
Jamf Pro - Distributing Configuration for Apple devices

This article describes how to integrate Apple devices with SurePath AI using the Jamf Pro platform

Updated over 3 weeks ago

About this document

This document covers creating the required policy that distributes the proxy configuration and the root CA certificate via the Jamf Pro platform. It does not include steps on any other parts of the Jamf platform including initial Jamf configuration or device enrollment.

Prerequisites

Supported platforms

  • macOS 12 and later

  • iPadOS 16 and later

  • iOS 16 and later

Downloading the MDM files

The MDM deployment files are available from the Proxy Connector configuration page in the SurePath AI admin interface.

  • Click Connectors in the CONFIGURE section

  • Select an existing Proxy connector or click ADD CONNECTOR to create a new one

  • If creating a new connector, provide a descriptive name and select Proxy as the connector type, then click SAVE

  • From the connector details page, download the MDM files for your environment using the DOWNLOAD button in the MDM Files section

The downloaded ZIP file contains deployment files for both Windows and Apple platforms. For Jamf Pro deployments, the following Apple configuration profiles are available:

  • Apple iOS/iPadOS: Configuration profile (surepath.ai.ios.mobileconfig) for any Apple MDM

  • Apple macOS: Configuration profiles for any Apple MDM (surepath.ai.macos.mobileconfig) and JAMF-specific profiles with user identification (surepath.ai.macos.jamf.email.mobileconfig, surepath.ai.macos.jamf.udid.mobileconfig)

The SurePath AI PAC file

SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending all other traffic via its normal route.

The use of a PAC file also allows SurePath AI to update the list of generative AI domains centrally. Most operating systems and browsers re-request the PAC file every 1-2 hours; if a new file can’t be retrieved, the current one continues to be used.
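The routing behaviour described above, shown as an added illustrative PAC file. This is not the PAC file SurePath AI actually serves; the proxy hostname and port, the domain list and the helper names are constructed placeholders chosen for this example. A PAC file is plain JavaScript that the operating system or browser fetches and then calls FindProxyForURL(url, host) for every connection, so the same file runs unchanged under Node for testing.

```javascript
// Added example, not SurePath AI's PAC file. Proxy endpoint and domain
// list are constructed placeholders. Written in ES3-style JavaScript
// because several PAC engines (notably WinHTTP's JScript) lack ES6 methods.

// Constructed list of generative AI domains whose traffic should be
// proxied. Each entry covers the apex domain and every subdomain of it.
var GENAI_DOMAINS = [
  "chat.genai-example.com",
  "genai-example.org",
  "assistant-example.net"
];

// Placeholder proxy directive (assumption; the real value is part of the
// downloaded configuration). Note there is deliberately no "; DIRECT"
// fallback appended: see the usage note below.
var GENAI_PROXY = "PROXY proxy.placeholder.surepath.example:8080";

// True when host equals domain or is a subdomain of it. The leading dot in
// the suffix check prevents "notgenai-example.org" from matching
// "genai-example.org". DNS names are case-insensitive, so lower-case both.
function matchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) {
    return true;
  }
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.slice(host.length - suffix.length) === suffix;
}

// Entry point every PAC runtime calls. "DIRECT" means connect without a
// proxy. Only hosts on the GenAI list receive the proxy directive;
// unqualified intranet names, loopback and everything else go direct.
function FindProxyForURL(url, host) {
  if (host.indexOf(".") === -1 || host === "localhost" ||
      host === "127.0.0.1" || host === "::1") {
    return "DIRECT";
  }
  for (var i = 0; i < GENAI_DOMAINS.length; i++) {
    if (matchesDomain(host, GENAI_DOMAINS[i])) {
      return GENAI_PROXY;
    }
  }
  return "DIRECT";
}
```

Two design choices matter for a governance proxy. First, the proxy directive is returned without a trailing "; DIRECT": a PAC return value such as "PROXY host:port; DIRECT" tells the client to fall back to a direct connection when the proxy is unreachable, which would silently bypass policy for GenAI hosts, so the example fails closed for those hosts and direct for all others. Second, the domain match requires an exact apex or a dot-delimited subdomain; a naive substring or endsWith check without the dot would route look-alike domains through the proxy or, worse, miss hosts the list was meant to cover.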

The SurePath AI root CA certificate

As with other network security and SASE vendors, SurePath AI relies on certificate trust to intercept and apply policy to connections to generative AI websites. The SurePath AI root CA certificate must therefore be trusted by every device that is to be governed by SurePath AI.

User identification and policy application

Organizations can deploy SurePath AI proxy configurations through standard Apple configuration profiles. However, basic configuration profiles typically set a PAC URL without user-specific identifiers, which means all traffic from a device is associated only with the Proxy Connector itself. This approach is known as Connector authentication, where SurePath AI can identify which connector the traffic came from but cannot distinguish between individual users on shared devices or associate native application traffic with specific users.

The JAMF-specific SurePath AI configuration profiles enhance this capability by including unique identifiers in the PAC URL. These profiles leverage JAMF payload variables to include user email addresses or device UDIDs. Organizations deploying through JAMF should use one of these JAMF-specific profiles rather than the basic profile. When email addresses are included in the PAC URL, SurePath AI can immediately identify users and attribute their traffic without requiring any additional steps. When device UDIDs are used as the unique identifier, SurePath AI can associate traffic with users after they sign in to a GenAI service for the first time, enabling ongoing identification of all traffic from that unique identifier.

This improved user identification provides several operational benefits. First, it significantly reduces instances of Connector authentication in User Activity logs, making it easier for admins to audit and report on individual user behavior. Second, it enables more granular policy application based on user identity rather than just device or connector identity. This is particularly valuable for organizations that need to apply different policies to different users or groups, as SurePath AI can enforce user-specific or group-specific policies even for traffic that would otherwise only be identifiable at the connector level.

Configuring Jamf Pro

SurePath AI provides Apple configuration profile (mobileconfig) files that can be deployed through Jamf Pro to configure proxy settings and certificate trust. These files are available from the Proxy Connector configuration page in the SurePath AI Admin UI.

JAMF-specific configuration profiles

For organizations using JAMF Pro, SurePath AI provides configuration profiles that leverage JAMF payload variables to include user-specific identifiers in the PAC URL. These profiles enable user-level traffic attribution without requiring users to authenticate.

The following JAMF-specific profiles are available for macOS devices:

Profile                                     Platform   Identifier Type   JAMF Variable
surepath.ai.macos.jamf.email.mobileconfig   macOS      User email        $EMAIL
surepath.ai.macos.jamf.udid.mobileconfig    macOS      Device UDID       $UDID

When JAMF deploys these profiles, it automatically substitutes the payload variables with actual values:

  • Email identification ($EMAIL): JAMF replaces this variable with the user's email address from JAMF's user records. This enables SurePath AI to immediately identify users and apply user-specific and group-specific policies from the first request.

  • UDID identification ($UDID): JAMF replaces this variable with the device's unique identifier, so all traffic from that device carries the same identifier. After a user signs in to a GenAI service for the first time, SurePath AI associates that identifier with the user, enabling ongoing identification of traffic from that device. This approach ensures users sign in before their activity is attributed to them.

Organizations should use one of these JAMF-specific profiles rather than the basic profile without variables. The choice between email and UDID depends on organizational requirements. Security-focused organizations may prefer UDID-based identification because it requires users to sign in before their traffic is associated with their identity. Email-based identification provides immediate user recognition and policy application, which can streamline the user experience when user email information is reliably available in JAMF.

For iOS and iPadOS devices, use the standard surepath.ai.ios.mobileconfig profile, which configures proxy settings without user-specific identifiers.

Creating the Configuration Profile for macOS devices in Jamf Pro

  • Log in to the Jamf Pro web interface

  • Browse to Computers on the left

    • Click on Configuration Profiles under Content Management

  • Click Upload in the upper-right area of the pane

  • In the Upload OS X Configuration Profile modal, click the Choose File button

    • Select the appropriate mobileconfig file for macOS (either surepath.ai.macos.mobileconfig for basic deployment, or one of the JAMF-specific profiles with user identification: surepath.ai.macos.jamf.email.mobileconfig or surepath.ai.macos.jamf.udid.mobileconfig)

    • Click Open

  • On the New macOS Configuration Profile page, click on the Scope tab

    • Assign the Configuration Profile to the desired targets

      • Consult the Jamf Pro documentation for more details on scoping

    • Click Save

  • The configuration profile will now be deployed

Creating the Configuration Profile for iPadOS and iOS devices in Jamf Pro

  • Log in to the Jamf Pro web interface

  • Browse to Devices on the left

    • Click on Configuration Profiles under Content Management

  • Click Upload in the upper-right area of the pane

  • In the Upload iOS Configuration Profile modal, click the Choose File button

    • Select the surepath.ai.ios.mobileconfig file

    • Click Open

  • On the New iOS Configuration Profile page, click on the Scope tab

    • Assign the Configuration Profile to the desired targets

      • Consult the Jamf Pro documentation for more details on scoping

    • Click Save

  • The configuration profile will now be deployed

Verifying the SurePath AI integration

After deploying the configuration profiles to Apple devices, admins can verify that endpoints are properly configured to integrate with SurePath AI by using the Ready tool at ready.surepath.ai. This verification tool checks both certificate trust and network configuration to ensure that GenAI traffic will be properly routed through and governed by the SurePath AI platform.

To verify the integration, navigate to ready.surepath.ai from a configured endpoint. The tool automatically runs tests and displays validation results. If both the Certificate Trust and Network Configuration tests show green Valid results, the endpoint is properly integrated and GenAI traffic originating from that device will be processed by SurePath AI.

Interpreting results

If the Certificate Trust test shows a red Invalid result, it means that the SurePath AI root certificate is not trusted by the device or browser. This could be the result of the certificate not being deployed to the device yet. Admins should check the device's local certificate trust store for the SurePath AI Root CA certificate. If the certificate has been deployed and verified as installed, the device might need to be restarted for the browser to read the newly added SurePath AI root CA certificate.

If the Network Configuration test shows a red Invalid result, it means that the SurePath AI platform is not receiving traffic from the endpoint. This is most likely due to the network configuration not yet being pushed to the device. Some browsers or applications, such as Firefox, ignore system-level proxy settings and have their own proxy settings that must be configured separately from the system-level settings described in this document.

Please reach out to your SurePath AI account team if you have any questions or issues with the SurePath AI integration.
