iOS Per-App VPN Not Connected To Internet

Hi,

We are developing an app with Per-App VPN. This container app is designed so that some of our specific apps connect to the network through the VPN at certain times, while all the other apps do not.

I have some questions I cannot find answers to.

1. I've added the NETestAppMapping key to the Info.plist of my container app in Development, and the Bundle Identifiers of those specific apps are added to NETestAppMapping. After building the container app and installing the configuration profile with Apple Configurator 2, I found those specific apps cannot connect to the Internet until I turn on the VPN in the container app. Is that normal?

2. NETestAppMapping is a way to configure those specific apps in Development. I wonder what the production mechanism for specifying app mappings is.

Thank you very much.

Accepted Reply

… I found those specific apps cannot connect to the Internet until I turn on the VPN in the container app. Is that normal?

Yes. If you want the connection to happen automatically, configure VPN On Demand. Specifically, look at the OnDemandMatchAppEnabled property in the Per-App VPN payload (com.apple.vpn.managed.applayer).

… NETestAppMapping is a way to configure those specific apps in Development. I wonder what the production mechanism for specifying app mappings is.

That depends on your target platform:

  • For iOS, you must install the target app via MDM. For some background on this, search the Mobile Device Management Protocol Reference for VPNUUID.

    Of course, how you do this in actual production depends on the specific MDM product you’re using.

  • On macOS, use the App-to-Per-App VPN Mapping payload (com.apple.vpn.managed.appmapping). See the Configuration Profile Reference for details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
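As an added illustration of the two pieces of configuration named in this reply (not code from the thread or from Apple), here is a Python model of a configuration profile that carries a Per-App VPN payload with OnDemandMatchAppEnabled and, for macOS, an App-to-Per-App VPN Mapping payload tied to it by VPNUUID, plus a check that flags the two mistakes that produce the symptom in the question. Key names follow Apple's Configuration Profile Reference; the bundle identifiers, server address and UUID are constructed placeholders.

```python
import uuid

APPLAYER = "com.apple.vpn.managed.applayer"
APPMAPPING = "com.apple.vpn.managed.appmapping"
VPN_UUID = "8F0B4E1E-1111-2222-3333-444455556666"  # constructed sample value


def applayer_payload(vpn_uuid, provider_app_id, server, on_demand=True):
    # Per-App VPN payload; bundle ids and server address are constructed placeholders.
    return {
        "PayloadType": APPLAYER, "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadIdentifier": "com.example.perappvpn",
        "UserDefinedName": "Per-App VPN", "VPNUUID": vpn_uuid,
        "VPNType": "VPN", "VPNSubType": provider_app_id,
        "ProviderType": "packet-tunnel", "ProviderBundleIdentifier": provider_app_id + ".tunnel",
        "OnDemandMatchAppEnabled": on_demand,  # False reproduces the symptom in the question
        "VPN": {"RemoteAddress": server, "AuthenticationMethod": "Password"},
    }


def appmapping_payload(vpn_uuid, bundle_ids):
    # macOS App-to-Per-App VPN Mapping payload; on iOS MDM supplies the VPNUUID at install time.
    return {
        "PayloadType": APPMAPPING, "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadIdentifier": "com.example.appmapping",
        "AppLayerVPNMapping": [{"Identifier": b, "VPNUUID": vpn_uuid} for b in bundle_ids],
    }


def build_profile(on_demand=True, mapping_uuid=VPN_UUID):
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadIdentifier": "com.example.profile",
        "PayloadContent": [
            applayer_payload(VPN_UUID, "com.example.container", "vpn.example.com", on_demand),
            appmapping_payload(mapping_uuid, ["com.example.mail", "com.example.crm"]),
        ],
    }


def check_profile(profile):
    # Flag the two misconfigurations that would explain the symptoms in the thread.
    content = profile["PayloadContent"]
    known = {p["VPNUUID"] for p in content if p["PayloadType"] == APPLAYER}
    findings = []
    for p in content:
        if p["PayloadType"] == APPLAYER and not p.get("OnDemandMatchAppEnabled"):
            findings.append(f"{p['VPNUUID']}: OnDemandMatchAppEnabled off, apps stay offline until the VPN is started by hand")
        for m in p.get("AppLayerVPNMapping", []):
            if m["VPNUUID"] not in known:
                findings.append(f"{m['Identifier']}: mapped to unknown VPNUUID {m['VPNUUID']}")
    return findings
```

The resulting dictionary can be serialised with plistlib.dumps and then signed and pushed by whatever MDM you use.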

Replies

Hi eskimo,

Thank you very much for your response.

Our apps run on iOS.

I've tried OnDemandMatchAppEnabled. But the effect is not quite what I expected.

We want these specific apps to connect to the network normally before the VPN is turned on, after the container app and configuration profile are installed, and to connect through the VPN once the VPN is turned on in the container app.

We couldn't implement the function above if Per-App VPN works as you said.

Moreover, something really weird just happened. I deleted the configuration profile from the iPhone, and NETestAppMapping from the container app. Then I turned on the VPN in the container app in the normal way. After doing this, I found that the function we want was working.

… We want these specific apps to connect to the network normally before the VPN is turned on, after the container app and configuration profile are installed.

This is not how per-app VPN works. It sounds like you don’t want per-app VPN, but instead want normal VPN. Normal VPN routes traffic based on the destination IP address of the connection. You have a bunch of options here, including:

  • If the servers in question all exist on some small set of networks, you can have the VPN publish routes to those networks. In that case, all your connections to those servers will go via the VPN as long as the VPN is up, or go via the default route otherwise. For example, Apple has a 17.0.0.0/8 subnet, so it’s easy for us to configure the VPN for employees so that all Apple connections go via the VPN.

  • You can also play games with DNS. A VPN can claim a specific set of domains, and all DNS queries for those domains will be routed to the VPN’s DNS. That DNS can then return different IP addresses than the public DNS, IP addresses that cause the connection to go via the VPN.

There is, however, a balance to be struck here. If you use normal VPN then any app on the system can use the VPN. A lot of folks like per-app VPN because it’s only available to specific apps, allowing them to secure those apps’ traffic while excluding other apps.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
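To make the two "normal VPN" options in this reply concrete, here is an added Python model (not Apple's NetworkExtension code and not from the thread) of how destination-based routing and domain-claimed DNS decide whether a connection goes through the tunnel: published routes are only present while the VPN is up, so traffic falls back to the default route otherwise. The 17.0.0.0/8 prefix comes from the reply; the claimed DNS domain is a constructed sample.

```python
import ipaddress

# Constructed sample: the VPN publishes one route (the 17.0.0.0/8 prefix from
# the reply) and claims one DNS domain; everything else uses the default route.
VPN_ROUTES = [ipaddress.ip_network("17.0.0.0/8")]
VPN_DNS_DOMAINS = ["corp.example.com"]


def route_table(vpn_up, vpn_routes=VPN_ROUTES):
    # The default route is always present; the VPN's routes exist only while it is up.
    table = [(ipaddress.ip_network("0.0.0.0/0"), "default")]
    if vpn_up:
        table += [(net, "vpn") for net in vpn_routes]
    return table


def interface_for(dest, vpn_up, vpn_routes=VPN_ROUTES):
    # Longest-prefix match, as an IP stack does: a published /8 beats the /0 default.
    addr = ipaddress.ip_address(dest)
    candidates = [(net, iface) for net, iface in route_table(vpn_up, vpn_routes) if addr in net]
    _, iface = max(candidates, key=lambda entry: entry[0].prefixlen)
    return iface


def resolver_for(hostname, vpn_up, domains=VPN_DNS_DOMAINS):
    # A claimed domain covers itself and its subdomains (suffix match on labels),
    # and queries are diverted to the VPN's resolver only while the tunnel is up.
    host = hostname.rstrip(".").lower()
    claimed = any(host == d or host.endswith("." + d) for d in domains)
    return "vpn-dns" if vpn_up and claimed else "system-dns"
```

The resolver check matches on whole labels, so "notcorp.example.com" is not diverted by a claim on "corp.example.com".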