Hoping this might peak someones interest regarding proxy authorisation handling specifically during a device's SetupAssistant phase.
Our problem in this instance relies with the AuthBroker's handling of proxy authorisation challenges. With Apple's devices proxy auth is handled through AuthBroker which will make subsequent calls to GSS/ keychain if applicable to handle proxy Auth with CFNetwork.
Whilst this process functions quite well in the large part it's functionality around prompt suppression causes issues during the setupAssistant phase.
To avoid prompt fatigue AuthBroker Agent has a flag for a given proxy authorisation host (combination of host + port) that's responsible for reporting if a system prompt has been raised in the past. If it has AuthBroker will suppress prompting for the active session.
This creates a problem with SetupAssistant in that AuthBroker agent is not allowed to raise system prompts in this state. As a result it instaed triggers a default not now handling:
default 2026-04-27 20:34:43.565424 -0700 AuthBrokerAgent [0x100a7ee60] activating connection: mach=false listener=false peer=true name=com.apple.cfnetwork.AuthBrokerAgent.peer[119].0x100a7ee60
default 2026-04-27 20:34:43.565608 -0700 AuthBrokerAgent [0x100a80350] activating connection: mach=false listener=false peer=true name=com.apple.cfnetwork.AuthBrokerAgent.peer[158].0x100a80350
default 2026-04-27 20:34:43.565924 -0700 AuthBrokerAgent Fetching proxy credential for query <private>
default 2026-04-27 20:34:43.566135 -0700 AuthBrokerAgent Request <private> 0x65a873860
default 2026-04-27 20:34:43.567245 -0700 AuthBrokerAgent Not internal release, disabling SIRL
default 2026-04-27 20:34:43.576369 -0700 AuthBrokerAgent CFNetwork Diagnostics [3:1] 20:34:43.575 {
CopyDefaultCredential: (null)
Store: shared credential storage 0x100a7d320, session 0xad7010040, persistent 0x100a7d3e0
Space: https://someproxy.example.com:3128/, NTLM (Hash 774a6617a1f9d1ae)
Result: null
} [3:1]
default 2026-04-27 20:34:43.576451 -0700 AuthBrokerAgent Prompting user 0x65a873860
default 2026-04-27 20:34:43.578299 -0700 AuthBrokerAgent Cache loaded with 6300 pre-cached in CacheData and 69 items in CacheExtra.
default 2026-04-27 20:34:43.606794 -0700 AuthBrokerAgent User selected alternate response, won't prompt again 0x65a873860
default 2026-04-27 20:34:43.606820 -0700 AuthBrokerAgent Not sending a credential 0x65a873860
default 2026-04-27 20:34:43.606829 -0700 AuthBrokerAgent Fetching proxy credential complete result (null)
This flows onto Authbroker requests executed after setupAssistant and prevents the device from prompting until an effective restart:
default 2026-04-28 13:37:46.710956 +1000 Setup Buddy exiting...
default 2026-04-28 13:38:06.658658 +1000 AuthBrokerAgent [0xad6864000] activating connection: mach=false listener=false peer=true name=com.apple.cfnetwork.AuthBrokerAgent.peer[278].0xad6864000
default 2026-04-28 13:38:06.659238 +1000 AuthBrokerAgent Fetching proxy credential for query <private>
default 2026-04-28 13:38:06.661957 +1000 AuthBrokerAgent Request <private> 0xa4eccc760
default 2026-04-28 13:38:06.662597 +1000 AuthBrokerAgent SecSecurityClientGet new thread!
default 2026-04-28 13:38:06.813050 +1000 AuthBrokerAgent CFNetwork Diagnostics [3:7] 13:38:06.809 {
CopyDefaultCredential: (null)
Store: shared credential storage 0x100a7d320, session 0xad7010040, persistent 0x100a7d3e0
Space: https://someproxy.example.com:3128/, NTLM (Hash 774a6617a1f9d1ae)
Result: null
} [3:7]
default 2026-04-28 13:38:06.813088 +1000 AuthBrokerAgent Will not prompt since user previously dismissed prompt 0xa4eccc760
default 2026-04-28 13:38:06.813091 +1000 AuthBrokerAgent Not sending a credential 0xa4eccc760
default 2026-04-28 13:38:06.814867 +1000 AuthBrokerAgent Fetching proxy credential complete result (null)
Is there any chance to get this handling updated so that SetupAssistant reset AuthBroker's prompting state on conclusion to allow for system prompt exposure to the user without requiring a device restart.
DevForums is primarily a place to help third-party developers with their API level questions, so…
Is there any chance to get this handling updated …
None of your code is involved here, right? If so, then the best way to request a change to the Apple side of things is to file a bug in Feedback Assistant.
Please post your bug number, just for the record.
ps Thanks for applying the GSS tag. Its tag landing page has been very empty in recent years [1], so it’s glad to have something there again.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Due to a misfeature in the forums, the tag landing pages only show threads that are newer than a certain time limit. I hope to get that fixed at some point (r. 175332842).