identityReference in NEVPNProtocol not found in keychain with User Enrollment

App & System Services Networking
kjbrock OP
Created Apr ’20
Replies 7
Boosts 0
Views 1.3k
Participants 4

We have an SSL VPN app. (NEPacketTunnelProvider)


Per-app VPN with certificate authentication works when the device is enrolled with Device Enrollment. When the MDM uses User Enrollment the certificate isn't found in the keychain.


- The certificate appears in the Management Profile details on the iOS device.

- There is an identityReference in the VPN configuration profile.

- The profile is correctly associated with the provider, and when the app starts the VPN extension starts and attemps authentication.

- SecItemCopyMatching finds nothing in the keychain.


Any ideas on this?


Kevin

Replies  7
Boosts  0
Views  1.3k
Participants  4
kjbrock OP
Apr ’20

My current suspicion is that this is related to the separation between the Managed Apple ID resources and the regular Apple ID resources.


The stuff I've seen says that there are separate keychains for the two, and since the cert is on the system under the managed profile, and yet not in the keychains we're allowed access to, this seems likely to be related.


The problem here is that the system should be handling this for us--we're just a lowly Network Extension provider, and know nothing about Apple IDs of any sort...


Has anyone succeeded in running in this configuration? Did you have to do anything special?

0
DTS Engineer OP
Apple
Apr ’20

Do you have access to the 

com.apple.managed.vpn.shared
keychain access group? If not, see FAQ#9 in Network Extension Framework Entitlements.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
sanaw OP
Apr ’20

We are also facing the same issue with NEAppProxyProvider despite having access to "com.apple.managed.vpn.shared". It works fine in device enrollment but not is user enrollment due to cert lookup failing. This happens only when the VPN app is pushed as VPP. If we install it manually from AppStore then it works fine.

0
kjbrock OP
Apr ’20

Hi Quinn. Yes, we have access to that keychain.


Our app works fine with MDMs in general, and can access the distributed certificates for per-App VPN configurations that specify certificate based authentication when the device is enrolled normally.


The problem is specifically with MDMs doing User Enrollment.


I've verified that there are Managed Apple IDs set up on the devices showing the problem.


SecItemCopyMatching() shows no matching items in any keychains, but since one feature of User Enrollment is separate keychains I'm wondering whether SecItemCopyMatching() is searching the right keychain in this case.

0
DTS Engineer OP
Apple
May ’20

I’m posting a link to sanaw’s thread because they seem to be further along with this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
kjbrock OP
May ’20

Yes, I was on that thread already. The lack of response was why I opened this thread.


I'm assuming that this means there are no known issues with User Enrollment and certificate-based VPN authentication? Or has anyone been using this successfully in the wild?

0
shyamjimishra OP
Nov ’21

Did anyone find a solution for this? We are also having the same issue. I really appreciate any help you can provide.

0
identityReference in NEVPNProtocol not found in keychain with User Enrollment
First post date Last post date
 
 
Q