Should I open a bug about this issue? Or is it something on my side?

Thanks! I submitted DTS 747436627

Thanks for the reply! I have few questions regarding this approach - It's supported only from OSXApplicationExtension 10.15, what can I use for earlier version? I already have the SecKey - how can I use it as an argument for one of the signing functions? Can I open a DTS for a little help on this one?

No, includeAllNetworks is disabled (unset).

@DreamLordOneiros I didn't try it yet but maybe the reason it's not working for me is that at the Extension I'm not using Extension native API (like createUDPSession() for example), and I'm using BSD sockets/openSSL instead.

Oh, so there's no way for my app to get access to an already installed digital identity. Seems that I'll have to ask the customers to send it via the MDM, and I might also submit an enhancement request about this. Thanks for your time!

Thanks for the answer! And a final question on this - is there any other way my app can read a digital identity which was manually installed? Maybe there's such a permission request for the user? Or is the only way is to open the file picker and let the user choose the digital identity?

Did you try the handleAppMessage() function? I'm using it for the app extension, but I'm not sure if it's relevant to a system extension Summary Handle messages sent by the tunnel provider extension’s containing app Declaration func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) Discussion Use this method to communicate information between the Tunnel Provider and the Tunnel Provider’s containing app.

Bumping this thread. Is there a way to set the on-demand from the profile for a custom VPN using password (and not certificate)?

But once this rule above activated the tunnel and the VPN is up, what will happen when the request URL will be somethingelse.net - will this go via the VPN? In other words: Once the tunnel is up, it will get all the traffic from that app, or just the traffic matching the rules?

I submitted a DTS: 742146463

Correct, but this is part of the VPN payload - so it sounds weird that you need to set there a password, but the app can't read it. (The field description is "Password for authenticating the connection").

Great, thanks for the quick info! I'll submit a DTS but before that, just to be sure - This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility I want to add support for configuration via configuration profile, and for the connection I need the password for the user (which is really a pre-shared key). Is there any way to get it other than keychain + permissions? I'm asking because of "Many VPN apps don’t need this facility"

Thanks! And if it helps - I can send the Console logs.

Done -  Follow-up: 741742681 Thanks!