identityReference in NEVPNProtocol not found in keychain with User Enrollment

We have an SSL VPN app. (NEPacketTunnelProvider)


Per-app VPN with certificate authentication works when the device is enrolled with Device Enrollment. When the MDM uses User Enrollment the certificate isn't found in the keychain.


- The certificate appears in the Management Profile details on the iOS device.

- There is an identityReference in the VPN configuration profile.

- The profile is correctly associated with the provider, and when the app starts the VPN extension starts and attempts authentication.

- SecItemCopyMatching finds nothing in the keychain.


Any ideas on this?


Kevin

Replies

My current suspicion is that this is related to the separation between the Managed Apple ID resources and the regular Apple ID resources.


The stuff I've seen says that there are separate keychains for the two, and since the cert is on the system under the managed profile, and yet not in the keychains we're allowed access to, this seems likely to be related.


The problem here is that the system should be handling this for us--we're just a lowly Network Extension provider, and know nothing about Apple IDs of any sort...


Has anyone succeeded in running in this configuration? Did you have to do anything special?

Do you have access to the com.apple.managed.vpn.shared keychain access group? If not, see FAQ#9 in Network Extension Framework Entitlements.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
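As an added illustration of the lookup being discussed (not code from Quinn, Apple, or the original poster), the snippet below shows how a tunnel provider resolves the persistent reference it receives in identityReference, and a diagnostic that enumerates what is actually visible in the shared managed-VPN access group so that "the group is not in my entitlements" can be told apart from "the identity was never placed in that group". It assumes the extension's entitlements already list com.apple.managed.vpn.shared under keychain-access-groups; the function names and log text are the author's own choices.

```swift
import Foundation
import NetworkExtension
import Security

// Hypothetical access group constant; the group name itself is the one
// Apple documents for managed VPN configurations.
let managedVPNAccessGroup = "com.apple.managed.vpn.shared"

// Resolve the identity that the MDM-delivered VPN configuration points at.
// NEVPNProtocol.identityReference is a persistent keychain reference, so the
// query uses kSecValuePersistentRef rather than a label or subject match.
func loadIdentity(from proto: NEVPNProtocol) -> SecIdentity? {
    guard let ref = proto.identityReference else {
        NSLog("VPN configuration carries no identityReference")
        return nil
    }
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecValuePersistentRef as String: ref,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        // errSecItemNotFound (-25300) here is the symptom described in the
        // thread; errSecMissingEntitlement (-34018) would instead point at
        // the keychain-access-groups entitlement being absent.
        NSLog("identity lookup failed with OSStatus \(status)")
        return nil
    }
    return (found as! SecIdentity)
}

// Enumerate every identity the extension can see in the managed VPN group.
// A successful call with zero items means the entitlement is in place but the
// identity was not installed into that group for this enrollment type.
func visibleManagedIdentities() -> [String] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrAccessGroup as String: managedVPNAccessGroup,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess,
          let entries = result as? [[String: Any]] else {
        NSLog("enumeration of \(managedVPNAccessGroup) failed: \(status)")
        return []
    }
    // Labels are enough for a diagnostic; do not log key material.
    return entries.compactMap { $0[kSecAttrLabel as String] as? String }
}

// Typical use inside NEPacketTunnelProvider.startTunnel(options:completionHandler:).
final class DiagnosticTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        NSLog("managed identities visible: \(visibleManagedIdentities())")
        guard let proto = protocolConfiguration as? NETunnelProviderProtocol,
              let identity = loadIdentity(from: proto) else {
            completionHandler(NEVPNError(.configurationInvalid))
            return
        }
        // identity is a SecIdentity; hand it to the TLS client for mutual auth.
        _ = identity
        completionHandler(nil)
    }
}
```

The two log lines together separate the cases: if the enumeration returns nothing at all while the persistent-reference lookup returns -25300, the extension has its entitlement but the enrollment type did not populate the shared group, which is the User Enrollment behaviour this thread is chasing.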

We are also facing the same issue with NEAppProxyProvider despite having access to "com.apple.managed.vpn.shared". It works fine in device enrollment but not in user enrollment due to cert lookup failing. This happens only when the VPN app is pushed as VPP. If we install it manually from the App Store then it works fine.

Hi Quinn. Yes, we have access to that keychain.


Our app works fine with MDMs in general, and can access the distributed certificates for per-App VPN configurations that specify certificate based authentication when the device is enrolled normally.


The problem is specifically with MDMs doing User Enrollment.


I've verified that there are Managed Apple IDs set up on the devices showing the problem.


SecItemCopyMatching() shows no matching items in any keychains, but since one feature of User Enrollment is separate keychains I'm wondering whether SecItemCopyMatching() is searching the right keychain in this case.

I’m posting a link to sanaw’s thread because they seem to be further along with this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, I was on that thread already. The lack of response was why I opened this thread.


I'm assuming that this means there are no known issues with User Enrollment and certificate-based VPN authentication? Or has anyone been using this successfully in the wild?

Did anyone find a solution for this? We are also having the same issue. I really appreciate any help you can provide.