After some trial and error and reading various other posts, I believe that this approach is not possible when the packet tunnel provider is in a System Extension because it will not have access to a shared app group or keychain group. Given that, it seems like the only option is to pass these credentials in the NETunnelProviderProtocol.providerConfiguration property instead. My concern is that this may not be a secure place to put credentials, but the documentation does not specify how it is secured.
So my question is what is the best practice for providing credentials from the host app to a packet tunnel provider in a System Extension if the keychain is not a viable option?
You’re correct that providerConfiguration isn’t really the place to be storing secrets. What you could do instead is:
Use XPC to pass the credentials to your sysex.
This would then store them in the keychain and return you a handle of some form.
You could then pass that handle to the provider via providerConfiguration.
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
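A sketch of the three steps in the answer above, added here as an example and not code from the thread or from Apple: the sysex stores the secret in its own keychain and hands back an opaque handle, and only that handle goes into providerConfiguration. The XPC protocol name, the keychain service string and the bundle identifier are assumptions, and the NSXPCListener/NSXPCConnection wiring is omitted.

```swift
import Foundation
import Security
import NetworkExtension

// Hypothetical XPC interface the System Extension exposes to the host app.
@objc protocol CredentialStoreXPC {
    func store(username: String, password: String, reply: @escaping (String?) -> Void)
}

/// Sysex side: persist the credentials in the sysex's keychain, return a handle, never the secret.
final class CredentialStore: NSObject, CredentialStoreXPC {
    static let service = "com.example.tunnel.credentials" // assumed service name

    func store(username: String, password: String, reply: @escaping (String?) -> Void) {
        let handle = UUID().uuidString // opaque handle returned to the host app
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: Self.service,
            kSecAttrAccount as String: handle,
            kSecAttrLabel as String: username,
            kSecValueData as String: Data(password.utf8),
        ]
        let status = SecItemAdd(query as CFDictionary, nil)
        reply(status == errSecSuccess ? handle : nil)
    }

    /// Called by the packet tunnel provider with the handle it reads from providerConfiguration.
    static func password(for handle: String) -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: handle,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(decoding: data, as: UTF8.self)
    }
}

/// Host app side: the configuration carries the handle only, so no secret lands in providerConfiguration.
func makeProtocol(handle: String, server: String) -> NETunnelProviderProtocol {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.tunnel.provider" // assumed bundle id
    proto.serverAddress = server
    proto.providerConfiguration = ["credentialHandle": handle]
    return proto
}
```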