User Profile

We have an SSL VPN app. (NEPacketTunnelProvider)Per-app VPN with certificate authentication works when the device is enrolled with Device Enrollment. When the MDM uses User Enrollment the certificate isn't found in the keychain.- The certificate appears in the Management Profile details on the iOS device.- There is an identityReference in the VPN configuration profile.- The profile is correctly associated with the provider, and when the app starts the VPN extension starts and attemps authentication.- SecItemCopyMatching finds nothing in the keychain.Any ideas on this? Kevin

We've been using remote push notifications from a gateway to allow us to provide auth information. In some cases there's no sound to tell the user that a notification has arrived. In our code we specify UNAuthorizationOptionSounds, and the notification settings on the devices are set to allow notifications and sounds for the application. The client code hasn't changed in a couple of years, so I'm wondering whether something might have happened from the sending side. That's not my strongest area though. Does anyone know whether there could have been a change in the call generating the push notification which cut off the sound, and where I would look for documentation on that?

I'm trying to make sure that we're using the most up-to-date networking code on Apple platforms, and generally moving away from BSD sockets. This is fine for HTTP get <-> response exchanges (URLSession), and for TCP,TLS,UDP,DTLS etc. connections (NWConnection variants). I see nothing other than sockets for handling ICMP though. Is this true, or is there some API which I've missed that would let me deal with ICMP without using BSD sockets?

I've been looking at adding includeAllNetworks to our Network Extension VPN (Packet Tunnel Provider). We do some authentication in the app and then start the VPN. All connections in the VPN extension are done by IP address, so there is no name resolution required. The connection setup in the VPN extension involves some HTTP GETS &amp;amp; responses. I'm seeing a couple of problems. It looks like includeAllNetworks has to be set on the VPN configuration when it's defined. Is that correct? When I try setting it at other points, either in the NEPacketTunnelProvider protocolConfiguration or in the NEVPNManager protocol configuration it has no effect. The protocol itself appears to be inaccessible. When I set it in the NEVPNManager's protocolConfiguration before I start the connection it shows includeAllNetworks as set, but when I start the connection the nesessionmanager debug output shows that it's not set in the protocol and it's not in effect. Is there any way to set this on-the-fly? In our particular VPN interaction the Gateway tells the VPN client whether it wants the client to use includeAllNetworks, so we can't just hard-code it. When I do set this in the VPN configuration I can't reach the Gateway. I see that the nesessionmanager shows it as set, but the initial URLSession call gets a .cfurlErrorNotConnectedToInternet result in didCompleteWithError. I've verified that the URI specifies an IP address, not as a hostname, so for example https://10.0.1.10/someapi There is no network traffic after I start the connection until the connection fails, and transitions from Connecting to Disconnecting. (well, except for things like MDNS and a couple of others that aren't blocked by the setting) Since I'm connecting by IP address I'd expect that this would work. In the console I see default 13:42:57.476293-0700 VPNExtension [C10 Hostname#0a01000a:443 failed path (unsatisfied (Path was denied by NECP policy), interface: en0, ipv4)] event: null:null @4.222s I haven't seen any good examples of VPN setup with the new flags, and the documentation is frustratingly vague. Are there any good resources for this? Kevin

Hi! I've been looking into using fuzzing to test some of the things I'm working on.It looks like libFuzzer is included in the Swift developer snapshot, but not in the official release, and it doesn't look like the version of the compiler used by Xcode has the libFuzzer code available.The compiler does understand the complier flags for turning on fuzzing, but ends up with unresolved symbols--and the library's not in the tree that I've beenn able to find...___sanitizer_cov_8bit_counters_init", referenced from: _sancov.module_ctor in main.o ___sanitizer_cov_pcs_init", referenced from: _sancov.module_ctor in main.oHas anyone been working with fuzzing tools + XCTest? Fuzzing Objective-C code? Fuzzing Swift code?Any recommendations for tools that you've used which perform well? Preferably ones that are relatively mature, but given the apparent dearth of options I might need to waive that part...

I'm using a URLSession, and want to be able to identify the case when I have a bad client certificate. When I get a call to func urlSession(_ session:didReceive challenge:completionHandler) and send a bad certificate in response to the client cert challenge, I would expect an error of .cfurlErrorClientCertificateRejected In func urlSession(_ session: task:didCompleteWithError error:)  What I'm seeing instead is the generic .cfurlErrorSecureConnectionFailed When I was using the SSL APIs directly I was getting back errSSLPeerUnknownCA or errSSLPeerBadCert Which makes it clear where the problem lies. Is there a way to see that it was specifically a problem with the client certificate using the URLSession delegates?

We have a Network Extension app (packet_tunnel), and the development profile has multiple hardware IDs, certs etc. If I build the app on one system and try to run it on a different macOS system which is in the profile I get an initial Gatekeeper error (as expected). I then approve the app to run anyway. It runs, and when I connect to a VPN from that system the VPN extension is loaded, but then exits without calling the entry point. My understanding is that signature verification is done *before* the binary is loaded, so if I'm seeing code in VPN extension writing to a log file, I know the signing as been checked & passed. The class initializer for PacketTunnelProvider runs. There's log output from the class initializer, so we know that the VPN extension has been loaded successfully The entry point (startTunnelWithOptions:completionHandler:) is never called The VPN extension exits There's no crash log On some systems it works fine, and the VPN is fine We initially thought it was a signing problem, but since the binary is loading and running that's really looking like a red herring at the moment.

We have a protocol between our client and our server which Creates a TLS connection Does an HTTP get/response on the connection, where the HTTP headers are specifying characteristics of the session Sends and receives arbitrary amounts of streaming data on the connection Some characteristics of the connection code are None of the data after the initial get/response has any HTTP framing at all. Data has to be using the same TCP connection as the initial HTTP exchange Common code for iOS/macOS. Usable from a Network Extension The original code uses a whole bunch of CF*, including CFHttpMessage, and BSD sockets for the raw connection. It was from quite a while back. For backwards compatibility reasons we couldn't switch to the Network framework or to the NSURLConnection/Session APIs. It looks like we have a chance to update our networking, but from my initial reading it looks like the NSURLSessionStreamTask doesn't handle the initial HTTP exchange we need, and the NSURLSession variants that *do* do an initial HTTP exchange aren't really streaming data without framing later. Q1: Are there APIs that can handle the initial HTTP exchange without assuming they control the whole connection? I.e., handle the HTTP parsing &amp; logic, but over a connection that we've set up separately? Q2: Is there a way to make the upload/download tasks act as a raw data stream? Q3: Any other ideas about how to address this particular problem? WebSockets, or any other solution that requires a server-side change is a non-starter for us... Using the Network framework as a BSD sockets replacement gets us part way there, but we're still relying on CF functions for some HTTP functionality.

We have an NKE which uses some of the sock_* interfaces, which are on the deprecated list. It sure sounded like Apple was going to kill these in Big Sur, yet our NKE installs, loads, and runs in the released build of the macOS 11. Does anyone know which interfaces *are* being killed off in Big Sur? We've spread the news that customers have to migrate away from the NKE version of our product to a more recent version, but a more definite timeframe would help.

I'm seeing a released macOS App Store app crashing with a code signing error. This isn't a beta app, it's been signed by Apple and is available on the App Store. On most systems it installs and runs fine (macOS 10.15, macOS 11 on Intel, macOS 11 on Apple Silicon etc.), but on 10.13 we see a code signing error. This is a Network Extension app. It crashes as soon as the mgmt app is opened, before any load is tried on the Extension. We haven't been able to determine whether this error is widespread or not, but it seems like something that should never be happening with an App Store installed app. The app was uninstalled and reinstalled from scratch, and the error persisted, and the MacBook Pro was rebooted. Still happened. Any ideas? The existing discussions around this error were for beta/development builds, which isn't applicable here. ================================ Process:               Citrix SSO [1388] Path:                 /Applications/Citrix SSO.app/Contents/MacOS/Citrix SSO Identifier:           com.citrix.NetScalerGateway.macos.app Version:              ??? Code Type:            X86-64 (Native) Parent Process:       ??? [1] Responsible:           Citrix SSO [1388] User ID:              501Date/Time:            2020-11-19 16:54:56.702 +0530 OS Version:           Mac OS X 10.13.6 (17G65) Report Version:       12 Anonymous UUID:       D25619E7-F0CC-9BAE-9B9A-57B8890496EE [16:55] Process:               Citrix SSO [1410] Path:                 /Applications/Citrix SSO.app/Contents/MacOS/Citrix SSO Identifier:           com.citrix.NetScalerGateway.macos.app Version:              ??? Code Type:            X86-64 (Native) Parent Process:       ??? [1] Responsible:           Citrix SSO [1410] User ID:              501Date/Time:            2020-11-19 16:55:27.250 +0530 OS Version:           Mac OS X 10.13.6 (17G65) Report Version:       12 Anonymous UUID:       D25619E7-F0CC-9BAE-9B9A-57B8890496EETime Awake Since Boot: 2000 secondsSystem Integrity Protection: enabledCrashed Thread:       0Exception Type:       EXCCRASH (Code Signature Invalid) Exception Codes:      0x0000000000000000, 0x0000000000000000 Exception Note:       EXCCORPSENOTIFYTermination Reason:   Namespace CODESIGNING, Code 0x1kernel messages:VM Regions Near 0 (cr2):->     TEXT                000000010d2b9000-000000010d644000 [ 3628K] r-x/r-x SM=COWThread 0 Crashed: 0  ???                            0x00000001184e819c dyldstart + 0Thread 0 crashed with X86 Thread State (64-bit):   rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000   rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffee2946c18    r8: 0x0000000000000000  r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000   r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000   rip: 0x00000001184e819c rfl: 0x0000000000000200 cr2: 0x0000000000000000Logical CPU:    0 Error Code:     0x00000000 Trap Number:    0Binary Images:        0x10d2b9000 -       0x10d643fef +??? (0) <45E0CE2B-93E3-360D-9CFF-6C4B8DEB6BA3> (null)        0x1184e7000 -       0x118531acf +??? (551.4) <8A72DE9C-A136-3506-AA02-4BA2B82DCAF3> (null)External Modification Summary:   Calls made by other processes targeting this process:     taskforpid: 0     threadcreate: 0     threadsetstate: 0   Calls made by this process:     taskforpid: 0     threadcreate: 0     threadsetstate: 0   Calls made by all processes on this machine:     taskforpid: 1764     threadcreate: 0     threadsetstate: 0VM Region Summary: ReadOnly portion of Libraries: Total=4384K resident=0K(0%) swappedoutorunallocated=4384K(100%) Writable regions: Total=8444K written=0K(0%) resident=0K(0%) swappedout=0K(0%) unallocated=8444K(100%)                                VIRTUAL  REGION REGION TYPE                       SIZE   COUNT (non-coalesced) ===========                    ======= ======= STACK GUARD                      56.0M       2 Stack                            8192K       2 _DATA                           1184K       5 LINKEDIT                        456K       3 LLVMCOV                        204K       2 _TEXT                           3928K       3 shared memory                       8K       3 ===========                    ======= ======= TOTAL                            69.6M      13Model: MacBookPro11,1, BootROM 156.0.0.0.0, 2 processors, Intel Core i5, 2.4 GHz, 8 GB, SMC 2.16f68 Graphics: Intel Iris, Intel Iris, Built-In Memory Module: BANK 0/DIMM0, 4 GB, DDR3, 1600 MHz, 0x02FE, - Memory Module: BANK 1/DIMM0, 4 GB, DDR3, 1600 MHz, 0x02FE, - AirPort: spairportwirelesscardtypeairportextreme (0x14E4, 0x112), Broadcom BCM43xx 1.0 (7.77.37.31.1a9) Bluetooth: Version 6.0.7f10, 3 services, 18 devices, 1 incoming serial ports Network Service: Wi-Fi, AirPort, en0 Serial ATA Device: APPLE SSD SD0256F, 251 GB USB Device: USB 3.0 Bus USB Device: Apple Internal Keyboard / Trackpad USB Device: BRCM20702 Hub USB Device: Bluetooth USB Host Controller Thunderbolt Bus: MacBook Pro, Apple Inc., 17.2

We moved our macOS NKE-based VPN over to Network Extensions a while back. Although Network Extensions offered us less control over the system traffic it also let us have a single code base for the core functionality on iOS &amp; macOS, as well as offering the possibilty of MDM.The talk on Network Extensions for Modern macOS offered us some of the control back. The includeAllNetworks and excludeLocalNetworks flags are great to see. But, the title of the talk said 'for Modern macOS', so:- Are they only on macOS, or are the Network Extension parts of that talk also applicable to iOS?- Will those Network Extension flags function if the user is running macOS Mojave?- iOS 12?Or are they only going to work on Cataline/iOS13 and later?Users do tend to upgrade their macOS &amp; iOS versions, but corporate customers upgrade slowly, and they're our market.One abillity of NKEs that we lost with Network Extensions was the ability to do an 'Always On' VPN which made sure that all traffic from the system was tunneled. Because we could make the NKE load at boot time there was no user dependency. It doesn't sound like this is going to be possible even with the current changes.The talk referred to Driver Extensions as user-independent, and providing something available at the system level, but not Network Extensions. Is that the case?Kevin