Posts

Post not yet marked as solved
7 Replies
1.7k Views
Hi, We faced an issue where the NEAppProxyProvider based per-app VPN fails to connect when the device is enrolled in the User Enrollment mode. This occurs as NEAppProxyProvider cannot look up the client TLS identity based on the persistence reference passed in the VPN profile. We are using the following code to get the client identity and certificate from the VPN configuration persistence reference, and the lookup fails with "-25300" status.

    NSDictionary *dict = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassIdentity,
        (__bridge id)kSecReturnRef: (id)kCFBooleanTrue,
        (__bridge id)kSecValuePersistentRef: persistantIdentityRef
    };
    CFTypeRef identityRef = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)dict, &identityRef);

The same logic works fine in Device Enrollment mode. Has anyone faced a similar issue, or is this a bug on the iOS side?
Posted
by sanaw.
Post not yet marked as solved
0 Replies
375 Views
Hi, We are facing an issue while browsing NTLM authenticating endpoints where our WKWebView does not get the authentication challenge. In the logs we see the following entry:

    0x105d9c000 - [pageProxyID=9, webPageID=10, frameID=3, resourceID=87, isMainResource=0, isSynchronous=0] NetworkResourceLoader::didBlockAuthenticationChallenge:

and the CFNetwork logs show a failure to look up the credentials:

    default 2020-05-21 20:31:25.812654 +0300 com.apple.WebKit.Networking CFNetwork Diagnostics [3:16791] 20:31:25.777 { Use Credential: (null) Loader: { URL: http://internalsire.qa/QG.Portal/PortalService.svc/$metadata } Credential: null } [3:16791]

Any suggestions what might be going wrong here? We can see that the 401 is written correctly to the WebKit but it fails later with the above logs. Thanks.
Posted
by sanaw.
Post not yet marked as solved
5 Replies
551 Views
Hi, We would like to implement a full device VPN for macOS. As of now, we have an NEAppProxyProvider based VPN client, but as there are a lot of configurations needed to flag each application binary for VPN, it takes some time to find out which binary would be creating connections in the application bundle and flag those for VPN. For creating a full device VPN using the TLS protocol so that we can connect to our existing VPN server, is there any framework already on macOS like Network Extension to achieve tunneling the traffic at the TCP layer? Thanks.
Posted
by sanaw.
Post marked as solved
7 Replies
2.5k Views
Hi, We are facing speed issues while downloading on a high latency network with the per-app VPN client. We are using NWTCPConnection as of now, and would like to test if changing the receive/send buffer sizes would make any difference in handling the high latency environment. With NWTCPConnection I don't see any option to get the socket FD and override the default values; is there any other way to get around this? Would we need to switch to Network Framework or NSStream instead, as NSStream gives the socket FD and possibly allows changing the buffer sizes? Thanks.
Posted
by sanaw.
Post not yet marked as solved
0 Replies
398 Views
Hi, We are having some performance issues with the NEAppProxyProvider based per-app VPN. With the VPN in between, the download speed is 30% of the max speed without the VPN in the picture. We did confirm from the Wireshark IO Graphs that the actual link speed between the client and the VPN server is also almost 30% of the normal link speed. The VPN server and the client are on the same local network for performance testing, so there is very minimal latency. Any ideas/suggestions to improve this further, or is this the limitation of the NEAppProxyProvider stack?

We thought this might be due to the fact that while writing the received data back to the application using "NEAppProxyTCPFlow's writeData" we write just one data chunk (as this might need multiple kernel writes) of our protocol (~1500 bytes) and not more. We tried writing multiple chunks equal to 4096 bytes to the TCP flow instead to confirm if this might be the issue, but it does not help. Thanks.
Posted
by sanaw.
Post not yet marked as solved
1 Replies
980 Views
Hi, We have a macOS application available on the macOS App Store and we would need to change the "Product Name" of the application due to rebranding. On iOS we could just change the "CFBundleDisplayName" and the app name shown to the user is changed in all places without touching the Product Name. But it seems this is not possible for a macOS application, as it uses the "Product Name" in a few places, like under Applications and in the menu bar. Can anyone comment on whether changing the product name is recommended for already published apps on the App Store? Would it cause any issues while updating the apps on the Macs when this new update is published? Is it possible on macOS to not touch the Product Name/Bundle Name and achieve the same as in the case of iOS? Thanks, Sanjay
Posted
by sanaw.
Post not yet marked as solved
1 Replies
1k Views
Hi, Is there any way to work around the new iOS 13 TLS policies checking for TLS server cert validity of 825 days and so on? Can we override the TLS validation using Secure Transport to manually trust such a certificate with a longer validity than this limit, and others such as the SAN requirement (I think SAN we can override using SecPolicyCreateSSL())? Thanks.
Posted
by sanaw.
Post marked as solved
3 Replies
819 Views
Hi, We have an NEAppProxyProvider VPN client deployed and the VPN server is using a self-signed certificate. We install this self-signed server certificate on devices using MDM. In this case the TLS handshake still fails saying "Invalid Certificate Chain", so we have a couple of questions here:

1. Should self-signed certs not work with the TLS handshake if installed by MDM?
2. If this fails for self-signed certificates, would the same use case still fail with an enterprise CA (issuing the VPN server cert) deployed by MDM?

Is it recommended to override the TLS chain validation here and set the "SecTrustSetAnchorCertificates" in both cases, but how can we read those custom CAs from the keychain in that case? Any suggestions?
Posted
by sanaw.
Post not yet marked as solved
0 Replies
1.1k Views
Hi, We have command line tools which are distributed as daemons and we are trying to set the BundleIdentifier on those, but by default the product name is set as the BundleIdentifier. In Xcode, we can add an Info.plist to those and add a Bundle Identifier, but it does not have any effect (codesign says "Info.plist=not bound"). Is there any way to assign a custom bundle identifier to the command line tools while re-signing using "codesign"? Thanks.
Posted
by sanaw.