On 20 Sep 2016, at 07:45, Motti Shneor <motti.shn...@me.com> wrote:

> 1. How do other system daemons connect to network web servers silently, using 
> authenticated proxy settings?

If they use NSURL{Session,Connection} then the proxy ‘heavy lifting’ is done by 
another daemon, `networkd`, that contains a bunch of smarts.

> Also, what keychain they use? not the System keychain?

Credentials like this are usually stored in the System keychain, although 
that’s clearly not the case here.  Beyond that, I haven’t looked at how proxies 
work at this level in a while.

> and when I set authentication parameters for, say, the admin user - how do 
> they read it? via some kind of impersonation?

That won’t work because, when a user logs out, their keychain is locked and no 
one, not even root, can unlock it.

This is in stark contrast to the System keychain, which can be unlocked by any 
root process.

> 2. How do preinstalled Safari, Mail, Photos, and other apps  connect silently 
> to the web, and avoid triggering the key-chain access permission dialog?

These apps use NSURLSession and, as such, the proxy work goes via `networkd`.

> 3. All proxy settings seem to be system-wide (actually per 
> network-interface). Why do the credentials reside in the active user’s Login 
> keychain, instead of the “System” keychain? 

It’s hard to answer “why” questions.

> Is there at all a way (except for manually editing the keychains) to set-up 
> proxies for ALL users, including credentials?
> 4. Could I, at the time of installation of my product, ask once for this 
> access, and have this “trust” saved for my installed daemon? That will be 
> acceptable, as IT installs our [tool] on all users machinesl, and have rights 
> for this. If this is possible - where and how could I do it?

If you’re deploying to managed environments then you need to look at 
configuration profiles.

> If the wonderful code within NSURLSession and CFNetwork that negotiates 
> proxies would be exposed via proper APIS - that would be a real blessing.

You should file an enhancement request that describes what you’d like to see 


Please post your bug number, just for the record.

Share and Enjoy
Quinn "The Eskimo!"                    <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list      (Macnetworkprog@lists.apple.com)
Help/Unsubscribe/Update your Subscription:

This email sent to arch...@mail-archive.com

Reply via email to