Captive Portal Issues

ChrisTech
Contributor

I am having an issue that I think is somehow related to Safari and our proxy. We have had several reports of users traveling off-network and having issues with captive portals. The Captive Network Assistant.app window appears but it's blank and says: "The webpage couldn't be loaded". If I open Chrome or Firefox and go to https://captive.apple.com, then the Captive Portal appears and I can do whatever I need to access the WiFi SSID. If I open Safari, I am unable to get to https://captive.apple.com. Has anyone run across this issue? I'm assuming the Captive Network Assistant is using Safari to try to show the Captive Portal...


AJPinto
Honored Contributor III

I would suggest opening a ticket with Apple. However, Apple is going to tell you the issue is with the providers of the captive portals. In my experience I have noticed Safari's website compatibility is fairly horrible among modern browsers. I do not restrict Safari but I do discourage its use.

AdamGMain
New Contributor

Are you running Ventura by chance? I am running into the same issue on Ventura. If I deploy a Jamf configuration for our Securly SmartPAC proxy, I can't access captive portals. However, if I set up the proxy and the SSL certificate manually, it works without issue. I noticed under the Mobile Device configuration, under the Global HTTPS Proxy settings, there is an "Allow bypassing proxy to access captive networks" setting that you can check. I'm wondering, with Ventura's switch to a mobile settings interface, if the Computer Configurations side of the proxy configuration in Jamf needs to update this switch somehow.

Will you help me with the Jamf configuration for Securly SmartPAC proxy and specifically Global HTTPS Proxy?

sudoErase
New Contributor III

You should try using http://captive.apple.com instead of https

DaneLG
New Contributor II

I've had the same issue for a while now. Hoping that someone has found a solution...

Jaykrishna1
Contributor II

I am also having the same issue and additionally, we are also coordinating with our DLP provider DG.

zortmanc
New Contributor II

I'm having the same issue with the Securly SmartPAC via Jamf deployment. The checkbox that once existed in Jamf (bypass proxy for captive portals) no longer exists. Obviously if I remove the SmartPAC, the captive portal launches without any issues. Jamf and Securly both just point the finger and we are stuck.

I don't think that option ever existed in the Jamf GUI for macOS. It does still exist for iOS/iPadOS.

We dealt with this issue as well. macOS does support the 'Allow Proxy Bypass for Captive Portal Logins' profile key, it's just the Jamf GUI is missing it for whatever reason.

I suggest getting iMazing Profile Editor and building your Securly config profile with that. It does have the option for macOS. This fixed the issue for us.

Hi whiteb,

Can you share the same working configuration profile you configured and created?

Our config profile is specific to us in the sense that it has our web filtering company's certificate + our SmartPAC URL in it. Therefore it's best if you download iMazing Profile Editor and build it to your organization's needs. https://imazing.com/profile-editor/download

The screenshot was just meant to show what is needed for captive portal pop-ups to display as expected.

ChrisTech
Contributor

@whiteb I created a config profile with the <key>ProxyCaptiveLoginAllowed</key> option but it didn't work. I opened a ticket with our filtering company... if I remove the proxy, I get the pop up windows. 

Strange. We use Securly, not sure about you.

Screenshot 2024-07-09 at 6.51.19 PM.png

This is what our profile looks like when it's installed on a device. As far as I know captive portals are still working as expected. I know for sure the Starbucks captive portal wouldn't load until 'Fallback Allowed' (the key you mentioned I believe) was set to '1'.

Best of luck. Kind of an annoying issue to deal with. I don't think Securly was any help figuring it out for us, I kinda just had to try different things.

ChrisTech
Contributor

@whiteb I added that to my config profile just now.. I will test it, thanks. 

ChrisTech
Contributor

That did it. So for everyone else, I'll post my XML code for the config profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Proxies</key>
	<dict>
		<key>FallBackAllowed</key>
		<integer>1</integer>
		<key>ProxyAutoConfigEnable</key>
		<integer>1</integer>
		<key>ProxyAutoConfigURLString</key>
		<string>https://yourPACfileHere</string>
		<key>ProxyCaptiveLoginAllowed</key>
		<true/>
	</dict>
</dict>
</plist>

The preference domain is: com.apple.SystemConfiguration
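
A way to check an exported profile for the settings in the working payload above before deploying it. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes the `Proxies` dictionary may be nested anywhere inside the plist, so it searches recursively.

```python
import plistlib

# Keys and values taken from the working payload posted in this thread.
REQUIRED = {
    "ProxyAutoConfigEnable": 1,
    "ProxyCaptiveLoginAllowed": True,
    "FallBackAllowed": 1,
}

def find_proxies(node):
    """Return the first 'Proxies' dict found anywhere in a parsed plist."""
    if isinstance(node, dict):
        if isinstance(node.get("Proxies"), dict):
            return node["Proxies"]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_proxies(child)
        if found is not None:
            return found
    return None

def audit_profile(plist_bytes):
    """List the reasons a proxy payload may block captive portal logins."""
    proxies = find_proxies(plistlib.loads(plist_bytes))
    if proxies is None:
        return ["no Proxies dictionary found"]
    problems = []
    for key, wanted in REQUIRED.items():
        value = proxies.get(key)
        if value is None:
            problems.append(f"{key} is missing")
        elif value != wanted:  # <true/> and <integer>1</integer> compare equal
            problems.append(f"{key} is {value!r}, expected {wanted!r}")
    if not proxies.get("ProxyAutoConfigURLString"):
        problems.append("ProxyAutoConfigURLString is empty")
    return problems

# Constructed samples: the posted payload, and a nested one without the bypass keys.
GOOD = plistlib.dumps({"Proxies": {"FallBackAllowed": 1, "ProxyAutoConfigEnable": 1,
    "ProxyAutoConfigURLString": "https://yourPACfileHere", "ProxyCaptiveLoginAllowed": True}})
BAD = plistlib.dumps({"PayloadContent": [{"Proxies": {"ProxyAutoConfigEnable": 1,
    "ProxyAutoConfigURLString": "https://yourPACfileHere"}}]})

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("bad", BAD)):
        print(name, audit_profile(data) or "OK")
```

To check a real file, pass its contents, for example `audit_profile(open(path, "rb").read())`; a signed profile has to be unsigned first, since `plistlib` only reads plain XML or binary plists.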