Packet tunnel provider on macOS vs Apple Configurator 2

I'm having a couple of problems using Apple Configurator 2 profiles with my packet tunnel provider extension. These are specific to macOS; iOS works fine.


1. ProviderBundleIdentifier is a required property on macOS, however there doesn't appear to be any way to specify it in Apple Configurator 2. It seems I have to manually edit the exported .mobileconfig file and add the necessary XML. This gets even trickier with a signed profile; I have to save it from AC2, then edit the XML, then go back into AC2 to do the signing. Am I overlooking something, or should I file a radar?


2. Profiles with client certificate identities trigger a security prompt during login:


<VPN name> wants to sign using key "Configuration Profiles" in your keychain.
Do you want to allow access to this item?

[Always allow]  [Deny] [Allow]


Is this expected behavior? Is there anything that can be done in AC2 to pre-populate the ACL for the private key to allow my VPN app/extension to access it silently? Or is there a special way I can access the identity from my VPN app/extension? I'm currently authenticating via URLSession/URLCredential before establishing the tunnel connection. Maybe that's not the expected approach?


Thanks

Mike

Accepted Reply

1. ProviderBundleIdentifier is a required property on macOS, however there doesn't appear to be any way to specify it in Apple Configurator 2.

Correct. This is definitely bugworthy. Please post your bug number, just for the record.

2. Profiles with client certificate identities trigger a security prompt during login:

Is this expected behavior?

Honestly, I don’t know, but it seems less than ideal. Regardless, if it’s causing you grief you should file a bug about it.

Is there anything that can be done in AC2 to pre-populate the ACL for the private key to allow my VPN app/extension to access it silently?

No. Ultimately Apple Configurator creates configuration profiles, documented in the Configuration Profile Reference, and configuration profiles have no way to specify ACLs.

Or is there a special way I can access the identity from my VPN app/extension?

No.

I'm currently authenticating via URLSession/URLCredential before establishing the tunnel connection. Maybe that's not the expected approach?

It wouldn’t matter. Ultimately your TLS client will need to use the private key, and it’s not possible to use the private key without triggering the access check.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
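
Mike's workaround for point 1 (export the profile unsigned from AC2, add the XML by hand, then sign it in AC2) can be scripted. The following is an added example, not code from the thread or from Apple: it patches ProviderBundleIdentifier into every custom-VPN payload of an unsigned .mobileconfig. The payload keys (com.apple.vpn.managed, VPN, VPNType, VPNSubType, ProviderBundleIdentifier) are those documented in the Configuration Profile Reference; the script name, argument order, the DER check and the VPNSubType prefix warning are my additions.

```swift
// fix_provider_bundle_id.swift
// Usage: swift fix_provider_bundle_id.swift <in.mobileconfig> <out.mobileconfig> <extension.bundle.id>
import Foundation

enum ProfileError: Error, CustomStringConvertible {
    case signedProfile, notADictionary, noCustomVPNPayload
    var description: String {
        switch self {
        case .signedProfile: return "input looks like a signed (CMS/DER) profile; export it unsigned, patch, then sign in AC2"
        case .notADictionary: return "input is not a plist dictionary"
        case .noCustomVPNPayload: return "no com.apple.vpn.managed payload with VPNType == \"VPN\" found"
        }
    }
}

/// Adds ProviderBundleIdentifier to each custom-VPN (VPNType == "VPN") payload of an
/// unsigned .mobileconfig and returns the rewritten XML plist. Other keys are left untouched.
func addProviderBundleIdentifier(to profile: Data, extensionID: String) throws -> Data {
    // A signed profile is a DER SEQUENCE (first byte 0x30), not an XML plist; refuse it.
    if profile.first == 0x30 { throw ProfileError.signedProfile }

    var format = PropertyListSerialization.PropertyListFormat.xml
    guard var root = try PropertyListSerialization.propertyList(from: profile, options: [], format: &format)
            as? [String: Any] else { throw ProfileError.notADictionary }
    guard var payloads = root["PayloadContent"] as? [[String: Any]] else { throw ProfileError.noCustomVPNPayload }

    var patched = 0
    for i in payloads.indices {
        guard payloads[i]["PayloadType"] as? String == "com.apple.vpn.managed",
              var vpn = payloads[i]["VPN"] as? [String: Any],
              vpn["VPNType"] as? String == "VPN" else { continue }   // only custom (NE) VPN payloads

        // For VPNType "VPN", VPNSubType is the containing app's bundle ID, and an app extension's
        // bundle ID must be prefixed by its containing app's, so a mismatch is worth flagging.
        if let subtype = vpn["VPNSubType"] as? String, !extensionID.hasPrefix(subtype) {
            FileHandle.standardError.write(
                "warning: \(extensionID) is not prefixed by VPNSubType \(subtype)\n".data(using: .utf8)!)
        }
        vpn["ProviderBundleIdentifier"] = extensionID   // the key AC2 offers no UI for on macOS
        payloads[i]["VPN"] = vpn
        patched += 1
    }
    guard patched > 0 else { throw ProfileError.noCustomVPNPayload }

    root["PayloadContent"] = payloads
    return try PropertyListSerialization.data(fromPropertyList: root, format: .xml, options: 0)
}

let args = CommandLine.arguments
guard args.count == 4 else {
    FileHandle.standardError.write("usage: \(args[0]) <in.mobileconfig> <out.mobileconfig> <extension.bundle.id>\n".data(using: .utf8)!)
    exit(2)
}
do {
    let input = try Data(contentsOf: URL(fileURLWithPath: args[1]))
    let output = try addProviderBundleIdentifier(to: input, extensionID: args[3])
    try output.write(to: URL(fileURLWithPath: args[2]))
} catch {
    FileHandle.standardError.write("error: \(error)\n".data(using: .utf8)!)
    exit(1)
}
```

The output is still unsigned; as Mike describes, it then goes back into AC2 for signing. The script deliberately refuses a signed input rather than trying to unwrap the CMS envelope, so the edit-then-sign order cannot be done the wrong way round.
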

Replies

>Is this expected behavior?


I'd file a bug and see if that is the response.

Thanks Quinn. I filed the following bugs:

  • 31545575: Apple Configurator 2 should set ProviderBundleIdentifier for custom VPN profiles
  • 31546610: Packet tunnel providers trigger unwanted security prompts during client cert login

It wouldn’t matter. Ultimately your TLS client will need to use the private key, and it’s not possible to use the private key without triggering the access check.

I noticed the imported private key had ACL entries for several Apple helper apps (such as mdmclient, neagent, etc.) and was hoping there might be some API to leverage that somehow. Oh well.

Hi Mike.ly/Quinn,

We are also facing the second issue, where an authorisation or security dialog is prompted while our AppProxyProvider uses the client certificate configured with IdentityReference. Please let us know if there is any workaround, with config or code changes, to solve this issue. The log messages below are seen in the console during the issue:

19:41:19.378021+0530 securityd no tag given; looking for all ACL entries
debug 19:41:19.383491+0530 securityd Bundle: <private>, key: -2147411889, value: -2147411889, table: SecDebugErrorMessages, localizationName: (null), result: CSSMERR_CL_UNKNOWN_TAG
info 19:41:19.383609+0530 securityd displaying keychain prompt for /Applications/Tunnel.app/Contents/PlugIns/AppProxyProvider.appex


Thanks

Hi Quinn,

Please let us know if there is anything we can do for the above, like using special entitlements.

Thanks

I had a look at mike.ly’s bug that covers this (r. 31546610) and it got marked as a dup of another bug that was closed as fixed back in 2017. So I’m not sure why you’re seeing this. Let’s ask Matt…

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Regarding:

We are also facing the second issue where authorisation or security dialog is getting prompted while our AppProxyProvider using the configured client certificate with IdentityReference, please let us know if there is any workaround with config or code changes to solve this issue.
securityd displaying keychain prompt for /Applications/Tunnel.app/Contents/PlugIns/AppProxyProvider.appex

I noticed that you are using an app extension for your Network Extension. This made me wonder if this Network Extension was targeted for iOS or if it was meant for macOS, like the original author mentions. I did try this with a Network System Extension, i.e., loading a kSecClassIdentity in identityReference for NETunnelProviderProtocol, and did not receive a prompt. For iOS the Network System Extension route would not be available, but on macOS, if you are able to test this route, this would be one option. If you get stuck, feel free to open a TSI and I can look into this further.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
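
As an added example, not code from the thread or from Apple, here is a packet tunnel provider that does what Matt describes and what Mike's setup relies on: it resolves the identity installed by the profile's IdentityReference key through NETunnelProviderProtocol.identityReference, then presents it as the client certificate for an HTTPS authentication step before bringing the tunnel up. The `https://<serverAddress>/auth` endpoint, the "HTTP 200 means authenticated" rule and the minimal tunnel settings are assumptions. Nothing here changes the key's ACL: as Quinn says, the access check runs whenever the private key signs, so whether the prompt appears is decided by the ACL and, per Matt's test, by whether the provider runs as an app extension or a system extension, not by how the identity is fetched.

```swift
import Foundation
import NetworkExtension
import Security

enum IdentityError: Error {
    case noIdentityReference            // profile carried no IdentityReference
    case keychainLookupFailed(OSStatus)
    case notAnIdentity
}

/// Turn the persistent reference in NETunnelProviderProtocol.identityReference
/// (populated from the profile's IdentityReference key) into a SecIdentity.
func resolveIdentity(from proto: NETunnelProviderProtocol) throws -> SecIdentity {
    guard let persistentRef = proto.identityReference else {
        throw IdentityError.noIdentityReference
    }
    // A persistent reference identifies the item on its own; kSecReturnRef asks for the object.
    let query: [CFString: Any] = [
        kSecValuePersistentRef: persistentRef,
        kSecReturnRef: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        throw IdentityError.keychainLookupFailed(status)
    }
    // CF types cannot be checked with `as?`; compare type IDs before the forced cast.
    guard CFGetTypeID(found) == SecIdentityGetTypeID() else { throw IdentityError.notAnIdentity }
    return found as! SecIdentity
}

/// Answers the server's client-certificate challenge with the profile's identity.
final class ClientCertificateDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity
    init(identity: SecIdentity) { self.identity = identity }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)   // server trust etc. use default handling
            return
        }
        // TLS signs with the private key when this credential is used. That signature is the
        // "wants to sign using key" operation securityd evaluates against the key's ACL.
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

final class PacketTunnelProvider: NEPacketTunnelProvider {
    private var authSession: URLSession?

    override func startTunnel(options: [String: NSObject]?, completionHandler: @escaping (Error?) -> Void) {
        guard let proto = protocolConfiguration as? NETunnelProviderProtocol,
              let server = proto.serverAddress,
              let authURL = URL(string: "https://\(server)/auth") else {   // "/auth" path is hypothetical
            completionHandler(NEVPNError(.configurationInvalid))
            return
        }
        let identity: SecIdentity
        do {
            identity = try resolveIdentity(from: proto)
        } catch {
            completionHandler(error)
            return
        }
        let session = URLSession(configuration: .ephemeral,
                                 delegate: ClientCertificateDelegate(identity: identity),
                                 delegateQueue: nil)
        authSession = session
        session.dataTask(with: authURL) { [weak self] _, response, error in
            guard let self = self else { return }
            if let error = error { completionHandler(error); return }
            guard let http = response as? HTTPURLResponse, http.statusCode == 200 else {
                completionHandler(NEVPNError(.connectionFailed))
                return
            }
            // Client certificate accepted; bring the tunnel up. Addresses, routes and DNS
            // depend on the server and are omitted here.
            let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: server)
            self.setTunnelNetworkSettings(settings) { settingsError in
                completionHandler(settingsError)
            }
        }.resume()
    }

    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        authSession?.invalidateAndCancel()
        completionHandler()
    }
}
```

Resolving the identity via the persistent reference rather than searching the keychain by label keeps the provider bound to exactly the identity the profile installed. If the first signing operation prompts, the securityd "displaying keychain prompt for ..." log line quoted above names the code path that failed the ACL check, which is the first thing to compare between the appex and system extension builds.
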

Thanks Matt/Quinn.

We have been using AppProxyProvider as an appex for some time now, mainly as a Per-App VPN. It works fine on iOS, and on macOS we get this alert. We will try using a System Extension for macOS and see if it fixes the issue.