I have set up a Network Extension as a Per-App NEAppProxyProviderManager. I use a .mobileconfig setup (see below).
I do get Safari traffic but not other apps' traffic; at this moment I'm trying Chrome (com.google.Chrome).
I do get Safari traffic in (BOOL)handleNewFlow:(NEAppProxyFlow *)flow {}
I have set some Safari domains like .com, .net, .org, and these domains are redirected successfully to the NE.
I want to extend the proxy to get Chrome traffic as well. For that I created the section "AppLayerVPNMapping" with the bundle IDs and DesignatedRequirement of Chrome.
The interesting thing is that I get the UDP traffic redirected to (BOOL)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow initialRemoteEndpoint:(NWEndpoint *)remoteEndpoint {},
which is promising. I reject it by returning NO, because I'm interested in the TCP protocol. Returning YES is not possible in my test scenario.
It is known that if rejected, Chrome switches to TCP instead of UDP; I have tested it with another type of proxy (transparent proxy).
The result is that the TCP flow is not redirected to the NE and Chrome does not navigate.
Chrome is based on many processes, so I have added the "helper" it uses to the list of apps.
I have used "NETestAppMapping" in Info.plist but it doesn't help.
This is the mobileconfig I'm using.
Has anyone succeeded in getting complex apps' traffic?
Thanks!
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-...">
<plist version="1">
<dict>
    <key>PayloadUUID</key>
    <string>DF2B6E99-2857-474B-B98A-3FF2E71E90C6</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>myorg</string>
    <key>PayloadIdentifier</key>
    <string>DF2B6E99-2857-474B-B98A-3FF2E71E90C6</string>
    <key>PayloadDisplayName</key>
    <string>NC1</string>
    <key>PayloadDescription</key>
    <string/>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadUUID</key>
            <string>A7F5A3B5-7E12-4E9D-8F9A-0355E9338F97</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.applayer</string>
            <key>PayloadOrganization</key>
            <string>myorg</string>
            <key>PayloadIdentifier</key>
            <string>A7F5A3B5-7E12-4E9D-8F9A-0355E9338F97</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>IPSec</key>
            <dict>
                <key>OnDemandEnabled</key>
                <integer>0</integer>
                <key>PromptForVPNPIN</key>
                <false/>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>Proxies</key>
            <dict/>
            <key>UserDefinedName</key>
            <string>TestNC Jon</string>
            <key>VPN</key>
            <dict>
                <key>RemoteAddress</key>
                <string>myprod</string>
                <key>OnDemandUserOverrideDisabled</key>
                <integer>1</integer>
                <key>ExcludeLocalNetworks</key>
                <integer>0</integer>
                <key>AuthName</key>
                <string>user</string>
                <key>ProviderDesignatedRequirement</key>
                <string>identifier "com.myprod.ne" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: me (xxxxxxxx)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */</string>
                <key>ProviderBundleIdentifier</key>
                <string>com.myprod.ne</string>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>ProviderType</key>
                <string>app-proxy</string>
                <key>IncludeAllNetworks</key>
                <integer>0</integer>
            </dict>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VPNSubType</key>
            <string>com.myprod.ne-app</string>
            <key>VendorConfig</key>
            <dict/>
            <key>VPNUUID</key>
            <string>825886EA-BB00-4805-ADD6-1674C531669E</string>
            <key>OnDemandMatchAppEnabled</key>
            <true/>
            <key>SafariDomains</key>
            <array>
                <string>.com</string>
                <string>.net</string>
                <string>.org</string>
            </array>
            <key>OnDemandUserOverrideDisabled</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadUUID</key>
            <string>A959CFCB-BABF-4819-B2A6-41F95926AF78</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.appmapping</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.appmapping.663DE2E8-0B7D-46D7-B1AE-331985F4082B</string>
            <key>PayloadDescription</key>
            <string>Configures TestApp-macOS to use the per-app VPN connection.</string>
            <key>PayloadDisplayName</key>
            <string>Per-App VPN App Mappings</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>AppLayerVPNMapping</key>
            <array>
                <dict>
                    <key>VPNUUID</key>
                    <string>825886EA-BB00-4805-ADD6-1674C531669E</string>
                    <key>Identifier</key>
                    <string>com.google.Chrome</string>
                    <key>SigningIdentifier</key>
                    <string>com.google.Chrome</string>
                    <key>DesignatedRequirement</key>
                    <string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")</string>
                </dict>
                <dict>
                    <key>VPNUUID</key>
                    <string>825886EA-BB00-4805-ADD6-1674C531669E</string>
                    <key>Identifier</key>
                    <string>com.google.Chrome.helper</string>
                    <key>SigningIdentifier</key>
                    <string>com.google.Chrome.helper</string>
                    <key>DesignatedRequirement</key>
                    <string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")</string>
                </dict>
                <dict>
                    <key>Identifier</key>
                    <string>org.mozilla.firefox</string>
                    <key>VPNUUID</key>
                    <string>825886EA-BB00-4805-ADD6-1674C531669E</string>
                    <key>SigningIdentifier</key>
                    <string>org.mozilla.firefox</string>
                    <key>DesignatedRequirement</key>
                    <string>anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"</string>
                </dict>
            </array>
        </dict>
    </array>
</dict>
</plist>
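A profile like the one above is easy to get subtly wrong, and the system gives little feedback when a mapping entry silently fails to match. The script below is an added example, not part of the post and not Apple's or any vendor's tooling: it parses a .mobileconfig with plistlib and runs two consistency checks over every AppLayerVPNMapping entry, (1) that its VPNUUID points at a com.apple.vpn.managed.applayer payload in the same profile, and (2) that, when its DesignatedRequirement contains `identifier "..."` clauses, one of them names the entry's own Identifier. The second check flags the kind of mismatch visible in the post's second mapping entry, where the com.google.Chrome.helper entry carries a requirement that only names the com.google.Chrome* identifiers. The embedded profile is a constructed, reduced sample with placeholder UUIDs and certificate hashes; the function names are my own.

```python
"""Consistency checks for per-app VPN mappings in a .mobileconfig (added example)."""
import plistlib
import re

APPLAYER_TYPE = "com.apple.vpn.managed.applayer"
APPMAPPING_TYPE = "com.apple.vpn.managed.appmapping"

# Matches each `identifier "..."` clause of a code-signing requirement string.
IDENT_RE = re.compile(r'\bidentifier\s+"([^"]+)"')

# Constructed sample, reduced from the profile in the post. UUIDs and the
# H"00" certificate hashes are placeholders, not real values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>VPNUUID</key><string>825886EA-BB00-4805-ADD6-1674C531669E</string>
      <key>VPN</key>
      <dict>
        <key>ProviderType</key><string>app-proxy</string>
        <key>ProviderBundleIdentifier</key><string>com.myprod.ne</string>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.appmapping</string>
      <key>AppLayerVPNMapping</key>
      <array>
        <dict>
          <key>VPNUUID</key><string>825886EA-BB00-4805-ADD6-1674C531669E</string>
          <key>Identifier</key><string>com.google.Chrome</string>
          <key>DesignatedRequirement</key>
          <string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta") and certificate leaf = H"00"</string>
        </dict>
        <dict>
          <key>VPNUUID</key><string>825886EA-BB00-4805-ADD6-1674C531669E</string>
          <key>Identifier</key><string>com.google.Chrome.helper</string>
          <key>DesignatedRequirement</key>
          <string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta") and certificate leaf = H"00"</string>
        </dict>
        <dict>
          <key>VPNUUID</key><string>00000000-0000-0000-0000-000000000000</string>
          <key>Identifier</key><string>org.mozilla.firefox</string>
          <key>DesignatedRequirement</key>
          <string>anchor apple generic and certificate leaf[subject.OU] = "43AQ936H96"</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def payloads_of_type(root, payload_type):
    """Yield every top-level payload of the given PayloadType."""
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") == payload_type:
            yield payload


def check_mappings(profile_bytes):
    """Return a list of (Identifier, problem) tuples for inconsistent mapping entries.

    An empty list means every mapping references a known VPNUUID and, where
    its requirement pins identifiers at all, names its own Identifier.
    """
    root = plistlib.loads(profile_bytes)
    known_vpn_uuids = {
        p["VPNUUID"] for p in payloads_of_type(root, APPLAYER_TYPE) if "VPNUUID" in p
    }
    problems = []
    for mapping_payload in payloads_of_type(root, APPMAPPING_TYPE):
        for entry in mapping_payload.get("AppLayerVPNMapping", []):
            ident = entry.get("Identifier", "<missing Identifier>")
            if entry.get("VPNUUID") not in known_vpn_uuids:
                problems.append((ident, "VPNUUID does not match any applayer payload"))
            named = IDENT_RE.findall(entry.get("DesignatedRequirement", ""))
            if named and ident not in named:
                problems.append(
                    (ident, "DesignatedRequirement names other identifiers: " + ", ".join(named))
                )
    return problems


if __name__ == "__main__":
    for ident, problem in check_mappings(SAMPLE_PROFILE):
        print(f"{ident}: {problem}")
```

On the sample this reports the helper entry (requirement names only com.google.Chrome and com.google.Chrome.beta) and the Firefox entry (its VPNUUID is not defined by any applayer payload), and says nothing about the main Chrome entry. The identifier check is deliberately conservative: a requirement with no `identifier` clause at all, like the Firefox one that pins only the signing team, passes it. To check a real profile, replace SAMPLE_PROFILE with the bytes of your .mobileconfig file.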