Overview
When users appear as "Anonymous" in the Activities feed, it indicates that the filter is seeing traffic but cannot associate it with a specific user email. This is usually due to either Network Configuration or Device/MDM Configuration.
Phase 1: Check Network Policy
Per support standards, rule out these configuration settings first. If these are set incorrectly, "Anonymous" users are the expected result.
1. Forced Login Status
If Forced Login is disabled, users are permitted to browse the internet without authenticating.
The Issue: User Injection (SmartPAC) runs in the background. If it fails or hasn't loaded yet, and Forced Login is OFF, the user browses anonymously.
The Fix: Enable Forced Login for the relevant policy. This ensures that if the SmartPAC fails to identify the user automatically, the browser will pause and force a Google/Azure manual sign-in before allowing internet access.
2. Guest Network Policy
Traffic originating from IP addresses defined in the Guest Network settings will be treated according to the Guest Policy.
The Issue: If 1:1 devices are accidentally connected to a Guest SSID, or if the 1:1 VLAN is listed under Guest IPs, users will appear as Anonymous/Guest.
The Fix: Verify that the devices are not connecting to a Guest network and that their IP range is not listed under Policy Editor > Policy Map > Guest Network Policy > IPs.
Phase 2: Check MDM & User Injection
If the network policy is correct (Forced Login is ON and not on Guest Network), the issue is likely a failure of the MDM to inject the User ID.
1. MDM Profile "Race Condition" (Timing Issue)
Common in new school years or fresh deployments.
The Issue: The MDM pushes the Proxy Profile to the device before the MDM has successfully registered the User Assignment. Consequently, the variable (e.g.,
%Email%) resolves to a null value.The Fix: Re-push the Proxy Profile to the affected devices after confirming the device is assigned to a user in the MDM.
2. Incorrect MDM Variable Syntax
Crucial: Do not assume a generic "Apple" variable. You must use the specific syntax for your MDM vendor.
Using the wrong variable prevents the SmartPAC from capturing the email address.
| MDM Vendor | Correct Email Variable |
|---|---|
| Securly MDM | $email (lowercase) |
| Mosyle | %Email% |
| Jamf Pro | $EMAIL |
| Jamf School (ZuluDesk) | %Email% |
| Meraki | $OWNEREMAIL |
| Lightspeed | %email% |
| Filewave | %email% |
| Airwatch / Workspace ONE | {EmailAddress} |
3. Validating the Device
To confirm if the variable is populating or is null/broken, inspect the device settings:
For iPad/iOS:
Navigate to Settings > General > VPN & Device Management.
Select the MDM Profile > Restrictions.
Check the Global HTTP Proxy URL. It must show the user's actual email address, not the variable name.
For macOS:
Open Terminal.
Run:
scutil --proxyEnsure
ProxyAutoConfigURLStringcontains the full email address.
For Windows (User Injection via GPO/Registry Key):
Open Powershell.
- Run:
Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" Ensure
ProxyURLcontains the full email address.
Comments
Please sign in to leave a comment.