Post not yet marked as solved
Thanks Quinn.One more follow up on this, can we use this new provider in non-MDM managed devices? If not, do you know any other framework Apple has for non-MDM managed devices to achieve the same?
Post not yet marked as solved
Thanks Quinn. Interesting, is there any sample code how to use it as document is brief as of now. Do we just need to provide the configuration and can use existing "NEAppProxyProvider" extension to tunnel traffic?
Ok thanks Quinn for detailed info.
Thanks Quinn. But this is read only property for inspection purpose right?
Post not yet marked as solved
Hi Quinn, FB7303482 is the feedback number. We also have "727754398" TSI open with Apple, I would also follow up on that shortly. But as of now profile for VPN is having right entitlements as was asked to verify in TSI. Please let us know if you need any more info. Regards.
Ok thanks Quinn, we are trying to changes the buffer sizes in "/etc/sysctl.conf" and see if it causes any improvement. Those settings would be still used by "NWTCPConnection", right?
Post not yet marked as solved
No, we have raised feedback on this one and still waiting.
Post not yet marked as solved
We are also facing the same issue with NEAppProxyProvider despite having access to "com.apple.managed.vpn.shared". It works fine in device enrollment but not is user enrollment due to cert lookup failing. This happens only when the VPN app is pushed as VPP. If we install it manually from AppStore then it works fine.
Thanks Quinn as always.So one more question about the usage and observation of "SecTrustSetAnchorCertificates()" API, one thing which we observed is that if we add the lead certificate of the server certification keychain to the "SecTrustSetAnchorCertificates()" and then run "SecTrustEvaluate()" it always "passes" irrespective of the cert being not self-signed with resultType set to "kSecTrustResultUnspecified".Is this expected behavior? Or "kSecTrustResultUnspecified " indicates some mistrust in this case? As we would expect it to fail as there is no true Anchor certificate added to the list and also there is no CA installed on the device in this case being third party CA.In the Console logs for "trustd" at one point I see :completed: i: >, <cert(0x10100f000) s:="" <issuer=""> i: > > details: (
{
},
{
AnchorTrusted = 0;
}
) result: 5which makes sense but suddenly the result is overriden and set to :completed: i: > > details: (
{
}
) result: 4Thanks.
Post not yet marked as solved
HI Quinn, Can we use "kSecUseDataProtectionKeychain" with launch daemons as well as there is no support for provisioning profiles for launch daemons? thanks.
