macOS 11.4 was released this week and one issue we have been dealing with and raised with Apple in December 2020 is finally fixed.
The Big Sur 11.4 release notes for Enterprise are as below the one we are interested in for this article is number 5.
- Using MDM to install software updates works more reliably on Mac computers with Apple silicon.
- Resolves an issue where first login with a mobile account does not create a login keychain.
- Setup Assistant no longer skips Location Services when account creation is skipped by MDM.
- App installations from MDM are no longer canceled during setup when the country is changed.
- Resolves an issue where DNS lookups may fail when using an authenticated proxy or a proxy configured with a PAC file.
- Resolves an issue where the Kerberos SSO extension may fail to renew credentials.
- Resolves an issue where iCloud Keychain sync could not be restricted by MDM.
- Resolves an issue where StorNext volumes from fsforeignservers file would not mount automatically.
This item refers to when a Profile is used to set a Proxy using a authenticate PAC URL. This worked fine in Catalina but in Big Sur when the Profile was used this then caused a failure to contact our internal domain name due to the DNS lookup issue it caused. This was easily demonstrated by pinging the domain and then adding and removing the Profile. With the Profile ping failed, without the Profile ping was successful. The same domain is also used for our SSO extension so we could not use a Profile until now to set the proxy.
The workaround was a bash script which was set to run via a Jamf policy at check-in or Network Change. The script ran through every network connection available and entered the PAC URL for the Automatic Proxy Configuration URL box.
As this item was still user editable (we don’t lock Network prefs to users) it could be removed by the user so hence why it was run on Check-in or Network Change and therfore added back in in case the user had taken it out. The reason they take out is the Proxy service we use can be dreadfully slow but it’s there to protect the device so is a Security requirement.
The issue here is the policy can run 100’s of times a day on a single device and each time it runs its recoded to the Jamf database, so it’s not efficient.
Now this is fixed we have gone back to a simple Profile configured in Jamf with a Proxy payload. This is silently deployed to Macs as they upgrade to 11.4 and the current Policy is excluded, this is all done using scoping in jamf to smart groups plus we have a clean-up script that removes the entry from the Network prefs as Profile settings are not shown in GUI. The change is totally seamless and users don’t even realise it’s happening.
It’s great to have this working again but its issues like this and the time to resolve especially when its a regression from a previous OS that slow down the roll out of each macOS release in Enterprise environments. With this fix plus the SSO fixes Big Sur now feels Enterprise ready but 7 months after release and two weeks before WWDC when we will no doubt hear about macOS 12.
