SurePath AI Proxy Integration for MacOS via Rippling
This document describes how to configure Rippling to distribute the SurePath AI proxy PAC URL and root CA certificate to MacOS devices. These two configurations are covered in the sections below. The configuration needed for Windows is considerably different and is covered in a separate document.
Supported platforms
MacOS 10.15 (Catalina) and later
About this document
This document covers creating the required policy that distributes the proxy configuration and the root CA certificate. It does not include steps on any other parts of the Rippling platform or cover how to enroll devices in Rippling.
The SurePath AI PAC file
SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending other traffic via their normal route.
The use of a PAC file also allows SurePath AI to update the list of generative AI domains. Most operating systems and browsers will request the PAC file every 1-2 hours, and if a new file can’t be retrieved, the current one will continue to be used.
The SurePath AI root CA certificate
Just like other network security and SASE vendors, certificate trust allows SurePath AI to intercept and apply policy to connections to generative AI websites. The SurePath AI root CA certificate needs to be trusted by all devices that need to be governed by SurePath AI.
Configuring Rippling for MacOS devices
All configuration in this section takes place within the Rippling admin dashboard located at https://app.rippling.com/dashboard and unless otherwise stated, all instructions start from this URL. You must ensure you are using an Admin account and not your Employee account. This can be verified by clicking on the user avatar in the upper-right-most area of the dashboard.
Prerequisites
The SurePath AI proxy PAC URL and root CA certificate needed for these steps can be downloaded from https://admin.surepath.ai:
Click the Organization menu, under the Configure section, on the left
Select the Integrations tab
The SurePath AI Root CA Certificate is available in the File Downloads section
Download the certificate using the CER option
The SurePath AI Proxy PAC URL is available in the Proxy and Provider URLs section
Copy the URL using the copy icon on the right side of the text box
Creating the Rippling configuration for MacOS proxy PAC URL distribution
In the left menu bar, navigate to IT > Devices
Click the Configurations tab at the top
Click the macOS library tab
In the list, either search or scroll to Global HTTP Proxy
Click the Create button on the right
On the new page, enter the following configuration values:
Enter a Configuration Name, such as SurePath AI Proxy PAC URL
Enter a Configuration description if desired
For Proxy Type, select Auto
Leave the Proxy Username and Proxy Password blank
For Proxy PAC URL, enter the URL retrieved in the prerequisite step above
Leave all other options unchecked
Click Save & continue
In the Deploy configuration modal, select Device
Add the devices that will be receiving this configuration
Click Deploy
Creating the Rippling configuration for MacOS root CA distribution
In the left menu bar, navigate to IT > Devices
Click the Configurations tab at the top
Click the macOS library tab
In the list, either search or scroll to Certificate Root
Click the Create button on the right
On the new page, enter the relevant configurations
Enter a Configuration Name, such as SurePath AI Root CA Certificate
Enter a Configuration description if desired
For Certificate Name, enter a label such as SurePath AI Root CA Certificate
Either drop or select the certificate that was retrieved in the prerequisite step above
Click Save & continue
In the Deploy configuration modal, select Device
Add the devices that will be receiving this configuration
Click Deploy
Verifying the SurePath AI integration
SurePath AI provides a tool for verifying that an endpoint is configured to properly integrate with SurePath AI's platform. After completing the steps above and verifying the configuration has been deployed to the desired devices, administrators can verify the integration by visiting https://ready.surepath.ai.
Interpreting results
A test will be run as soon as the page is loaded. If both tests show green Valid results, the endpoint is properly integrated and GenAI traffic originating from that endpoint will be processed by SurePath AI.
If the Certificate Trust test shows a red Invalid result, it means that the SurePath AI root certificate is not trusted by the device or browser. This could be the result of the certificate not being deployed to the device yet. Please check the device's local certificate trust store for the SurePath AI Root CA certificate. If the certificate has been deployed (and/or verified installed), it's possible the device might need to be restarted for the browser to read the newly added SurePath AI root CA certificate.
If the Network Configuration test shows a red Invalid result, it means that the SurePath AI platform is not receiving traffic from the endpoint. This is most likely due to the network configuration not being pushed to the device. Some browsers or applications, like Firefox, ignore system-level proxy settings and have internal proxy settings that will need to be configured separately from the system-level settings that are configured in this document.
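When either test shows Invalid, the two settings pushed by Rippling can also be checked locally on the Mac. The script below is an added example, not SurePath AI or Rippling tooling: it reads the output of macOS's `scutil --proxy` and compares it with the PAC URL that was deployed. The PAC URL and the sample output are constructed placeholders, and looking for the certificate in the System keychain is an assumption about where a device-level profile installs it.

```shell
#!/bin/sh
# pac_status EXPECTED_URL
# Reads `scutil --proxy` output on stdin and prints one of:
#   ok        PAC is enabled and points at EXPECTED_URL
#   disabled  no PAC is enabled (proxy configuration not applied yet)
#   mismatch  PAC is enabled but points at a different URL
pac_status() {
    awk -v want="$1" '
        $1 == "ProxyAutoConfigEnable"    { enabled = $3 }
        $1 == "ProxyAutoConfigURLString" { url = $3 }
        END {
            if (enabled != 1)     print "disabled"
            else if (url == want) print "ok"
            else                  print "mismatch"
        }'
}

# root_ca_present NAME
# Succeeds if a certificate whose common name contains NAME is in the
# System keychain (macOS only). NAME is the name shown on the downloaded
# CER file; the keychain path is an assumption, see the lead-in.
root_ca_present() {
    security find-certificate -c "$1" \
        /Library/Keychains/System.keychain >/dev/null 2>&1
}

# Constructed placeholder; use the URL copied in the prerequisite step.
SAMPLE_PAC_URL='https://pac.example.test/proxy.pac'

# Constructed sample in the layout `scutil --proxy` prints on macOS.
sample_scutil_output() {
    cat <<EOF
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : $SAMPLE_PAC_URL
}
EOF
}

# Demo on the sample above.
sample_scutil_output | pac_status "$SAMPLE_PAC_URL"
```

On a managed Mac, run `scutil --proxy | pac_status "<your PAC URL>"`. A `disabled` or `mismatch` result points at the Global HTTP Proxy configuration rather than the certificate.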
Please reach out to your SurePath AI account team if you have any questions or issues with the SurePath AI integration.