27 Replies
      Latest reply: Mar 28, 2017 1:36 AM by eskimo
      xwu Level 1 (0 points)

        Hi,

         

        We are using Network Extension entitlement to build a VPN app and extension. The provisioning profile generated for the app extension needs to have com.apple.managed.vpn.shared in the keychain-access-groups entitlements.

         

        This was working for us until a couple of days back. However, now any provisioning profile we generate on the developer portal (Development, Ad Hoc or App Store) does not have this entry in the provisioning profile entitlements.

         

        As a result of this, we are not able to read the authentication data from the profile and are stuck.

         

        This seems to be an issue in the provisioning profile generation code as we have not changed anything on the App definition.

         

        Please help.

         

        Thanks,

        XWu.

        • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
          eskimo Apple Staff (6,270 points)

          There’s been recent changes in this space; see Network Extension Framework Entitlements for details.

          Given that you previously had access to com.apple.managed.vpn.shared, I presume you were granted access to Network Extension special entitlements.  If so, are you generating your profile via the new mechanism (enabling the Network Extensions service on your App ID and generating a normal profile from that) or the old mechanism (adding the Network Extension additional entitlements when you generate your provisioning profile)?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
              AppDev20 Level 1 (0 points)

              Thanks Eskimo.

               

              We noticed the new Network Extension entitlement in the App ID list and also enabled it for our app. After this, we generated the provisioning profile twice. First we selected Default in the Entitlements dropdown while generating the profile and then selected Network Extension in the Entitlements dropdown. In both cases, we do not see the "com.apple.managed.vpn.shared" entitlement in the generated provisioning profile.

               

              We do see the "com.apple.developer.networking.networkextension" entitlement in the profile in both cases. The issue is the missing "com.apple.managed.vpn.shared" entitlement. Because this entitlement is missing, we are not able to read the certificate and key from the keychain for authenticating with the VPN server. We compared the profile we generated last week to the one that is getting generated this week and the missing entry is the "com.apple.managed.vpn.shared" entitlement from "<key>keychain-access-groups</key>" array.

               

              We also tried to create a brand new App ID with the Network Extension and Personal VPN entitlements selected but using that also the provisioning profile doesn't have the "com.apple.managed.vpn.shared" entitlement.

               

              Please let us know if there is a change for accessing the keychain data too?

               

              Thanks

            • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
              winc03 Level 1 (0 points)

              Hi XWu,

               

              I am having the exact problem. My "old" entitlements that were generated from the template work. However, we want to add another developer to the team and cannot re-generate the provisioning profiles. They are missing the shared keychain access.

               

              Let me know if this gets resolved.

               

              BR,

              winc03

              • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                Yathish Murthy Level 1 (0 points)

                Even I'm facing the same issue. Created the entitlements as documented in https://forums.developer.apple.com/thread/67613

                 

                com.apple.managed.vpn.shared is missing in newly generated profile and hence I'm not able to read the certificate.

                • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                  ve6yeq Level 1 (0 points)

                  I am also encountering the same issue with missing "com.apple.managed.vpn.shared" keychain access which is blocking network extension development on iOS due to not being able to access the client certificate included in the configuration profile.  Is there an existing support ticket that I can add to raise the priority or should I create a new one?

                   

                  In the meantime, here is what I observe. Using the "new" network extension entitlement on the AppID I get a provisioning profile without the "com.apple.managed.vpn.shared" keychain access:

                   

                  <key>Entitlements</key>
                  <dict>
                      <key>com.apple.developer.networking.networkextension</key>
                      <array>
                          <string>app-proxy-provider</string>
                          <string>content-filter-provider</string>
                          <string>packet-tunnel-provider</string>
                      </array>
                      <key>keychain-access-groups</key>
                      <array>
                          <string>Z7N7QHVWT2.*</string>
                      </array>
                      <key>get-task-allow</key>
                      <true/>
                      <key>application-identifier</key>
                      <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
                      <key>com.apple.security.application-groups</key>
                      <array>
                          <string>group.com.vmware.ios-tunnel</string>
                      </array>
                      <key>com.apple.developer.team-identifier</key>
                      <string>S2ZMFGQM93</string>
                  </dict>
                  

                   

                  And if I use the old method of adding the Network Extension iOS (Dev) entitlement when creating the development provisioning profile I get a profile without the "com.apple.managed.vpn.shared" keychain access but with a "com.apple.developer.networking.Hotspot" entitlement added:

                   

                  <dict>
                      <key>keychain-access-groups</key>
                      <array>
                          <string>Z7N7QHVWT2.*</string>
                      </array>
                      <key>get-task-allow</key>
                      <true/>
                      <key>application-identifier</key>
                      <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
                      <key>com.apple.security.application-groups</key>
                      <array>
                          <string>group.com.vmware.ios-tunnel</string>
                      </array>
                      <key>com.apple.developer.team-identifier</key>
                      <string>S2ZMFGQM93</string>
                      <key>com.apple.developer.networking.networkextension</key>
                      <array>
                          <string>packet-tunnel-provider</string>
                          <string>app-proxy-provider</string>
                          <string>content-filter-provider</string>
                      </array>
                      <key>com.apple.developer.networking.HotspotHelper</key>
                      <true/>
                  </dict>
                  

                   

                  This is close to the previous profile which has both the keychain access and the Hotspot profile:

                   

                  <dict>
                      <key>keychain-access-groups</key>
                      <array>
                          <string>Z7N7QHVWT2.*</string>
                          <string>com.apple.managed.vpn.shared</string>
                      </array>
                      <key>get-task-allow</key>
                      <true/>
                      <key>application-identifier</key>
                      <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
                      <key>com.apple.security.application-groups</key>
                      <array>
                          <string>group.com.vmware.ios-tunnel</string>
                      </array>
                      <key>com.apple.developer.team-identifier</key>
                      <string>S2ZMFGQM93</string>
                      <key>com.apple.developer.networking.networkextension</key>
                      <array>
                          <string>packet-tunnel-provider</string>
                          <string>app-proxy-provider</string>
                          <string>content-filter-provider</string>
                      </array>
                      <key>com.apple.developer.networking.HotspotHelper</key>
                      <true/>
                  </dict>
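
Added example (not part of any post in this thread, and not Apple's tooling): a Python check that reads the entitlements out of a provisioning profile and reports what a regenerated profile lost relative to an older one, which is the comparison done by hand in the post above. The profile blobs, the team ID `TEAMID0000` and the bundle ID are constructed; for a real file, pass the bytes of the `.mobileprovision` to `extract_plist`.

```python
import plistlib

WANTED_GROUP = "com.apple.managed.vpn.shared"  # access group discussed in the thread

def extract_plist(blob: bytes) -> dict:
    """Read the XML plist payload embedded in a provisioning profile.

    The profile is a CMS-signed container whose payload is a cleartext plist.
    This only slices the payload out; it does not verify the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def as_set(value) -> set:
    """Normalise arrays, strings and booleans so they compare uniformly."""
    return set(map(str, value)) if isinstance(value, list) else {str(value)}

def diff_entitlements(old: dict, new: dict) -> dict:
    """Map each changed entitlement key to the values it lost and gained."""
    changes = {}
    for key in sorted(set(old) | set(new)):
        before = as_set(old[key]) if key in old else set()
        after = as_set(new[key]) if key in new else set()
        if before != after:
            changes[key] = {"lost": sorted(before - after),
                            "gained": sorted(after - before)}
    return changes

def has_group(ents: dict, group: str = WANTED_GROUP) -> bool:
    return group in ents.get("keychain-access-groups", [])

def sample_blob(groups: list) -> bytes:
    """Constructed stand-in for a profile: plist wrapped in dummy binary bytes."""
    ents = {"application-identifier": "TEAMID0000.com.example.tunnel",
            "keychain-access-groups": groups,
            "com.apple.developer.networking.networkextension":
                ["packet-tunnel-provider"]}
    plist = plistlib.dumps({"Name": "constructed", "Entitlements": ents})
    return b"\x30\x82\x01\x00" + plist + b"\x00\x00"

OLD_BLOB = sample_blob(["TEAMID0000.*", WANTED_GROUP])  # last week's profile
NEW_BLOB = sample_blob(["TEAMID0000.*"])                # regenerated profile

if __name__ == "__main__":
    old = extract_plist(OLD_BLOB)["Entitlements"]
    new = extract_plist(NEW_BLOB)["Entitlements"]
    print("new profile has group:", has_group(new))
    print(diff_entitlements(old, new))
```

Running the same diff in a build step before signing catches a regenerated profile that silently dropped the access group, instead of finding out when the extension fails to read the certificate at runtime.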
                  
                  • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                    esgbesbuild Level 1 (0 points)

                    Hi Eskimo,

                     

                    We are also seeing this issue.

                    After creating a new provisioning profile from the Apple portal, it is missing the "com.apple.managed.vpn.shared" keychain sharing key. We tried it without this string in our entitlements but have no ability to access the client certificate in the configuration profile, so it can’t start a VPN.

                     

                    Do we have a fix or workaround for this?

                     

                    Thanks

                    • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                      mike.ly Level 1 (10 points)

                      I'm stuck waiting on the same issue. I filed bug report 30155113. Eagerly looking forward to a solution. Thanks Eskimo for keeping us updated!

                      • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                        eskimo Apple Staff (6,270 points)

                        I just updated my Network Extension Framework Entitlements post with information about how you can get access to the com.apple.managed.vpn.shared keychain access group.  Yay!

                        I appreciate everyone’s patience here.

                        Share and Enjoy

                        Quinn “The Eskimo!”
                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                        let myEmail = "eskimo" + "1" + "@apple.com"

                          • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                            xwu Level 1 (0 points)

                            Hi Eskimo,

                             

                            #8 — On the Mac, can Developer ID apps host Network Extension providers?

                            Currently this is not possible; only Mac App Store apps can host Network Extension providers.

                             

                            We are building a Mac VPN app with Packet Tunnel Provider, so how can we debug and test it? Can we do it locally, or do we need to submit it to the Mac App Store in order to test it?

                             

                            Thanks!

                              • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                                eskimo Apple Staff (6,270 points)

                                We are building a Mac VPN app with Packet Tunnel Provider, so how can we debug and test it?

                                You can test the same way you test any Mac App Store app, by building it with a Mac App Store development profile.  When creating the profile in the Certificates, Identifiers & Profiles page, select Mac App Development.

                                Share and Enjoy

                                Quinn “The Eskimo!”
                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                let myEmail = "eskimo" + "1" + "@apple.com"

                              • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                                mike.ly Level 1 (10 points)

                                Thanks very much! I filed a TSI per your instructions.

                                • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                                  Surender Singh Level 1 (0 points)

                                  Hi Eskimo, We are facing exactly the same issue and I have been closely following this forum. I didn't post anything until now because enough people had already reported this issue. Now, as per your FAQ#9, we filed a DTS to request this missing entitlement and below is the response we got in return. As per their email I contacted the developer program and they pointed me to the new way of generating profiles by enabling the Network Extension service for the App ID, which we did, but the new profiles didn't work either because ours is the case you mentioned in FAQ#9. Please suggest where we go from here. We are blocked.

                                   

                                  As always thanks for your awesomeness!

                                  -Surender

                                  -----

                                  Thank you for contacting Apple Developer Technical Support (DTS). We provide support for code-level questions on hardware & software development, and are unable to help you with your question.

                                  For such questions, please contact the Apple Developer Program Support Team. You can contact them directly via web form. Also, when contacting them, be sure to mention that you were referred by DTS.

                                  While a Technical Support Incident (TSI) was initially debited from your Apple Developer Program account for this request, we have assigned a replacement incident back to your account.

                                  We hope this information is helpful to you.

                                  Apple Developer Support

                                  Worldwide Developer Relations

                                  ----

                                    • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                                      eskimo Apple Staff (6,270 points)

                                      I didn't post anything until now because enough people had already reported this issue.

                                      Indeed.

                                      Now, as per your FAQ#9, we filed a DTS to request this missing entitlement and below is the response we got in return.

                                      It seems your request got misidentified.  Please email me (my email address is in my signature, below) the follow-up number and I’ll take a look.

                                      Share and Enjoy

                                      Quinn “The Eskimo!”
                                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                      let myEmail = "eskimo" + "1" + "@apple.com"

                                    • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                                      AppDev20 Level 1 (0 points)

                                      Thanks very much Eskimo. We are able to generate the provisioning profile correctly now.

                                    • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                                      onavo Level 1 (0 points)

                                      Same issue here. Filed TSI with follow up # 662220389

                                        • Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
                                          eskimo Apple Staff (6,270 points)

                                          Hey hey!  During my one-on-one with my boss last night I told him that these requests have completely dried up, and now you’ve made me a liar (-:  Oh well, never mind.

                                          We’ll be in touch shortly via official channels.

                                          Share and Enjoy

                                          Quinn “The Eskimo!”
                                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                          let myEmail = "eskimo" + "1" + "@apple.com"