16 Replies
      Latest reply: Oct 7, 2016 12:49 AM by eskimo
      T Soda Level 1 (0 points)

        My app successfully passed app review and has already been released to the App Store. But when users download and install my app from the App Store, it shows two lines of log:


        Jun  2 10:58:20 iPhone kernel[0] <Notice>: Sandbox: Lemon VPN(183) deny(1) file-read-metadata /private/var/preferences/com.apple.networkextension.plist

        Jun  2 10:58:20 iPhone Lemon VPN[183] <Error>:  Failed to load configurations: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}

         

        Clearly, it acts as if my app has no network extension entitlement.

         

        But the problem is, I have the network extension entitlement. My app included a packet tunnel provider to implement the VPN function and I've created the necessary provisioning profile for it.

         

        It was fine during development; all the testing devices were OK to run the app. The archiving and iTunes Connect uploading were also OK. And my app has passed app review. It's now already in the App Store for sale.

         

        So, what's wrong with me?

        I've no idea what to do with this issue.

        • Re: NetworkExtension got permission denied after released to App Store
          eskimo Apple Staff (7,190 points)

          Have you downloaded the app from the store and checked that it actually has the entitlement?  You can do this by:

          1. downloading the app using iTunes on your Mac

          2. unpacking the .ipa (it’s a .zip file really)

          3. dumping the entitlements with codesign

          Make sure you dump the entitlements for both the app and the extension nested within the app.  For hints on that, see Debugging Entitlement Issues.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

          WWDC runs Mon, 13 Jun through to Fri, 17 Jun.  During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

            • Re: NetworkExtension got permission denied after released to App Store
              T Soda Level 1 (0 points)

              Thank you very much. I've checked the entitlements, and my released app is definitely missing the network extension entitlement.

               

              And here are the details to help someone who encounters the same issue:

              After I got the network extension entitlement, I only updated the provisioning profiles to include this entitlement but did not update my project. And maybe the app reviewer didn't find this problem and my app passed the review. After my app was released to the App Store it still had no network extension entitlement and hence all the users can't use my VPN service.

               

              To fix this, you should manually add the settings into your entitlement file within your project.

               

              And according to the post: https://forums.developer.apple.com/message/75928#75928

              Remember that, if your app has multiple executables, the main app and an extension say, you’ll have to check the entitlements on each one.  Specifically, if you’re using the com.apple.developer.networking.networkextension entitlement it must have the same value in both your app and your extension.

              The entitlements should be set in both the container app and the app extension.

               

              Thank you very much, eskimo.
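
The check described in the two posts above (unpack the .ipa, dump entitlements for the app and its nested extension, confirm the network extension entitlement is present with the same value in both), as an added example that is not part of the original posts or Apple's code. It assumes macOS with `codesign` available and that the entitlement value is an array of strings; the sample plist is constructed.

```python
import plistlib
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path

NE_KEY = "com.apple.developer.networking.networkextension"

# Constructed sample of the XML that codesign prints for a bundle signed
# with the entitlement (not taken from the app in this thread).
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider</string></array>
</dict></plist>"""

def find_bundles(payload_dir):
    """Return each .app bundle followed by its nested PlugIns/*.appex."""
    apps = sorted(Path(payload_dir).glob("*.app"))
    return [b for app in apps for b in [app, *sorted(app.glob("PlugIns/*.appex"))]]

def dump_entitlements(bundle):
    """Ask codesign (macOS only) for the signed entitlements as a dict."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", str(bundle)],
        check=True, capture_output=True,
    ).stdout
    return plistlib.loads(out) if out.strip() else {}

def check_network_extension(entitlements_by_bundle):
    """Return a list of problems; empty means the key is present in every
    bundle and carries the same value everywhere."""
    problems, values = [], {}
    for name, ents in entitlements_by_bundle.items():
        if NE_KEY not in ents:
            problems.append(f"{name}: missing {NE_KEY}")
        else:
            values[name] = tuple(sorted(ents[NE_KEY]))  # assumes array of strings
    if len(set(values.values())) > 1:
        problems.append(f"value differs between bundles: {values}")
    return problems

def check_ipa(ipa_path):
    """Unpack the .ipa (a zip archive) and check every signed bundle in it."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(ipa_path) as z:
            z.extractall(tmp)
        bundles = find_bundles(Path(tmp) / "Payload")
        return check_network_extension(
            {b.name: dump_entitlements(b) for b in bundles})

if __name__ == "__main__":
    found = check_ipa(sys.argv[1])
    print("\n".join(found) or "network extension entitlement OK")
    sys.exit(1 if found else 0)
```

Run it against the .ipa downloaded from the store rather than a development build, since the thread's failure only appeared in the distribution-signed binary.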

            • Re: NetworkExtension got permission denied after released to App Store
              iOSerKi Level 1 (0 points)

              Hi,

              ask a question

               

              I want to use VPN to connect to a server for a specific function, but the app is not a VPN app. So I'm going to create a VPN profile with "Apple Configurator" and host it on a website, then jump to Safari to download the profile.

              So, what should I do to configure my project? Like the operation you configured?

                • Re: NetworkExtension got permission denied after released to App Store
                  eskimo Apple Staff (7,190 points)

                  You don’t need any special entitlements to open a URL in Safari.  All apps are allowed to call -openURL:options:completionHandler:.

                  Keep in mind that iOS 8 introduced the NEVPNManager API, which allows you to programmatically configure the built-in IKEv2 and IPsec VPN transports.  You do need an entitlement to use these, but no special approval is required (you just turn it on in Xcode’s Capabilities UI).  So, if your VPN is compatible with one of these built-in VPN transports, that might be the nicest option.


                    • Re: NetworkExtension got permission denied after released to App Store
                      iOSerKi Level 1 (0 points)

                      Thx.

                      It's the first time I realize a relevant VPN function, so I'm more confused... I still have some questions.

                      • If I made a VPN profile, then also should program to configure VPN transports?
                      • Is there any guides or sample codes of configuring VPN? I can't find in official doc...
                      • The most important thing, jumping to Safari to download a profile, which will be approve in review?

                       

                       

                      very very thx for answering !

                        • Re: NetworkExtension got permission denied after released to App Store
                          eskimo Apple Staff (7,190 points)

                          If I made a VPN profile, then also should program to configure VPN transports?

                          The VPN subsystem has two different configuration options:

                          • managed VPN, including configuration profiles and VPN configurations managed by VPN apps with special entitlements (that is, apps that include a Network Extension provider extension)

                          • Personal VPN, that is, VPN set up via NEVPNManager

                          In general these don’t interfere with each other.

                          Is there any guides or sample codes of configuring VPN?

                          There’s no guide or sample code for this, but the Network Extension framework reference has lots of details on NEVPNManager.

                          Before writing any code I recommend that you start by configuring your VPN with a configuration profile.  That will let you flush out any VPN compatibility problems, after which you can set up the same configuration via the API.

                          The most important thing, jumping to Safari to download a profile, which will be approve in review?

                          The only folks who can give you definitive answers about App Review policy are App Review.


                            • Re: NetworkExtension got permission denied after released to App Store
                              iOSerKi Level 1 (0 points)

                              Thx, now I've written a demo of IPSec VPN using the NEVPNManager API, and it works.

                              But...

                              As you said, ``Keep in mind that iOS 8 introduced the NEVPNManager API, which allows you to programmatically configure the built-in IKEv2 and IPsec VPN transports.`` And then, what about the L2TP VPN transport?? I can't find any classes or APIs of it in NE framework....  Whether configuring it only with a configuration profile (made by Apple Configurator 2)?

                                • Re: NetworkExtension got permission denied after released to App Store
                                  eskimo Apple Staff (7,190 points)

                                  what about the L2TP VPN transport?? I can't find any classes or APIs of it in NE framework....

                                  Correct.

                                  Whether configuring it only with a configuration profile (made by Apple Configurator 2)?

                                  Right.

                                  We would like folks to move away from older VPN transports, and thus they are not supported by Personal VPN.  Keep in mind that we removed PPTP from the most recent OS releases because it’s not at all secure.  While L2TP is not that bad, I think you should take the hint (-:


                                    • Re: NetworkExtension got permission denied after released to App Store
                                      iOSerKi Level 1 (0 points)

                                      Oh...I guessed correctly. Obviously, the IKEv2 or IPSec will be the best choice for me to programmatically configure VPN. HaHa..

                                       

                                      After using NEVPNManager and NEVPNProtocolIPSec to configure and save preferences twice successfully, with VPN start triggered by a button click, I also got an error message in the console, like this: Start error: The operation couldn’t be completed. (NEVPNErrorDomain error 2)


                                      Then I fixed it by selecting the "testVPN" manually in Settings->General->VPN, because I have one more Personal VPN...

                                       

                                      The Screenshot Image : http://upload-images.jianshu.io/upload_images/935058-98d9d8b14b9a943f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240

                                       

                                      So, I'm confused about how to select "testVPN" automatically instead of manually when clicking the button in the app. The user experience is terrible...

                                      And I found that "VPN Master" (a VPN app) doesn't have the problem above.

                                        • Re: NetworkExtension got permission denied after released to App Store
                                          eskimo Apple Staff (7,190 points)

                                          Just FYI, I edited your post to un-mask the URL; I hope that’s OK.

                                          Start error: The operation couldn’t be completed. (NEVPNErrorDomain error 2)

                                          Error 2 in the NEVPNErrorDomain domain is NEVPNErrorConfigurationDisabled.

                                          Did you set the enabled property of the NEVPNManager before you saved it?  That’s usually how the system decides which Personal VPN is active.


                                            • Re: NetworkExtension got permission denied after released to App Store
                                              iOSerKi Level 1 (0 points)

                                              Yes!

                                              I've set the enabled property since initializing the NEVPNManager instance; I even set it again in the handler block when saving succeeds. But it doesn't work.

                                                • Re: NetworkExtension got permission denied after released to App Store
                                                  eskimo Apple Staff (7,190 points)

                                                  First things first, check that your VPN setup works in general by configuring it using a configuration profile.  If that works and you can’t figure out how to apply the same settings via NEVPNManager, you should open a DTS tech support incident and I can look into what’s going wrong with your NEVPNManager code.


                                                    • Re: NetworkExtension got permission denied after released to App Store
                                                      iOSerKi Level 1 (0 points)
                                                      
                                                      - (void)configVpnAndSavePreferences {
                                                          NSMutableArray *rules = [[NSMutableArray alloc] init];
                                                          NEOnDemandRuleConnect *connectRule = [NEOnDemandRuleConnect new];
                                                          [rules addObject:connectRule];
                                                      
                                                          self.vpnManager = [NEVPNManager sharedManager];
                                                      //    [self.vpnManager setOnDemandEnabled:NO];
                                                          self.vpnManager.enabled = YES;
                                                          [self.vpnManager setOnDemandRules:rules];
                                                      
                                                          [self.vpnManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
                                                      
                                                              NEVPNProtocolIPSec *protocolIPSec = (NEVPNProtocolIPSec *)self.vpnManager.protocol;
                                                              if (!protocolIPSec) {
                                                                  protocolIPSec = [[NEVPNProtocolIPSec alloc] init];
                                                              }
                                                              protocolIPSec.username = @"Mr.x";
                                                      
                                                              protocolIPSec.serverAddress = @"VPN Address";
                                                      
                                                              _vpnManager.localizedDescription = @"IPSec Demo";
                                                      
                                                              protocolIPSec.passwordReference = [self searchKeychainCopyMatching:@"VPN_PASSWORD"];
                                                             
                                                              protocolIPSec.authenticationMethod = NEVPNIKEAuthenticationMethodSharedSecret;
                                                      
                                                              protocolIPSec.sharedSecretReference = [self searchKeychainCopyMatching:@"PSK"];
                                                      
                                                              protocolIPSec.useExtendedAuthentication = YES;
                                                      
                                                              protocolIPSec.disconnectOnSleep = NO;
                                                      
                                                              _vpnManager.protocol = protocolIPSec;
                                                      
                                                              [_vpnManager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
                                                                  if (error) {
                                                                      NSLog(@"Save Error: %@",error);
                                                                  }else {
                                                                      NSLog(@"Save!!");
                                                                  }
                                                              }];
                                                          }];
                                                      }
                                                      
                                                      - (IBAction)connectVPN:(id)sender {
                                                          NSError *startError = nil;
                                                          [self.vpnManager.connection startVPNTunnelAndReturnError:&startError];
                                                          if(startError) {
                                                              if (startError.code == 1) { // first start will in
                                                                  [self configVpnAndSavePreferences];  // save again...
                                                              }
                                                          } else {
                                                              NSLog(@"Connection established!"); // after selecting manually in Setting->General->VPN, it will be called.
                                                          }
                                                      }
                                                      
                                                      - (IBAction)stopCennectingVPN:(id)sender {
                                                          [self.vpnManager.connection stopVPNTunnel];
                                                      }
                                                      
                                                      
                                                      

                                                       

                                                      That's my demo code.

                                                        • Re: NetworkExtension got permission denied after released to App Store
                                                          eskimo Apple Staff (7,190 points)

                                                          That's my demo code.

                                                          OK.  And is that still having problems?  If so, I encourage you to follow the steps from my post from Monday, namely:

                                                          • Check that your VPN setup works in general by configuring it using a configuration profile.

                                                          • If that works and you can’t figure out how to apply the same settings via NEVPNManager, you should open a DTS tech support incident and I can look into what’s going wrong with your NEVPNManager code.
