NetworkExtension got permission denied after released to App Store

My app has successfully passed app review and has already been released to the App Store. But when users download and install my app from the App Store, it shows two lines of log:

Jun 2 10:58:20 iPhone kernel[0] <Notice>: Sandbox: Lemon VPN(183) deny(1) file-read-metadata /private/var/preferences/com.apple.networkextension.plist

Jun 2 10:58:20 iPhone Lemon VPN[183] <Error>: Failed to load configurations: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}


Clearly, it acts as if my app has no network extension entitlement.


But the problem is, I have the network extension entitlement. My app included a packet tunnel provider to implement the VPN function and I've created the necessary provisioning profile for it.


It was fine during development; all the testing devices were OK to run the app. And the archiving and iTunes Connect uploading were also OK. And my app has passed app review. It's now already in the App Store for sale.


So, what's wrong with me?

I've no idea what to do with this issue.

Accepted Reply

Have you downloaded the app from the store and checked that it actually has the entitlement? You can do this by:

  1. downloading the app using iTunes on your Mac

  2. unpacking the .ipa (it’s a .zip file really)

  3. dumping the entitlements with codesign

Make sure you dump the entitlements for both the app and the extension nested within the app. For hints on that, see Debugging Entitlement Issues.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 13 Jun through to Fri, 17 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

Replies

Thank you very much. I've checked the entitlements, and my released app is definitely missing the network extension entitlement.


And here are the details to help someone who encounters the same issue:

After I got the network extension entitlement, I only updated the provisioning profiles to include this entitlement but did not update my project. And maybe the app reviewer didn't find this problem and passed my app in review. After my app was released to the App Store it still had no network extension entitlement and hence all the users can't use my VPN service.


To fix this, you should manually add the settings into your entitlement file within your project.


And according to the post: https://forums.developer.apple.com/message/75928#75928

Remember that, if your app has multiple executables, the main app and an extension say, you’ll have to check the entitlements on each one. Specifically, if you’re using the com.apple.developer.networking.networkextension entitlement it must have the same value in both your app and your extension.

The entitlements should be both set in the container app and the app extension.


Thank you very much eskimo.
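The check described in this thread, as an added example that is not part of any post: it unpacks an .ipa, dumps the entitlements of the app and of each nested .appex with codesign, and reports where the Network Extension entitlement is missing or differs between them. It assumes macOS with codesign on the PATH; the function names and the Demo.app / Tunnel.appex sample data are made up for illustration.

```python
import plistlib
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path

NE_KEY = "com.apple.developer.networking.networkextension"


def find_bundles(payload_dir):
    """Return the main .app plus every nested .appex under Payload/."""
    apps = sorted(Path(payload_dir).glob("*.app"))
    return apps + [x for app in apps for x in sorted(app.glob("PlugIns/*.appex"))]


def dump_entitlements(bundle):
    """Parse the entitlements that codesign (macOS only) prints for a bundle."""
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(bundle)],
                         capture_output=True, check=True).stdout
    return plistlib.loads(out) if out.strip() else {}  # empty output: no entitlements


def check_ne_entitlement(entitlements_by_bundle):
    """Return a list of problems; an empty list means all bundles agree on NE_KEY."""
    problems, values = [], {}
    for name, ents in entitlements_by_bundle.items():
        if NE_KEY in ents:
            values[name] = sorted(ents[NE_KEY])
        else:
            problems.append(f"{name}: missing {NE_KEY}")
    if len({tuple(v) for v in values.values()}) > 1:
        problems.append(f"value differs between bundles: {values}")
    return problems


def audit_ipa(ipa_path):
    """Unpack the .ipa (a zip archive) and check every signed bundle inside it."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(ipa_path) as ipa:
            ipa.extractall(tmp)
        bundles = find_bundles(Path(tmp) / "Payload")
        return check_ne_entitlement({b.name: dump_entitlements(b) for b in bundles})


if __name__ == "__main__":
    # Without an argument, run on constructed data: an app with no entitlement.
    demo = {"Demo.app": {}, "Tunnel.appex": {NE_KEY: ["packet-tunnel-provider"]}}
    result = audit_ipa(sys.argv[1]) if len(sys.argv) > 1 else check_ne_entitlement(demo)
    print("\n".join(result) or "OK: entitlement present and consistent")
```

Run it against the build that actually shipped, not only the development build, since the two can be signed with different entitlements.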

Hi,

ask a question


I want to use VPN to connect to a server under a specific function, but the app is not a VPN app. So I'm going to create a VPN profile with "Apple Configurator" and host it on a website, then jump to Safari to download the profile.

So, what should I do to configure my project? Like the operation you configured?

You don’t need any special entitlements to open a URL in Safari. All apps are allowed to call -openURL:options:completionHandler:.

Keep in mind that iOS 8 introduced the NEVPNManager API, which allows you to programmatically configure the built-in IKEv2 and IPsec VPN transports. You do need an entitlement to use these, but no special approval is required (you just turn it on in Xcode’s Capabilities UI). So, if your VPN is compatible with one of these built-in VPN transports, that might be the nicest option.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thx.🙂

It's the first time I've implemented a VPN-related function, so I'm more confused... 😕 I still have some questions.

  • If I made a VPN profile, then also should program to configure VPN transports?
  • Are there any guides or sample code for configuring VPN? I can't find any in the official docs...
  • The most important thing, jumping to Safari to download a profile, which will be approve in review?



very very thx for answering !

If I made a VPN profile, then also should program to configure VPN transports?

The VPN subsystem has two different configuration options:

  • managed VPN, including configuration profiles and VPN configurations managed by VPN apps with special entitlements (that is, apps that include a Network Extension provider extension)

  • Personal VPN, that is, VPN set up via NEVPNManager

In general these don’t interfere with each other.

Are there any guides or sample code for configuring VPN?

There’s no guide or sample code for this, but the Network Extension framework reference has lots of details on NEVPNManager.

Before writing any code I recommend that you start by configuring your VPN with a configuration profile. That will let you flush out any VPN compatibility problems, after which you can set up the same configuration via the API.

The most important thing, jumping to Safari to download a profile, which will be approve in review?

The only folks who can give you definitive answers about App Review policy are App Review.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thx, now I've written a demo of IPSec VPN using the NEVPNManager API, and it works.

But...

As you said, ``Keep in mind that iOS 8 introduced the NEVPNManager API, which allows you to programmatically configure the built-in IKEv2 and IPsec VPN transports.`` And then, what about the L2TP VPN transport?? I can't find any classes or APIs of it in NE framework.... Whether configuring it only with a configuration profile (made by Apple Configurator 2)?

what about the L2TP VPN transport?? I can't find any classes or APIs of it in NE framework....

Correct.

Whether configuring it only with a configuration profile (made by Apple Configurator 2)?

Right.

We would like folks to move away from older VPN transports, and thus they are not supported by Personal VPN. Keep in mind that we removed PPTP from the most recent OS releases because it’s not at all secure. While L2TP is not that bad, I think you should take the hint (-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Oh...I guessed correctly. Obviously, the IKEv2 or IPSec will be the best choice for me to programmatically configure VPN. 😁 HaHa..


After using NEVPNManager NEVPNProtocolIPSec to configure and save preferences twice successfully, with VPN start triggered by a button click, I also got an error message in the console, like this: Start error: The operation couldn’t be completed. (NEVPNErrorDomain error 2)

Then I fixed it by selecting the "testVPN" manually in Setting->General->VPN, because I have one more Personal VPN...


The Screenshot Image : http://upload-images.jianshu.io/upload_images/935058-98d9d8b14b9a943f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240


So, I'm confused about how to select "testVPN" automatically instead of manually when clicking the button in the app. The user experience is terrible...

And I found that the "VPN Master"(a VPN app) hasn't the problem above.

Just FYI, I edited your post to un-mask the URL; I hope that’s OK.

Start error: The operation couldn’t be completed. (NEVPNErrorDomain error 2)

Error 2 in the NEVPNErrorDomain domain is NEVPNErrorConfigurationDisabled.

Did you set the enabled property of the NEVPNManager before you saved it; that’s usually how the system decides which Personal VPN is active.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes!

I've set the enabled property since initializing the NEVPNManager instance; I even set it again in the handler block when saving succeeds. But it doesn't work.

First things first, check that your VPN setup works in general by configuring it using a configuration profile. If that works and you can’t figure out how to apply the same settings via NEVPNManager, you should open a DTS tech support incident and I can look into what’s going wrong with your NEVPNManager code.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

- (void)configVpnAndSavePreferences {
    NSMutableArray *rules = [[NSMutableArray alloc] init];
    NEOnDemandRuleConnect *connectRule = [NEOnDemandRuleConnect new];
    [rules addObject:connectRule];

    self.vpnManager = [NEVPNManager sharedManager];
//    [self.vpnManager setOnDemandEnabled:NO];
    self.vpnManager.enabled = YES;
    [self.vpnManager setOnDemandRules:rules];

    [self.vpnManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) {

        NEVPNProtocolIPSec *protocolIPSec = (NEVPNProtocolIPSec *)self.vpnManager.protocol;
        if (!protocolIPSec) {
            protocolIPSec = [[NEVPNProtocolIPSec alloc] init];
        }
        protocolIPSec.username = @"Mr.x";

        protocolIPSec.serverAddress = @"VPN Address";

        _vpnManager.localizedDescription = @"IPSec Demo";

        protocolIPSec.passwordReference = [self searchKeychainCopyMatching:@"VPN_PASSWORD"];

        protocolIPSec.authenticationMethod = NEVPNIKEAuthenticationMethodSharedSecret;

        protocolIPSec.sharedSecretReference = [self searchKeychainCopyMatching:@"PSK"];

        protocolIPSec.useExtendedAuthentication = YES;

        protocolIPSec.disconnectOnSleep = NO;

        _vpnManager.protocol = protocolIPSec;

        [_vpnManager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
            if (error) {
                NSLog(@"Save Error: %@",error);
            }else {
                NSLog(@"Save!!");
            }
        }];
    }];
}

- (IBAction)connectVPN:(id)sender {
    NSError *startError = nil;
    [self.vpnManager.connection startVPNTunnelAndReturnError:&startError];
    if(startError) {
        if (startError.code == 1) { // first start will in
            [self configVpnAndSavePreferences];  // save again...
        }
    } else {
        NSLog(@"Connection established!"); // after selecting manually in Setting->General->VPN, it will be called.
    }
}

- (IBAction)stopCennectingVPN:(id)sender {
    [self.vpnManager.connection stopVPNTunnel];
}


That's my demo code.

That's my demo code.

OK. And is that still having problems? If so, I encourage you to follow the steps from my post from Monday, namely:

  • Check that your VPN setup works in general by configuring it using a configuration profile.

  • If that works and you can’t figure out how to apply the same settings via NEVPNManager, you should open a DTS tech support incident and I can look into what’s going wrong with your NEVPNManager code.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

It can work with a configuration profile.

en... the problem which I described above is:

The VPN can work after I manually select it in Setting->General->VPN (Personal VPN) and then go back to the app and click a button. If not, I will get the NEVPNErrorDomain error 2 (Disabled) error message.


Does the code above have any problems?


OK, Thx, I will try. But I best wish the problem can be solved here...