I've updated my custom VPN app at the App Store to a newer version (Network Extension, Packet Tunnel Provider, macOS).
It seems that the existing apps on the users' Macs can't be updated when they are connected to the VPN.
Automatic update failed, and they also tried to go directly to the store, and manually download the new version.
It seems that they are able to download the new version, but the installation fails.
They are able to update to the new version only after they disconnect the VPN.
This is probably a relevant log from their Console:
pkd: [com.apple.PlugInKit:holds] hold refused. Busy plugins: <private>
appstoreagent: (PlugInKit) [com.apple.PlugInKit:holds] <PKManager:0x7fea5e544f50> hold request for [<private>] with flags: 0x2 completed with error: Error Domain=PlugInKit Code=14 UserInfo={busyPlugInUUIDs=<private>, NSLocalizedDescription=<private>}
I know that there are some reports here about this problem:
https://developer.apple.com/forums/thread/128894?answerId=652178022#652178022
And even on StackOverflow.
But I don't know about the status of this bug. Are you familiar with it?
I also opened FB8938775.
The feature of phased release is very useful for our company, but a big minus for us is that the 'Percentage of Users' starts very slow, and in the last two days it goes up very fast.
For now, what we can do is to start the phased release, pause it after 50% of users get the new version, and after a week resume the release.
I know it's not the purpose of pause/resume, but we want better control over the percentages/days of the phased release.
Is it possible to change those somehow? Change the percentages per day/ change number of days for the phased release?
My app can be opened using a URL scheme (via the func application(_ app: , url: , options:) -> Bool).
I've noticed that on iOS 14, some of the URLs have the char '#' at the end of the URL.
It happens only for some of the URLs, but even for those where it happens, trying them on a device with iOS 13, this extra char doesn't appear.
Any explanation for this? Did anyone else see this behaviour?
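An added example (not code from the original post) of how an app can parse its custom-scheme URLs so that a trailing '#' is tolerated while anything unexpected is rejected before the app acts on it. The scheme `myapp`, the action `open` and the `LaunchRequest` type are constructed for the demonstration; it assumes URLComponents reports the trailing '#' either as an empty fragment or as no fragment, and handles both.

```swift
import Foundation

// Constructed result type: the action is taken from the URL host, the parameters from the query.
struct LaunchRequest: Equatable {
    let action: String
    let params: [String: String]
}

// Parses a custom-scheme URL such as myapp://open?id=42 (constructed scheme and action names).
// Returns nil unless the scheme and host are acceptable, so arbitrary URLs handed to the app
// are rejected before any action is dispatched.
func parseLaunchURL(_ url: URL, expectedScheme: String) -> LaunchRequest? {
    guard let comps = URLComponents(url: url, resolvingAgainstBaseURL: false),
          let scheme = comps.scheme,
          scheme.caseInsensitiveCompare(expectedScheme) == .orderedSame,
          let host = comps.host, !host.isEmpty else {
        return nil
    }
    // A trailing '#' parses as an empty (or absent) fragment; treat it as absent rather than
    // failing the request. A non-empty fragment is not part of this scheme and is rejected.
    if let fragment = comps.fragment, !fragment.isEmpty { return nil }

    var params: [String: String] = [:]
    for item in comps.queryItems ?? [] {
        // Refuse duplicated keys instead of silently keeping the last value.
        if params[item.name] != nil { return nil }
        params[item.name] = item.value ?? ""
    }
    return LaunchRequest(action: host.lowercased(), params: params)
}

// Usage with constructed inputs.
let plain = URL(string: "myapp://open?id=42")!
let trailingHash = URL(string: "myapp://open?id=42#")!
let wrongScheme = URL(string: "https://open?id=42")!
let withFragment = URL(string: "myapp://open?id=42#section")!

assert(parseLaunchURL(plain, expectedScheme: "myapp")
       == LaunchRequest(action: "open", params: ["id": "42"]))
// The iOS 14 form with the extra '#' parses to the same request as the iOS 13 form.
assert(parseLaunchURL(trailingHash, expectedScheme: "myapp")
       == parseLaunchURL(plain, expectedScheme: "myapp"))
assert(parseLaunchURL(wrongScheme, expectedScheme: "myapp") == nil)
assert(parseLaunchURL(withFragment, expectedScheme: "myapp") == nil)
```

The function is the one to call from `application(_:open:options:)`; a `nil` result means the URL should be ignored rather than partially handled.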
I've implemented a custom VPN app for macOS (Packet Tunnel Provider, network extension), which is already available at the App Store. For most of the users everything works great.
The question here is about some other users who reported a problem: when they use my app, it starts well, but after a short time all traffic is extremely slow.
These are very suspicious logs from their Console:
“kernel: (Sandbox) Sandbox: myAppExtenstion(8025) deny(1) file-read-data /Users/ahale/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist”
After the above logs, they get a massive amount (over 42000) of these logs “myAppExtension: (NetworkExtension) NEVirtualInterface processing read event”.
What do those logs mean? How can I fix, or at least debug, this issue? I can't reproduce it and it happens only for some of the customers.
How can I get more helpful information on this issue?
I want to release a beta version for my Mac app, but since it contains a Network Extension (Packet Tunnel Provider), I can't just send a DMG to the testers.
I know there are two options here:
Change the app to be a System Extension. I do not want to do that.
Register the testers' devices (UUID) and send them the app.
Is there a better way to distribute this beta version?
(This is related to a thread from a year ago - https://developer.apple.com/forums/thread/113252?page=1#637604022)
I've implemented a custom VPN app for macOS (Packet Tunnel Provider).
If the user configured DNS servers for the tunnel, they should answer all DNS queries.
This is done with
dnsSettings.matchDomains = [""]
This works well except for one combination: if the user enables split tunnel with included routes + searchDomains, the DNS queries go to the system DNS server, and not to the tunnel DNS.
I found a partial solution: for the above case, if I set dnsSettings.matchDomains to the searchDomains, the tunnel's DNS server will answer queries, but only those related to a domain on that list.
I want the tunnel's DNS servers to answer all queries, so this solution isn't good.
Is it a bug or intentional behaviour?
In my app I have a SecKey which I want to sign some Data with, and at my server I need to do the verification process, but this time with OpenSSL.
I didn't find any common key type or any steps to achieve this between the Apple Security framework and OpenSSL.
For example, I've tried the following:
Signing (Apple Security):
let signedStrCFData = SecKeyCreateSignature(key, .rsaSignatureRaw, plaintextData, &error)
Verifying (OpenSSL):
ret = RSA_verify(NID_rsaSignature, (const unsigned char *)challenge, (unsigned int)strlen(challenge), challengeenc,
challengeenc_size, rsa);
Which key to choose is not really important to me (as long as it's a reasonable signing key), so I tried multiple types of keys, but I wasn't able to do it.
Any idea what I'm missing here?
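An added example, not code from the original post, showing one signing/verification pairing that is interoperable between the two sides: the Apple side signs with `.rsaSignatureMessagePKCS1v15SHA256` and exports its public key, and the OpenSSL side verifies that PKCS#1 v1.5 SHA-256 signature. The key pair is generated in-process for the demonstration (a real app would load its SecKey from the keychain), and the file names and the OpenSSL commands in the comments are the assumed server-side workflow.

```swift
import Foundation
import Security

enum KeyError: Error { case generate(CFError?), sign(CFError?), export(CFError?), noPublicKey }

// Demo only: a throwaway 2048-bit RSA key pair instead of the app's real SecKey.
func makeDemoRSAKey() throws -> SecKey {
    let attrs: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits: 2048,
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw KeyError.generate(error?.takeRetainedValue())
    }
    return key
}

// PKCS#1 v1.5 over SHA-256: the framework hashes the message, wraps the digest in a DigestInfo
// and pads it, which is what OpenSSL's RSA_verify(NID_sha256, ...) / `openssl dgst -verify`
// expect. .rsaSignatureRaw skips the hash and the padding, so OpenSSL cannot match it
// against a hashed message.
func signMessage(_ message: Data, with privateKey: SecKey) throws -> Data {
    let algorithm: SecKeyAlgorithm = .rsaSignatureMessagePKCS1v15SHA256
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw KeyError.sign(nil)
    }
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(privateKey, algorithm,
                                                message as CFData, &error) as Data? else {
        throw KeyError.sign(error?.takeRetainedValue())
    }
    return signature
}

// For an RSA public key, SecKeyCopyExternalRepresentation yields PKCS#1 RSAPublicKey DER,
// so the matching PEM label is "RSA PUBLIC KEY" (not "PUBLIC KEY", which is SubjectPublicKeyInfo).
func publicKeyPEM(for privateKey: SecKey) throws -> String {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { throw KeyError.noPublicKey }
    var error: Unmanaged<CFError>?
    guard let der = SecKeyCopyExternalRepresentation(publicKey, &error) as Data? else {
        throw KeyError.export(error?.takeRetainedValue())
    }
    let body = der.base64EncodedString(options: [.lineLength64Characters, .endLineWithLineFeed])
    return "-----BEGIN RSA PUBLIC KEY-----\n\(body)\n-----END RSA PUBLIC KEY-----\n"
}

// Local sanity check with the same algorithm before anything is sent to the server.
func verifyLocally(_ message: Data, signature: Data, privateKey: SecKey) -> Bool {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return false }
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .rsaSignatureMessagePKCS1v15SHA256,
                                 message as CFData, signature as CFData, &error)
}

let message = Data("challenge-from-server".utf8)   // constructed sample input
let key = try makeDemoRSAKey()
let signature = try signMessage(message, with: key)
precondition(verifyLocally(message, signature: signature, privateKey: key))

// Write the three artefacts the server needs (assumed file names).
let dir = FileManager.default.temporaryDirectory
try message.write(to: dir.appendingPathComponent("msg.bin"))
try signature.write(to: dir.appendingPathComponent("sig.bin"))
try publicKeyPEM(for: key).write(to: dir.appendingPathComponent("pub_pkcs1.pem"),
                                 atomically: true, encoding: .utf8)
print("wrote msg.bin, sig.bin, pub_pkcs1.pem to \(dir.path)")

// Server side with the OpenSSL CLI (assumed workflow):
//   openssl rsa -RSAPublicKey_in -in pub_pkcs1.pem -pubout -out pub.pem   # PKCS#1 -> SubjectPublicKeyInfo
//   openssl dgst -sha256 -verify pub.pem -signature sig.bin msg.bin        # expect "Verified OK"
// In C the equivalent is RSA_verify(NID_sha256, sha256(msg), 32, sig, siglen, rsa) on the same key.
```

The point the example makes is that the algorithm on both ends has to name the same hash and padding; the key type itself (RSA here) is the easy part, and the public key only needs a format conversion because OpenSSL's PEM loaders expect SubjectPublicKeyInfo.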
I've implemented a VPN app for macOS using Packet Tunnel Provider. The user can include IPv4 and IPv6 routes, and also enable split tunnel.
However, there's a combination that's not working well:
if the user includes the IPv6 default route,
but for IPv4 enables the split tunnel and includes only some routes, it seems that all IPv4 routes are included in the tunnel.
A code example:
let newSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: serverAddress)
newSettings.ipv4Settings = NEIPv4Settings(addresses: [localAddressString], subnetMasks: ["255.255.255.255"])
newSettings.ipv6Settings = NEIPv6Settings(addresses: ["2001:0db8:85a3:0000:0000:8a2e:0370:7334"], networkPrefixLengths: [64]) //fake IPv6 address
newSettings.ipv6Settings?.includedRoutes = [NEIPv6Route.default()]
let someRoute = NEIPv4Route(destinationAddress: "x.x.x.x", subnetMask: "255.255.255.255")
let someOtherRoute = NEIPv4Route(destinationAddress: "y.y.y.y", subnetMask: "255.255.255.255")
var routesToIncludeArr = [NEIPv4Route]()
routesToIncludeArr.append(someRoute)
routesToIncludeArr.append(someOtherRoute)
newSettings.ipv4Settings?.includedRoutes = routesToIncludeArr
I think that in the Console logs, the tunnel configuration looks good:
IPv4Settings = { configMethod = PPP
addresses = (
<12-char-str>,
)
subnetMasks = (
255.255.255.255,
)
includedRoutes = (
{
destinationAddress = <13-char-str>
destinationSubnetMask = 255.255.0.0
},
{
destinationAddress = <11-char-str>
destinationSubnetMask = 255.255.255.255
},
{
destinationAddress = <7-char-str>
destinationSubnetMask = 255.255.255.255
},
{
destinationAddress = <7-char-str>
destinationSubnetMask = 255.255.255.255
},
{
destinationAddress = <7-char-str>
destinationSubnetMask = 255.255.255.255
},
{
destinationAddress = <14-char-str>
destinationSubnetMask = 255.255.255.255
},
)
overridePrimary = NO
}
IPv6Settings = {
configMethod = automatic
addresses = (
<3-char-str>,
)
networkPrefixLengths = (
128,
)
includedRoutes = (
{
destinationAddress = <2-char-str>
destinationNetworkPrefixLength = 0
},
)
}
But when testing the VPN I see that all IPv4 traffic goes via the tunnel, and not only the included routes.
I've implemented a VPN app (using Packet Tunnel Provider) for macOS, and one of my users reported a problem:
sometimes his app crashes. It's not always reproducible for him, and it might happen mainly after the Mac wakes from sleep.
I didn't find any problems, so I asked for the Console logs, and there I saw some related prints. This is probably the related log: "Extension remained dirty for too long after trying to exit. Killing."
But also a lot of other "weird" prints, like: "com.apple.xpc.launchd[1] (com.apple.mdworker.single.07000000-0300-0000-0000-000000000000[56993]): Service exited due to SIGKILL"
"BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7fe30d92c160[source], ident: 5 / 0x5, handler: 0x10413dbfd }"
"com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.user.501): Service "com.apple.xpc.launchd.unmanaged.loginwindow.204" tried to register for endpoint "com.apple.tsm.uiserver" already registered by owner: com.apple.TextInputMenuAgent"
It seems this error is related to the OS, am I correct?
How can I solve this?
I've implemented a VPN app (using Packet Tunnel Provider) for iOS and for macOS.
I have the com.apple.managed.vpn.shared keychain access group.
Is it possible to read all the digital identities installed on the device? I read the documentation, but I didn't understand whether I can get only the digital identities installed via MDM (and only if it's done with the same profile which installed the VPN payload), or whether I can read all the digital identities, including those which were installed via mail. See eskimo's reply - https://developer.apple.com/forums/thread/66149?answerId=240279022#240279022 and the documentation - https://developer.apple.com/library/archive/qa/qa1745/_index.html
If it's possible to read the digital identities, how can I do it? Should I call something like 'SecItemCopyMatching' (see example code - https://developer.apple.com/forums/thread/66149), or something like 'reading in a PKCS#12-formatted blob and then importing the contents of the blob into the app's keychain using the function SecPKCS12Import', as it's written in the documentation - https://developer.apple.com/library/archive/qa/qa1745/_index.html
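An added example (not code from the original post or from Apple's sample) of the `SecItemCopyMatching` approach: it enumerates the identities visible to the calling process in one keychain access group and reports each one's label and certificate subject. It assumes the group name is listed in the caller's keychain-access-groups entitlement, which is what bounds the result; the other route mentioned in the post (importing a PKCS#12 blob with `SecPKCS12Import`) is a separate mechanism and is not shown.

```swift
import Foundation
import Security

enum KeychainError: Error { case status(OSStatus) }

// One row of the listing: the keychain label plus the subject summary of the leaf certificate.
struct IdentityInfo {
    let label: String
    let subject: String
    let identity: SecIdentity
}

// Enumerates identities in `accessGroup`. The keychain only returns items from groups the
// caller is entitled to, so an empty array means "nothing visible here", not an error.
func listIdentities(accessGroup: String) throws -> [IdentityInfo] {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecAttrAccessGroup: accessGroup,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnRef: true,          // the SecIdentity itself
        kSecReturnAttributes: true,   // plus its attributes (label etc.)
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return [] }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let items = result as? [[CFString: Any]] else { return [] }

    return items.compactMap { attrs in
        // Check the CF type before casting: kSecValueRef is a generic CFTypeRef.
        guard let ref = attrs[kSecValueRef],
              CFGetTypeID(ref as CFTypeRef) == SecIdentityGetTypeID() else { return nil }
        let identity = ref as! SecIdentity
        var certificate: SecCertificate?
        guard SecIdentityCopyCertificate(identity, &certificate) == errSecSuccess,
              let cert = certificate else { return nil }
        let subject = SecCertificateCopySubjectSummary(cert) as String? ?? "(no subject)"
        let label = attrs[kSecAttrLabel] as? String ?? "(no label)"
        return IdentityInfo(label: label, subject: subject, identity: identity)
    }
}

// Usage: the access group from the post; with an entitlement that does not cover it,
// the call throws errSecMissingEntitlement rather than returning other apps' items.
do {
    let found = try listIdentities(accessGroup: "com.apple.managed.vpn.shared")
    print("\(found.count) identity(ies) visible")
    for info in found {
        print("label=\(info.label) subject=\(info.subject)")
    }
} catch KeychainError.status(let code) {
    print("keychain query failed with OSStatus \(code)")
}
```

Because the query is scoped to one group, listing a second group (for example the app's own group) is a second call with a different `accessGroup`; what each call can see is decided by the entitlement, not by the query.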
Is it possible to implement somehow split tunnel according to domains and not only via IP?
The Packet Tunnel Provider is at the IP layer so it's probably not possible, but what about Per App VPN?
I found this description -
https://developer.apple.com/documentation/networkextension/neapprule/1406488-matchdomains
Declaration
var matchDomains: [Any]? { get set }
Discussion
If this property is set to a nonempty array, then only connections to destinations in the domains specified in the array will use the VPN.
So is it possible for Per App VPN to split traffic according to domains?
A question regarding Apple Configurator - VPN Payload - Custom SSL:
If I'm setting the User Authentication to 'Certificate', I'm able to enable the VPN On-Demand and add rules.
But if I'm setting the User Authentication to 'Password', I don't have the option to enable the on-Demand.
Is there a way to configure the on-demand if my connection requires just a PSK, and not a certificate?
In my iOS/macOS VPN apps (Packet Tunnel Provider), I'm creating the configuration in the containing app, setting all the needed fields, and specifically the password reference points to the password in the keychain.
But what happens when I'm creating the VPN payload via Apple Configurator (or via some MDM)? I have the Password field, but in the extension I get the password reference. In which keychain do I need to search for it?
P.S. - this is the main part I'm using to save the password reference in my containing app:
let attributes: [AnyHashable: Any] = [
kSecAttrService as AnyHashable : UUID().uuidString,
kSecValueData as AnyHashable : passwordData,
kSecAttrAccessible as AnyHashable : kSecAttrAccessibleAlways,
kSecClass as AnyHashable : kSecClassGenericPassword,
kSecReturnPersistentRef as AnyHashable : kCFBooleanTrue,
kSecAttrSynchronizable as AnyHashable : kCFBooleanTrue
]
var result: AnyObject?
let status = SecItemAdd(attributes as CFDictionary, &result)
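An added example, not the post's own code, showing both halves of the password-reference flow: the containing app stores the password in a shared access group and returns the persistent reference to put in `passwordReference`, and the extension resolves that reference back to the secret. The access group `TEAMID.com.example.vpn.shared`, the service name and the account are placeholders; the lookup on the extension side is by persistent reference only and names no group, so it works for any group the extension is entitled to read.

```swift
import Foundation
import Security

enum KeychainError: Error { case status(OSStatus), badResult }

// Placeholder group; must appear in keychain-access-groups for both the app and the extension.
let sharedAccessGroup = "TEAMID.com.example.vpn.shared"
let passwordService = "com.example.vpn.password"   // constructed service name

// Containing app: store the password and return the persistent reference for
// NEVPNProtocol.passwordReference. AfterFirstUnlock lets an on-demand tunnel read the
// item after a reboot without leaving it readable before the first unlock.
// kSecUseDataProtectionKeychain selects the iOS-style keychain on macOS, which is the
// one that honours access groups and accessibility; on iOS it is the only keychain anyway.
func storeVPNPassword(_ password: String, account: String) throws -> Data {
    let lookup: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: passwordService,
        kSecAttrAccount: account,
        kSecAttrAccessGroup: sharedAccessGroup,
        kSecUseDataProtectionKeychain: true,
    ]
    // Replace any previous password for this account so the reference stays current.
    SecItemDelete(lookup as CFDictionary)

    var item = lookup
    item[kSecAttrAccessible] = kSecAttrAccessibleAfterFirstUnlock
    item[kSecValueData] = Data(password.utf8)
    item[kSecReturnPersistentRef] = true
    var result: CFTypeRef?
    let status = SecItemAdd(item as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let ref = result as? Data else { throw KeychainError.badResult }
    return ref
}

// Extension: resolve protocolConfiguration.passwordReference back to the secret.
func loadVPNPassword(persistentRef: Data) throws -> String {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecMatchItemList: [persistentRef],   // match by persistent reference, whatever the group
        kSecReturnData: true,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecUseDataProtectionKeychain: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let data = result as? Data,
          let password = String(data: data, encoding: .utf8) else { throw KeychainError.badResult }
    return password
}

// Round trip with constructed values (the app would store the ref in the NEVPNProtocol;
// the extension would read it from protocolConfiguration.passwordReference).
let ref = try storeVPNPassword("correct horse battery staple", account: "vpn-user")
let recovered = try loadVPNPassword(persistentRef: ref)
precondition(recovered == "correct horse battery staple")
print("persistent reference is \(ref.count) bytes; password round-tripped")
```

Compared with the snippet in the post, the stored item names an access group (otherwise the extension cannot see it), uses AfterFirstUnlock rather than Always, and is not marked synchronizable, so the tunnel credential stays on the device it was entered on.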
I've implemented a custom VPN app for macOS (using Packet Tunnel Provider). I set includeAllNetworks in the protocolConfiguration. When this field is set, I can't connect and I can't send traffic even from the extension. Even simple calls in the extension, like getaddrinfo or curl, fail.
If I unset this variable (includeAllNetworks = false), then I can connect without a problem.
In addition, I can see these lines in the Xcode Console:
Connection 2: encountered error(1:53)
Connection 3: encountered error(1:53)
Connection 1: encountered error(1:53)
And these lines in the Console:
No mDNS_Keepalive for interface en8/IOSkywalkLegacyEthernetInterface kr 0xE00002C0
NetWakeInterface: en8 <private> no WOMP
uDNS_CheckCurrentQuestion: host unreachable error for DNS server <private> for question
failed to send packet on InterfaceID 0x5 en8/4 to <private>:53 skt 74 error -1 errno 65 (No route to host)
Suppose I'm creating a VPN profile for my app (custom VPN), setting on-demand to true, installing it via MDM, and in addition marking the profile as non-removable.
Would the user be able to turn off on-demand via the UI? If not (because it's non-removable), he would probably just be able to disconnect the VPN, but then it will be enabled again because of on-demand, correct?
And in addition, if I'm also setting the flag 'include all networks', when the user disconnects the VPN, will he have traffic (in case the profile is non-removable)?