VPN payload - password

In my iOS/macOS VPN apps (Packet Tunnel Provider), I create the configuration in the containing app, setting all the needed fields, and specifically the password reference points to the password in the keychain.
But what happens when I create the VPN payload via Apple Configurator (or via some MDM)? I have the Password field, but in the extension I get the password reference. In which keychain do I need to search for it?

P.S. This is the main part I'm using to save the password reference in my containing app:

import Foundation
import Security

// Stores the VPN password in the app's keychain and returns the persistent
// reference that goes into NEVPNProtocol.passwordReference.
func storePassword(_ passwordData: Data) -> Data? {
    let attributes: [AnyHashable: Any] = [
        kSecClass as AnyHashable: kSecClassGenericPassword,
        kSecAttrService as AnyHashable: UUID().uuidString,
        kSecValueData as AnyHashable: passwordData,
        // kSecAttrAccessibleAlways is deprecated since iOS 12 / macOS 10.14; kept as posted.
        kSecAttrAccessible as AnyHashable: kSecAttrAccessibleAlways,
        kSecAttrSynchronizable as AnyHashable: kCFBooleanTrue!,
        kSecReturnPersistentRef as AnyHashable: kCFBooleanTrue!
    ]

    var result: AnyObject?
    let status = SecItemAdd(attributes as CFDictionary, &result)
    guard status == errSecSuccess else { return nil }
    return result as? Data
}

Accepted Answer
In regard to:

But what happens when I create the VPN payload via Apple Configurator (or via some MDM)? I have the Password field, but in the extension I get the password reference. In which keychain do I need to search for it?

If your passwords or credentials are coming from an MDM configuration profile, then these credentials are stored in a system keychain (com.apple.managed.vpn.shared) that your app does not have access to without an entitlement.

Check out the Profile Configuration documentation here.

If your application requires access to this system keychain for VPN credential purposes, please take a look at #9 here to request access.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
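To make the answer concrete: the tunnel extension never receives the password itself, only the persistent keychain reference carried by the protocol configuration, and it resolves that reference with a keychain lookup. The helper below is an added illustration, not code from the thread or from Apple; the class and error names are hypothetical. It assumes the extension is a Packet Tunnel Provider whose protocolConfiguration is an NETunnelProviderProtocol. For a profile installed by Apple Configurator or MDM the referenced item lives in the com.apple.managed.vpn.shared system keychain, so, as the answer states, the lookup only succeeds when the extension holds the keychain-access-groups entitlement for that group; without it the query fails instead of returning the pre-shared key.

```swift
import Foundation
import NetworkExtension
import Security

// Hypothetical helper for a Packet Tunnel Provider: turns the persistent
// keychain reference stored in the VPN configuration into the password bytes.
final class PasswordResolver {
    enum PasswordError: Error {
        case noReference          // configuration carries no passwordReference
        case keychain(OSStatus)   // SecItemCopyMatching failed; see status
        case notData              // item came back in an unexpected type
    }

    static func password(for proto: NETunnelProviderProtocol) throws -> Data {
        // passwordReference is inherited from NEVPNProtocol and holds the
        // persistent reference written by SecItemAdd(kSecReturnPersistentRef).
        guard let ref = proto.passwordReference else {
            throw PasswordError.noReference
        }

        // Look the item up by its persistent reference. No item class is given,
        // so the query works whichever class the profile installer used.
        let query: [CFString: Any] = [
            kSecValuePersistentRef: ref,
            kSecReturnData: true,
            kSecMatchLimit: kSecMatchLimitOne
        ]

        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)

        // For an MDM-delivered profile, errSecItemNotFound or
        // errSecMissingEntitlement here usually means the extension lacks the
        // com.apple.managed.vpn.shared keychain access group entitlement.
        guard status == errSecSuccess else {
            throw PasswordError.keychain(status)
        }
        guard let data = item as? Data else {
            throw PasswordError.notData
        }
        return data
    }
}

// Assumed usage inside a PacketTunnelProvider subclass (illustrative only):
//
// override func startTunnel(options: [String: Any]?,
//                           completionHandler: @escaping (Error?) -> Void) {
//     guard let proto = protocolConfiguration as? NETunnelProviderProtocol else {
//         completionHandler(NEVPNError(.configurationInvalid))
//         return
//     }
//     do {
//         let preSharedKey = try PasswordResolver.password(for: proto)
//         // ... hand preSharedKey to the tunnel implementation ...
//     } catch {
//         completionHandler(error)
//     }
// }
```

The same lookup serves both cases in the thread: when the containing app wrote the item itself (the SecItemAdd snippet in the question), the reference resolves against the app's own keychain; when the profile came from Configurator or MDM, the reference is identical in shape but points into the managed system keychain, which is why the entitlement, not a different query, is what the extension needs.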
Great, thanks for the quick info!
I'll submit a DTS but before that, just to be sure -

This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility

I want to add support for configuration via configuration profile, and for the connection I need the password for the user (which is really a pre-shared key). Is there any way to get it other than keychain + permissions? I'm asking because of "Many VPN apps don’t need this facility"



No problem. You mentioned:

I need the password for the user (which is really a pre-shared key). Is there any way to get it other than keychain + permissions?

This password / pre-shared key is delivered via an MDM profile, correct?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com 

Correct, but this is part of the VPN payload, so it sounds weird that you need to set a password there but the app can't read it.
(The field description is "Password for authenticating the connection".)

I submitted a DTS: 742146463