NEAppProxyProvider VPN does not connect in User Enrollment mode

Hi, we faced an issue where the NEAppProxyProvider-based per-app VPN fails to connect when the device is enrolled in User Enrollment mode. This occurs because NEAppProxyProvider cannot look up the client TLS identity based on the persistent reference passed in the VPN profile. We are using the following code to get the client identity and certificate from the VPN configuration's persistent reference, and the lookup fails with status "-25300".


#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Resolve the client identity from the persistent reference carried in the VPN configuration.
SecIdentityRef CopyIdentityForPersistentRef(NSData *persistentIdentityRef) {
    NSDictionary *dict = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassIdentity,
        (__bridge id)kSecReturnRef: (id)kCFBooleanTrue,
        (__bridge id)kSecValuePersistentRef: persistentIdentityRef
    };
    CFTypeRef identityRef = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)dict, &identityRef);
    return (status == errSecSuccess) ? (SecIdentityRef)identityRef : NULL; // status is -25300 (errSecItemNotFound) under User Enrollment
}


Same logic works fine in Device Enrollment mode.


Has anyone faced a similar issue, or is this a bug on the iOS side?
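As an added example (not code from the original post or from Apple), the lookup above can be wrapped so that a failure logs which keychain item is actually invisible to the extension. Status -25300 is errSecItemNotFound in Security.framework: it only says that nothing in the keychain visible to this process matched the query, so the diagnostics below count certificates, keys and identities separately, because an identity lookup needs both the certificate and its private key to be visible. It assumes the persistent reference arrives as NSData, typically read from the protocol configuration's identityReference; the function and helper names are illustrative.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not from the original post. Helper names are illustrative.

// Map an OSStatus to "code (message)". SecCopyErrorMessageString is available on
// iOS 11.3+ and renders -25300 as the errSecItemNotFound message.
static NSString *SecStatusDescription(OSStatus status) {
    CFStringRef msg = SecCopyErrorMessageString(status, NULL);
    NSString *text = msg ? (__bridge_transfer NSString *)msg : @"unknown";
    return [NSString stringWithFormat:@"%d (%@)", (int)status, text];
}

// Count the items of one keychain class visible to this process, returning
// attributes only (no refs) so the query is cheap. Used purely for logging.
static OSStatus CountVisibleItems(CFTypeRef itemClass, CFIndex *count) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)itemClass,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitAll,
        (__bridge id)kSecReturnAttributes: (id)kCFBooleanTrue,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    // With kSecMatchLimitAll a successful result is always a CFArray.
    *count = (status == errSecSuccess && result) ? CFArrayGetCount((CFArrayRef)result) : 0;
    if (result) CFRelease(result);
    return status;
}

// Resolve the identity behind a persistent reference (assumed to come from the
// protocol configuration's identityReference). Returns a +1 SecIdentityRef that
// the caller must CFRelease, or NULL with *outStatus set to the failing status.
SecIdentityRef CopyIdentityFromPersistentRef(NSData *persistentRef, OSStatus *outStatus) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassIdentity,
        (__bridge id)kSecValuePersistentRef: persistentRef,
        (__bridge id)kSecReturnRef: (id)kCFBooleanTrue,
    };
    CFTypeRef identityRef = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &identityRef);
    if (outStatus) *outStatus = status;
    if (status == errSecSuccess) {
        return (SecIdentityRef)identityRef;
    }

    // Diagnostics on failure: errSecItemNotFound (-25300) means no identity matched
    // in the keychain this extension can see. Log what it can see so the report
    // distinguishes "certificate missing", "private key missing" and "nothing at all".
    NSLog(@"identity lookup failed: %@", SecStatusDescription(status));
    CFIndex certs = 0, keys = 0, idents = 0;
    CountVisibleItems(kSecClassCertificate, &certs);
    CountVisibleItems(kSecClassKey, &keys);
    CountVisibleItems(kSecClassIdentity, &idents);
    NSLog(@"visible to this extension: %ld certificates, %ld keys, %ld identities",
          (long)certs, (long)keys, (long)idents);
    return NULL;
}
```

Call it from the provider's start path and attach the two log lines to the feedback report; a result of zero certificates and zero keys points at the profile's credentials not being installed where the extension can reach them, while a certificate without a matching key points at the private key alone being out of reach.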

Replies

We're seeing this same behavior with NETunnelProvider per-App VPN. Everything works well in Device Enrollment, but with User Enrollment the cert isn't found.


Looking at the configuration pushed by the MDM we can see the required certificate, but it's not found by SecItemCopyMatching.


Did you ever find a solution?

No, we have raised feedback on this one and still waiting.

What was the FB number?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn, FB7303482 is the feedback number. We also have TSI "727754398" open with Apple; I will also follow up on that shortly. But as of now the VPN profile has the right entitlements, as we were asked to verify in the TSI. Please let us know if you need any more info. Regards.

We were told by a customer that Apple told *them* that only App Proxy providers were supported for User Enrollment.


Our understanding was that Tunnel Providers would work as long as the VPN was a per-App VPN, not a device-level VPN. I.e., the VPN type was the issue, not the provider type.


Is there somewhere that this question is explicitly addressed?

I would like to know this information as well. Our packet tunnel does not work using user enrollment, and I have verified that we are indeed being passed an identity cert ref, it just isn't found. We have access to the keychain items in question. In particular, can you verify that this isn't going to work for Packet Tunnels at all, only AppProxyProviders? What is the reasoning behind this?

Did anyone find a solution for this? We are also having the same issue. I really appreciate any help you can provide.