy.
if network company.domain;then
    networksetup -listallnetworkservices | grep -v "*" | while read a; do networksetup -setwebproxy "$a" proxyaddress 80 ; networksetup -setsecurewebproxy "$a" proxyaddress 80 ; done
    networksetup -listallnetworkservices | grep -v "*" | while read b; do networksetup -setproxybypassdomains "$b" 10.*; done
    networksetup -listallnetworkservices | grep -v "*" | while read s; do networksetup -setwebproxystate "$s" off ; networksetup -setsecurewebproxystate "$s" off ; done    
CCT Badge CCA Badge

Posted: 6/14/17 at 5:20 PM by bradtchapman

Nice script. Very compact, does the trick.

The only hitch is that a policy triggered by Network State Change will be delayed if another instance of "jamf -policy" is running. There is a -randomDelay 300 flag on that one, so in some cases, it would mean your proxy script is delayed by several minutes.

I did something similar with a LaunchDaemon that uses /var/run/resolv.conf as a "WatchPath" and runs whenever it changes. The resolv.conf file appears, changes, and even disappears as a computer joins / changes / disconnects from networks.

Posted: 6/15/17 at 9:11 AM by yves

Awesome, thanks for the info!

I'll do some more testing at the office with the Lan to Phone Tether and see if it experiences the delay issue. I didn't notice but it worked this morning (working from home until rain quits so I can bike in), but this one I think was triggered by logon (which I also set).

Again, thanks for the valuable information! I'm fresh in the world of Mac and even more so with JAMF so every little bit helps.