Proxy - Microsoft Intune - Distributing configuration for Windows

This article describes how to integrate Windows devices with SurePath AI using Microsoft Intune

Updated over 2 months ago

SurePath AI Proxy Integration for Windows via Microsoft Intune

This article describes how to configure Microsoft Intune to distribute the SurePath AI proxy PAC URL and root CA certificate to Windows devices.

Supported platforms

  • Windows 10 version 1709 and later

About this document

The configurations in this document cover how to create the Intune policy that distributes the SurePath AI Proxy PAC URL and the SurePath AI trusted root CA certificate on Windows devices. It does not cover how to enroll devices in Microsoft Intune or administer other aspects of the Microsoft Intune platform.

The SurePath AI PAC file

SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending other traffic via their normal route.

The use of a PAC file also allows SurePath AI to update the list of generative AI domains. Most operating systems and browsers will request the PAC file every 1-2 hours, and if a new file can’t be retrieved, the current one will continue to be used.

The SurePath AI root CA certificate

Just like other network security and SASE vendors, certificate trust allows SurePath AI to intercept and apply policy to connections to generative AI websites. The SurePath AI root CA certificate needs to be trusted by all devices that need to be governed by SurePath AI.

Configuring Microsoft Intune

All configuration in this section takes place within the Microsoft Endpoint Manager admin center located at https://endpoint.microsoft.com and, unless otherwise stated, all instructions start from this URL.

Prerequisites

The SurePath AI proxy PAC URL and root CA certificate needed for these steps can be downloaded from https://admin.surepath.ai:

  • Click the Organization menu, under the Configure section, on the left

  • Select the Integrations tab

  • The SurePath AI Root CA Certificate is available in the File Downloads section

    • Download the certificate using the CER option

  • The SurePath AI Proxy PAC URL is available in the Proxy and Provider URLs section

    • Copy the URL using the copy icon on the right side of the text box

Policy for PAC URL distribution

  • Navigate to Devices - Configuration

  • Select Create - New Policy

  • For Platform select Windows 10 and later

  • For Profile type select Templates

  • From the Template name menu select Custom and click Create

  • On the Basics step, enter a Name (and Description if desired) and click Next

  • On the Configuration settings step, click Add

    • For Name, type AutoDetect

    • For OMA-URI type ./Vendor/MSFT/NetworkProxy/AutoDetect

    • For Data Type select Integer

    • For Value type 0

    • Click Save

  • Click Add again

    • For Name, type SetupScriptUrl

    • For OMA-URI type ./Vendor/MSFT/NetworkProxy/SetupScriptUrl

    • For Data Type select String

    • For Value enter the Proxy PAC URL obtained in the prerequisite section

    • Click Save

  • Click Add again

    • For Name, type ProxySettingsPerUser

    • For OMA-URI type ./Vendor/MSFT/NetworkProxy/ProxySettingsPerUser

    • For Data Type select Integer

    • For Value type 0

    • Click Save

  • Click Next

  • On the Assignments step, add all the users and/or groups to which you want to apply the proxy policy and click Next

    • This is a device-based policy, so assignment should be done via groups of devices

  • On the Applicability Rules step, create a rule that will affect the desired Windows devices and click Next

    • As an example, for Rule select Assign profile if and for Property select OS Edition then for Value select all editions of Windows within the organization

  • On the Review + create step confirm the configuration is correct and click Create

Policy for preventing users from changing the configuration (optional)

Optionally, administrators can choose to block users from changing the proxy settings with an additional policy that is outlined in this section.

  • Navigate to Devices - Configuration

  • Select Create - New Policy

  • For Platform select Windows 10 and later

  • For Profile type select Settings catalog

  • Click Create

  • On the Basics step, enter a Name (and Description if desired) and click Next

    • On the Configuration settings step, on the left hand side of the menu select User Configuration

    • In the Search to filter items… search bar type Prevent changing proxy and wait for the search results to update

    • Select Prevent changing proxy settings and then in the right hand menu, select Enabled and click OK

    • Click Next

  • On the Configuration settings step, click + Add settings

    • In the Settings picker side panel in the Browse by category section, browse to Administrative Templates - Windows Component and then select Internet Explorer

    • In the Setting name section below, enable the Prevent changing proxy settings (User) setting

    • Close the Settings picker side panel

    • The Prevent changing proxy settings (User) should now be visible as a setting

    • Click the slider to enable the setting

    • Click Next

  • On the Scope tags step, select any applicable scope tags and click Next

  • On the Assignments step, add all the users and/or groups to which you want to apply the proxy policy and click Next

  • On the Review + create step confirm the configuration is correct and click Create

Policy for distributing the SurePath AI root CA

  • Navigate to Devices - Configuration

  • Select Create - New Policy

  • For Platform select Windows 10 and later

  • For Profile type select Templates

  • From the Template name menu select Trusted certificate and click Create

  • On the Basics step, enter a Name (and Description if desired) and click Next

  • On the Configuration settings step, click the text box that says Select a valid .cer file and then browse to and select the SurePath AI Root CA Certificate retrieved in the prerequisite section then click Next

  • On the Assignments step, add all the devices and/or groups to which you want to apply the certificate policy and click Next

    • This is a device-based policy so the assignment should be done via groups of devices rather than users

  • On the Applicability Rules step, create a rule that will affect the desired Windows devices and click Next

    • As an example, for Rule select Assign profile if and for Property select OS Edition then for Value select all editions of Windows within the organization

  • On the Review + create step confirm the configuration is correct and click Create

Verifying the SurePath AI integration

SurePath AI provides a tool for verifying that an endpoint is configured to properly integrate with SurePath AI's platform. After completing the steps above and verifying the configuration has been deployed to the desired devices, administrators can verify the integration by visiting https://ready.surepath.ai.

Interpreting results

A test will be run as soon as the page is loaded. If both tests show green Valid results, the endpoint is properly integrated and GenAI traffic originating from that endpoint will be processed by SurePath AI.

If the Certificate Trust test shows a red Invalid result, it means that the SurePath AI root certificate is not trusted by the device or browser. This could be the result of the certificate not being deployed to the device yet. Please check the device's local certificate trust store for the SurePath AI Root CA certificate. If the certificate has been deployed (and/or verified installed), it's possible the device might need to be restarted for the browser to read the newly added SurePath AI root CA certificate.

If the Network Configuration test shows a red Invalid result, it means that the SurePath AI platform is not receiving traffic from the endpoint. This is most likely due to the network configuration not being pushed to the device. Some browsers or applications, like Firefox, ignore system-level proxy settings and have internal proxy settings that will need to be configured separately from the system-level settings that are configured in this document.
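
A local check for the two failure cases described above, as an added example that is not SurePath AI's own tooling: it looks for the downloaded root CA in the Windows root stores by thumbprint and asks the system proxy resolver where a given URL would be routed. The file path and test URL are placeholders; replace them with the .cer file from the prerequisite section and a site your PAC file is expected to proxy.

```powershell
# Added example, not SurePath AI code. Run on an enrolled Windows device.
param(
    # Placeholder path: the .cer file downloaded in the Prerequisites section.
    [string]$CerPath = "$env:USERPROFILE\Downloads\surepath-root-ca.cer",
    # Placeholder URL: replace with a site your PAC file should send to the proxy.
    [uri]$TestUrl = 'https://genai.example.invalid/'
)

function Test-RootCaDeployed {
    param([Parameter(Mandatory)][string]$CerPath)
    # Match on thumbprint rather than subject name, so a different certificate
    # that merely carries the same name does not count as deployed.
    $file = (Resolve-Path -LiteralPath $CerPath -ErrorAction Stop).ProviderPath
    $ref  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $hit = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $ref.Thumbprint }
        [pscustomobject]@{
            Store      = $store
            Installed  = [bool]$hit
            Subject    = $ref.Subject
            Thumbprint = $ref.Thumbprint
            Expired    = $ref.NotAfter -lt (Get-Date)
        }
    }
}

function Get-EffectiveProxy {
    param([Parameter(Mandatory)][uri]$Url)
    # Ask the system proxy resolver (which evaluates the configured PAC script)
    # where a request to $Url would be sent for the account running this script.
    $via = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($Url)
    # Windows PowerShell returns the destination itself for a direct route;
    # PowerShell 7 returns $null. Treat both as "no proxy".
    $direct = ($null -eq $via) -or ($via.AbsoluteUri -eq $Url.AbsoluteUri)
    [pscustomobject]@{
        Url    = $Url.AbsoluteUri
        Direct = $direct
        Proxy  = if ($direct) { $null } else { $via.AbsoluteUri }
    }
}

Test-RootCaDeployed -CerPath $CerPath | Format-Table -AutoSize
Get-EffectiveProxy -Url $TestUrl | Format-List
```

A row with Installed set to False for every store matches the Certificate Trust failure; Direct set to True for a site that should be governed matches the Network Configuration failure.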

Please reach out to your SurePath AI account team if you have any questions or issues with the SurePath AI integration.
