Configuring a global HTTP proxy policy

By imposing a global HTTP proxy policy on supervised iOS 6 through iOS 9.3 devices, you can ensure that HTTP traffic is redirected to the proxy server you specify. You can manually enter the proxy server URL and port number, or the URL for the relevant PAC (proxy auto-configuration) file, which automatically determines the correct proxy server to use for a given URL. If the policy does not include a URL to the PAC file, then the policy uses WPAD (web proxy auto-discovery) to attempt to locate the PAC file.

The global HTTP proxy policy can include two features that provide solutions on-the-fly for when devices cannot access the proxy server:

  • Direct connection: For circumstances where the PAC file is unreachable, you can specify that the policy create a direct connection to the requested URL, bypassing the proxy server altogether. This option applies only to automatic proxy connections.
  • Proxy bypass: You can configure the policy to bypass the proxy server altogether when a device attempts a connection to a captive network such as a wifi hotspot at a coffee shop or a hotel. Selecting this option allows the device to connect directly to the captive network. Device users establish uninterrupted wifi internet access by logging in through the captive portal before the policy redirects them to the proxy server.

If your organization uses a proxy server to provide data leak protection or content filtering, for example, a global HTTP proxy policy allows you to direct HTTP traffic to and from supervised iOS 6 through iOS 9.3 devices to the proxy server of your choice.

The direct connection and proxy bypass features allow supervised iOS 7 through iOS 9.3 devices to continue accessing the internet even if:

  • The PAC file referenced in their global HTTP proxy policy is unavailable

    OR

  • They must first log in to a captive portal before accessing a wifi hotspot.

The direct connection and proxy bypass options apply only to supervised iOS 7 through iOS 9.3 devices.

IMPORTANT: Confirm that you have specified the correct proxy information and that the proxy is reachable. An invalid or unreachable proxy server will make the device unreachable over the network. In this case, physical access is required to reset the device.

Procedure 

  1. Go to Policies & Configs > Policies.
  2. Select Add New > iOS and macOS > iOS Only > Global HTTP Proxy.
  3. In the New Global HTTP Proxy Policy dialog box, use the guidelines in Global HTTP Proxy Policy to complete this form.
  4. Click Save.
  5. Apply the policy to the appropriate labels.

Global HTTP Proxy Policy

Below are the setting definitions for the New Global HTTP Proxy Policy dialog box.

Table 33.  Global HTTP proxy policy

| Items | Description |
|---|---|
| Name | Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type. Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries. |
| Status | Select Active to turn on this policy. Select Inactive to turn off this policy. Why: Use the Status feature to turn a policy on or off across all phones affected by it. The policy definition is preserved in case you want to turn it on again. |
| Priority | Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type. |
| Description | Enter an explanation of the purpose of this policy. |
| Proxy Type: Manual | |
| Manual | If you select Manual, specify the proxy server address and port through which all HTTP traffic will be directed. Optionally, enter values for the username and password used for devices to authenticate with the proxy server. If you do enter a value for the password, go to Settings > System Settings > Users & Devices > Registration > Save User Password Preferences and select Save User Password. If you do not enter values for the proxy server username and password, supervised device users will need to enter a username and password every time they access the proxy server. |
| Proxy Server | Enter the network address for the proxy server. |
| Proxy Server Port | Enter the port number for the proxy server. |
| User Name | Optional. Enter the user name for authenticating with the proxy server. You can use any of the following variables for the username value: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$. You can also combine text with variables, such as $USERID$:$USER_CUSTOM1$ or $USERID$_$USER_CUSTOM1$. Custom attribute variable substitutions are supported. |
| Proxy Password | Optional. Enter the password for authenticating with the proxy server. You can use any of the following variables for the password value: $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$. You can also combine text with variables, such as $PASSWORD$:$USER_CUSTOM1$ or $PASSWORD$_$USER_CUSTOM1$. Custom attribute variable substitutions are supported. |
| Allow bypassing proxy to access captive networks | Selecting this feature allows the device to display the login page for captive networks (such as a LAN at a coffee shop which customers access through wifi), bypassing the proxy server altogether. Deselected by default. This feature applies only to iOS 7 through iOS 9.3 devices. |
| Proxy Type: Auto | |
| Auto | If you select Auto, enter the URL of the PAC (proxy auto-configuration) file, which specifies the location of the proxy server. The PAC file enables web browsers and user agents to automatically select the correct proxy server for any requested URL. |
| Proxy PAC URL | Optional. Enter the URL for the proxy auto-configuration (PAC) file. If you leave this field blank, the device will use the web proxy auto-discovery (WPAD) protocol to guess the location of the PAC file. |
| Allow direct connection if PAC is unreachable | Selecting this feature allows the supervised device to access the requested URL directly (without the proxy server), if the proxy auto-configuration file cannot be reached. Deselected by default. This feature applies only to iOS 7 through iOS 9.3 devices. |
| Allow bypassing proxy to access captive networks | Selecting this feature allows the device to display the login page for captive networks (such as a LAN at a coffee shop which customers access through wifi), bypassing the proxy server altogether. Deselected by default. This feature applies only to iOS 7 through iOS 9.3 devices. |

  • “Impact to tunneling when using a global HTTP proxy” in the AppConnect Guide for EPMM.
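
A pre-flight check for the settings described above, as an added example that is not part of the original guide or of EPMM: it lints a policy against the variables the table lists for the username and password fields, flags the options that let traffic skip the proxy, and tests that the proxy accepts TCP connections, which the IMPORTANT note asks you to confirm before saving. The dictionary keys (`type`, `server`, `port`, `pac_url`, `direct_if_pac_unreachable`, `captive_bypass`) and the host name are assumptions made for the example.

```python
import re
import socket
from urllib.parse import urlparse

# Variables the page lists for each field; anything else is flagged.
CUSTOM = {f"$USER_CUSTOM{i}$" for i in range(1, 5)}
ALLOWED = {"username": {"$USERID$", "$EMAIL$"} | CUSTOM,
           "password": {"$PASSWORD$"} | CUSTOM}
VAR_RE = re.compile(r"\$[A-Z0-9_]+\$")

def lint_policy(p):
    """Return findings for a policy dict (hypothetical keys, not an EPMM format)."""
    out = []
    if p.get("type") == "Manual":
        port = p.get("port")
        if not p.get("server"):
            out.append("ERROR: Proxy Server is empty")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            out.append(f"ERROR: Proxy Server Port {port!r} is not in 1-65535")
        for field in ("username", "password"):
            for var in VAR_RE.findall(p.get(field) or ""):
                if var not in ALLOWED[field]:
                    out.append(f"ERROR: {var} is not listed for the {field} field")
    elif p.get("type") == "Auto":
        pac = urlparse(p.get("pac_url") or "")
        if not p.get("pac_url"):
            out.append("WARN: no PAC URL, device will use WPAD to find the PAC file")
        elif pac.scheme not in ("http", "https") or not pac.hostname:
            out.append("ERROR: PAC URL is not an http(s) URL with a host")
        if p.get("direct_if_pac_unreachable"):
            out.append("WARN: traffic bypasses the proxy when the PAC file is unreachable")
    else:
        out.append("ERROR: Proxy Type must be Manual or Auto")
    if p.get("captive_bypass"):
        out.append("WARN: captive network logins bypass the proxy")
    return out

def proxy_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Constructed sample: port out of range, $PASSWORD$ used in the username field.
    sample = {"type": "Manual", "server": "proxy.example.com", "port": 80800,
              "username": "$PASSWORD$", "password": "$PASSWORD$_$USER_CUSTOM1$"}
    for finding in lint_policy(sample):
        print(finding)
```

Run `proxy_reachable` from a network the devices actually use; a proxy that answers only from the administrator's workstation still leaves the device cut off once the policy is applied.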