MCX To control proxy

jszaszvari
New Contributor III

Hi All

I'm looking for a way to set and lock the proxy settings in Sys Prefs.

I don't want to lock networking as the kids still need to be able to change networks at home, but I want to lock a certain proxy server in place so that it cant be changed.

Anyone done this before?

John


Not applicable

Mostly. Check out this script:

#!/bin/sh

# To use this script:
# 1. Fill in the values in the next section to match your desired default configuration.
# 2. If you intend to deploy the script using JAMF, make sure the "shift 3" line below is not commented;
#    otherwise, make sure it is commented.
# 3. Run the script as root, with parameters if desired. The parameters are as follows:
#      interface  The network service to apply the change to (as listed by "networksetup -listallnetworkservices")
#      services   A space-separated list of proxy types to apply the change to
#      address    The address of the proxy server; set to "off" (or leave blank) to turn off the proxy
#      port       The port to use on the proxy server
#      username   The username to log in to the proxy server; omit if no authentication is needed
#      password   The password to log in to the proxy server; omit if no authentication is needed
# Note that any parameters that are omitted will use the hardcoded values in the next section. In some
# situations, you may need to enclose the services list in quotes to ensure it is interpreted properly.

################################
# Default config to be applied #
################################

# The network service name to apply this setting to, exactly as System Preferences shows it
# (e.g. "Ethernet", "AirPort"); this is the service name, not the BSD device name such as en0
interface="Ethernet"

# A list of proxy types to set, separated by spaces
# Available types as of Mac OS X 10.6: ftp web secureweb streaming gopher socksfirewall
services="web secureweb"

# The address of the proxy server; leave blank to turn off proxies
proxyAddr="proxy.yourcompany.com"

# The port of the proxy server
proxyPort="8080"

# The username to authenticate to the proxy server; leave blank for no authentication
proxyUsername=""

# The password to authenticate to the proxy server; leave blank for no authentication
proxyPassword=""

# Skips the first three parameters (mount point, computer name and username, which JAMF fills in automatically)
# If you want to run this script without using JAMF, comment out this line by adding a # in front
shift 3

#######################################################
# Script goes here; you shouldn't need to modify this #
#######################################################

# Mac OS X 10.4 and earlier had networksetup in a different location
if [ -x "/usr/sbin/networksetup" ]
then
    networksetup="/usr/sbin/networksetup"
else
    networksetup="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/networksetup"
fi

if [ "$(id -u)" -ne 0 ]
then
    echo "ERROR: You must be root to run ${0}; try adding 'sudo' in front of the command."
    exit 1
fi

if ! [ -x "${networksetup}" ]
then
    echo "ERROR: ${networksetup} was not found or is not executable."
    exit 1
fi

# Read parameters and determine desired config

if [ -n "${1}" ]
then
    interface="${1}"
fi

if [ -n "${2}" ]
then
    services="${2}"
fi

if [ -n "${3}" ]
then
    proxyAddr="${3}"
fi

if [ -n "${4}" ]
then
    proxyPort="${4}"
fi

if [ -n "${5}" ]
then
    proxyUsername="${5}"
fi

if [ -n "${6}" ]
then
    proxyPassword="${6}"
fi

# "off" as the address (as documented above) means the same as no address at all
if [ "${proxyAddr}" = "off" ]
then
    proxyAddr=""
fi

for service in ${services}
do
    if [ -n "${proxyAddr}" ]
    then
        if [ -z "${proxyUsername}" ]
        then
            echo "Setting ${service} proxy on ${interface} to ${proxyAddr}:${proxyPort}"
            "${networksetup}" "-set${service}proxy" "${interface}" "${proxyAddr}" "${proxyPort}" off
        else
            # Username and password are passed as separate, quoted arguments so that spaces in either
            # survive; the password is deliberately not echoed, so it does not end up in the policy log
            echo "Setting ${service} proxy on ${interface} to ${proxyAddr}:${proxyPort} with username ${proxyUsername}"
            "${networksetup}" "-set${service}proxy" "${interface}" "${proxyAddr}" "${proxyPort}" on "${proxyUsername}" "${proxyPassword}"
        fi
        # Optional: also export the proxy to command-line programs via launchd.conf (disabled by default)
        #if [ "${service}" = "web" ]
        #then
        #    if [ -n "${proxyUsername}" ]
        #    then
        #        echo "WARNING: Can't set authenticating web proxy for UNIX programs"
        #    else
        #        # NOTE: If ${proxyAddr} or ${proxyPort} contains anything that grep considers special,
        #        # this will not behave as expected!
        #        if /usr/bin/grep -q "^setenv http_proxy ${proxyAddr}:${proxyPort}" /etc/launchd.conf
        #        then
        #            echo "Web proxy is already set to ${proxyAddr}:${proxyPort} for UNIX programs"
        #        else
        #            echo "Setting web proxy to ${proxyAddr}:${proxyPort} for UNIX programs"
        #            echo "setenv http_proxy ${proxyAddr}:${proxyPort}" >> /etc/launchd.conf
        #        fi
        #        /bin/launchctl setenv http_proxy "${proxyAddr}:${proxyPort}"
        #    fi
        #elif [ "${service}" = "secureweb" ]
        #then
        #    if [ -n "${proxyUsername}" ]
        #    then
        #        echo "WARNING: Can't set authenticating secure web proxy for UNIX programs"
        #    else
        #        # NOTE: If ${proxyAddr} or ${proxyPort} contains anything that grep considers special,
        #        # this will not behave as expected!
        #        if /usr/bin/grep -q "^setenv HTTPS_PROXY ${proxyAddr}:${proxyPort}" /etc/launchd.conf
        #        then
        #            echo "Secure web proxy is already set to ${proxyAddr}:${proxyPort} for UNIX programs"
        #        else
        #            echo "Setting secure web proxy to ${proxyAddr}:${proxyPort} for UNIX programs"
        #            echo "setenv HTTPS_PROXY ${proxyAddr}:${proxyPort}" >> /etc/launchd.conf
        #        fi
        #        /bin/launchctl setenv HTTPS_PROXY "${proxyAddr}:${proxyPort}"
        #    fi
        #fi
    else # Missing address means the proxy should be turned off
        echo "Turning off ${service} proxy on ${interface}"
        "${networksetup}" "-set${service}proxystate" "${interface}" off
        #if [ "${service}" = "web" ]
        #then
        #    echo "Turning off web proxy for UNIX programs"
        #    if [ -f /etc/launchd.conf ] && /usr/bin/grep -q '^setenv http_proxy ' /etc/launchd.conf
        #    then
        #        /usr/bin/grep -v '^setenv http_proxy ' /etc/launchd.conf > "/private/tmp/launchd.conf.$$"
        #        mv "/private/tmp/launchd.conf.$$" /etc/launchd.conf
        #    fi
        #    /bin/launchctl unsetenv http_proxy
        #elif [ "${service}" = "secureweb" ]
        #then
        #    echo "Turning off secure web proxy for UNIX programs"
        #    if [ -f /etc/launchd.conf ] && /usr/bin/grep -q '^setenv HTTPS_PROXY ' /etc/launchd.conf
        #    then
        #        /usr/bin/grep -v '^setenv HTTPS_PROXY ' /etc/launchd.conf > "/private/tmp/launchd.conf.$$"
        #        mv "/private/tmp/launchd.conf.$$" /etc/launchd.conf
        #    fi
        #    /bin/launchctl unsetenv HTTPS_PROXY
        #fi
    fi
done

And no, there's no way to do it in MCX. The location for the settings is hardware-specific.

talkingmoose
Moderator

I manage proxy settings via Managed Preferences (MCX) in Casper. It overrides anything in System Preferences.

On 7/14/11 8:16 PM, "John J. Szaszvari" <JSzaszvari at monte.nsw.edu.au> wrote:

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

jszaszvari
New Contributor III

William

Would you please be able to send me the settings you have in Casper? I'm trying to build them now but I think I keep getting them wrong.

If you could maybe screenshot / copy paste all the settings from the MCX screen it would be much appreciated.

Regards
John

talkingmoose
Moderator

These should be all the details of my proxy settings as they're defined in
Managed Preferences in the JSS:

Name: All Desktops - Proxies
Apply To: System Level Enforced
Key Type: Enter Manually (Array or Dictionary)
Domain: com.apple.SystemConfiguration
Key Name: Proxies
Value:

<dict>
    <key>ExceptionsList</key>
    <array>
        <string>avconsole.stp.internal.com</string>
        <string>*.stp.internal.com</string>
        <string>10.1.*</string>
        <string>sharepoint.*</string>
    </array>
    <key>FTPEnable</key>
    <integer>0</integer>
    <key>FTPPassive</key>
    <integer>0</integer>
    <key>FTPPort</key>
    <integer>0</integer>
    <key>FTPProxy</key>
    <string></string>
    <key>GopherEnable</key>
    <integer>0</integer>
    <key>GopherPort</key>
    <integer>0</integer>
    <key>GopherProxy</key>
    <string></string>

    <key>HTTPEnable</key>
    <integer>1</integer>
    <key>HTTPPort</key>
    <integer>80</integer>
    <key>HTTPProxy</key>
    <string>proxyserver</string>

    <key>HTTPSEnable</key>
    <integer>1</integer>
    <key>HTTPSPort</key>
    <integer>443</integer>
    <key>HTTPSProxy</key>
    <string>proxyserver</string>

    <key>ProxyAutoConfigEnable</key>
    <integer>0</integer>
    <key>ProxyAutoConfigURLString</key>
    <string></string>
    <key>RTSPEnable</key>
    <integer>0</integer>
    <key>RTSPPort</key>
    <integer>0</integer>
    <key>RTSPProxy</key>
    <string></string>
    <key>SOCKSEnable</key>
    <integer>0</integer>
    <key>SOCKSPort</key>
    <integer>0</integer>
    <key>SOCKSProxy</key>
    <string></string>
</dict>

Here's the explanation for the various parts:

ExceptionsList is where you list your proxy exceptions. We have more than
I've listed here but I've provided examples of what's acceptable. You can
list full server names, network names with wildcards, IP addresses with
wildcards and server names with wildcards. I have to include a handful of
server names with wildcards to handle how our SharePoint servers are named
on our network. Folks are in the habit of using non-FQDN links such as
"http://server/business/Pages/page.aspx". This makes them resolvable so
long as I have the correct search domains entered as well.

Everything below the ExceptionsList is what you'd find above the proxy
exceptions list in the Network System Preferences pane. We only enable
(using "1") two types of proxy: HTTP and HTTPS. Everything else is
disabled (using "0"). I've singled these out above but my actual settings
don't have the blank lines between any of the lines. Because we have
proxies local to each site named "proxyserver" I don't use a FQDN. This
allows each site to append its site specific settings and computers to use
the local network proxy dynamically. You can, of course, use a FQDN to
always direct traffic to a specific proxy server.

I apply these proxy settings to all desktops in our organization because
they never leave our network. I do not apply any proxy settings to laptops
because they continue to override settings when laptops are offsite.
Instead, I configure those manually and create Locations so that users can
switch between home and company networks.

Hope that all sounds coherent. Let me know if you need more information.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
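A Proxies dictionary like the one William posted is easy to get subtly wrong (a flag left at 0, a port mismatched, a catch-all exception that quietly routes everything around the proxy), and the thread notes that System Preferences will not show you what was applied. The following is an added example in Python, not part of William's post or of Casper/JSS: it parses the payload with plistlib and compares it with the policy it is supposed to enforce. The plist literal is a constructed sample modelled on the posted value (the post's placeholder host "proxyserver", HTTP and HTTPS on port 80 and 443, and exception patterns of the kinds the post describes); the expected host and ports you pass in are assumptions for your own environment.

```python
import plistlib

# Constructed sample, modelled on the Proxies value posted above: the post's
# placeholder host "proxyserver", HTTP and HTTPS enabled, everything else
# off, and exception patterns of the kinds the post describes.
SAMPLE_PROXIES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ExceptionsList</key>
  <array>
    <string>avconsole.stp.internal.com</string>
    <string>*.stp.internal.com</string>
    <string>10.1.*</string>
    <string>sharepoint.*</string>
  </array>
  <key>HTTPEnable</key><integer>1</integer>
  <key>HTTPPort</key><integer>80</integer>
  <key>HTTPProxy</key><string>proxyserver</string>
  <key>HTTPSEnable</key><integer>1</integer>
  <key>HTTPSPort</key><integer>443</integer>
  <key>HTTPSProxy</key><string>proxyserver</string>
  <key>ProxyAutoConfigEnable</key><integer>0</integer>
  <key>ProxyAutoConfigURLString</key><string></string>
  <key>FTPEnable</key><integer>0</integer>
  <key>SOCKSEnable</key><integer>0</integer>
</dict>
</plist>
"""

# Second constructed sample: the same payload with a catch-all exception,
# which sends every host around the proxy and so defeats the lock.
BROAD_BYPASS = plistlib.dumps(
    {**plistlib.loads(SAMPLE_PROXIES), "ExceptionsList": ["*", "10.1.*"]}
)

# Proxy types the com.apple.SystemConfiguration Proxies dictionary can carry.
PROXY_TYPES = ("HTTP", "HTTPS", "FTP", "Gopher", "RTSP", "SOCKS")


def check_proxies_payload(data, expected_host, expected_ports):
    """Compare an MCX Proxies payload with the proxy policy it should enforce.

    expected_ports maps a proxy type ("HTTP", "HTTPS", ...) to the port it
    must use; every type not listed must stay disabled. Returns a list of
    findings; an empty list means the payload matches the policy.
    """
    findings = []
    try:
        proxies = plistlib.loads(data)
    except Exception as exc:  # plistlib raises more than one error type
        return [f"payload is not a parseable plist: {exc}"]
    if not isinstance(proxies, dict):
        return ["payload is not a dictionary"]

    for proto, port in expected_ports.items():
        if proxies.get(f"{proto}Enable") != 1:
            findings.append(f"{proto}Enable should be 1")
        if proxies.get(f"{proto}Proxy") != expected_host:
            findings.append(f"{proto}Proxy should be {expected_host!r}")
        if proxies.get(f"{proto}Port") != port:
            findings.append(f"{proto}Port should be {port}")

    # Any proxy type the policy does not mention must stay disabled.
    for proto in PROXY_TYPES:
        if proto not in expected_ports and proxies.get(f"{proto}Enable") == 1:
            findings.append(f"{proto} proxy is enabled but not part of the policy")

    # A PAC script next to static servers is a second, unreviewed source of
    # routing decisions; flag it so it is a deliberate choice.
    if proxies.get("ProxyAutoConfigEnable") == 1:
        findings.append("ProxyAutoConfigEnable is 1 alongside static proxy servers")

    # ExceptionsList is the bypass list; a catch-all entry defeats the lock.
    for entry in proxies.get("ExceptionsList", []):
        if str(entry).strip() in ("*", "*.*", ""):
            findings.append(f"exception {entry!r} bypasses the proxy for every host")
    return findings


if __name__ == "__main__":
    policy = {"HTTP": 80, "HTTPS": 443}
    for label, payload in (("posted", SAMPLE_PROXIES), ("broad bypass", BROAD_BYPASS)):
        print(label, "->", check_proxies_payload(payload, "proxyserver", policy) or "OK")
```

To check a payload you are about to push, export the Proxies value from the JSS as XML and feed its bytes to check_proxies_payload with the host and ports from your own proxy standard.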

Not applicable

Odd, I thought I remembered seeing proxy settings listed by UUID of the network interface in some plist file...

I guess I stand corrected.

talkingmoose
Moderator

Thanks but we don't have an internal ASUS because we have many sites with
small pipes in between. If we need to download using Software Update then
we use the local proxy server.

If we did have internal servers then MCX would do a good job too to
redirect Macs to those. I think that's actually a template in the JSS's
Managed Preferences.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

jszaszvari
New Contributor III

Thanks so much for this William.

It works great, Just tested it.

For some reason the settings in System Preferences don't show as being set,
but the system is still going through the proxy server regardless of what
I put in the box.

Thanks again

John

talkingmoose
Moderator

Two downsides to this from what I've experienced but neither is major:

  1. You've discovered this already. The settings don't appear enabled.
    Instead you must look at System Profiler's "Managed Client" settings to
    see the rules.

  2. Command line tool softwareupdate does not recognize the proxy settings
    when using Casper's Managed Preferences. I use Casper to push updates
    anyway so this isn't a deal breaker for me.

Glad you got it working. :-D

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
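Both the networksetup script earlier in the thread and William's first downside (the Network pane does not show MCX-enforced values, and John saw traffic go through the proxy anyway) leave the same question open: what does the system currently believe the proxy is? On macOS, `scutil --proxy` prints the proxy configuration from the SystemConfiguration dynamic store, which is the assumed source of truth here for what CFNetwork uses. The following is an added example in Python, not part of William's post or of Casper/JSS: it parses that text form and reports where the live state diverges from the intended policy, so the check can run from a policy or an extension attribute. The two state strings are constructed samples in the `scutil --proxy` layout, one matching the policy, one where nothing is enforced; the expected host and ports are assumptions.

```python
import re
import subprocess

# Constructed sample in the `scutil --proxy` text layout: the state one would
# expect on a desktop where the posted MCX Proxies value is in force.
LOCKED_STATE = """<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
    2 : *.stp.internal.com
  }
  FTPPassive : 1
  HTTPEnable : 1
  HTTPPort : 80
  HTTPProxy : proxyserver
  HTTPSEnable : 1
  HTTPSPort : 443
  HTTPSProxy : proxyserver
}
"""

# Constructed sample of a machine where no proxy is enforced at all, which is
# what the System Preferences pane suggests even when MCX is active.
DRIFTED_STATE = """<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
}
"""


def parse_scutil_proxy(text):
    """Parse the text form of `scutil --proxy` into a dict.

    Scalar keys map to their string value; array keys such as ExceptionsList
    map to a list of strings. The outer "<dictionary> {" / "}" lines carry no
    key and are skipped.
    """
    state = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if current_list is not None:
            if line == "}":
                current_list = None
                continue
            item = re.match(r"^\d+ : (.*)$", line)
            if item:
                state[current_list].append(item.group(1))
            continue
        array = re.match(r"^(\w+) : <array> \{$", line)
        if array:
            current_list = array.group(1)
            state[current_list] = []
            continue
        scalar = re.match(r"^(\w+) : (.*)$", line)
        if scalar:
            state[scalar.group(1)] = scalar.group(2)
    return state


def effective_proxy_matches(text, expected_host, expected_ports):
    """Return findings where the live proxy state diverges from the policy.

    expected_ports maps a proxy type ("HTTP", "HTTPS", ...) to its port. An
    empty list means every expected proxy is enabled and pointed correctly.
    """
    state = parse_scutil_proxy(text)
    findings = []
    for proto, port in expected_ports.items():
        if state.get(f"{proto}Enable") != "1":
            findings.append(f"{proto} proxy is not enabled on this host")
            continue
        host, live_port = state.get(f"{proto}Proxy"), state.get(f"{proto}Port")
        if host != expected_host or live_port != str(port):
            findings.append(
                f"{proto} proxy points at {host}:{live_port}, expected {expected_host}:{port}"
            )
    return findings


def live_proxy_state():
    """Run `scutil --proxy` on this Mac and return its output (macOS only)."""
    return subprocess.run(["scutil", "--proxy"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    policy = {"HTTP": 80, "HTTPS": 443}
    for label, sample in (("locked", LOCKED_STATE), ("drifted", DRIFTED_STATE)):
        print(label, "->", effective_proxy_matches(sample, "proxyserver", policy) or "OK")
```

For a live check, pass live_proxy_state() instead of a sample; a non-empty result is the signal that the enforced value is not what the machine is actually using, which is also the quickest way to see whether the kind of stale state scharman describes later in the thread has been left behind after a network change.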

bentoms
Release Candidate Programs Tester

I read somewhere that point 2 can be fixed by creating a DNS record on your internal DNS that resolves swquery.apple.com to your internal ASUS.

I've not been able to test this yet.

Regards,

Ben.

sean
Valued Contributor

How does locking network preferences prevent users from changing networks?

Set the proxy server and then lock preferences, or use 'networksetup' in the command line (which you could script).

Users change networks with 'Locations' from the drop down Apple menu. System Preferences > Network is for administrators to configure each location, not for users to select the location. Configure Locations appropriately to meet the requirements of your users and then lock them.

Sean

scharman
New Contributor

Hey, any tips on how to do this with a PAC file or auto proxy URL?

scharman
New Contributor

Scratch my last comment, I figured it out.
Has anyone run into an issue with Safari caching proxy settings? Even after this MCX is applied, if I change networks and browse, then change back, those settings seem to cache and I am still bypassing the proxy somehow.
Anyone know if there is a script that I can run to fix this?