'Permission denied' error on Network Extension for App Store build

Question

telo42 OP

Created Oct ’20

Replies 4

Boosts 0

Views 2.2k

Participants 2

Hi,
When I try to use my DNS Proxy app from App Store with a supervised device, I have these errors :

Code Block [NEDNSProxyManager saveToPreferencesWithCompletionHandler:]_block_invoke: failed to save the new configuration: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}

Code Block nehelper	myApplication trying to create a DNS proxy configuration through an app. Creating a DNS proxy configuration is only allowed through profile in production version of myApplication.

My entitlements are :

Code Block <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>dns-proxy</string>
	</array>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.myApplication.app</string>
	</array>
	<key>keychain-access-groups</key>
	<array>
		<string>$(AppIdentifierPrefix)com.myApplication.app</string>
	</array>
</dict>
</plist>

Why it says 'permission denied'?

Thanks.

Answered by telo42 in 642382022

I found my problem, the solution is here.

When you create a DNS proxy, it :

Can only be deployed to supervised devices
Must be configured via a configuration profile

I've forgotten the configuration profile. I've written it with imazing-profile-editor on Mac App Store then I push it with Apple Configurator 2.

It works like a charm.

Boost

Answer 1

Systems Engineer OP

Apple

Oct ’20

Can you tell me more about the workflow so I can understand what the role of the App Store is and what the role of MDM are here on iOS?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0

Answer 2

telo42 OP

Oct ’20

I download IPA in App Store, unzip it, and run the following command :

Code Block codesign -d --entitlements - myApp.app/myApp

I have this :

Code Block ??qq<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.wifi-info</key>
	<true/>
	<key>keychain-access-groups</key>
	<array>
		<string>........com.myApp.app</string>
	</array>
	<key>com.apple.developer.team-identifier</key>
	<string>........</string>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>dns-proxy</string>
	</array>
	<key>application-identifier</key>
	<string>.........com.myApp.app</string>
	<key>aps-environment</key>
	<string>production</string>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.myApp.app</string>
	</array>
</dict>
</plist>

And I also run this command on my DNS proxy extension app :

Code Block ??qq?<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>..............com.myApp.app.DNSProxyProvider</string>
	<key>keychain-access-groups</key>
	<array>
		<string>.............com.myApp.app</string>
	</array>
	<key>com.apple.developer.team-identifier</key>
	<string>..........</string>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.myApp.app</string>
	</array>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>dns-proxy</string>
	</array>
</dict>
</plist>

When you look at my IPA entitlements in App Store, there is no problem, I don't understand why I have this problem.

Any suggestions ?

Regards.

0

Answer 3

telo42 OP

Oct ’20

The workflow is simple, user or MDM admin download application from App Store then user open application and enable DNS Proxy.

0

Answer 4

telo42 OP

Oct ’20

Accepted Answer

I found my problem, the solution is here.

When you create a DNS proxy, it :

Can only be deployed to supervised devices
Must be configured via a configuration profile

I've forgotten the configuration profile. I've written it with imazing-profile-editor on Mac App Store then I push it with Apple Configurator 2.

It works like a charm.

1