Packet tunnel provider on macOS vs Apple Configurator 2

>Is this expected behavior?

I'd file a bug and see if that is the response.

1. ProviderBundleIdentifier is a required property on macOS, however there doesn't appear to be any way to specify it in Apple Configurator 2.

Correct. This is definitely bugworthy. Please post your bug number, just for the record.

2. Profiles with client certificate identities trigger a security prompt during login:

…

Is this expected behavior?

Honestly, I don’t know, but it seems less than ideal. Regardless, if it’s causing you grief you should file a bug about it.

Is there anything that can be done in AC2 to pre-populate the ACL for the private key to allow my VPN app/extension to access it silently?

No. Ultimately Apple Configurator creates configuration profiles, documented in the Configuration Profile Reference, and configuration profiles have no way to specify ACLs.

Or is there a special way I can access the identity from my VPN app/extension?

No.

I'm currently authenticating via URLSession/URLCredential before establishing the tunnel connection. Maybe that's not the expected approach?

It wouldn’t matter. Ultimately your TLS client will need to use the private key, and it’s not possible to use the private key without triggering the access check.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Quinn. I filed the following bugs:

• 31545575: Apple Configurator 2 should set ProviderBundleIdentifier for custom VPN profiles
• 31546610: Packet tunnel providers trigger unwanted security prompts during client cert login

It wouldn’t matter. Ultimately your TLS client will need to use the private key, and it’s not possible to use the private key without triggering the access check.

I noticed the imported private key had ACL entries for several Apple helper apps (such as mdmclient, neagent, etc) and was hoping there might be some API to leverage that somehow. Oh well.

Hi Mike.ly/Quinn,
We are also facing the second issue where authorisation or security dialog is getting prompted while our AppProxyProvider using the configured client certificate with IdentityReference, please let us know if there is any workaround with config or code changes to solve this issue. Below log messages are seen in console during the issue

Code Block 
19:41:19.378021+0530	securityd	no tag given; looking for all ACL entries
debug	19:41:19.383491+0530	securityd	Bundle: <private>, key: -2147411889, value: -2147411889, table: SecDebugErrorMessages, localizationName: (null), result: CSSMERR_CL_UNKNOWN_TAG
info	19:41:19.383609+0530	securityd	displaying keychain prompt for /Applications/Tunnel.app/Contents/PlugIns/AppProxyProvider.appex

Thanks

Hi Quinn,
Please let us know if anything we can do for above, like using special entitlements.
Thanks

I had a look at mike.ly’s bug that covers this (r. 31546610) and it got marked as a dup of another bug that was closed as fixed back in 2017. So I’m not sure why you’re seeing this. Let’s ask Matt…

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Regarding:

We are also facing the second issue where authorisation or security dialog is getting prompted while our AppProxyProvider using the configured client certificate with IdentityReference, please let us know if there is any workaround with config or code changes to solve this issue.
securityd displaying keychain prompt for /Applications/Tunnel.app/Contents/PlugIns/AppProxyProvider.appex

I noticed that you are using a app extension for your Network Extension. This made me wonder if this Network Extension was targeted for iOS or if it was meant for macOS like the original author mentions. I did try this with a Network System Extension, i.e., loading a kSecClassIdentity in identityReference for NETunnelProviderProtocol and did not receive a prompt. For iOS the Network System Extension route would not be available, but on macOS if you are able to test this route, this would be one option. If you get stuck, feel free to open a TSI and I can look into this further.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks Matt/Quinn.

We have been using AppProxyProvider as appex for some time now and as PerAppVPN mainly, it works fine on iOS and on macOS we get this alert. We will try using System Extension for macOS and see it it fix the issue.