Question on NEPacketTunnelProvider and NETunnelProviderManager

I have both of these working but when the NETunnelProviderManager is created it installs a VPN Profile into the System's Network Interfaces which gives the user the ability to override behaviors of my app that I do not want them to do. This is an Enterprise solution and the authentication and configuration occurs outside of the Network Extension. So my question is a) can I just utilize the NEPacketTunnelProvider which I need to instantiate a utun device (our previous version was using a KExt to do this) by itself? b) if not, is there any way I can make the VPN profile read-only so a user cannot modify the contents/settings?

TIA

a) can I just utilize the NEPacketTunnelProvider which I need to instantiate a utun device … by itself?

I’m not sure I understand this. I think you’re asking whether you can set things up so that the system instantiates your packet tunnel provider without a configuration being visible in System Preferences, in which case the answer is “No.”

b) if not, is there any way I can make the VPN profile read-only so a user cannot modify the contents/settings?

If you’re deploying to an enterprise environment your best option is to make your users standard users rather than admin users. A standard user can’t mess with System Preferences > Network. Trying to defend yourself against admin users is a pointless exercise IMO.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Quinn,

Thank you for the response. Just to be clear, there is no other supported way to configure a utun device in newer macOS releases, correct? I want to make sure I haven't missed something.

Scott

Just to be clear, there is no other supported way to configure a utun device in newer macOS releases, correct?

It depends on what you mean by “supported”. From a DTS perspective, the answer is “No.” With the advent of NE providers, DTS has stopped supporting these sorts of ad hoc VPN solutions [1]. That’s because NE providers offer a path forward that’s likely to be binary compatible in the long term, and our experience with ad hoc VPN solutions is that they are very brittle.

However, the utun device does exist on macOS and there’s nothing stopping you from working with it. If you search the ’net you’ll find plenty of folks who’ve gone down this path. Just be aware that the path leads out into the weeds and there’s no one to officially help you when you break down.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Also, we only support folks using NE providers in their intended role. TN3120 Expected use cases for Network Extension packet tunnel providers discusses that in more detail.
