Skip to main content

Manual Installation of PAC URL and Root CA on macOS (Testing Only)

Quick manual installation of proxy PAC URL and root CA on macOS for testing/POC. Production deployments should use MDM (Intune, Jamf Pro, Rippling).

Updated over a month ago

Prerequisites

Before beginning, gather these items from the SurePath AI admin console at https://admin.surepath.ai:

Get the PAC URL:

  • Navigate to Connectors in the CONFIGURE section

  • Click ADD CONNECTOR

  • Provide a descriptive name (e.g., "Manual Test - MacOS")

  • Select Proxy as the connector type

  • Click Save to generate your unique PAC file URL

  • Copy the PAC file URL from the connector details

Get the root CA certificate:

  • Click Organization in the CONFIGURE section

  • Select the Integration tab

  • Download the SurePath AI Root CA Certificate from the File Downloads section (use the CER format)

Step 1: Install the root CA certificate

The root CA certificate allows SurePath AI to intercept and apply policy to GenAI traffic.

  • Locate the downloaded certificate file (.cer extension)

  • Double-click the certificate file

  • The Keychain Access application will open

  • In the dialog, select System from the Keychain dropdown

  • Click Add

  • Enter your macOS administrator password when prompted

  • After the certificate is added, locate it in the System keychain (it will be named "SurePath AI Root CA")

  • Double-click the certificate to open its details

  • Expand the Trust section

  • Change When using this certificate to Always Trust

  • Close the certificate details window

  • Enter your administrator password again to save the trust settings

Step 2: Configure the PAC URL

The PAC URL tells macOS which traffic to route through SurePath AI (only GenAI services).

  • Open System Settings (or System Preferences on older macOS versions)

  • Click Network

  • Select your active network connection (typically Wi-Fi or Ethernet)

  • Click Details (or Advanced on older versions)

  • Click the Proxies tab

  • Check the box for Automatic Proxy Configuration

  • In the URL field, paste the SurePath AI Proxy PAC URL from the prerequisites

  • Click OK

  • Click Apply

Step 3: Verify the integration

SurePath AI provides a verification tool to confirm proper configuration.

  • Open a web browser

  • Navigate to https://ready.surepath.ai

  • The page will automatically run tests

  • Verify both tests show green Valid results:

    • Certificate Trust: Confirms the root CA is properly trusted

    • Network Configuration: Confirms traffic is routing through SurePath AI

Important notes

  • This manual configuration is intended for testing only

  • For production deployments, use MDM platforms such as Jamf Pro or Microsoft Intune to distribute configuration at scale

  • The PAC file automatically updates to include new GenAI services, so the URL does not need to change

  • Most operating systems and browsers refresh the PAC file every 1-2 hours

  • Only GenAI traffic is routed through SurePath AI; all other traffic follows normal routing

Removing the configuration

To remove the test configuration:

Remove PAC URL:

  • Open System Settings > Network

  • Select your network connection > Details > Proxies

  • Uncheck Automatic Proxy Configuration

  • Click OK and Apply

Remove root CA certificate:

  • Open Keychain Access

  • Select the System keychain

  • Search for "SurePath AI Root CA"

  • Right-click the certificate and select Delete

  • Enter your administrator password when prompted

Related Articles
Rippling - Distributing Configuration for MacOS
Rippling - Distributing Configuration for Windows
Microsoft Intune - Distributing configuration for macOS
SurePath AI Traffic Flows
Manual Installation of PAC URL and Root CA on Windows (Testing Only)
Did this answer your question?