Of course Mr Klier.
In brief...
we have just under 2k users with ipads. These are managed via mdm.
The global proxy is set via mdm so users cannot change or remove it
It points to a proxy.pac file on tinternet.
The proxy server is 1.2.3.4, this obviously does not exist so any web browsing fails with proxy error...
However....
There are exceptions in the pac file that allows direct access (no proxy) to our portals and gateways.
This allows GlobalProtect to bypass global proxy settings and connect as normal..
There is another statement within the pac file that says “ if connected to corporate network then go direct” (no proxy) so users browse as normal when connected via our internal to external firewalls.
This for some reason also works with captive portal wifi connections... it does something clever to allow captive portal auth prior to applying global proxy. Nothing to do with the pac file, its just an ios thing...
Not everyones cup of tea but has proved a winner for us over many years....
Happy to provide an example pac file if needs be...
We also use similar for windoze devices as the force global protect option just does not play with our users and crams helpdesk with calls regarding the captive portal timeout thingy...
