We're looking to create a packet tunnel provider network extension. Inside this extension we will have some custom client code that runs to check a few things on the device prior to allowing the VPN to connect per enterprise policy. This code will be inside of the startTunnelWithOptions:completionHandler: block and execute prior to fully completing the connection, if something is wrong the connection will not be completed. The initial VPN profile and such will be installed during the first execution of the container app.
My question is around how we can relay to the user why the VPN connection was not allowed. This is an enterprise application where specific artifacts must be present prior to the VPN connection completing (OS version, WiFi vs. Celluar, etc). Our code inside startTunnelWithOptions:completionHandler: determines this. The VPN will be initiated on-demand or per-app, (it could be started from inside the container app but unlikely), therefore our container app may not be running at all when the VPN comes up but the extension will clearly be called when appropriate. This rule's out the use of handleAppMessage:completionHandler: to send some kind of message back to the user if the container app is closed (I thought this was the intention of the handleAppMessage API but maybe not). If the container app is not running this API will not work, correct? Even if it did work, it won't flip the user back to the container app, correct?
Our issues is that the container app provides a dashboard and we need to tell the user why the VPN connection was disallowed. The way I see it we could do this in two ways:
1) If it's allowed for an extension to show a UI elemetn (e.g., deprecated alertView, etc) initiated by the code inside startTunnelWithOptions, but it's unclear to me if we are able to do that as an extension. Idealy we would display a UIAlert window stating that the connection was disallowed and the user needs to open our app to see why.
2) We could call back to our container app via openURL, it would be launched if not running, and we could then have it display the dashboard along with the reason why the VPN connection was disallowed (sent in the openURL payload). The problem with this is that only Today extensions can do this per documentation "Each extension point determines whether to support this method, or under which conditions to support this method." "A Today widget (and no other app extension type) can ask the system to open its containing app by calling the
openURL:completionHandler: method of the
NSExtensionContext class. ". Obviously, there may be work arounds to launch the app still but its clearly not supported to do so as a Network Extension.
Any idea's how a network extension can display a simple message to the user in response to the VPN not starting? This would need to be displayed in any scenario that the VPN starts, via general->settings->VPN, ondemand, etc.