I've been working on an experiment with an NEAppProxyProvider to read traffic flows with the end goal of an on-device content filter (not an ideal use of AppProxyProvider, I know).
In order to properly test the app proxy provider, I need to figure out a proper profile for the per-app VPN configuration.
The following is the configuration profile I'm using.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    ...
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>VPN</key>
            <dict>
                <key>RemoteAddress</key>
                <string>localhost</string>
            </dict>
            <key>VPNSubType</key>
            <string>org.example.PacketTunnelProviderApp</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VPNUUID</key>
            <string>76c971d6-516f-4c79-b2b4-44313d249b38</string>
            <key>AuthenticationMethod</key>
            <string>None</string>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.applayer.236F34CC-E35C-43E8-AA57-57F3823FB67E</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.applayer</string>
            <key>PayloadUUID</key>
            <string>236F34CC-E35C-43E8-AA57-57F3823FB67E</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProviderType</key>
            <string>app-proxy</string>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>CloudVeil VPN</string>
            <key>VendorConfig</key>
            <dict/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>This profile configures per-app VPN and VPN mappings for the packet tunnel</string>
    <key>PayloadDisplayName</key>
    <string>CloudVeil VPN Profile</string>
    <key>PayloadIdentifier</key>
    <string>CloudVeil-VPN.1B7F99BE-F5F4-44C1-BE70-7C52100D557E</string>
    <key>PayloadOrganization</key>
    <string>CloudVeil Technology, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>4CB93F9C-D51C-45C6-A276-5CC96FDB78B2</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
And here are a few log entries from the configuration profile install.
default | 15:22:34.729567 -0700 | authd | Succeeded authorizing right 'system.privilege.admin' by client '/usr/libexec/mdmclient' [8929] for authorization created by '/usr/libexec/mdmclient' [8929] (3,0) (engine 231) |
error | 15:22:34.752179 -0700 | mdmclient | NEConfiguration configurePluginWithPayload: unsupported authen type (null). |
error | 15:22:34.756208 -0700 | mdmclient | [ERROR] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<< |
default | 15:22:34.757148 -0700 | mdmclient | MessageTracer: load_domain_whitelist_search_tree:73: Search tree file's format version number (0) is not supported |
default | 15:22:34.782463 -0700 | authd | Succeeded authorizing right 'system.privilege.admin' by client '/usr/libexec/mdmclient' [8929] for authorization created by '/usr/libexec/mdmclient' [8929] (3,0) (engine 232) |
error | 15:22:34.806946 -0700 | mdmclient | CPProfileManager.installProfile returning error -319 (<private>) |
default | 15:23:05.667172 -0700 | mdmclient | Attempting idle exit: mdmclient agent |
I think the error that's causing the problem is "unsupported authen type (null).", but there are no indications of that error anywhere. Has anyone ever run into this problem? What am I missing from my configuration profile?
Any suggestions are greatly appreciated.
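
Added example, not part of the original post: the mdmclient log above reports a null authentication type, so this Python check reports where AuthenticationMethod sits in each com.apple.vpn.managed.applayer payload of a profile. It assumes, following Apple's configuration profile documentation, that AuthenticationMethod belongs in the nested VPN dictionary; `key_placement`, `NESTED_VPN_KEYS` and the trimmed sample profile are constructed for illustration.

```python
import plistlib

# Assumption: keys that Apple's profile documentation places in the nested VPN dict.
NESTED_VPN_KEYS = ("AuthenticationMethod",)
PER_APP_TYPE = "com.apple.vpn.managed.applayer"

# Constructed sample mirroring the key layout of the profile in the post (trimmed).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPN</key>
      <dict>
        <key>RemoteAddress</key><string>localhost</string>
      </dict>
      <key>AuthenticationMethod</key><string>None</string>
    </dict>
  </array>
</dict>
</plist>"""


def key_placement(profile_bytes, keys=NESTED_VPN_KEYS):
    """Return (payload_index, key, location) per key for each per-app VPN payload."""
    profile = plistlib.loads(profile_bytes)
    report = []
    for index, payload in enumerate(profile.get("PayloadContent", [])):
        if not isinstance(payload, dict) or payload.get("PayloadType") != PER_APP_TYPE:
            continue  # only per-app VPN payloads are inspected
        vpn = payload.get("VPN")
        vpn = vpn if isinstance(vpn, dict) else {}
        for key in keys:
            nested, top = key in vpn, key in payload
            location = ("both" if nested and top else
                        "VPN dict" if nested else
                        "payload top level" if top else "missing")
            report.append((index, key, location))
    return report


if __name__ == "__main__":
    for index, key, location in key_placement(SAMPLE_PROFILE):
        print(f"payload {index}: {key} -> {location}")
```
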