Apple Classroom problems with iOS 11.2 and Securly PAC

AErwin
New Contributor III

We have found that Apple Classroom 2.1 is not functioning if the instructor iPad has iOS 11.2 while using a Securly PAC proxy. The student devices show offline and sometimes the Classroom App ends the class with a pop up saying "Server Session Invalidated." If I pull off the Securly profile from the instructor device, Classroom works fine (even if the student still has Securly.) I have a support ticket in with Securly now. I was wondering if anyone else who uses Securly filtering is experiencing this behavior.

31 REPLIES 31

andersonb
New Contributor

We are experiencing the same issue with Apple Classroom and iOS 11.2 but we are not using Securly. I contacted Apple yesterday but they are saying it's not on their end. They recommended creating a ticket with JAMF so the two sides could investigate it on the back end.

MaciOSNerd
New Contributor II

@AErwin We are using Securly, seeing the same error message on our Teacher iPads that have been updated to iOS 11.2. Do you have your Securly ticket number so I can reference to them it is the same issue.

AErwin
New Contributor III

@andersonb Securly thought that it might be a Jamf thing too, so I did some tests - here is what I sent them:

I took 2 iPads, did a factory reset on both and set them up manually outside of our MDM. I installed Classroom on the instructor iPad and setup the student iPad manually using the instructions provide with the Classroom app. I confirmed Apple Classroom worked correctly and the instructor iPad could see and interact with the student ipad. Then I downloaded the Securly Cert onto instructor ipad and added our PAC file url to the automatic proxy settings. I tested the Internet and was able to access websites correctly after I authenticated with Google. Then I tried Apple Classroom from the instructor iPad. The student showed offline. I tried rebooting just in case but the student still showed offline. I turned the proxy off in the wifi settings from the instructor device and almost immediately the student showed online in Apple Classroom. So I believe we can say this problem is not related to Jamf MDM or Apple Classroom’s MDM settings

@MaciOSNerd My resquest number is with Securly is 38718 and I've been working with Dmitri over there.

jreeves
New Contributor III

we are using lightspeed filtering and using a PAC file, i've gotten a couple reports of this happening as well.

AErwin
New Contributor III

I just spoke to Apple support and they were able to reproduce the issue on their side, so they are escalating it to engineering.

packetguy
New Contributor

Hi Guys,

Unfortunately, the best I can do is post a redacted pcap (which makes it almost useless), but you should see what I'm seeing. There is a CONNECT to sentitlement2.mobile.att.net:443 (packet 41) which ends up getting shoved through proxy as I have no DIRECT statements set up for mobile.att.net. I have a feeling this is the issue. Take a look below at the TCP stream below. This is likely part of a carrier update with the latest iOS. Can you guys see if you have the same domain? I suspect other carriers will have different domains. We can gather a complete list here and provide them to our PAC file providers so they can add the DIRECT statements.

ac049274e40d4c05971d95d27e5d5c24

eaad9f030da6409eb64968f04ba46704

btaitt
Contributor

I don't use Securly but we do use a PAC file on our iPads, and I just started getting this report in. We're going to create a ticket with Apple.

@AErwin Can you send over your ticket number with Apple so we can connect them?

jbutler47
Contributor II

We are currently seeing this issue today with one or more of our teacher users, mainly the Server Session is Invalidated error.

Any suggestions from the field?

Thanks.

James

AErwin
New Contributor III

@btaitt My apple enterprise ticket # is 100372243393. They have been working diligently on it, but so far no fix yet.

packetguy
New Contributor

The packet capture I posted above was an entitlement check to ensure tethering was allowed. I'm going to dig deeper.

jbutler47
Contributor II

Our initial test to temporarily remove Securly PAC was successful, Apple Classroom resumes operation.

packetguy
New Contributor

It looks like the presence of any PAC file breaks the Classroom app. I modified mine to have a default statement of return DIRECT and Classroom no longer works. Switch to no PAC, and it works great. Switch back, and its broken. I think this is an Apple issue. Anybody else get the same results?

jbutler47
Contributor II

Confirming same results on JAMF 9.101, iOS 11.2, Apple Classroom 2.1, have seen it a few times now. Removing PAC remedies issue, which obviously is not ideal.

Instructed users not to upgrade to 11.2 if they plan to use Classroom now or in the immediate future.

It would appear that 11.2 is the culprit.

packetguy
New Contributor

I just applied the following PAC to my iPad manually and it breaks Classroom.

function FindProxyForURL(url, host)
    {
    if(shExpMatch(host, "playboy.com"))       {return "PROXY 1.1.1.1:80";}
        return "DIRECT";
    }

I applied a null route to ensure the PAC is actually applied, but I wanted to send all other traffic direct.

This rules out content filter proxy engines and JAMF. I think the ball is in Apple's court.

jbutler47
Contributor II

Checked with Apple Enterprise (#100378615388), they are aware of the issue, it is repeatable on their end, and were able to recite the same exact errors I was receiving.

According to Apple, this issue has been placed on a high priority for resolution. We'll have to wait and see when the next incremental update occurs.

Advice: Best to either pull the PAC config from the user or not update to iOS 11.2.

jbutler47
Contributor II

UPDATE: IOS update 11.2.1 did not resolve the issue, in case you were wondering.

AB4581
New Contributor II

seems to be fixed in iOS 11.2.5 beta 2

jbutler47
Contributor II

Testing today of beta, will reply back with more info later.

Release notes for iOS 11.2.5 Beta state:

Known Issues
• ClientsofNSURLSessionStreamTaskthatuseanon-secureconnectionfailtoconnect when an error occurs during PAC file evaluation and the system is configured for either Web Proxy Auto Discovery (WPAD) or Proxy Automatic Configuration (PAC). A PAC evaluation failure can occur when the PAC file contains invalid JavaScript or the HTTP host serving the PAC file is unreachable. (33609198)

Workaround: Use startSecureConnection to establish a secure connection.

jbutler47
Contributor II

Confirmed that updating iOS 11.2.1 to 11.2.5 Beta 2 resolved the Apple Classroom issue with PAC config. Classroom resumes normal activity along with the PAC file profile. Very happy about this.

Once a public release is made, then all will be right in the world.

Over and out.

johnstone
New Contributor III

Had a teacher report that updating teacher and student iPads to iOS 11.2.2 (released yesterday) corrected this issue. I haven't had a chance to look myself, hoping this is legit.

AB4581
New Contributor II

I tested 11.2.2 yesterday and had failure. Can anyone else confirm success? or johnstone double-confirm success?

johnstone
New Contributor III

I just tested this myself and ran into the error with 2 iPad Air's (WiFi). However, I didn't get the error on the class I setup for myself, I got the error on another teacher's class I added myself as a teacher to.

The class I setup just showed the student's iPad as offline (which it was not, I tried multiple networks , toggled BT off/on, wifi off/on). The "server session invalidated" never popped up on my test class.

The teacher claims she was able to see the students screens with the same model iPad's. I verified in the JSS that she does indeed have 11.2.2 installed. Having her test again tomorrow for a longer period of time and try other actions. If she claims its working I will add myself to her class and see what I can see.

Hoping she is incorrect so this does not get more complicated in working for some and not others......

david_yenzer
Contributor II

We're starting to see this issue, I'll be following this thread. In our environment staff may not get hit by the bug, but I wonder if only students are getting hit by the PAC file if that would break the connection. Will do some testing tomorrow.

bdelamarche
New Contributor III

Apparently got the same issue for a customer with proxy pac and iOS 11.2.2.
Looking to the EDU profil to be sure it's an issue with iOS 11.2.2 and the proxy PAC before.
We'll keep the post update tomorrow

rsmith
New Contributor II

Receiving he server invalidated error as well on teacher iPad pro running 11.2.2 and we have a proxy PAC file. The issue was not present and still not present on any iPads running 11.2.1. No workaround at the moment as the PAC file is set up for mobile filtering.

tzimmerman
New Contributor

We are currently seeing this issue with 11.2.2 I hope Apple can fix soon!!!

rsmith
New Contributor II

Does anybody know if this is impacting student iPads or just Teacher iPads? If I make an exception on the configuration profile for teachers so they do not receive the PAC file, but students still do, will that temporarily solve the problem? Just a thought...not ideal...but could be a workaround until Apple releases an update.

jbutler47
Contributor II

In our tests, Teachers that run Apple Classroom app and meet the criteria are the affected devices, whereas student devices are not.

If you are in the developer group, download the latest beta of 11.2.5 and the problem is resolved, we saw in testing.

Hope that helps.

johnstone
New Contributor III

The official iOS 11.2.5 is out. Just successfully used classroom!

blorenzo
New Contributor

Hi there -

Is anyone experiencing this issue on iPadOS13? We're using the Securlty Smart PAC and often times the teachers are seeing the students "offline".

pmckeehan
New Contributor II

Experiencing the same issue as "blorenzo" - Securly Samrt PAC and students showing as OFFLINE in teachers apple classroom