Proxy Settings in Profile Manager

It does not answer your specific question but I would say in general that the best way to push proxy settings is as follows.

1. Set up a DHCP option code 252 to define the address of a web server that 'serves' a proxy.pac aka. wpad.dat file
2. Optionally define a DNS record for your internal network, this could be an A record but more typically would be a CNAME and would be for wpad.yourdomain.com
3. Create a proxy.pac aka. wpad.dat file
4. Make the proxy.pac aka. wpad.dat file available via an internal web-server and in view of 2. above ideally via the address http://wpad.yourdomain.com/wpad.dat

Note: the proxy.pac file not only contains the address of your proxy server but also rules about which sites can bypass the proxy server, and sites that can go via the proxy server but bypass authentication.

The above is for a network standard called WPAD - Web Proxy Auto Discovery which was originally devised by Microsoft and originally incorporated in Internet Explorer. The advantage of this approach is that if you take a laptop out of the office it does not need reconfiguring to not use your LAN proxy server any more.

As it happens I got Apple to add support not only for defining DHCP option codes in their own DHCP server and hence being able to define option 252 needed for this purpose, but I also separately got Apple to add support in OS X to act as a client for WPAD to 'learn' what proxy server to use. Apple call this 'Auto Proxy Discovery' in their Proxies tab in Network Settings.

For more details about WPAD see this article - https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

For more details about the actual PAC configuration file see - https://en.wikipedia.org/wiki/Proxy_auto-config the proxy.pac and wpad.dat files are really the exact same thing.

Note: The authentication settings are not provided via WPAD. It is either possible to not use any authentication requirement at all, or if you do what will happen is that the first time the user gets asked a dialog is presented asking for the username/password and this is then saved in the users login keychain - if your using Safari and/or other Apple applications. If your using Firefox it stores it itself. This is a per-user setting so another user even on the same Mac would get asked for their own authentication details.

Hey John,

I'm trying to push out a proxy pac file via DHCP from an Apple server to Apple devices (iOS and OS X) and all I seem to come across is your stuff! Well done getting apple to add support for this on OS X Server. I see from your posts that we need to edit the bootpd.plist and add an option for 252. Here's the problem. I don't know the code and/or syntax to add this to the plist file. We have a pac file hosted on a 3rd party server that's all ready to go, so presumably all I need the DHCP to push out is the URL to the file but I can't find how to write the code into the file, where to add the code into the file, and what the exact syntax should be. I found an old article that looks something like this:

<string>dhcp_option_120</string>

<data>

192.168.210.7

</data>

I tried to add this into the plist file but it did not work:

<string>dhcp_option_252</string>

<data>

"our pac file url"

</data>

I contacted Apple enterprise support and the tier 2 tech said that I can either figure it out on my own or it will cost $700 to escalate it to engineering b/c he did not know how to edit that file either. Any thoughts and/or help will be greatly appreciated.

Thank you!

According to the man page for bootpd it should in many cases auto detect the format of the data in a DHCP Option code and then automatically process it to the right format, e.g. for an IP address it should be sent over the network as four bytes in hexadecimal format. Based on this in theory the following would be used

<key>dhcp_option_120</key>

<string>192.168.210.7</string>

However at least in the early days I found this did not seem to work and the only format that worked was

<key>dhcp_option_120</key>

<data>

wKjSBw==

</data>

Where the value is processed and then encoded in Base64 format.

This is why I ended up writing my DHCP Option Code Utility to do this conversion process for each type of possible value. The above is the encoded version of 192.168.210.7

You would therefore do the same for the URL for accessing the PAC file. Remember you need the PAC file to be available via a web-server - hence the URL.

See http://jelockwood.blogspot.co.uk/2013/06/dhcp-server-on-os-x-server.html

Based on your last message you want to define DHCP Option 120 as type IP Address and DHCP Option 252 as type String - not null terminated string.

Thank you for the quick response! I'm sorry if I rambled on and didn't clearly state what I am trying to do. Ultimately all I need to use is the option 252. I only added the code for the 120 option as an example b/c it was the only line of code I found on the web. So to be clear all I want to do is push out a URL that defines the location of our proxy pac file via DHCP on the apple server.

I will most certainly try and use your utility. After using the utility and get the line(s) of code that I need to enter into the bootpd file, does it matter where in the file I enter the code? We currently have 2 separate sections for 2 VLANS. As of now I only need to add this option 252 to one of the VLANS. So do I just stick the code from your utility amongst the other lines of code for that VLAN?

Thank you!

It would be in one of the subnet sections i.e. the one for the VLAN in question. It would therefore be something like

<key>Subnets</key>
<array>
    <dict>
          <key>allocate</key>
          <true/>
          <key>dhcp_option_252</key>
          <data>
          ??????????????????
          </data>
          <key>dhcp_domain_name_server</key>
          <array>
              <string>192.168.210.7</string>
          </array>

etc.

Fantastic. I will try it later this afternoon after all the students leave campus in case I mess up the DHCP server settings for that VLAN. I will post back asap!

Thank you sir!

Well I entered the code into the bootpd.plist file, restarted the DHCP service on the server, and turned off/on wifi on the ipad and it did not work.

I tried to enter both of these into the file and neither worked. Here's what I entered first using your utility and selecting string:

<key>dhcp_option_252</key>

<data>

aHR0cDovL3VzZWFzdC13d3cuc2VjdXJseS5jb20vcGYvbGVlc2NvdHRfaXBhZC5w

YWM=

</data>

Then I tried to do it using our pac file with out encoding it and this is what I entered:

<key>dhcp_option_252</key>

<string>http://www.XXX.XXX.XXX.pac</string>

Neither of these options worked. I also did a test of another section of our code that we are not using and it had generic info in the code that was already there. Here is what the section I edited turned out like in the bootpd file. Notice that I changed the string value to cory.cory.cory just to test:

<key>dhcp_domain_name</key>

<string>cory.cory.cory</string>

After modifing this section in the bootpd file, and restarting the service the iPad DID get this information. It reported cory.cory.cory under the "search domains" section. So I'm not sure if the option 252 just isn't working or I'm entering something incorrectly. I'm sure it's the latter.

Thank you!

I have not tested this with recent versions of Server.app so it could be Apple have foolishly broken it even though the man page still says it does it. However there is something else that might help and/or explain it as well.

As you will have seen there are various built-in DHCP options like dhcp_domain_server and dhcp_domain_name and in fact DHCP Option 252 is now also a built-in accessible by name option. It could be that because it is available via a specific name it rejects it if using an equivalent generic number option. Therefore try the following format.

<key>dhcp_proxy_auto_discovery_url</key>

<string>http://192.168.16.1/proxy.pac</string>

Not only have I not needed any DHCP Option codes in my current job but I no longer use Apple's DHCP server myself, I use a network firewall which can do this and it has a web interface for simply adding DHCP option codes rather than Apple's unique approach.

For iOS you need to make sure http proxy is set to Auto and leave the URL empty for it to use auto discovery, the default is off. This is done per WiFi network i.e. Work, Guest, Starbucks would be three different WiFi networks each of which needs this setting done if you want to use it on that specific WiFi. It might be worth looking at this WPAD Auto Proxy Discovery - broken on iOS 4.2.1 ? it is old so it may no longer apply but consider it as another possibility. Hmm, another article aimed more at Macs but seems to give more background to what seems to be the same issue. See http://forums.macrumors.com/threads/auto-proxy-config-not-fetching-wpad-dat.9917 81/

Maybe using a null-terminated string from my utility would be an option.

I did actually try to replace the dhcp_option_252 with the full statement of dhcp_proxy_auto_discovery_url and it did not work. I will try it again.

I do have the ios devices set to proxy "auto" and leave it empty. I will also try the other possible solutions listed in the articles as well as trying to use a null-terminated string from your utility.

Thank you for all the help thus far; I'll keep you posted...

Well I could never get any of the commands to push out the proxy pac file. I will keep trying and see if I can figure out anything else. Let me know if you have any other ideas, John! Thank you for the help!

I have seen a problem when proxies are setup in an OSX Network system pref and then Proxies are pushed via Profile Manager and the client's proxy settings are completely screwed up and nothing I tried fixed it apart from reimaging.