per-App-VPN NEPacketTunnelProvider

I can't load the per-App-VPN config using method: loadAllFromPreferencesWithCompletionHandler, but I can load VPN config with this method.

Does that mean we can't develop per-app-vpn using NEPacketTunnelProvider? Thank you very much.

Accepted Reply

Per-app VPN has to be configured via a configuration profile. If you look at the Per-App VPN Payload section of the Configuration Profile Reference, you’ll see that there’s a ProviderType key that specifies whether the per-app VPN configuration expects a packet tunnel or app proxy provider.

IMPORTANT This value must be inside the VPN dictionary. The documentation says this, but it’s easy to misinterpret it. To be clear, this ProviderType goes alongside the RemoteAddress key.

Once you set this up correctly, the various routingMethod properties will start returning the right value (.sourceApplication).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
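
An added example, not part of the reply above or of Apple's documentation: a Python check that reads an unsigned configuration profile and reports whether ProviderType sits inside the VPN dictionary next to RemoteAddress. The payload type `com.apple.vpn.managed.applayer` and the values `packet-tunnel` / `app-proxy` are taken from the Configuration Profile Reference rather than from this thread; the function names and every identifier in the sample profile are constructed.

```python
import plistlib

PER_APP_VPN = "com.apple.vpn.managed.applayer"   # Per-App VPN payload type
PROVIDER_TYPES = {"packet-tunnel", "app-proxy"}

def check_per_app_vpn(profile_bytes):
    """Return findings about ProviderType placement in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        if payload.get("PayloadType") != PER_APP_VPN:
            continue
        vpn = payload.get("VPN", {})
        if "ProviderType" in payload:
            findings.append(f"payload {i}: ProviderType is at the payload top "
                            "level; move it into the VPN dictionary")
        if "RemoteAddress" not in vpn:
            findings.append(f"payload {i}: VPN dictionary has no RemoteAddress")
        value = vpn.get("ProviderType")
        if value is None:
            findings.append(f"payload {i}: VPN dictionary has no ProviderType")
        elif value not in PROVIDER_TYPES:
            findings.append(f"payload {i}: unexpected ProviderType {value!r}")
    return findings

def sample_profile(provider_type_in_vpn):
    """Build a constructed test profile; every value here is a placeholder."""
    vpn = {"RemoteAddress": "vpn.example.com",
           "AuthenticationMethod": "Password"}
    payload = {"PayloadType": PER_APP_VPN,
               "PayloadIdentifier": "com.example.perappvpn",
               "VPNType": "VPN",
               "VPNSubType": "com.example.vpnapp",
               "VPNUUID": "00000000-0000-0000-0000-000000000001",
               "VPN": vpn}
    # Correct placement: beside RemoteAddress. Mistake: beside the VPN key.
    (vpn if provider_type_in_vpn else payload)["ProviderType"] = "packet-tunnel"
    profile = {"PayloadType": "Configuration", "PayloadContent": [payload]}
    return plistlib.dumps(profile)

if __name__ == "__main__":
    for placed_in_vpn in (True, False):
        print(placed_in_vpn, check_per_app_vpn(sample_profile(placed_in_vpn)))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before this check can parse it.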

Replies

Thank you very much, you helped me solve this problem.

IMPORTANT This value must be inside the VPN dictionary. The documentation says this, but it’s easy to misinterpret it. To be clear, this ProviderType goes alongside the RemoteAddress key. -- this is the key point.


I have another problem: I have an MDM server, and I can send the per-App-VPN config profile by MDM command, but I don't know the correct app config profile. When I send the config with payload type com.apple.vpn.managed.appmapping, it can't be recognized by iOS 10.

How do I configure the right config profile to specify the app that uses the per-App-VPN (packet tunnel)?

When I send the config with payload type com.apple.vpn.managed.appmapping, it can't be recognized by iOS 10.

Right. The docs for that payload make it very clear that this is a macOS-only feature. On iOS-based platforms you set the VPNUUID for an app via MDM commands, specifically the Settings command with an ApplicationAttributes entry. If you’re doing your own MDM server, you can look in the MDM docs for info on this. If you’re using a pre-built MDM solution, you’ll have to look at the docs for that solution.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"