User Agent no longer present on CONNECT requests starting from iOS 15

It seems the User Agent is no longer included when iOS 15 sends CONNECT requests to a proxy. Is this the expected behaviour? @eskimo?

Still the same behavior on iOS 15 GM, any chance this gets fixed on 15.1 @eskimo?

Still the same behavior on iOS 15 [RC]

Correct. I fully expect that it will also work this way on the final released version of iOS 15.

any chance this gets fixed on 15.1

While I can’t predict the future, more’s the pity, I don’t recommend holding your breath.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Quick update: Still an issue in both 15.0.1 and 15.1 Beta 2.

From @rfan1560's comment:

I received a response to my feedback (FB9605687).

Apple Response: Investigation complete - Works as currently designed Please know that our engineering team has determined that this issue behaves as intended based on the information provided. Ppecifying the user-agent is a "should", not a "must".

So @eskimo, is this now considered "by design" then? There's no chance that this will change in future versions of iOS?

This is Symantec's article letting customers know that the User-Agent policies will no longer work, and that a workaround is not available. https://knowledge.broadcom.com/external/article?articleId=223857 In my opinion it's unfortunate (for admins and users alike) that those required to monitor web traffic are now being forced to decrypt (or block) all network traffic originating from iOS 15+ devices due to a change that (from the early posts in this thread) appears to have been unintentional.

appears to have been unintentional

While it’s true that the change was unintentional at the time, the bugs mentioned in this thread have caused the issue to be carefully reconsidered by the responsible folks at Apple, both from the networking and privacy teams.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Any updates to this original bug report? Mine (Bug # FB9329234) was resolved stating - working as designed.

Can we expect any action to be taken around the additional issue this presents with regards to how iPadOS presents logging information. With the CFNetwork debug profile installed on a device the CFNetworkAgent will advise that the User-Agent Header will be enqueued as part of the request. Without looking at a packet capture collected from an iPadOS device is there any logging information exposed to advise that the user-agent string is not sent as part of the connect request.

@eskimo, we submitted an issue to the feedback assistant with number FB9872194. In general lines, we think that for the most products an alternative to the full user agent could be use the application brand or name inside the user-agent or provide another header field, removing from it the version, the device or another kind of information, that, could be consider a potential risk for the user. In any case, in my opinion, this change affects a large number of companies and should have been done progressively with prior advice.

Thanks for your support @eskimo & @meaton 

This issue also a topic with macOS 12.3 We have a filter at our proxy examing the network traffic for "CFNetwork" or "Macintosh" because macOS generelly sends some requests unauthenticated to identify the requests that are not going to block an ip address. This has worked fine until macOS Big Sur An unauthenticated requests in our company means that the IP address will be blocked for a time for all internet traffic (it is a Cisco recomondation). As far as the user agent is no more present (not only for requests to Apple, also to OneDrive from MS, launchdarkly and opendns/Umbrella) the filter does not work anymore in about 50% of all cases.

User Agent no longer present on CONNECT requests starting from iOS 15
 
 
Q