10.2 Connection Issues? Here’s a solution!

Seeing this issue with your iPads after the iOS 10.2 upgrade? Read on to find the solution!

We recently worked with several school districts that were seeing “The Internet Connection appears to be offline” error when their iPads updated to 10.2.

Now that we identified the solution, we want to share it to help any other school or district running into the same problem! Here is what we found:

Issue:

10.2 iPads with global proxy produce “The Internet Connection appears to be offline.” error in Classkick. One school district filed a ticket with Apple as “Authentication problems with iOS 10.2 and Global Proxy”

More Information:

Quoted from conversation with Chandler M., AppleCare Enterprise Customer Support Engineering

The -1022 error indicates the TLS connection to the PAC file is not App Transport Security compliant. To confirm I would like for you to run the following Terminal command from a Mac on the same network:

nscurl — ats-diagnostics <url_to_pac_file>

Follow Up Questions:

All of it failed. What does that mean I need to change? Do I just need to go through that web server and make it secure https:// and disable the insecure TLS? Or is this an issue with our Vendors Apps?

Solution From Apple:

Quoted from conversation with Chandler M., AppleCare Enterprise Customer Support Engineering

No, this is not something the developer has any real control over. This is part of an ongoing effort on Apple’s part to improve security for TLS connections. The following video is Apple’s official announcement (transcript at bottom): https://developer.apple.com/videos/play/wwdc2016/706/

In general, the requirements are as follows:

  • 1. The site must be using a trusted root, i.e. not a self-signed cert.
  • 2. The site must support TLS 1.2
  • 3. The negotiated cipher must use ECDHE key exchange.

The supported ciphers and additional details are documented here: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW57

Solution Rephrased by School District:

Quoted from conversation with Michelle D., Senior Network Engineer, School District

We made our Global Proxy PAC file server compatible with App transport security and then changed our url to the PAC file to HTTPs. For HTTPS to work properly, the web server hosting the pac file has to have a valid SSL cert bound to https on that server.


Thanks to all the teachers, IT coordinators, and Apple engineers who helped us find this solution! If you are having any trouble connecting to Classkick, don’t hesitate to reach out to us at support@classkick.com.