setTunnelNetworkSettings never gets executed

XCode: 12.4

MacOS: 10.15.7

Signing Certificate: Sign to Run Locally

Provisioning Profile: Xcode Managed Profile

Capabilities: Network Extension, Personal VPN

Issue:

startTunnelWithOptions does get called, and then I call setTunnelNetworkSettings inside it. But it never gets executed. My assumption is that it might be some security policy or something. I am not familiar with App development for Mac systems and apparently it is quite confusing with very scarce documentation. Most of the errors are thrown in Console, and I can't find documentation on them. At least not with simple googling, but ChatGPT has been helpful in explaining some of the errors. I have no intention of distributing the application through the App Store.

#import <NetworkExtension/NetworkExtension.h>

- (void)startTunnelWithOptions:(NSDictionary *)options completionHandler:(void (^)(NSError *))completionHandler
{
    // Remote address of the tunnel server, as seen by the system.
    NEPacketTunnelNetworkSettings* settings = [[NEPacketTunnelNetworkSettings alloc] initWithTunnelRemoteAddress:@"20.21.13.24"];

    // Tunnel interface address and DNS servers handed to the system.
    NEIPv4Settings* settingsIPV4 = [[NEIPv4Settings alloc] initWithAddresses:@[@"20.21.13.24"] subnetMasks:@[@"255.255.255.255"]];
    settingsIPV4.includedRoutes = @[NEIPv4Route.defaultRoute]; // route all IPv4 traffic into the tunnel
    NEDNSSettings* settingsDNS = [[NEDNSSettings alloc] initWithServers: @[@"8.8.8.8", @"8.8.4.4"]];
    settings.IPv4Settings = settingsIPV4;
    settings.DNSSettings = settingsDNS;
    settings.MTU = @1500; // numberWithInteger: expects an NSInteger, not an NSNumber literal

    [self setTunnelNetworkSettings:settings completionHandler:^(NSError* _Nullable error)
    {
        NSLog(@"Completion Handler Called: %@", error);
        // Propagate any error so the system knows the tunnel failed to start.
        completionHandler(error);
    }];
}

Console Errors:

Here are a few of the errors from the console; there are many more, and different processes throw them, so it's hard for me to pinpoint which ones are related to my extension, but these are the ones that look helpful in this case.

CS_PLATFORM_BINARY set but not AppleSigned; prompt policy is Deny.
Failed to add policy: 
    order = 10810
    result = {
        result-type = ip-tunnel
        secondary-result = pass
    }
    conditions = (
        {
            condition-type = effective-application
            application-uuid = AADC77FD-D5E1-3A11-B327-8137FD04C0B5
        },
        {
            condition-type = real-application
            application-uuid = AADC77FD-D5E1-3A11-B327-8137FD04C0B5
        },
        {
            condition-type = all-interfaces
        },
        {
            condition-type = effective-pid
            pid = 1337
        },
    )
Sandbox: nesessionmanager(851) System Policy: deny(1) system-privilege 10006
Accepted answer (by siiar):

The reason for setTunnelNetworkSettings not being called was because I was passing nil as the options argument for startVPNTunnelWithOptions method of the connection object that is available in NETunnelProviderManager.
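The host-app side of the start sequence that this answer refers to, as an added example that is not part of the original thread: it loads or creates the NETunnelProviderManager, saves the configuration, reloads it, and then starts the provider with an explicit (non-nil) options dictionary while observing status changes. The bundle identifier, server address and option values are placeholders.

```objc
#import <NetworkExtension/NetworkExtension.h>

// Placeholders: replace with your extension's bundle ID and your server.
static NSString *const kProviderBundleID = @"com.example.myapp.tunnel";
static NSString *const kServerAddress    = @"vpn.example.com";

// Starts the packet tunnel provider from the container app.
// The options dictionary is delivered to startTunnelWithOptions: in the extension.
static void StartTunnelFromApp(void)
{
    [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:
     ^(NSArray<NETunnelProviderManager *> *managers, NSError *loadError) {
        if (loadError) { NSLog(@"load failed: %@", loadError); return; }

        // Reuse an existing configuration, or create one the first time.
        NETunnelProviderManager *manager = managers.firstObject ?: [[NETunnelProviderManager alloc] init];
        NETunnelProviderProtocol *proto = [[NETunnelProviderProtocol alloc] init];
        proto.providerBundleIdentifier = kProviderBundleID;
        proto.serverAddress = kServerAddress;
        manager.protocolConfiguration = proto;
        manager.localizedDescription = @"Example Tunnel";
        manager.enabled = YES;

        // Watch the connection status so a start that never reaches "connected" is visible.
        [[NSNotificationCenter defaultCenter] addObserverForName:NEVPNStatusDidChangeNotification
                                                          object:manager.connection
                                                           queue:nil
                                                      usingBlock:^(NSNotification *note) {
            NSLog(@"tunnel status: %ld", (long)manager.connection.status);
        }];

        // The configuration must be saved (and approved by the user) before it can be started.
        [manager saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            if (saveError) { NSLog(@"save failed: %@", saveError); return; }

            // Reload after saving so the connection object reflects the stored configuration.
            [manager loadFromPreferencesWithCompletionHandler:^(NSError *reloadError) {
                if (reloadError) { NSLog(@"reload failed: %@", reloadError); return; }

                // Constructed options; the extension sees this dictionary in startTunnelWithOptions:.
                NSDictionary *options = @{ @"username": @"example-user" };
                NSError *startError = nil;
                NETunnelProviderSession *session = (NETunnelProviderSession *)manager.connection;
                if (![session startVPNTunnelWithOptions:options andReturnError:&startError]) {
                    NSLog(@"startVPNTunnelWithOptions failed: %@", startError);
                }
            }];
        }];
    }];
}
```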

I’m not exactly sure what’s going wrong here but this:

Signing Certificate: Sign to Run Locally

is a problem. NE apps and providers must be signed with the NE entitlement and that must be authorised by a profile. That can’t happen if you use ad-hoc signing. You need to sign with a team. I recommend that you enable “Automatically manage signing” and then select your team in the Team popup. This will enable Apple Development signing, which is what you should be using for day-to-day development.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks a lot for the quick response. Does that mean I have to be enrolled in the Apple Developer Program?

The only reason I used Sign to Run Locally was to avoid that and, if everything works fine on my local machine, then enroll in the program so I can distribute the application (not through the App Store). I thought that Sign to Run Locally would give me all the capabilities but only on my machine, and if that is not the case I don't know what is preventing Apple from giving such an option. Because at this moment I am not even sure if Apple provides all the capabilities that my application would need even with a paid developer account, and apart from that I don't even know if Apple provides backward compatibility with the release of their new OS, because I have read that some Apps stopped working properly with newer MacOS. My application is a cross platform application written in C++, and the OS specific parts are small and done specifically for that OS. So, the whole idea was whether providing a Mac/iOS version of the App would be something feasible or not.

So the droid you’re looking for here is Developer Account Help > Reference > Supported capabilities (macOS). The rightmost column, confusingly labelled “Apple Developer”, lists the capabilities available to folks using free provisioning (a Personal Team in Xcode parlance). You’ll note that Network Extension is not listed there so, yes, you’ll need a developer account.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So during these weeks I went on to port the application to Android and to compare ease of development between Android and iOS. Within two weeks I had the application working on Android. Yesterday, I came back to MacOS. Enrolled in the developer program, chose Apple Development as the signing certificate, and unfortunately there is no difference. I tried both automatically managed signing and manual.

Other than not seeing CS_PLATFORM_BINARY set but not AppleSigned; prompt policy is Deny, I am getting the same errors. I tried to use a Developer ID signing certificate, but that requires application notarization, which I am not sure how it works, although I figured out the -systemextension addition from one of your replies about using Network Extensions with a Developer ID certificate. At this point I am not sure if using a Developer ID signing certificate would eventually solve this issue or most probably create additional hurdles, just like figuring out the -systemextension suffix.

Any suggestions at this point?

I need to make a correction to my previous post: I still see CS_PLATFORM_BINARY set but not AppleSigned; prompt policy is Deny from the tccd process.
