the_rock
Advisor

https inspection not working on mac machines

Hey guys,

I hope someone might have some experience with this. I have a case in escalation for more than a month now and we have not gotten closer to solving this. Here is what happened...we enabled HTTPS inspection, created a cert (validity of 10 years), installed it on a few Windows machines, works like a charm, users are blocked based on access roles assigned in URL rules...BUT, on Mac, once we import the cert into the system keychain, it works for say a few hours, then with no changes, stops the next day. We tried different OS versions, different machines, no luck.

I even called Apple support, but they were not much help at all. They did try a few things, such as deleting and re-importing the cert, but no dice.

If anyone has experienced the same issue before, please feel free to share any suggestions. The real issue is that when this happens, the pdp monitor command on the FW ONLY shows the machine identity and NOT the user, though nothing on the AD server would have changed at all.

Very frustrating...

Andy

5 Replies
PhoneBoy
Admin

I vaguely remember something about macOS (and possibly others) not trusting newly created certs that have a validity longer than 13 months.
Turns out, I remember correctly: https://www.theregister.com/2020/02/20/apple_shorter_cert_lifetime/

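A quick way to verify whether an inspection certificate falls outside the 13-month (398-day) lifetime the linked article describes, as an added example that is not part of this thread: it reads the notBefore/notAfter dates with openssl and compares the span to the limit. It assumes openssl is installed and that date is either GNU date (-d) or BSD/macOS date (-j -f); the file names and the constructed test certificates are mine.

```shell
#!/bin/sh
# Added example (not from the thread): measure an X.509 certificate's validity span
# and flag anything longer than the 398-day (13-month) limit cited in the article.
# Assumes: openssl on PATH; GNU date (-d) or BSD/macOS date (-j -f) for parsing.

LIMIT_DAYS=398

# Convert an openssl date string such as "Jan  1 00:00:00 2024 GMT" to epoch seconds.
# Tries GNU date first, then the BSD/macOS form.
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null || date -j -u -f "%b %e %T %Y %Z" "$1" +%s
}

# Print the validity span, in whole days, of the PEM certificate in file $1.
cert_validity_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate   | sed 's/^notAfter=//')
    echo $(( ($(to_epoch "$na") - $(to_epoch "$nb")) / 86400 ))
}

# Return 0 when the certificate lifetime is within LIMIT_DAYS, 1 when it exceeds it.
check_cert_lifetime() {
    days=$(cert_validity_days "$1")
    if [ "$days" -gt "$LIMIT_DAYS" ]; then
        echo "$1: valid for $days days, exceeds the $LIMIT_DAYS-day limit" >&2
        return 1
    fi
    echo "$1: valid for $days days, within the $LIMIT_DAYS-day limit"
    return 0
}

# Constructed sample generator: a self-signed cert written to $1 with a $2-day lifetime
# (e.g. 3650 days to mimic the 10-year cert described in the thread).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
        -days "$2" -subj "/CN=https-inspection-test" >/dev/null 2>&1
}
```

Run it against the exported inspection CA (or any cert the gateway issues) with `check_cert_lifetime /path/to/cert.pem`; a non-zero exit means the lifetime exceeds the limit.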
the_rock
Advisor

Thanks D. Well, the weird thing is that I even called Apple support and asked them about validity and they said it's not an issue. Plus, this happens on all browsers, not just Safari. That article only mentions the Safari browser, NOT Chrome or Firefox.

Andy

PhoneBoy
Admin

Pretty sure even in Chrome the Mac still uses the same certificate store.
Also I believe Chrome has or will make a similar requirement.

the_rock
Advisor

According to a senior Apple advisor, it's not applicable to any other browser.

the_rock
Advisor

Also, to add another thing...we did end up using the Identity Agent for Mac and, fingers crossed, it's working for now, but we will need to monitor it for a while.
