6 Replies
      Latest reply: Feb 8, 2017 2:06 PM by eskimo
      olivaresf Level 1 (0 points)

        I have a project that has the DataExtension target installed. In this extension I have a subclass of NEFilterDataProvider (the one that's created alongside the target). However, I don't know how to trigger the actual extension to start working. I have tried adding the following in application:didFinishLaunchingWithOptions:

         

        [[NEFilterManager sharedManager] loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
                if (error) {
                    // This error usually does not happen.
                    NSLog(@"%@", error);
                }
             
                NEFilterProviderConfiguration *config = [[NEFilterProviderConfiguration alloc] init];
                config.username = @"Test";
                config.organization = @"Org";
                config.filterBrowsers = YES;
                config.filterSockets = YES;
                config.serverAddress = @"Server to request new rules";
                [NEFilterManager sharedManager].providerConfiguration = config;
                [[NEFilterManager sharedManager] setEnabled:YES];
             
                [[NEFilterManager sharedManager] saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
                    if (error) {
                        // This always returns:
                        // Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
                        NSLog(@"%@", error);
                    }
                }];
            }];
        

         

        I have a suspicion I'm getting the denied permission because of Entitlements. My entitlements look like this:

         

        DataFilterExtension

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
          <key>com.apple.security.application-groups</key>
          <array>
          <string>group.com.appIdentifier</string>
          </array>
        </dict>
        </plist>
        

         

        MainApp

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
          <key>com.apple.developer.networking.vpn.api</key>
          <array>
          <string>allow-vpn</string>
          </array>
        </dict>
        </plist>
        

         

        I'm not sure what to do.

        • Re: Once I have a DataFilterExtension how do I begin the filtering?
          eskimo Apple Staff (6,685 points)

          I have a suspicion I'm getting the denied permission because of Entitlements.

          That’s correct.  To create a Network Extension provider, you need special entitlements.  This was discussed at the end of WWDC 2015 Session 717 What's New in Network Extension and VPN.  For more context, see this post.

          <key>com.apple.developer.networking.vpn.api</key>
          <array>
            <string>allow-vpn</string>
          </array>
          

          This entitlement is for Personal VPN (using NEVPNManager to set up VPN with the built-in VPN transports) and will not help when creating a Network Extension filter provider.

          Finally, before deciding on a product plan here please take note of the fact that Network Extension filter providers are only supported on supervised devices.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Once I have a DataFilterExtension how do I begin the filtering?
              olivaresf Level 1 (0 points)

              Hi Eskimo, it was indeed an entitlements issue. I believe we are able to run the Network Extension so I don't have an issue with the product plan.

               

              I am, however, unable to actually debug it. When I run the app, I got the prompt to use the extension but then nothing happened. None of my breakpoints are hit. I see this question on Stack Overflow, but following the answers didn't yield any results.

               

              If I run my extension on device, then try to attach to it via ProcessID (where I input its bundle identifier) I get a warning saying: "No application exists at ~Path/To/Containing.app"

               

              If I run my app on device, then try to attach to it via ProcessID, I get a warning saying: "Waiting for (extension BundleID) to launch". However, I am launching on AppDelegate (with the code on my first post, right?).

               

              Any help? I am finding docs lacking =/

              • Re: Once I have a DataFilterExtension how do I begin the filtering?
                jkim2332 Level 1 (0 points)

                Hi Eskimo.

                 

                I have requested to use Network Extension, and was approved to use it.

                 

                I have successfully implemented the use of NEFilterManager, and could load and save to preferences in the development build.

                 

                However, in release build (tested in TestFlight), I get an error "Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo=(NSLocalizedDescription=permission denided)" when calling NEFilterManager.sharedManager().saveToPreferencesWithCompletionHandler.


                I have followed almost exactly the same implementation as Apple's SimpleTunnel sample code.


                I have checked the entitlements of the extensions, and also the provisioning profiles for the release build. They look fine.


                Please let me know how come NEFilterManager.saveToPreferencesWithCompletionHandler does not work in the release build, but works fine in the development build.

                  • Re: Once I have a DataFilterExtension how do I begin the filtering?
                    eskimo Apple Staff (6,685 points)

                    However, in release build (tested in TestFlight), I get an error "Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo=(NSLocalizedDescription=permission denided)" when calling NEFilterManager.sharedManager().saveToPreferencesWithCompletionHandler.

                    Indeed.  This is expected.  Filter providers are only supported on supervised devices and thus can only be configured by a configuration profile.  For Development builds we have a special feature that allows you to set up the filter provider via the API, but that feature is disabled for Distribution builds.

                    Note: In this case we check for a Development build by looking for the get-task-allow entitlement.

                    If you think about this, it makes sense.  In a supervised environment no user of the device should be allowed to change the configuration of the filter, and thus there’s no need for the filter configuration UI within your app.

                    I recommend that you create a configuration profile to test your filter, install that on a supervised device along with a Distribution-signed version of your app, and then see how things go from there.

                    Share and Enjoy

                    Quinn “The Eskimo!”
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"
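
The two entitlement points made in the staff replies above (the vpn.api entitlement does not cover filter providers, and API configuration depends on get-task-allow) can be checked against a signed build's entitlements. This is an added Python example, not code from any poster or from Apple; the key com.apple.developer.networking.networkextension and its content-filter-provider value do not appear in the thread, and the sample plists are constructed, the first mirroring the MainApp entitlements as posted.

```python
import plistlib

# Network Extension provider entitlement (not quoted in the thread).
NE_KEY = "com.apple.developer.networking.networkextension"
# Personal VPN entitlement, as posted for MainApp.
VPN_KEY = "com.apple.developer.networking.vpn.api"


def audit_entitlements(plist_bytes):
    """Predict, per the replies above, whether NEFilterManager's
    saveToPreferences can succeed for a build with these entitlements."""
    ent = plistlib.loads(plist_bytes)
    has_filter = "content-filter-provider" in ent.get(NE_KEY, [])
    # get-task-allow marks a Development-signed build.
    dev_build = ent.get("get-task-allow") is True
    return {
        "filter_entitlement": has_filter,
        "personal_vpn_only": VPN_KEY in ent and not has_filter,
        "development_build": dev_build,
        # Distribution builds must be configured by a profile instead.
        "api_config_allowed": has_filter and dev_build,
    }


# Constructed samples (entitlements as a signed build would carry them).
MAIN_APP_AS_POSTED = plistlib.dumps({VPN_KEY: ["allow-vpn"]})
DEVELOPMENT_BUILD = plistlib.dumps(
    {NE_KEY: ["content-filter-provider"], "get-task-allow": True})
DISTRIBUTION_BUILD = plistlib.dumps(
    {NE_KEY: ["content-filter-provider"], "get-task-allow": False})

if __name__ == "__main__":
    samples = (("as posted", MAIN_APP_AS_POSTED),
               ("development", DEVELOPMENT_BUILD),
               ("distribution", DISTRIBUTION_BUILD))
    for name, sample in samples:
        print(name, audit_entitlements(sample))
```
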

                      • Re: Once I have a DataFilterExtension how do I begin the filtering?
                        neirar Level 1 (0 points)

                        Hello Quinn,

                         

                        I know there have been some changes to the permissions needed for the NetworkExtension framework. For example, it is no longer necessary to email Apple to request permission to use content filters. And that brings me to my question. In the NEFilterManager documentation (https://developer.apple.com/reference/networkextension/nefiltermanager), it is mentioned that the configurations for the content filters can only be created on supervised devices or in development. However, in the documentation for NEFilterProvider (https://developer.apple.com/reference/networkextension/nefilterprovider) there is no mention of such a restriction.

                         

                        What I'm hoping is that the filter manager and filter providers can still be used on regular (unsupervised) devices, but to configure them through MDM you need a supervised device. For example, if I want to implement a simple filter, is that still restricted to supervised devices only?

                         

                        Any help would be appreciated!

                          • Re: Once I have a DataFilterExtension how do I begin the filtering?
                            eskimo Apple Staff (6,685 points)

                            Nothing has changed here:

                            • Network Extension content filter providers are still restricted to supervised devices.

                            • Network Extension per-app VPN (either app proxy providers, or packet tunnel providers in per-app mode) are still restricted to managed devices.

                            IMPORTANT: There’s a difference between supervised and managed devices.  A managed device is typically owned by the device’s user, who happens to have opted into the organisation’s management system — think BYOD — and can opt out at any time.  A supervised device is typically owned by an organisation and the user can’t opt out of management.  A lot of the really intrusive settings, like content filter and global HTTP proxy, can only be applied to supervised devices.

                            Share and Enjoy

                            Quinn “The Eskimo!”
                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                            let myEmail = "eskimo" + "1" + "@apple.com"
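
The configuration profile recommended earlier in the thread for testing on a supervised device can be generated as below; this is an added Python example, not code from any poster or from Apple. The payload keys are taken from Apple's Web Content Filter profile payload, the bundle ID and server address are constructed, and PluginBundleID is assumed to be the containing app's bundle ID.

```python
import plistlib
import uuid


def build_filter_profile(plugin_bundle_id, server_address, username,
                         organization, filter_browsers=True,
                         filter_sockets=True):
    """Return .mobileconfig bytes with one Web Content Filter payload."""
    if not (filter_browsers or filter_sockets):
        # Assumption from Apple's profile reference: one must be true.
        raise ValueError("enable FilterBrowsers and/or FilterSockets")
    filter_payload = {
        "PayloadType": "com.apple.webcontent-filter",
        "PayloadVersion": 1,
        "PayloadIdentifier": plugin_bundle_id + ".filter",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Content Filter",
        # "Plugin" selects a Network Extension filter provider.
        "FilterType": "Plugin",
        "UserDefinedName": "Example Filter",
        # Assumed to be the containing app's bundle ID.
        "PluginBundleID": plugin_bundle_id,
        # Same fields the first post set on NEFilterProviderConfiguration.
        "ServerAddress": server_address,
        "UserName": username,
        "Organization": organization,
        "FilterBrowsers": filter_browsers,
        "FilterSockets": filter_sockets,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": plugin_bundle_id + ".profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Content Filter (test)",
        "PayloadContent": [filter_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed sample values; replace with the real app's identifiers.
    data = build_filter_profile("com.example.MainApp", "filter.example.com",
                                "Test", "Org")
    print(data.decode("utf-8"))
```
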