8 Replies
      Latest reply on Jun 17, 2018 6:54 AM by playability
      playability Level 1 Level 1 (0 points)



        Our SDK leverages built-in iOS IPSec engine and is built on top of NetworkExtension framework.


        One of our SDK's users complained about not being able to connect to VPN on his device(s). From the logs we he sent, we saw this:


        Method `loadFromPreferencesWithCompletionHandler:` failed (error: Error Domain=NEVPNErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}).


        He also reported an absense of VPN profile in Settings.app.


        Looking through our code we see that this log message is posted in the loadFromPreferencesWithCompletionHandler: callback of NEVPNManager's instance. Error code seems to correspond to NEVPNErrorConfigurationReadWriteFailed = 5




        We cannot reproduce it on our end, so I have done two things to investigate the cause:


        1) entitlement in Provision Profile  -- it has "allow-vpn". Moreover, an app bundle provisioned with the same profile works for us, but does not work for the user

        2) Using Apple Configurator 2, I supervised my device and added a configuration profile with A) a restriction to add Configuration profiles B) a restriction to add VPN profiles. Anazingly, I still can add VPN profile to my device from the very same app. VPN does work.


        At this point, I'm really confized what to do here. Can anybody please give me a clue?

        • Re: NEVPNErrorConfigurationReadWriteFailed upon loadFromPreferencesWithCompletionHandler:
          eskimo Apple Staff Apple Staff (10,835 points)

          1) entitlement in Provision Profile

          Be aware that the provisioning profile is only one part of the entitlement story.  Entitlements are baked in to the app at compile time, so you need to verify the entitlements of the built app.

          In your situation I recommend the following:

          1. Have your customer build and archive an app and then generate an ad hoc .ipa.

          2. Have them verify that this .ipa, when installed on the device, still has the problem.

          3. Have them send you that .ipa.

          4. Once you get it, unpack it (it’s actually a .zip file) and then dump the entitlements of the enclosed app.

            $ codesign -d --entilements :- /path/to/the.app


          5. For good measure you can dump the provisioning profile within the app.

            $ security cms -D -i /path/to/the.app/embedded.mobileprovision


          This will tell you whether the app has the correct entitlements and whether they’re being correctly whitelisted by the associated profile.

          ps For more info on entitlement debugging see Technote 2415 Entitlements Troubleshooting.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"