Is 'App Proxy Provider' supported only for Apps which are from Mac App Store only

From Documentation page of App Proxy Provider, it says that the flow control is only supported for the Apps which are from Mac App store only. What does it means?

Does it means the dmg file like Firefox, Chrome which we install on Mac outside from App Stores, App Proxy Provider will not intercept these flows?


Doc Link: https://developer.apple.com/documentation/networkextension/app_proxy_provider


Copying statement:

"

......

App proxy providers are supported in iOS on managed devices only, and in macOS for Mac App Store apps only.

......

"


With kext we were able to intercept any flow regardless the source of the installer file for managing traffic, how will it work with new Network extension framework now?

Answered by DTS Engineer in 416069022

From Documentation page of App Proxy Provider, it says that the flow control is only supported for the Apps which are from Mac App store only. What does it means?

The “in macOS for Mac App Store apps only” is referring to the app containing the app proxy provider. You can configure the app proxy provider to see flows from non-Mac App Store apps. Specifically, look at the

com.apple.vpn.managed.appmapping
configuration profile payload, where target apps are identified by designated requirement, bundle ID, path, and signing identifier, all of which are present on both Mac App Store and Developer ID apps.

Having said that, the documentation is incorrect because, as of macOS 10.15, we support Developer ID signed NE providers that run as a system extension.

Please file a bug against the doc and post the number here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
Accepted Answer

From Documentation page of App Proxy Provider, it says that the flow control is only supported for the Apps which are from Mac App store only. What does it means?

The “in macOS for Mac App Store apps only” is referring to the app containing the app proxy provider. You can configure the app proxy provider to see flows from non-Mac App Store apps. Specifically, look at the

com.apple.vpn.managed.appmapping
configuration profile payload, where target apps are identified by designated requirement, bundle ID, path, and signing identifier, all of which are present on both Mac App Store and Developer ID apps.

Having said that, the documentation is incorrect because, as of macOS 10.15, we support Developer ID signed NE providers that run as a system extension.

Please file a bug against the doc and post the number here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for clariying Quinn, I will file the bug.

So just to summurize, if my Application: ProxyApp (uses AppProxyProvider) is not sourced/installed from 'Mac Apple Store' but signed with a Developer ID, it will still be able to work and register successufully its systemextension with OSX to get the flow for handling, and can be released signed with Developer ID?


Please excuse me here if the terms used are wrong as I am new to Apple development..

if my Application: ProxyApp (uses AppProxyProvider) is not sourced/installed from 'Mac Apple Store' but signed with a Developer ID, it will still be able to work and register successufully its systemextension with OSX to get the flow for handling, and can be released signed with Developer ID?

Yes. Although an app proxy provider is a form of per-app VPN, which not a particularly popular choice for this sort of thing. Most folks use a content filter provider or a transparent proxy provider.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have created a documentation bug# https://feedbackassistant.apple.com/feedback/7675014

hi eskimo you said :

Yes. Although an app proxy provider is a form of per-app VPN, which not a particularly popular choice for this sort of thing. Most folks use a content filter provider or a transparent proxy provider.


by transparent proxy provider do you mean NEAppProxyProvider ?

Yes, transparent proxy means NEAppProxyProvider. NETransparentProxyManager should be used in your app to configure the proxy.

thank you 🙂

If I understand correctly, you can now, on Mac OS create an app that includes a system-wide NEAppProxyPovider to do flow-based proxying across all system traffic?

Yes, although technically that’s not an app proxy provider but rather a transparent proxy (but they do use a lot of the same infrastructure). An app proxy provider is a form of per-app VPN, and thus it only sees traffic from specific apps that you installed via MDM [1]. macOS supports that, but it also supports a transparent proxy, which sees traffic from all apps, regardless of whether they were installed via MDM or not.

If so, it would be great to support that for iOS as well

Feel free to file an enhancement request along those lines. Please post your bug number, just for the record.

However…

given the apparent VPN Extension memory limit.

This isn’t related to that. NE providers on iOS have strict memory limits because of the nature of macOS. If we added transparent proxy support to iOS, it would also have a strict memory limit.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On macOS the apps don’t have to be installed via MDM, but you still need to opt it to specific apps.

Is 'App Proxy Provider' supported only for Apps which are from Mac App Store only
 
 
Q