Missing entry com.apple.managed.vpn.shared in provisioning profile

Hi,


We are using Network Extension entitlement to build a VPN app and extension. The provisioning profile generated for the app extension needs to have com.apple.managed.vpn.shared in the keychain-access-groups entitlements.


This was working for us until a couple of days back. However, now any provisioning profile we generate on the developer portal (Development, Ad Hoc or App Store) does not have this entry in the provisioning profile entitlements.


As a result of this, we are not able to read the authentication data from the profile and are stuck.


This seems to be an issue in the provisioning profile generation code as we have not changed anything on the App definition.


Please help.


Thanks,

XWu.

Replies

There’s been recent changes in this space; see Network Extension Framework Entitlements for details.

Given that you previously had access to com.apple.managed.vpn.shared, I presume you were granted access to Network Extension special entitlements. If so, are you generating your profile via the new mechanism (enabling the Network Extensions service on your App ID and generating a normal profile from that) or the old mechanism (adding the Network Extension additional entitlements when you generate your provisioning profile)?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Eskimo.


We noticed the new Network Extension entitlement in the App ID list and also enabled it for our app. After this, we generated the provisioning profile twice. First we selected Default in the Entitlements dropdown while generating the profile and then selected Network Extension in the Entitlements dropdown. In both cases, we do not see the "com.apple.managed.vpn.shared" entitlement in the generated provisioning profile.


We do see the "com.apple.developer.networking.networkextension" entitlement in the profile in both cases. The issue is the missing "com.apple.managed.vpn.shared" entitlement. Because this entitlement is missing, we are not able to read the certificate and key from the keychain for authenticating with the VPN server. We compared the profile we generated last week to the one that is getting generated this week and the missing entry is the "com.apple.managed.vpn.shared" entitlement from "<key>keychain-access-groups</key>" array.


We also tried to create a brand new App ID with the Network Extension and Personal VPN entitlements selected but using that also the provisioning profile doesn't have the "com.apple.managed.vpn.shared" entitlement.


Please let us know if there is a change for accessing the keychain data too?


Thanks

In both cases, we do not see the "com.apple.managed.vpn.shared" entitlement in the generated provisioning profile.

Bummer.

Access to this ‘slice’ of the keychain is an interesting edge case in the new Network Extension entitlement story. I don’t have all the details, so I can’t help you out in this context. Please open a DTS tech support incident and I’ll get this sorted out.

ps Once you’ve opened the TSI, email me the follow-up number so that I can make sure I catch it promptly. My email address is in my signature.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Eskimo.


I've opened a DTS. The number is: 652870788.


Thanks

Hi XWu,


I am having the exact problem. My "old" entitlements that were generated from the template work. However, we want to add another developer to the team and cannot re-generate the provisioning profiles. They are missing the shared keychain access.


Let me know if this gets resolved.


BR,

winc03

Let me know if this gets resolved.

I’ve made a note to update this thread once I’ve driven this to a conclusion.

Just FYI, most of Apple is off work this week for the US Thanksgiving holiday, so I’m not likely to make any progress here until early Dec.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I ran into the same issue, but it manifested with my VPN app crashing upon launch and the following error in the Console:


taskgated: killed <VPN app ID> because its use of the com.apple.developer.networking.networkextension entitlement is not allowed (error code -67050)


I went through all the usual entitlements troubleshooting multiple times on multiple systems with no luck. After reading this thread, I removed the "com.apple.managed.vpn.shared" entitlement from both the app and the extension, and now they're both working again.


Just thought I'd share in case anyone else is running into the same thing.

Even I'm facing the same issue. Created the entitlements as documented in https://forums.developer.apple.com/thread/67613


com.apple.managed.vpn.shared is missing in newly generated profile and hence I'm not able to read the certificate.

Hi Eskimo,


Is there any update on this? We need to generate new profiles with the correct entitlements to release our app for testing. Please let us know.


Thanks

I am also encountering the same issue with missing "com.apple.managed.vpn.shared" keychain access which is blocking network extension development on iOS due to not being able to access the client certificate included in the configuration profile. Is there an existing support ticket that I can add to raise the priority or should I create a new one?


In the meantime, here is what I observe. Using the "new" network extension entitlement on the AppID I get a provisioning profile without the "com.apple.managed.vpn.shared" keychain access:


<key>Entitlements</key>
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider</string>
        <string>content-filter-provider</string>
        <string>packet-tunnel-provider</string>
    </array>
    <key>keychain-access-groups</key>
    <array>
        <string>Z7N7QHVWT2.*</string>
    </array>
    <key>get-task-allow</key>
    <true/>
    <key>application-identifier</key>
    <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.vmware.ios-tunnel</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>S2ZMFGQM93</string>
</dict>


And if I use the old method of adding the Network Extension iOS (Dev) entitlement when creating the development provisioning profile I get a profile without the "com.apple.managed.vpn.shared" keychain access but with a "com.apple.developer.networking.Hotspot" entitlement added:


<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>Z7N7QHVWT2.*</string>
    </array>
    <key>get-task-allow</key>
    <true/>
    <key>application-identifier</key>
    <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.vmware.ios-tunnel</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>S2ZMFGQM93</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider</string>
        <string>app-proxy-provider</string>
        <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.networking.HotspotHelper</key>
    <true/>
</dict>


This is close to the previous profile which has both the keychain access and the Hotspot profile:


<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>Z7N7QHVWT2.*</string>
        <string>com.apple.managed.vpn.shared</string>
    </array>
    <key>get-task-allow</key>
    <true/>
    <key>application-identifier</key>
    <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.vmware.ios-tunnel</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>S2ZMFGQM93</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider</string>
        <string>app-proxy-provider</string>
        <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.networking.HotspotHelper</key>
    <true/>
</dict>
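
The profile comparison described in the post above can be scripted. This is an added example, not part of the original thread or any poster's code: it pulls the Entitlements dictionary out of a .mobileprovision blob and reports what a regenerated profile lost or gained. The function names, the TEAMID1234 prefix and the sample profiles are constructed for illustration.

```python
import plistlib

def extract_entitlements(profile_bytes: bytes) -> dict:
    """Return the Entitlements dict from a .mobileprovision blob.

    The profile is a CMS-signed container with the plist embedded in the
    clear, so the XML is sliced out without verifying the signature.
    Use this for inspection only, never as a trust decision.
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found in profile")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    return plist.get("Entitlements", {})

def _values(v) -> set:
    # Arrays compare as sets: element order differs between portal exports.
    if v is None:
        return set()
    return set(v) if isinstance(v, list) else {v}

def diff_entitlements(old: dict, new: dict) -> dict:
    """Map each changed entitlement key to the values lost and gained."""
    report = {}
    for key in sorted(set(old) | set(new)):
        a, b = _values(old.get(key)), _values(new.get(key))
        if a != b:
            report[key] = {"lost": sorted(a - b, key=str),
                           "gained": sorted(b - a, key=str)}
    return report

def sample_profile(keychain_groups, ne_types) -> bytes:
    # Constructed stand-in for a real profile: placeholder bytes around a plist.
    body = plistlib.dumps({"Entitlements": {
        "keychain-access-groups": keychain_groups,
        "com.apple.developer.networking.networkextension": ne_types,
        "get-task-allow": True,
    }})
    return b"<constructed CMS header>" + body + b"<constructed signature>"

OLD = sample_profile(["TEAMID1234.*", "com.apple.managed.vpn.shared"],
                     ["packet-tunnel-provider", "app-proxy-provider"])
NEW = sample_profile(["TEAMID1234.*"],
                     ["app-proxy-provider", "packet-tunnel-provider"])

if __name__ == "__main__":
    print(diff_entitlements(extract_entitlements(OLD), extract_entitlements(NEW)))
```

Running such a check in CI against each freshly downloaded profile catches a dropped keychain access group before a build ships that cannot read its VPN credentials.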

Hi Eskimo,


It has been more than a month since we opened a DTS on this. We are stuck and cannot release our app because the provisioning profile is not correct. It seems to be an issue with the Apple developer portal that generates the provisioning profile. It is critical for us to get a resolution to this issue asap. Can you let us know how long it would take to fix the issue?


Thanks.

Can you let us know how long it would take to fix the issue?

While I understand your frustration here, I’m not going to discuss official DTS business here on DevForums. You should follow up via your DTS incident.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Apple still has not fixed this issue.

Is there an existing support ticket that I can add to raise the priority or should I create a new one?

Creating a new support ticket won’t raise the priority here. Once the folks responsible have decided on a new plan, I’ll update my Network Extension Framework Entitlements. Until then you’re just stuck )-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


Two months is a very long time to be "stuck"! We are facing this issue now in our macOS VPN app too and are not even able to build/test the VPN app because the provisioning profile is not correct. This is not an enhancement that we are asking for, this is a very critical feature that was working and got broken two months back!


Do you have any ETA on when it will be fixed or acknowledged as an issue?


Thanks