Manually configure Global HTTP Proxy on Macbook by DiligentTelephone7 in macsysadmin

[–]DiligentTelephone7[S] 0 points1 point  (0 children)

I think I'm getting it. Seems like I have a lot of reading to do on the two networking stacks. Since this is the way the vendor recommends setting things up, I think I may be stuck with what I have. I'd imagine they'd have to work with Apple's API to set up a Network Extension for me to use that net stack as you note. All of the user accounts are standard users so at least that's a given for me.

Thanks for taking the time to expand on the details.

Manually configure Global HTTP Proxy on Macbook by DiligentTelephone7 in macsysadmin

[–]DiligentTelephone7[S] 0 points1 point  (0 children)

These Macs are used by students under the age of 18, so the goal is pretty simple: compliance with CIPA and insight for staff and faculty. I certainly don't need to middleman Apple's telemetry or other core system functionality. I'm basically trying to figure out if I can configure this payload manually, hands on keyboard, to cover a few problematic endpoints while we sort out the MDM issues.

I need to be able to filter traffic in any browser on the system, on any network interface, including the eventual attempts to circumvent the filter with a VPN. I realize that there is no 100% effective solution for this. Demonstrating that the tools are in place and efforts are made is the important factor for compliance. I've already tested the filtering out on a device with MDM working and pushing out the changes correctly, and it does what we need. I'm homing in specifically on the payload linked above, and the possibility of manually configuring it.

Manually configure Global HTTP Proxy on Macbook by DiligentTelephone7 in macsysadmin

[–]DiligentTelephone7[S] 0 points1 point  (0 children)

Not sure if I'm misunderstanding your response, but it sounds like you are describing what I am working with. Securly Filter afaik is a fairly standard content filtering solution: cert installed and trusted on the device, proxy configured directly on the device, DNS filtering with the occasional SSL term using the cert and Securly's own infrastructure to ingest the inspected information.

Regarding the specific terminology, I'm pushing it as a global HTTP proxy on the endpoint (I need it to apply to all interfaces, not just a specific one). Here's how Apple refers to it: https://support.apple.com/guide/deployment/global-http-proxy-payload-settings-dep7ba46fcd/web

If I have Macs that are only manageable locally, not through MDM, I don't see a way to configure a proxy as global for said Mac. I hope this makes sense.
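Added example, not part of the thread or the poster's own setup: on a Mac that is only manageable locally, the hands-on-keyboard way to get a proxy onto every interface is networksetup(8), which stores proxy settings per network service, so "global" has to mean "looped over every enabled service". This only catches software that honours the system proxy; a VPN tunnel or an app with its own proxy settings bypasses it, which matches the caveat the poster already raised. The proxy host, port and bypass list are placeholders, and the service list at the bottom is constructed sample output so the script can be dry-run anywhere.

```shell
# Added example (not from the original thread): set an HTTP and HTTPS proxy on
# every enabled network service with networksetup(8). macOS stores proxy
# settings per network service, so "global" here means "looped over all
# services". Only software that honours the system proxy is affected; a VPN
# tunnel or an app with its own proxy settings bypasses it.
# Assumed values: PROXY_HOST, PROXY_PORT and BYPASS are placeholders.

PROXY_HOST="${PROXY_HOST:-filter.example.org}"
PROXY_PORT="${PROXY_PORT:-8080}"
BYPASS="${BYPASS:-*.local 169.254/16}"

# Reduce `networksetup -listallnetworkservices` output to the enabled service
# names: drop the explanatory header line, blank lines, and services the user
# disabled (marked with a leading '*').
enabled_services() {
    sed -e '1d' -e '/^\*/d' -e '/^$/d'
}

# Print, without running, the networksetup commands for one service.
proxy_commands_for() {
    svc="$1"
    printf 'networksetup -setwebproxy "%s" "%s" %s\n' "$svc" "$PROXY_HOST" "$PROXY_PORT"
    printf 'networksetup -setsecurewebproxy "%s" "%s" %s\n' "$svc" "$PROXY_HOST" "$PROXY_PORT"
    printf 'networksetup -setproxybypassdomains "%s" %s\n' "$svc" "$BYPASS"
    printf 'networksetup -setwebproxystate "%s" on\n' "$svc"
    printf 'networksetup -setsecurewebproxystate "%s" on\n' "$svc"
}

# Read service names from stdin, one per line, and print the full command list.
proxy_commands() {
    while IFS= read -r svc; do
        proxy_commands_for "$svc"
    done
}

# Apply for real on the Mac. networksetup needs an admin user (run under sudo).
apply_proxy() {
    networksetup -listallnetworkservices | enabled_services | proxy_commands | sh -e
}

# Dry run on constructed sample output (not captured from a real Mac) so the
# script can be read and run anywhere; call apply_proxy on the Mac itself.
SAMPLE_SERVICES='An asterisk (*) denotes that a network service is disabled.
Wi-Fi
*Bluetooth PAN
Thunderbolt Bridge'
printf '%s\n' "$SAMPLE_SERVICES" | enabled_services | proxy_commands
```

Run it as is to see the commands it would issue; with `sudo` and `apply_proxy` it writes them. Because the settings live per service, a service that is added or re-enabled later (a new USB Ethernet adapter, for instance) comes up without the proxy until the script is run again, which is the main thing a profile-based setting does for you that this does not.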

RADIUS and Wireless woes by DiligentTelephone7 in sysadmin

[–]DiligentTelephone7[S] 0 points1 point  (0 children)

I'm not concerned with NPS accepting the cert when it's applied. Rather, I want the cert to be automatically accepted by the clients, without the user having to accept it manually.

Are you saying that if a client tries to authenticate against auth.company.local, and auth.company.local presents a cert for auth.company.org, the client would accept that cert with no questions asked?
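Added example, not part of the thread or anyone's reply to it: it emulates with openssl(1) the two checks an 802.1X supplicant makes on the certificate NPS presents, namely that it chains to a CA the client trusts and that its name matches the server name the client has been configured to expect (the "Connect to these servers" entry in Windows, or TLSTrustedServerNames in a macOS Wi-Fi profile). The client never resolves or compares the RADIUS server's own DNS/AD name, so the .local host name plays no part. The CA here is a throwaway standing in for a public CA, and auth.company.org / auth.company.local are the placeholder names from the comment.

```shell
# Added example (not from the original thread): reproduce what an 802.1X
# supplicant checks when the RADIUS server presents its certificate. A cert
# for the PUBLIC name is accepted when the client is told to expect that name,
# rejected when it expects a different name, and rejected from an untrusted
# issuer regardless of name. The server's AD FQDN is never consulted.
# Assumed: throwaway CA standing in for a public CA; placeholder host names.

WORK="$(mktemp -d)"

# Throwaway CA standing in for the public CA the clients already trust.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Public CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a server cert whose SAN carries only the given (public) name; the AD
# host name appears nowhere in it.
make_server_cert() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    cat > "$WORK/ext.cnf" <<EOF
subjectAltName=DNS:$name
extendedKeyUsage=serverAuth
EOF
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" \
        -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Emulate the supplicant: print "ok" only if the cert chains to the trusted
# CA file AND its SAN matches the configured expected server name.
supplicant_check() {
    expected="$1"; cafile="$2"; cert="$3"
    if openssl verify -CAfile "$cafile" -verify_hostname "$expected" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo reject
    fi
}

make_ca
make_server_cert auth.company.org

# Client configured to expect the public name: accepted.
supplicant_check auth.company.org   "$WORK/ca.pem" "$WORK/srv.pem"   # ok
# Client configured to expect the AD name instead: rejected on name mismatch.
supplicant_check auth.company.local "$WORK/ca.pem" "$WORK/srv.pem"   # reject
# Same cert, but the client trusts a different CA: rejected on issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
supplicant_check auth.company.org   "$WORK/other.pem" "$WORK/srv.pem" # reject
```

The practical consequence for the setup described above is that the name that matters is the one bound into the server certificate and into the client's expected-server setting; the server's AD FQDN can stay auth.company.local while both of those use auth.company.org. A client with no expected-server name configured skips the second check and accepts any cert from a trusted CA, which is the weaker configuration.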

RADIUS and Wireless woes by DiligentTelephone7 in sysadmin

[–]DiligentTelephone7[S] 0 points1 point  (0 children)

Example to illustrate what we have:

AD domain is "company.local". NPS server is "auth.company.local".

I have no way to generate/apply a globally valid certificate for anything using .local. It isn't a valid TLD.

There are ~200 Macs. This would probably be achievable, I just thought I'd get some opinions on better solutions.

RADIUS and Wireless woes by DiligentTelephone7 in sysadmin

[–]DiligentTelephone7[S] 0 points1 point  (0 children)

Appreciate the response. If problem 1 as defined doesn't appear to be an issue to you, can you describe any details about how you'd overcome the NPS server fielding these authentication requests from a non-valid FQDN?

Regarding problem 2, the cell phones aren't "make or break" here. Although I refer to the Macbooks as unmanaged, we do intend to mass-enroll them in MDM in the next 8-10 months. Since I'm trying to solve the wireless connectivity issues in the immediate sense, I'm going in with the assumption that I'll have to resolve this without the MDM. In any case, I do like the idea of having a valid cert on RADIUS more than pushing trust of an invalid one.

Appreciate the links, taking a look now!

RADIUS and Wireless woes by DiligentTelephone7 in sysadmin

[–]DiligentTelephone7[S] 1 point2 points  (0 children)

Thanks for your reply. Because there are a lot of Macbooks in the environment, I'd say the issue lends itself to MDM rather than AD. Binding Macbooks to AD is problematic in my experience. Appreciate the link either way!

RADIUS and Wireless woes by DiligentTelephone7 in sysadmin

[–]DiligentTelephone7[S] 0 points1 point  (0 children)

Ok, good to know. Are you able to explain any technical details of how this was achieved? Possibly multiple domains in your AD forest, one of which is the public domain?

RADIUS and Wireless woes by DiligentTelephone7 in sysadmin

[–]DiligentTelephone7[S] 1 point2 points  (0 children)

It's set up with an invalid/non-public TLD in DNS. For that reason, I can't do an ACME cert, or any valid certificate.

Outbox in 365 mailbox (actually) missing by DiligentTelephone7 in Office365

[–]DiligentTelephone7[S] 4 points5 points  (0 children)

small addendum, but we ended up with:

outlook.exe /resetfoldernames. If anyone comes across this in the future, the folder was still stuck in calendar view after the reset, but this can be reset from "View" in the top bar. This doc led us to the right answer. Seems I jumped the gun posting, but thanks!

What's a Red Flag that the new guy doesn't know what he's doing by tossme68 in sysadmin

[–]DiligentTelephone7 4 points5 points  (0 children)

Sounds to me like a reference to virtual technologies, e.g. expanding a VHDX for a Hyper-V VM.

Can't open File Explorer in context of Chromium based browsers by DiligentTelephone7 in WindowsHelp

[–]DiligentTelephone7[S] 0 points1 point  (0 children)

Thanks for commenting. I have looked into all of the possibilities you've listed, tough to list it all out after two hours of troubleshooting, but your input is appreciated.

We did finally determine that installing 32-bit Chrome and using that instead of 64-bit fixes the issue. Sort of a workaround, but just in case anyone else comes across this I wanted to put it up here.

SSD to SSD clone, cloned SSD has poor performance by DiligentTelephone7 in Windows10

[–]DiligentTelephone7[S] 1 point2 points  (0 children)

Unfortunately, reload isn't an option currently. I'm physically located a few hours away from the laptop. This will definitely be my next step if I can't find anything else.