Version/OS compatibility of Catalina Network Extension features

We moved our macOS NKE-based VPN over to Network Extensions a while back. Although Network Extensions offered us less control over the system traffic it also let us have a single code base for the core functionality on iOS & macOS, as well as offering the possibilty of MDM.


The talk on Network Extensions for Modern macOS offered us some of the control back. The includeAllNetworks and excludeLocalNetworks flags are great to see. But, the title of the talk said 'for Modern macOS', so:


- Are they only on macOS, or are the Network Extension parts of that talk also applicable to iOS?

- Will those Network Extension flags function if the user is running macOS Mojave?

- iOS 12?


Or are they only going to work on Cataline/iOS13 and later?


Users do tend to upgrade their macOS & iOS versions, but corporate customers upgrade slowly, and they're our market.


One abillity of NKEs that we lost with Network Extensions was the ability to do an 'Always On' VPN which made sure that all traffic from the system was tunneled. Because we could make the NKE load at boot time there was no user dependency. It doesn't sound like this is going to be possible even with the current changes.


The talk referred to Driver Extensions as user-independent, and providing something available at the system level, but not Network Extensions. Is that the case?


Kevin

Unless we said otherwise, everything in that talk is for macOS 10.15 only. Specifically, the

includeAllNetworks
and
excludeLocalNetworks
options are currently only available on the Mac.

Or are they only going to work on [10.15] and later?

… corporate customers upgrade slowly, and they're our market.

Understood, but backporting NE features to previous OS releases is not practical. This is especially true for these new NE providers, as they depend on a key feature (system extensions) that is new in 10.15.

The talk referred to Driver Extensions as user-independent, and providing something available at the system level, but not Network Extensions. Is that the case?

Prior to macOS 10.15, VPN providers were per-user for three reasons:

  • Commonality with iOS.

  • VPNs often require user credentials.

  • They are based on app extensions because there was no alternative.

With the advent of system extensions that last point is no longer the case, so there’s an architectural framework for system-wide VPN. However, 10.15 does not include such an affordance [1].

Currently the NE architecture does not have support for third-party Always-on VPN. We already have an enhancement request (ER) on file requesting that (r. 21363342), but it’d be reasonable for you to file your own bug to document your specific requirements (notably, the existing bug and all its dups are for iOS).

Speaking of ERs, you should feel free to file ERs for any other features you’d like to see (for example, support for

includeAllNetworks
on iOS). If nothing else, this year’s developments are strong evidence that ERs do actually work on occasion (-:

Please post the numbers for any bugs you file, just for the record

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] In fact, if you read the beta release notes you’ll find that the new providers we added in 10.15 don’t actually work as system extensions in the current beta (r. 51186839).

Thanks Quinn.


I'll file some suggestions.


It's been on ongoing problem for us that the official cross-platform VPN support has been shaky, so hopefully more of these issues will get addressed. At least Catalina's showing progress.


I've been pretty happy with both Catalina & iOS 13 (you guys need names for those releases as well :-) so far, even though it's developer beta.


Kevin

It's great to see VPN security improved with the

includeAllNetworks
and
excludeLocalNetworks
properties added to NEVPNProtocol. Would be really great if these same features could be brought to iOS soon as well. My feedback report: FB6970648


Cheers,

Rob

I'm also in need of an"always-on" Network Extension in macOS. I see this topic was posted a year ago now. Any progress on getting this functionality into Catalina?

What about creating a LaunchAgent in /Library to invoke the host app as root? Would the system extension be invoked in root user space? Has anyone else attempted this? If not, I think it's time for a little test app...
Version/OS compatibility of Catalina Network Extension features
 
 
Q