Skip to main content

Manual Installation of PAC URL and Root CA on macOS (Testing Only)

This guide provides quick steps for manually installing the SurePath AI PAC URL and root CA certificate on a macOS device. For production deployments, organizations should use MDM platforms like Intune, Jamf Pro, or Rippling.

Updated over 3 months ago

Prerequisites

Before beginning, gather these items from the SurePath AI admin console at https://admin.surepath.ai:

Get the PAC URL:

  • Navigate to Connectors in the CONFIGURE section

  • Click ADD CONNECTOR

  • Provide a descriptive name (e.g., "Manual Test - MacOS")

  • Select Proxy as the connector type

  • Click Save to generate your unique PAC file URL

  • Copy the PAC file URL from the connector details

Get the root CA certificate:

  • Click Organization in the CONFIGURE section

  • Select the Integration tab

  • Download the SurePath AI Root CA Certificate from the File Downloads section (use the CER format)

Step 1: Install the root CA certificate

The root CA certificate allows SurePath AI to intercept and apply policy to GenAI traffic.

  • Locate the downloaded certificate file (.cer extension)

  • Double-click the certificate file

  • The Keychain Access application will open

  • In the dialog, select System from the Keychain dropdown

  • Click Add

  • Enter your macOS administrator password when prompted

  • After the certificate is added, locate it in the System keychain (it will be named "SurePath AI Root CA")

  • Double-click the certificate to open its details

  • Expand the Trust section

  • Change When using this certificate to Always Trust

  • Close the certificate details window

  • Enter your administrator password again to save the trust settings

Step 2: Configure the PAC URL

The PAC URL tells macOS which traffic to route through SurePath AI (only GenAI services).

  • Open System Settings (or System Preferences on older macOS versions)

  • Click Network

  • Select your active network connection (typically Wi-Fi or Ethernet)

  • Click Details (or Advanced on older versions)

  • Click the Proxies tab

  • Check the box for Automatic Proxy Configuration

  • In the URL field, paste the SurePath AI Proxy PAC URL from the prerequisites

  • Click OK

  • Click Apply

Step 3: Verify the integration

SurePath AI provides a verification tool to confirm proper configuration.

  • Open a web browser

  • Navigate to https://ready.surepath.ai

  • The page will automatically run tests

  • Verify both tests show green Valid results:

    • Certificate Trust: Confirms the root CA is properly trusted

    • Network Configuration: Confirms traffic is routing through SurePath AI

Important notes

  • This manual configuration is intended for testing only

  • For production deployments, use MDM platforms to distribute configuration at scale

  • The PAC file automatically updates to include new GenAI services, so the URL does not need to change

  • Most operating systems and browsers refresh the PAC file every 1-2 hours

  • Only GenAI traffic is routed through SurePath AI; all other traffic follows normal routing

Removing the configuration

To remove the test configuration:

Remove PAC URL:

  • Open System Settings > Network

  • Select your network connection > Details > Proxies

  • Uncheck Automatic Proxy Configuration

  • Click OK and Apply

Remove root CA certificate:

  • Open Keychain Access

  • Select the System keychain

  • Search for "SurePath AI Root CA"

  • Right-click the certificate and select Delete

  • Enter your administrator password when prompted

Related Articles
Google Workspace - Distributing Configuration to Chrome and ChromeOS
Rippling - Distributing Configuration for MacOS
Microsoft Intune - Distributing configuration for macOS
Overview of SurePath AI PAC Files
Manual Installation of PAC URL and Root CA on Windows (Testing Only)
Did this answer your question?