NEAppProxyProvider VPN does not connect in User Enrollment mode

Question

Created Sep ’19

Replies 7

Boosts 0

Views 2k

Participants 5

HI, We faced an issue where the NEAppProxyProvider based per-app VPN fails to connect when device is enrolled in the User Enrollment mode. This occurs as NEAppProxyProvider can not lookup the client TLS identity based on the persistence reference passed in VPN profile. We are using following code to get the client identity and certificate from the VPN configuration persistence reference and the lookup fails with "-25300" status.

NSDictionary *dict = @{
                           (__bridge id)kSecClass: (__bridge id)kSecClassIdentity,
                           (__bridge id)kSecReturnRef: (id)kCFBooleanTrue,
                           (__bridge id)kSecValuePersistentRef: persistantIdentityRef
                           };
CFTypeRef identityRef = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)dict, &identityRef);

Same logic works fine in Device Enrollment mode.

Anyone faced the similar issue or is this bug on iOS side?

Boost

Answer 1

kjbrock OP

Apr ’20

We're seeing this same behavior with NETunnelProvider per-App VPN. Everything works well in Device Enrollment, but with User Enrollment the cert isn't found.

Looking at the confguration pushed by the MDM we can see the required certificate, but it's not found by SecItemCopyMatching.

Did you ever find a solution?

0

Answer 2

sanaw OP

Apr ’20

No, we have raised feedback on this one and still waiting.

0

Answer 3

DTS Engineer OP

Apple

May ’20

What was the FB number?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 4

sanaw OP

May ’20

Hi Quinn, FB7303482 is the feedback number. We also have "727754398" TSI open with Apple, I would also follow up on that shortly. But as of now profile for VPN is having right entitlements as was asked to verify in TSI. Please let us know if you need any more info. Regards.

0

Answer 5

kjbrock OP

May ’20

We were told by a customer that Apple told *them* that only App Proxy providers were supported for User Enrollment.

Our understanding was that Tunnel Providers would work as long as the VPN was a per-App VPN, not a device-level VPN. I.e., the VPN type was the issue, not the provider type.

Is there somewhere that this question is explicitly addressed?

0

Answer 6

VLeamons OP

May ’20

I would like to know this information as well. Our packet tunnel does not work using user enrollment, and I have verified that we are indeed being passed an identity cert ref, it just isn't found. We have access to the keychain items in question. In particular, can you verify that this isn't going to work for Packet Tunnels at all, only AppProxyProviders? What is the reasoning behind this?

0

Answer 7

shyamjimishra OP

Nov ’21

Did anyone find a solution for this? We are also having the same issue. I really appreciate any help you can provide.

0