Microsoft Intune - Distributing configuration for macOS

Describes deploying SurePath AI proxy PAC URL and root CA to macOS via Intune custom profiles. Covers email/UDID identification and verification.

Updated over a month ago

This document describes how to configure Microsoft Intune to distribute the SurePath AI proxy PAC URL and root CA certificate to macOS devices.

Supported platforms

  • macOS 13.0 and later

About this document

This document describes how to configure Microsoft Intune to distribute SurePath AI proxy settings to macOS devices using Custom configuration profiles. The configuration profiles provided by SurePath AI include both the proxy PAC URL and the trusted root CA certificate in a single deployment. This document does not cover how to enroll devices in Microsoft Intune or administer other aspects of the Microsoft Intune platform.

The SurePath AI PAC file

SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending all other traffic via its normal route.

The use of a PAC file also allows SurePath AI to update the list of generative AI domains. Most operating systems and browsers will request the PAC file every 1-2 hours, and if a new file can’t be retrieved the current one will continue to be used.
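To make the split-routing behaviour concrete, here is an added illustrative PAC file. It is not the PAC file SurePath AI serves; the proxy host (proxy.example.invalid:8080) and the governed domain list are placeholders, and the dnsDomainIs helper is defined inline only so the file can be run stand-alone (a browser or OS PAC runtime supplies it natively). Hosts on the governed list are returned to the proxy, everything else is returned as DIRECT.

```javascript
// Illustrative PAC file (added example, not SurePath AI's own file).
// Placeholders: the proxy host and the governed domain list are constructed.

// A real PAC runtime provides dnsDomainIs(); it is defined here so the
// file also runs under Node for testing. Semantics match the PAC built-in:
// true when host ends with the given (dot-prefixed) domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Placeholder proxy; no "; DIRECT" fallback so governed traffic fails closed.
var SUREPATH_PROXY = "PROXY proxy.example.invalid:8080";

// Placeholder list of governed generative AI domains (leading dot = apex + subdomains).
var GOVERNED_DOMAINS = [".genai-example.invalid", ".chat-example.invalid"];

function isGovernedHost(host) {
  host = host.toLowerCase();
  for (var i = 0; i < GOVERNED_DOMAINS.length; i++) {
    var suffix = GOVERNED_DOMAINS[i];
    // Match the apex domain itself, or any subdomain of it.
    if (host === suffix.substring(1) || dnsDomainIs(host, suffix)) {
      return true;
    }
  }
  return false;
}

// Entry point every PAC runtime calls for each request.
function FindProxyForURL(url, host) {
  if (isGovernedHost(host)) {
    return SUREPATH_PROXY;   // only generative AI traffic goes via the proxy
  }
  return "DIRECT";           // all other traffic takes its normal route
}
```

Note the deliberate absence of a "; DIRECT" fallback on the proxy branch: appending one would let governed traffic bypass the proxy whenever it is unreachable, turning a policy enforcement point into a fail-open control. The suffix match also requires the dot boundary, so a look-alike host such as notgenai-example.invalid is not treated as governed.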

The SurePath AI root CA certificate

Just like other network security and SASE vendors, certificate trust allows SurePath AI to intercept and apply policy to connections to generative AI websites. The SurePath AI root CA certificate needs to be trusted by all devices that need to be governed by SurePath AI.

All configuration in this section takes place within the Microsoft Endpoint Manager admin center located at https://endpoint.microsoft.com and unless otherwise stated, all instructions start from this URL.

Prerequisites

The SurePath AI configuration profiles for Intune are available from the Proxy Connector configuration page in the SurePath AI admin interface. These mobileconfig files contain both the proxy PAC URL and the trusted root CA certificate.

To download the configuration files:

  • Click Connectors in the CONFIGURE section

  • Select an existing Proxy connector or click ADD CONNECTOR to create a new one

  • If creating a new connector, provide a descriptive name (for example, "macOS - Intune") and select Proxy as the connector type, then click SAVE

  • From the connector details page, download the MDM files for your environment using the DOWNLOAD button in the MDM Files section

The downloaded ZIP file contains multiple deployment files for different platforms. For Intune macOS deployments, admins will use one of the following files:

  • surepath.ai.macos.intune.email.mobileconfig - Email-based user identification

  • surepath.ai.macos.intune.udid.mobileconfig - UDID-based user identification

Choosing a configuration profile

SurePath AI provides two configuration profile variants for Intune macOS deployments. Organizations should choose between the email and UDID variants based on their security requirements and user experience preferences.

The email-based profile (surepath.ai.macos.intune.email.mobileconfig) never prompts for user authentication, providing a completely transparent user experience with no authentication page redirects. For email-based identification to work, the device must have a user assigned with an email address in Intune. This method is appropriate for organizations that prioritize seamless user experience.

The UDID-based profile (surepath.ai.macos.intune.udid.mobileconfig) requires user authentication before attributing traffic to a user. This method is appropriate for security-conscious organizations that prefer explicit authentication steps before user identification occurs.

Intune policy for macOS configuration

The configuration profiles provided by SurePath AI contain both the proxy PAC URL and the trusted root CA certificate, allowing admins to deploy both settings in a single policy.

  • Navigate to Devices > Configuration

  • Select Create > New Policy

  • For Platform select macOS

  • For Profile type select Templates

  • From the Template name menu select Custom and click Create

  • On the Basics tab, enter a Name (and optional Description) and click Next

  • On the Configuration settings tab:

    • Enter a Custom configuration profile name

    • For Deployment channel, select Device channel

    • For Configuration profile file, click the folder icon and browse to select either:

      • surepath.ai.macos.intune.email.mobileconfig for email-based identification

      • surepath.ai.macos.intune.udid.mobileconfig for UDID-based identification

    • Click Next

  • On the Assignments tab, add the devices and/or groups of devices to which you want to apply the policy and click Next

    • This is a device-based policy, so assignments should be made to devices or device groups, not user groups

  • On the Review + create tab, confirm the configuration is correct and click Create

Verifying the SurePath AI integration

After completing the deployment, verify that the endpoint is properly integrated using the SurePath AI Ready tool.
