Many customer environments have proxies enabled in their networks to ensure devices on the company network cannot navigate directly to resources and must use the proxies to reach different internal resources or reach out to the internet. Proxies can inspect traffic to ensure devices don’t navigate to unsafe URLs and there is no sensitive data from devices which leaves the network. Proxy configurations on a device can be of three types -
- Statically defined using a server and port,
- PAC URL based where an auto-config script is hosted on an internal URL and
- DHCP based where the proxy settings are auto-detected on the network
This article describes the challenges with Windows 10 Management in a proxy enabled environment and the solution which has been created to address the challenges.
Windows 10 MDM is designed to manage devices which are directly connected to the internet and can check-in to the MDM Server. Proxy based enrollment is not fully supported as per the documentation from Microsoft available here.
Windows native MDM enrollment runs in the system context. As a result, standard enrollment on a Windows 10 device does not work in a network with WinINET proxy configured on the device. WinINET only applies in the user context and is not available to system apps.
After enrollment is complete, a different Windows component is used for app downloads. The app download component requires the BITS (Background Intelligent Transfer Service) to be configured as it also runs in the system context.
The AirWatch Unified Agent is aware of both the user context and the system context. An enhancement was made in the Agent version 9.4.0 where the agent can use the configurations from the WinINET proxy settings to successfully enroll a device in a proxy enabled environment.
The agent can be made proxy aware by setting the registry key below.
Under the Registry Location [HKEY_LOCAL_MACHINE\SOFTWARE\AIRWATCH\Feature]
Create and set the key "DiscoverProxy"="True"
Please note this setting will be enabled by default in a future release of the agent. When this value is set the agent will look for the proxy configurations and use them if a setting is found. This will not have an impact if the proxy settings are not configured.
For applications to successfully download, customers must configure the Microsoft BITS service as the Agent cannot set proxy for app downloads via the Microsoft BITS service. The recommended tool to set this is using the BitsAdmin tool.
Note: The BitsAdmin tool is maintained and published by Microsoft and is subject to change.
Depending on the kind of proxy configuration required for the customer, admins should run the corresponding command on the devices. The commands are as follows:
To set the bits admin for a specific server address and port:
bitsadmin /Util /SetIEProxy localsystem MANUAL_PROXY http://<ServerAddress>:PORT <BYPASSLIST>
To set the bits admin tool to work for PAC URL:
bitsadmin /Util /SetIEproxy localsystem AUTOSCRIPT http://<PacUrlHostServer>/proxy.js.
To set the bits admin for a DHCP network config:
bitsadmin /Util /SetIEProxy localsystem AUTODETECT
We are working with Microsoft to release automatic support for proxy enabled application downloads in a future version of Windows.
For management to work in a proxy enabled environment, customers should configure the WinINET settings on a device before enrollment is started. Customers should ensure they are on a minimum Agent version of 9.4.0 and set the DiscoverProxy registry setting to True.
Additionally, administrators should run the BitsAdmin tool with one of the commands mentioned above to enable software downloads to work. Once these steps have been completed, all components on the device are proxy aware and can be managed in a proxy enabled environment.
If Microsoft makes any changes to the proxy behavior in future versions of Windows, these instructions are subject to change.
Support Contact Information
The VMware Workspace ONE Team
Other Languages: 日本語