Managed Preferences for PAC file

Yeah you can do this with a script using the networksetup command:

networksetup -setautoproxyurl <networkservice> <url>

j

Try looking at the networksetup command in /usr/sbin/networksetup. There are several proxy configurations you can set via the command line.

I've used this script which works well but I now need to lock this down so that students can't disable the Automatic Proxy Configuration in System Preferences-->Network even if they know the local admin account password.

Is there a way to do this using a Managed Preference? If not, would you recommend a recurring policy?

@tatiang Glad the scripts working for you. We used to run it daily & had a self service item to re-run it.

What happens when your students change/remove the proxy? Can they still access the Internet?

@bentoms Thank you, it's very handy. I actually am just testing PAC scripts for iBoss filtering this week. If all goes well, I intend to roll it out to our 1:1 students. If students remove the proxy, they have unfiltered access when off-campus. iBoss does not yet have a Yosemite-compatible mobile client but we need something in place that will provide filtered Internet access. The simple answer is "don't let students uncheck that box" but parents often tell their kids the admin password on their computers (why, oh why?!) because they get tired of having to type it in over and over again to install software, printers, etc.

We're also looking for a way to set the PAC file for iBoss mobile filtering. Curious if @tatiang or @brushj came up with a solution for this as I think they're doing the same.

The @bentoms script works great for us set during imaging (our students aren't admins, so they can't modify it once set), but it only sets the PAC file for active network connections (so wifi and thunderbolt eth adapter get set).

If students plug in a USB eth adapter, there's no proxy set. It's stupid Apple doesn't let you set this via Config Profile for all SSIDs, unless I'm missing something. Any help appreciated

@CasperSally we are currently only using the PAC script on our iPads. We haven't updated to 10.10 yet, I assume that is what you are on since you aren't using the mobile client?

I hadn't considered that they would be able to use an adapter and get around that. I will have to test that out tomorrow and see what I can come up with. I spoke with iBoss the other day about the mobile client and they are looking into coming up with another mobile client, but they don't want to invest dev time into creating something if Apple will deprecate it in 10.11. Apparently iBoss aren't getting a whole lot of cooperation from Apple on this front, so I am hoping they come up with something.

I'll let you know what I come up with tomorrow.

@brushj Yes, I'm talking about 10.10. Let me know if you come up with something, I'll do the same.

" they don't want to invest dev time into creating something if Apple will deprecate it in 10.11" - welcome to the world of Apple, iBoss.

@CasperSally We used to run that script via a policy once a day.. If wanted you could set it to run on "Network State Change"

iBoss says they don't want Apple to deprecate something else in 10.11 ... LOL

The ipfw that was removed from 10.10 (which caused the iBoss mobile client to quit working) was announced as deprecated when 10.7 was released. They just hadn't removed it until 10.10.

And iBoss didn't do anything with that information.

They also told me a couple weeks after the 10.10 release that they didn't know it wasn't going to work with 10.10. He said they still hadn't tested it yet at that point. I asked why they didn't do some testing with the beta and they said that things could change so they don't test the betas (you know, the ones Apple provides to the developers to make sure their programs work).

I'm so frustrated with iBoss because I really like their system (pre-Yosemite). I only found one web filter option that has a mobile client that won't proxy all data back through the device and is Yosemite compatible (Barracuda). Lightspeed keeps saying they will have a release "next week" about every week with nothing so far.

I want to have something ready to replace iBoss ASAP so that laptops can be refreshed near the beginning of summer instead of waiting until closer to August when our students come back mid-August.

I was trying to look at converting the ipfw commands in the agent script of iBoss to the new pf version, but I don't know enough about it. I would hope that if it were that simple that they would have just done it, though.

We use Lightspeed and one option that I am looking into is to filter everything via proxy and using a PAC file to exclude specific sites and protocols that do not work through a proxy. The PAC file then tells the client what to allow and what to not filter at all. If they remove the PAC file they get no internet at all.

Sorry to digress, but just wondering how all the proxy users are able to get APN/config profiles to work over the air?