Once I have a DataFilterExtension how do I begin the filtering?

I have a project that has the DataExtension target installed. In this extension I have a subclass of NEFilterDataProvider (the one that's created alongside the target). However, I don't know how to trigger the actual extension to start working. I have tried adding the following in application:didFinishLaunchingWIthOptions:


[[NEFilterManager sharedManager] loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
        if (error) {
            // This error usually does not happen.
            NSLog(@"%@", error);
        }
     
        NEFilterProviderConfiguration *config = [[NEFilterProviderConfiguration alloc] init];
        config.username = @"Test";
        config.organization = @"Org";
        config.filterBrowsers = YES;
        config.filterSockets = YES;
        config.serverAddress = @"Server to request new rules";
        [NEFilterManager sharedManager].providerConfiguration = config;
        [[NEFilterManager sharedManager] setEnabled:YES];
     
        [[NEFilterManager sharedManager] saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
            if (error) {
                // This always returns:
                // Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}`
                NSLog(@"%@", error);
            }
        }];
    }];


I have a suspicion I'm getting the denied permission because of Entitlements. My entitlements look like this:


DataFilterExtension

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-/
<plist version="1.0">
<dict>
  <key>com.apple.security.application-groups</key>
  <array>
  <string>group.com.appIdentifier</string>
  </array>
</dict>
</plist>


MainApp

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-/
<plist version="1.0">
<dict>
  <key>com.apple.developer.networking.vpn.api</key>
  <array>
  <string>allow-vpn</string>
  </array>
</dict>
</plist>


I'm not sure what to do.

Accepted Reply

I have a suspicion I'm getting the denied permission because of Entitlements.

That’s correct. To create a Network Extension provider, you need special entitlements. This was discussed at the end of WWDC 2015 Session 717 What's New in Network Extension and VPN. For more context, see this post.

<key>com.apple.developer.networking.vpn.api</key> 
  <array> 
  <string>allow-vpn</string> 
</array>

This entitlement is for Personal VPN (using NEVPNManager to set up VPN with the built-in VPN transports) and will not help when creating a Network Extension filter provider.

Finally, before deciding on a product plan here please take note of that fact that Network Extension filter providers are only supported on supervised devices.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

I have a suspicion I'm getting the denied permission because of Entitlements.

That’s correct. To create a Network Extension provider, you need special entitlements. This was discussed at the end of WWDC 2015 Session 717 What's New in Network Extension and VPN. For more context, see this post.

<key>com.apple.developer.networking.vpn.api</key> 
  <array> 
  <string>allow-vpn</string> 
</array>

This entitlement is for Personal VPN (using NEVPNManager to set up VPN with the built-in VPN transports) and will not help when creating a Network Extension filter provider.

Finally, before deciding on a product plan here please take note of that fact that Network Extension filter providers are only supported on supervised devices.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo, it was indeed an entitlements issue. I believe we are able to run the Network Extension so I don't have an issue with the product plan.


I am, however, unable to actually debug it. When I run the app, I got the prompt to use the extension but then nothing happened. None of my breakpoints are hit. I see this question on Stack Overflow, but following the answers didn't yield any results.


If I run my extension on device, then try to attach to it via ProcessID (where I input its bundle identifier) I get a waning saying: "No application exists at ~Path/To/Containing.app"


I I run my app on device, then try to attach to it via ProcessID, I get a warning saying: "Waiting for (extension BundleID) to launch". However, I am launching on AppDelegate (with the code on my first post, right?).


Any help? I am finding docs lacking =/

Hi Eskimo.


I have requested to use network extension, and approved to use it.


I have successfully implemented to use NEFilterManager, and could load and save to preferences in devlopment build.


However, in release build (tested in TestFlight), I get an error "Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo=(NSLocalizedDescription=permission denided)" when calling NEFilterManager.sharedManager().saveToPreferencesWithCompletionHandler.

I have followed almost exactly same implementation as Apple's SimpleTunnel sample Code.

I have checked entitlements of Extentions, and also provision profiles for release build. They look fine.

Please let me know how come NEFilterManager.saveToPreferencesWithCompletionHandler does not work in the release build, but woring fine in the development build.

However, in release build (tested in TestFlight), I get an error "Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo=(NSLocalizedDescription=permission denided)" when calling NEFilterManager.sharedManager().saveToPreferencesWithCompletionHandler.

Indeed. This is expected. Filter providers are only supported on supervised devices and thus can only be configured by a configuration profile. For Development builds we have a special feature that allows you to set up the filter provider via the API, but that feature is disabled for Distribution builds.

Note In this case we check for a Development build by looking for the

get-task-allow
entitlement.

If you think about this, it makes sense. In a supervised environment no user of the device should be allowed to change the configuration of the filter, and thus there’s no need for the filter configuration UI within your app.

I recommend that you create a configuration profile to test your filter, install that on a supervised device along with a Distribution-signed version of your app, and then see how things go from there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello Quinn,


I know there have been some changes to the permissions needed for the NetworkExtension framework. For example, it is no longer need to email Apple to request permission to use content filters. And that brings me to my question. In the NEFilterManager documentation (https://developer.apple.com/reference/networkextension/nefiltermanager), it is mentioned that the configurations for the content filters can only be created in supervised devices or in development. However, in the documenation for NEFilterProvider (https://developer.apple.com/reference/networkextension/nefilterprovider) there is no mention of such restriction.


What I'm hoping is that the filter manager and filter providers can still be used on regular (unsupervised) devices, but to configure them through MDM you need a supervised device. For example, if I want to implement a simple filter, is that still restricted to supervised devices only?


Any help would be appreciated!

Nothing has changed here:

  • Network Extension content filter providers are still restricted to supervised devices.

  • Network Extension per-app VPN (either app proxy providers, or packet tunnel providers in per-app mode) are still restricted to managed devices.

IMPORTANT There’s a difference between supervised and managed devices. A managed device is typically owned by the device’s user, who happens to have opted into the organisation’s management system — think BYOD — and can opt out at any time. A supervised device is typically owned by an organisation and the user can’t opt out of management. A lot of the really intrusive settings, like content filter and global HTTP proxy, can only be applied to supervised devices.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So does it mean that, we can not upload any app with Network Extension content filter providers to App Store?

Can you help me with this question ? Whether Content Filter Providers will be working only in Enterprise / Development Versions. And it wont be working in AppStore / TestFlight Versions?

Can any one confirm this behaviour?

Things have changed a bit since this thread kicked off. The API now has three states:

  • If the app, and its embedded appex, are signed for development, the API doesn’t not enforce the supervised-devices-only policy. Specifically, the API checks for the presence of the get-task-allow entitlement, which you only get with Development signing.

  • Otherwise it requires that the device be supervised. This includes Ad Hoc, Enterprise, and App Store Distribution signing (which includes TestFlight).

  • Except if the app is part of a Screen Time product.

For more about that last bit, see WWDC 2021 Session 10123 Meet the Screen Time API.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"