So, I am tracing a bug in the iOS involving the "Allow direct connection if PAC is unreachable" checkbox.
When using it, you would assume that the iPad should check the PAC file and if the PAC is reachable, it should use it. We have the box unchecked which should essentially prevent Internet connections if the PAC is unreachable.
Taking that fact, I have confirmed the setting works as advertised in iOS versions 13.4.1 and below. It does not work as advertised in iOS versions 13.5 and above.
Before I went charging to Apple, I needed to rule out a JSS problem, so I tried a simple test. I took an iPad with iOS 13.4.1, supervised it with Apple Configurator 2 (without enrolling it in Jamf) and applied the Global HTTP Proxy payload through Configurator. Everything worked as advertised. When I take a iOS 13.5 (or above) iPad, supervise it, apply the same profile, it does not worked as advertised. Essentially I want the iPads to fail closed if they cannot resolve the PAC file. That worked in iOS 13.4.1 and below and not in iOS 13.5 or higher.
Has anyone else encountered this behavior?
Probably not in iOS 13.x.x I was told. As part of my case, the engineer verified it was also present in iOS 14. beyond that I've heard nothing. I've found a workaround to our unique web filter issue that precipitated finding this bug, BUT, said workaround doesn't fix the bug really...it just tweaks our environment ever so slightly.
If you have an open AppleCare Enterprise case on this issue, tie ours to it: 101165769907