Showing results for 
Search instead for 
Did you mean: 

Anyone Using iPads or iPhones with MWG Explicit Proxy with NTLM Auth?

We are looking at the possibility of supporting iPad clients on our MWGs in explicit proxy mode. If possible we would like to use our existing NTLM authentication to a back end AD.  Based on the experience we had with Macs (had to join them to AD and use MCP to make things work properly) I'm going to assume this is not going to be an easy task.

Is anyone doing this in the field? And if so what were your results?



2 Replies
McAfee Employee jscholte
McAfee Employee
Report Inappropriate Content
Message 2 of 3

Re: Anyone Using iPads or iPhones with MWG Explicit Proxy with NTLM Auth?

Hi Matt,

In the past, I've worked with customers and they went the route of x509 or certificate authentication (using time based session with auth server). This meant that they distributed certificates out to the devices using an MDM, and then configured the iPads or iPhones to use MWG on a special proxy port (typically with wpad or proxy.pac).

The special proxy port allowed us to distinguish between normal proxy users (doing proxy auth) and byod or iDevices using x509 auth.

Separate from that, I have worked with some customers using wireless network controllers which allowed the MWG to query to see what users was logged into what IP address.

MWG then cached the information to reduce load on the wireless controller.

Apple devices in general do not play well with NTLM authentication so I tend to stay away from it.

If this is something you're interested in, let me know and we can have a chat!

Best Regards,



Re: Anyone Using iPads or iPhones with MWG Explicit Proxy with NTLM Auth?

Hi Jon,

I'm interested in this as well.

We have a separate CA issuing client certificates that are pushed with our MDM. I'd like to retrieve the CN / SAN information to be able to retrieve the filtering profile to apply (based the AD Group Membership).

I have tried what you suggested here:

I fail to understand why we need to provide the private key of the CA used to issue the client certificates in the Authentication.Authenticate method. Shouldn't the MWG just check if the client certificate is issued by the CA?

Can you help me on this topic?

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community