[GH-ISSUE #1306] [Feature] PAC file proxy auth (inc Jamf support) #1300

New issue

Open

opened 2026-03-03 19:50:13 +03:00 by kerem · 2 comments

kerem commented 2026-03-03 19:50:13 +03:00

Owner

Copy link

Originally created by @rtfmoz2 on GitHub (Jul 24, 2022).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1306

Originally assigned to: @NghiaTranUIT on GitHub.

Summary
PAC file proxy auth capability using provided credentials (typically AD) with option for using keychain for password (key icon next to pw field) so we can use credentials stored by Jamf Connect (Formerly NoMAD).

Implementation
One set of credentials (typically AD) can be specified for the PAC file as a username and password field. Next to the password field is a key icon. Clicking this brings up the dialogue to specify a keychain entry which the user selects and proxyman then tries to read the value and store a hash. Doing this triggers one-off MacOS keychain access prompts which the user should select always allow.

The PAC file is not modified. When proxyman encounters a 401 on the proxy connection it supplies the credentials stored locally or in the keychain case, the username locally and the password directly from the keychain value, updating its local hash as it does. If they fail, it marks the credentials as invalid so no other proxyman thread can use them. The main proxyman ui thread will updated the key icon when it sees this, such as overlaying a red circle with line through the key icon.

The user can unlock the failed password by changing it. In the case of the keychain the user can unlock by clicking the key icon (with a warning) however... the smart handling here is proxyman never stops reading the keychain value. Triggered by 401 authentication it reads the current value, computes the hash as normal but seeing it has been marked invalid will check if the hash value has changed before overwriting the old value. If changed it will attempt to use the new credentials once. If successful, mark it as valid and the processing is done. If not it will ignore the 401 response let go on it way back to the calling application.

Smart handling means proxyman can automatically detect and use any new user password as it is supplied directly from the keychain value. When it comes to invalid credential it wont cause user account lockouts because the first proxyman thread to encounter failed credentials will share that information so no other threads will attempt to authenticate using them. When the credentials are updated it will automatically detect, validate and use them without the need for any user intervention.

Benefits
Adding this feature allows proxyman to automatically pickup any password changes for the user via Jamf so they are never bothered again with proxy passwords. In a word, it's brilliant for Mac SOE enterprise deployments who want to utilise this product. Keep an eye out for other integration opportunities as well as there is more than one AD password management product for Mac environment.

Originally created by @rtfmoz2 on GitHub (Jul 24, 2022). Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1306 Originally assigned to: @NghiaTranUIT on GitHub. **Summary** PAC file proxy auth capability using provided credentials (typically AD) with option for using keychain for password (key icon next to pw field) so we can use credentials stored by Jamf Connect (Formerly NoMAD). **Implementation** One set of credentials (typically AD) can be specified for the PAC file as a username and password field. Next to the password field is a key icon. Clicking this brings up the dialogue to specify a keychain entry which the user selects and proxyman then tries to read the value and store a hash. Doing this triggers one-off MacOS keychain access prompts which the user should select always allow. The PAC file is not modified. When proxyman encounters a 401 on the proxy connection it supplies the credentials stored locally or in the keychain case, the username locally and the password directly from the keychain value, updating its local hash as it does. If they fail, it marks the credentials as invalid so no other proxyman thread can use them. The main proxyman ui thread will updated the key icon when it sees this, such as overlaying a red circle with line through the key icon. The user can unlock the failed password by changing it. In the case of the keychain the user can unlock by clicking the key icon (with a warning) however... the smart handling here is proxyman _never stops_ reading the keychain value. Triggered by 401 authentication it reads the current value, computes the hash as normal but seeing it has been marked invalid will check if the hash value has changed before overwriting the old value. If changed it will attempt to use the new credentials once. If successful, mark it as valid and the processing is done. If not it will ignore the 401 response let go on it way back to the calling application. Smart handling means proxyman can automatically detect and use any new user password as it is supplied directly from the keychain value. When it comes to invalid credential it wont cause user account lockouts because the first proxyman thread to encounter failed credentials will share that information so no other threads will attempt to authenticate using them. When the credentials are updated it will automatically detect, validate and use them **_without the need for any user intervention._** **Benefits** Adding this feature allows proxyman to automatically pickup any password changes for the user via Jamf so they are never bothered again with proxy passwords. In a word, it's brilliant for Mac SOE enterprise deployments who want to utilise this product. Keep an eye out for other integration opportunities as well as there is more than one AD password management product for Mac environment.

kerem added the

Feature request

label 2026-03-03 19:50:13 +03:00

kerem commented 2026-03-03 19:50:14 +03:00

Author

Owner

Copy link

@NghiaTranUIT commented on GitHub (Jul 24, 2022):

Thanks, for such a detailed feature request @rtfmoz2 🙇

As a previous conversation, I researched how to tackle this feature, but the effect is enormous and not suitable for the current milestone. I will add this feature to the backlog list and wait for my requests on this feature.

If it's good, our team would consider supporting it 👍

<!-- gh-comment-id:1193262573 --> @NghiaTranUIT commented on GitHub (Jul 24, 2022): Thanks, for such a detailed feature request @rtfmoz2 🙇 As a previous conversation, I researched how to tackle this feature, but the effect is enormous and not suitable for the current milestone. I will add this feature to the backlog list and wait for my requests on this feature. If it's good, our team would consider supporting it 👍

kerem commented 2026-03-03 19:50:14 +03:00

Author

Owner

Copy link

@rtfmoz2 commented on GitHub (Mar 3, 2023):

The password validation was just a concept. The above was an "ideal" scenario. You could do the check at the time of macOS proxy override instead. Then it can be far simpler to implement.

<!-- gh-comment-id:1454176242 --> @rtfmoz2 commented on GitHub (Mar 3, 2023): The password validation was just a concept. The above was an "ideal" scenario. You could do the check at the time of macOS proxy override instead. Then it can be far simpler to implement.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

6.9.0

6.8.0

6.7.0

6.6.0

6.5.0

6.4.0

6.3.0

6.2.0

6.1.0

6.0.2

6.0.0

6.0.1

5.25.0

5.24.0

5.23.0

5.23.1

5.22.0

5.20.0

5.21.0

5.19.0

5.18.0

5.17.0

5.16.0

5.15.0

5.14.0

5.12.2

5.12.1

5.12.0

5.11.0

5.10.0

5.8.0

5.9.0

5.7.0

5.6.1

5.6.0

5.5.0

5.4.0

5.2.0

5.3.0

5.1.1

5.0.0

4.16.0

4.15.0

4.14.0

4.13.0

4.12.0

4.11.0

4.10.0

4.9.1

4.9.0

4.8.2

4.8.1

4.8.0

4.7.1

4.7.0

4.6.1

4.6.0

4.5.0

4.4.0

4.3.1

4.3.0

4.2.1

4.2.0

4.1.0

4.0.0

3.15.0

3.14.0

3.13.0

3.12.0

3.11.0

3.10.0

3.9.0

3.8.0

3.7.0

3.6.2

3.6.1

3.6.0

3.5.2

3.5.1

3.5.0

3.4.0

3.3.0

3.2.0

3.1.0

3.0.0

2.35.4

2.35.3

2.35.2

2.35.1

2.35.0

2.34.1

2.34.0

2.33.0

2.32.1

2.32.0

2.31.0

2.30.0

2.29.0

2.28.0

2.27.0

2.26.0

2.25.0

2.24.0

2.23.0

2.22.0

2.21.1

2.21.0

2.20.0

2.19.0

2.18.0

2.17.0

2.16.1

2.16.0

2.15.2

2.15.1

2.15.0

2.14.2

2.14.1

2.14.0

2.13.0

2.12.0

2.11.1

2.11.0

2.10.0

2.9.1

2.9.0

2.8.0

2.7.0

2.6.0

2.5.3

2.5.2

2.5.1

2.5.0

2.4.2

2.4.1

2.4.0

2.3.0

2.2.0

2.1.1

2.1.0

2.0.1

2.0.0

1.24.0

1.23.0

1.22.0

1.21.0

1.20.0

1.19.0

1.18.1

1.18.0

1.17.1

1.17.0

1.16.0

1.15.0

1.14.1

1.14.0

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.7

1.4.6

1.4.5.1

1.4.5

1.4.4.1

1.4.4

1.4.3

1.4.2

1.4.1.1

1.4.1

1.4

1.3.9

1.3.8

1.3.7

1.3.6

1.3.5

1.3.4.3

1.3.4.2

1.3.4.1

1.3.4

1.3.3

1.3.2

1.3.1

1.3

1.2

1.1.2

1.1.1

1.1

1.0.3

1.0.2

1.0

0.8.1

0.8

0.7

0.6

0.5.1

0.5

v0.4.1

Labels

Clear labels   

Discussion

  

Feature request

  

In Progress...

  

Plugins

  

Waiting response

  

Windows

  

Windows

  

bug

  

duplicate

  

enhancement

  

feature

  

good first issue

  

iOS

  

macOS 10.11

  

question

  

wontfix

  

✅ Done

No labels

Discussion

Feature request

In Progress...

Plugins

Waiting response

Windows

Windows

bug

duplicate

enhancement

feature

good first issue

iOS

macOS 10.11

question

wontfix

✅ Done

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/Proxyman#1300

No description provided.