Per-App VPN (NEAppProxyProvider) extension fails to start when managed profile specifies certificate based authentication on iOS

Hi, we have an iOS application that runs a NEAppProxyProvider network extension. The configuration for the extension is delivered by MDM and we've noticed that some MDMs are beginning to force end users to select certificate based authentication as the auth type for the per-app VPN payload. This itself causes no problems, but when a certificate to use for the authentication is also provided in the profile, our extension fails to start. Our application does not use the credentials from the profile, certificate based or otherwise, so we aren't doing anything unusual with them either.

We thought the problem might be caused because we lacked the com.apple.managed.vpn.shared entitlement that would be needed to access the certificate once it was on device (even though we never actually try to access it), but that did not fix the issue.

We have also confirmed that this happens regardless of MDM used to configure the profile.

Here are the relevant logs we are seeing that show the extension never starts:

neagent: NEAgentSession: failed to create the delegate

nesessionmanager:<application>[313]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"

<application>: Last disconnect error for <application> changed from "none" to "The VPN app used by the VPN configuration is not installed"

STEPS TO REPRODUCE

  1. Create an application that establishes a basic per-app VPN (just a loopback works) using the network extension
  2. Using an MDM, create and deploy a per-app VPN profile with certificate based authentication (include a certificate as well) that uses the test application as a plugin.
  3. Using the MDM, assign another application to the per-app VPN.
  4. Try to connect to the internet using the assigned application; it should fail to connect because the system can't start the extension.

For reference it appears that this issue is similar to ours: https://forums.developer.apple.com/forums/thread/746879

I've tried all the suggestions on that page, including adding a 'first-light' log and that is never seen. There are also no additional clues when adding the VPN debug profile to the device.

Thanks!
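As an added example that is not part of the original post: a small consistency check over a constructed per-app VPN profile of the kind described in the steps above. The key names follow Apple's Configuration Profile Reference for the `com.apple.vpn.managed` and `com.apple.security.pkcs12` payloads; all UUIDs, bundle identifiers and the certificate blob are constructed placeholders, and which checks are worth running is my assumption, not something the thread states.

```python
"""Consistency checks for an MDM per-app VPN profile (constructed example)."""
import plistlib

# Constructed sample profile: one per-app VPN payload using certificate-based
# authentication plus the PKCS#12 payload it references by UUID.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadUUID": "11111111-1111-1111-1111-111111111111",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadUUID": "22222222-2222-2222-2222-222222222222",
            "PayloadContent": b"constructed placeholder, not a real PKCS#12",
        },
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadUUID": "33333333-3333-3333-3333-333333333333",
            "UserDefinedName": "Example Per-App VPN",
            "VPNType": "VPN",
            "VPNSubType": "com.example.app",  # container app bundle id (placeholder)
            "VPNUUID": "44444444-4444-4444-4444-444444444444",
            "VPN": {
                "AuthenticationMethod": "Certificate",
                "PayloadCertificateUUID": "22222222-2222-2222-2222-222222222222",
                "ProviderType": "app-proxy",
                "ProviderBundleIdentifier": "com.example.app.proxy",  # placeholder
                "RemoteAddress": "vpn.example.com",
            },
        },
    ],
}

CERT_PAYLOAD_TYPES = ("com.apple.security.pkcs12", "com.apple.security.scep")


def check_per_app_vpn_profile(profile: dict) -> list:
    """Return the list of problems found (empty list means the profile is consistent)."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    for p in payloads:
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        vpn = p.get("VPN", {})
        if vpn.get("ProviderType") != "app-proxy":
            problems.append("ProviderType is not app-proxy")
        if not vpn.get("ProviderBundleIdentifier"):
            problems.append("ProviderBundleIdentifier is missing")
        if not p.get("VPNSubType"):
            problems.append("VPNSubType (container app bundle id) is missing")
        if vpn.get("AuthenticationMethod") == "Certificate":
            ref = vpn.get("PayloadCertificateUUID")
            if ref not in cert_uuids:  # certificate auth must point at a certificate payload in the profile
                problems.append(f"PayloadCertificateUUID {ref!r} matches no certificate payload")
    return problems


def check_profile_bytes(data: bytes) -> list:
    """Parse a .mobileconfig (XML or binary plist) and run the checks on it."""
    return check_per_app_vpn_profile(plistlib.loads(data))
```

`check_profile_bytes` is the entry point for a real, unsigned `.mobileconfig` exported from the MDM; signed profiles must be unwrapped (for example with `openssl smime -verify`) before parsing.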

I’m not sure what’s going on here. MDM-provisioned VPN configurations can use client identities, so it’s a bit of a mystery as to why the system isn’t starting your extension in this case. Normally I’d suggest that you work with the MDM vendor to see what they’re doing, but you wrote this:

We have also confirmed that this happens regardless of MDM used to configure the profile.

which suggests that it’s more of an Apple thing.

Are you able to reproduce this in house?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

Yes, we think it may be an iOS system problem. We've reproduced on our devices by:

  1. Enrolling a test device into one of our end-user's MDM with their permission. The specified identity within the profile was the SCEP certificate.
  2. Deploying a similarly configured profile using a different MDM internally, and the same problem occurred.

It's almost as if iOS thinks our network extension isn't installed with our app, but looking at the installed plugins from the powerlog DB in a sysdiagnose indicates that the extension is indeed installed correctly.

I haven't seen anything in the docs but are we missing any override we need to do as a NEAppProxyProvider to handle the fact that we're being given a certificate for authentication?

are we missing any override we need to do as a NEAppProxyProvider to handle the fact that we're being given a certificate for authentication?

No. Even if we’re, it’d have to be declarative — so, something in the Info.plist for example — because your code hasn’t been run at the time it fails.

This is quite strange. If you try the same test process with a different third-party app proxy provider, does it have the same problem?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

No. Even if we’re, it’d have to be declarative — so, something in the Info.plist for example — because your code hasn’t been run at the time it fails.

True.

It's hard for me to test with another app, but I will continue to try and make that happen.

However, I do know from speaking with our end-user and inspecting their sysdiagnose that they, at one point, had another 3rd-party proxy provider on the device. They say it was working correctly, but I don't see any per-app assignment rules nor Safari domains assigned for that configuration, so I'm not sure how they would have confirmed that it was working.

We did have them remove said configuration to rule out some conflict between the two VPNs using the same identity. It didn't fix the problem.

Does the system determine which extension to launch using LaunchServices? Is there any way that the profile could be corrupting the LS DB? It doesn't seem possible on iOS, but thought maybe it was worth throwing out there.
