Jamf Nation Community

@AErwin We are using Securly, seeing the same error message on our Teacher iPads that have been updated to iOS 11.2. Do you have your Securly ticket number so I can reference to them it is the same issue.

@andersonb Securly thought that it might be a Jamf thing too, so I did some tests - here is what I sent them:

I took 2 iPads, did a factory reset on both and set them up manually outside of our MDM. I installed Classroom on the instructor iPad and setup the student iPad manually using the instructions provide with the Classroom app. I confirmed Apple Classroom worked correctly and the instructor iPad could see and interact with the student ipad. Then I downloaded the Securly Cert onto instructor ipad and added our PAC file url to the automatic proxy settings. I tested the Internet and was able to access websites correctly after I authenticated with Google. Then I tried Apple Classroom from the instructor iPad. The student showed offline. I tried rebooting just in case but the student still showed offline. I turned the proxy off in the wifi settings from the instructor device and almost immediately the student showed online in Apple Classroom. So I believe we can say this problem is not related to Jamf MDM or Apple Classroom’s MDM settings

@MaciOSNerd My resquest number is with Securly is 38718 and I've been working with Dmitri over there.

we are using lightspeed filtering and using a PAC file, i've gotten a couple reports of this happening as well.

I just spoke to Apple support and they were able to reproduce the issue on their side, so they are escalating it to engineering.

Hi Guys,

Unfortunately, the best I can do is post a redacted pcap (which makes it almost useless), but you should see what I'm seeing. There is a CONNECT to sentitlement2.mobile.att.net:443 (packet 41) which ends up getting shoved through proxy as I have no DIRECT statements set up for mobile.att.net. I have a feeling this is the issue. Take a look below at the TCP stream below. This is likely part of a carrier update with the latest iOS. Can you guys see if you have the same domain? I suspect other carriers will have different domains. We can gather a complete list here and provide them to our PAC file providers so they can add the DIRECT statements.

I don't use Securly but we do use a PAC file on our iPads, and I just started getting this report in. We're going to create a ticket with Apple.

@AErwin Can you send over your ticket number with Apple so we can connect them?

We are currently seeing this issue today with one or more of our teacher users, mainly the Server Session is Invalidated error.

Any suggestions from the field?

Thanks.

James

@btaitt My apple enterprise ticket # is 100372243393. They have been working diligently on it, but so far no fix yet.

The packet capture I posted above was an entitlement check to ensure tethering was allowed. I'm going to dig deeper.

Our initial test to temporarily remove Securly PAC was successful, Apple Classroom resumes operation.

It looks like the presence of any PAC file breaks the Classroom app. I modified mine to have a default statement of return DIRECT and Classroom no longer works. Switch to no PAC, and it works great. Switch back, and its broken. I think this is an Apple issue. Anybody else get the same results?

Confirming same results on JAMF 9.101, iOS 11.2, Apple Classroom 2.1, have seen it a few times now. Removing PAC remedies issue, which obviously is not ideal.

Instructed users not to upgrade to 11.2 if they plan to use Classroom now or in the immediate future.

It would appear that 11.2 is the culprit.

I just applied the following PAC to my iPad manually and it breaks Classroom.

function FindProxyForURL(url, host)
    {
    if(shExpMatch(host, "playboy.com"))       {return "PROXY 1.1.1.1:80";}
        return "DIRECT";
    }

I applied a null route to ensure the PAC is actually applied, but I wanted to send all other traffic direct.

This rules out content filter proxy engines and JAMF. I think the ball is in Apple's court.

Checked with Apple Enterprise (#100378615388), they are aware of the issue, it is repeatable on their end, and were able to recite the same exact errors I was receiving.

According to Apple, this issue has been placed on a high priority for resolution. We'll have to wait and see when the next incremental update occurs.

Advice: Best to either pull the PAC config from the user or not update to iOS 11.2.

UPDATE: IOS update 11.2.1 did not resolve the issue, in case you were wondering.

seems to be fixed in iOS 11.2.5 beta 2

Testing today of beta, will reply back with more info later.

Release notes for iOS 11.2.5 Beta state:

Known Issues
• ClientsofNSURLSessionStreamTaskthatuseanon-secureconnectionfailtoconnect when an error occurs during PAC file evaluation and the system is configured for either Web Proxy Auto Discovery (WPAD) or Proxy Automatic Configuration (PAC). A PAC evaluation failure can occur when the PAC file contains invalid JavaScript or the HTTP host serving the PAC file is unreachable. (33609198)

Workaround: Use startSecureConnection to establish a secure connection.

Confirmed that updating iOS 11.2.1 to 11.2.5 Beta 2 resolved the Apple Classroom issue with PAC config. Classroom resumes normal activity along with the PAC file profile. Very happy about this.

Once a public release is made, then all will be right in the world.

Over and out.

Had a teacher report that updating teacher and student iPads to iOS 11.2.2 (released yesterday) corrected this issue. I haven't had a chance to look myself, hoping this is legit.

I tested 11.2.2 yesterday and had failure. Can anyone else confirm success? or johnstone double-confirm success?

I just tested this myself and ran into the error with 2 iPad Air's (WiFi). However, I didn't get the error on the class I setup for myself, I got the error on another teacher's class I added myself as a teacher to.

The class I setup just showed the student's iPad as offline (which it was not, I tried multiple networks , toggled BT off/on, wifi off/on). The "server session invalidated" never popped up on my test class.

The teacher claims she was able to see the students screens with the same model iPad's. I verified in the JSS that she does indeed have 11.2.2 installed. Having her test again tomorrow for a longer period of time and try other actions. If she claims its working I will add myself to her class and see what I can see.

Hoping she is incorrect so this does not get more complicated in working for some and not others......

We're starting to see this issue, I'll be following this thread. In our environment staff may not get hit by the bug, but I wonder if only students are getting hit by the PAC file if that would break the connection. Will do some testing tomorrow.

Apparently got the same issue for a customer with proxy pac and iOS 11.2.2.
Looking to the EDU profil to be sure it's an issue with iOS 11.2.2 and the proxy PAC before.
We'll keep the post update tomorrow

Receiving he server invalidated error as well on teacher iPad pro running 11.2.2 and we have a proxy PAC file. The issue was not present and still not present on any iPads running 11.2.1. No workaround at the moment as the PAC file is set up for mobile filtering.

We are currently seeing this issue with 11.2.2 I hope Apple can fix soon!!!

Does anybody know if this is impacting student iPads or just Teacher iPads? If I make an exception on the configuration profile for teachers so they do not receive the PAC file, but students still do, will that temporarily solve the problem? Just a thought...not ideal...but could be a workaround until Apple releases an update.

In our tests, Teachers that run Apple Classroom app and meet the criteria are the affected devices, whereas student devices are not.

If you are in the developer group, download the latest beta of 11.2.5 and the problem is resolved, we saw in testing.

Hope that helps.

The official iOS 11.2.5 is out. Just successfully used classroom!

Hi there -

Is anyone experiencing this issue on iPadOS13? We're using the Securlty Smart PAC and often times the teachers are seeing the students "offline".

Experiencing the same issue as "blorenzo" - Securly Samrt PAC and students showing as OFFLINE in teachers apple classroom