NetworkExtension got permission denied after released to App Store

My app has been successfully passed the app review and was released to App Store already. But when the users download and install my app from the App Store, it shows two lines of log:

Jun 2 10:58:20 iPhone kernel[0] <Notice>: Sandbox: Lemon VPN(183) deny(1) file-read-metadata /private/var/preferences/com.apple.networkextension.plist

Jun 2 10:58:20 iPhone Lemon VPN[183] <Error>: Failed to load configurations: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}


Clearly, it acts as my app has no network extension entitlement.


But the problem is, I have the network extension entitlement. My app included a packet tunnel provider to implement the VPN function and I've created the necessary provisioning profile for it.


It was fine during the developing, all the testing devices were OK to run the app. And the archiving and iTunes Connect uploading were also OK. And my app has been passed the app review. It's now already in App Store for sale.


So, what's wrong with me?

I've no idea what to do with this issue.

Accepted Reply

Have you downloaded the app from the store and checked that it actually has the entitlement? You can do this by:

  1. downloading the app using iTunes on your Mac

  2. unpacking the

    .ipa
    (it’s a
    .zip
    file really)
  3. dumping the entitlements with

    codesign

Make sure you dump the entitlements for both the app and the extension nested within the app. For hints on that, see Debugging Entitlement Issues.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 13 Jun through to Fri, 17 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

Replies

Does the code above have any problems?

Alas, I don’t have the time to do a detailed code review in this context. If you have a configuration profile that works, you should open a DTS tech support incident and I can pick things up there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"