Is 'App Proxy Provider' supported only for apps from the Mac App Store?

From the documentation page of App Proxy Provider, it says that the flow control is only supported for apps from the Mac App Store. What does it mean?

Does it mean that for apps like Firefox and Chrome, which we install on the Mac from a dmg file outside the App Store, App Proxy Provider will not intercept their flows?


Doc Link: https://developer.apple.com/documentation/networkextension/app_proxy_provider


Copying the statement:

"
......
App proxy providers are supported in iOS on managed devices only, and in macOS for Mac App Store apps only.
......
"


With a kext we were able to intercept any flow, regardless of the source of the installer file, for managing traffic. How will it work with the new Network Extension framework now?

Accepted Reply

From the documentation page of App Proxy Provider, it says that the flow control is only supported for apps from the Mac App Store. What does it mean?

The “in macOS for Mac App Store apps only” is referring to the app containing the app proxy provider. You can configure the app proxy provider to see flows from non-Mac App Store apps. Specifically, look at the com.apple.vpn.managed.appmapping configuration profile payload, where target apps are identified by designated requirement, bundle ID, path, and signing identifier, all of which are present on both Mac App Store and Developer ID apps.

Having said that, the documentation is incorrect because, as of macOS 10.15, we support Developer ID signed NE providers that run as a system extension.

Please file a bug against the doc and post the number here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
  • For what it's worth, the documentation still seems really confusing to me. If I understand correctly, you can now, on Mac OS, create an app that includes a system-wide NEAppProxyProvider to do flow-based proxying across all system traffic? If so, it would be great to support that for iOS as well given the apparent VPN Extension memory limit.

    As an example use case, imagine creating a custom MASQUE client - if you can't use the flow API, you need to use something like tun2socks which will eat up most of the memory in the extension before you've even sent a packet to the QUIC tunnel. I assume that the capability exists given that it's on MacOS and Private Relay's use of MASQUE, so opening it up to other developers working on new tools would be a huge help. Fingers crossed for iOS 16 :).


Replies


Thanks for clarifying Quinn, I will file the bug.

So just to summarize, if my application ProxyApp (which uses AppProxyProvider) is not sourced/installed from the 'Mac App Store' but is signed with a Developer ID, will it still be able to work and register its system extension successfully with OS X to get the flows for handling, and can it be released signed with a Developer ID?


Please excuse me here if the terms used are wrong, as I am new to Apple development.

if my application ProxyApp (which uses AppProxyProvider) is not sourced/installed from the 'Mac App Store' but is signed with a Developer ID, will it still be able to work and register its system extension successfully with OS X to get the flows for handling, and can it be released signed with a Developer ID?

Yes. Although an app proxy provider is a form of per-app VPN, which is not a particularly popular choice for this sort of thing. Most folks use a content filter provider or a transparent proxy provider.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have created a documentation bug: https://feedbackassistant.apple.com/feedback/7675014

Hi eskimo, you said:

Yes. Although an app proxy provider is a form of per-app VPN, which is not a particularly popular choice for this sort of thing. Most folks use a content filter provider or a transparent proxy provider.


By transparent proxy provider do you mean NEAppProxyProvider?

Yes, transparent proxy means NEAppProxyProvider. NETransparentProxyManager should be used in your app to configure the proxy.
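
As an added example (not code from the thread or from Apple's documentation), the two halves of a Developer ID-signed transparent proxy as Quinn describes it: a NETransparentProxyProvider subclass that runs in a system extension and sees flows from every app on the Mac, and the container-app code that installs its configuration with NETransparentProxyManager. The bundle identifiers, the subsystem name and the 10.0.0.0/8 network rule are placeholders chosen for this example; the per-app decision in handleNewFlow uses the flow's source app signing identifier, which is present for Developer ID apps as well as Mac App Store apps.

```swift
// Added example, not from the thread: a Developer ID-signed system extension
// hosting a transparent proxy (NETransparentProxyProvider, macOS 11+) plus the
// container-app code that installs its configuration with NETransparentProxyManager.
// Bundle IDs, the subsystem name and the 10.0.0.0/8 rule are placeholders.
import NetworkExtension
import os.log

// ---- System extension side (Network Extension target, system extension) ----

/// Sees TCP/UDP flows from every app on the Mac whose destination matches
/// includedNetworkRules, whether or not the app came from the Mac App Store.
final class ExampleTransparentProxy: NETransparentProxyProvider {
    private let log = OSLog(subsystem: "com.example.proxy", category: "provider")

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        // Placeholder rule: outbound flows bound for 10.0.0.0/8 on any port are handed to us.
        let rule = NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "10.0.0.0", port: "0"),
                                 remotePrefix: 8,
                                 localNetwork: nil,
                                 localPrefix: 0,
                                 protocol: .any,
                                 direction: .outbound)
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        settings.includedNetworkRules = [rule]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    /// Return true to claim the flow (we must then open it and move its data);
    /// return false to let the system deliver it normally.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // The signing identifier is populated for Developer ID and App Store apps alike,
        // so per-app policy can be applied here without MDM or an appmapping payload.
        let app = flow.metaData.sourceAppSigningIdentifier
        guard let tcp = flow as? NEAppProxyTCPFlow else {
            os_log("Ignoring non-TCP flow from %{public}@", log: log, app)
            return false
        }
        os_log("Claiming TCP flow from %{public}@ to %{public}@",
               log: log, app, String(describing: tcp.remoteEndpoint))
        tcp.open(withLocalEndpoint: nil) { error in
            if let error = error {
                os_log("open failed: %{public}@", log: self.log, "\(error)")
                return
            }
            // A real proxy would now relay between `tcp` and its upstream connection;
            // this example just closes the flow cleanly.
            tcp.closeReadWithError(nil)
            tcp.closeWriteWithError(nil)
        }
        return true
    }
}

// ---- Container app side ----

/// Installs (or updates) the transparent proxy configuration. providerBundleID must
/// match the system extension's bundle identifier; the default is a placeholder.
func installTransparentProxy(providerBundleID: String = "com.example.proxy.extension",
                             completion: @escaping (Error?) -> Void) {
    NETransparentProxyManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        let manager = managers?.first ?? NETransparentProxyManager()
        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = providerBundleID
        proto.serverAddress = "localhost"   // required by the framework, unused by a transparent proxy
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example Transparent Proxy"
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}
```

The container app still has to activate the system extension (OSSystemExtensionRequest) and the user has to approve it once; after that, saveToPreferences registers the proxy and the provider's handleNewFlow is called for matching flows from any app, which is the behaviour the kext used to give and the appmapping payload is not needed for.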

thank you 🙂

If I understand correctly, you can now, on Mac OS, create an app that includes a system-wide NEAppProxyProvider to do flow-based proxying across all system traffic?

Yes, although technically that’s not an app proxy provider but rather a transparent proxy (but they do use a lot of the same infrastructure). An app proxy provider is a form of per-app VPN, and thus it only sees traffic from specific apps that you installed via MDM [1]. macOS supports that, but it also supports a transparent proxy, which sees traffic from all apps, regardless of whether they were installed via MDM or not.

If so, it would be great to support that for iOS as well

Feel free to file an enhancement request along those lines. Please post your bug number, just for the record.

However…

given the apparent VPN Extension memory limit.

This isn’t related to that. NE providers on iOS have strict memory limits because of the nature of macOS. If we added transparent proxy support to iOS, it would also have a strict memory limit.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On macOS the apps don’t have to be installed via MDM, but you still need to opt it to specific apps.