8 Replies
      Latest reply on Jan 6, 2017 1:04 PM by vzrao
      abhinavbansal8 Level 1 Level 1 (0 points)

        I want to understand what is the behavior that iOS supports if there are multiple apps that implement NEFilterManager class of APIs. In general muliple apps implementing Network Extension frameworks.

         

        Q1. Which app gets the priority for filtering decisions?

        Q2. If one app allows website A but the other app disallows website A, how would OS decide?

        Q3. If there are multiple apps implementing NETunnelProviderManager with default route, who will get the utun packets?

        Q4. Why is NEAppProxyProvider allowed only for managed apps? Is there any particular reason for this?

         

        Any help would be greatly appreciable.

        • Re: What is the behavior when there are multiple apps implementing NETunnelProvider class of APIs
          eskimo Apple Staff Apple Staff (13,885 points)

          Q1. Which app gets the priority for filtering decisions?

          Q2. If one app allows website A but the other app disallows website A, how would OS decide?

          This is actually covered by the documentation, but you have to read between the lines a little.  Specifically, the NEFilterManager Class Reference has this to say about the enabled property.

          Setting this property to true and saving the configuration will disable all other network content filters on the system …

          Thus, it’s not possible to have multiple filter providers active simultaneously, and thus the situations you described can’t crop up.


          Q3. If there are multiple apps implementing NETunnelProviderManager with default route, who will get the utun packets?

          This is also covered by the documentation, this time in the NETunnelProviderManager Class Reference.

          VPN configurations created using NETunnelProviderManager are classified as regular enterprise VPN configurations (as opposed to the Personal VPN configurations created by NEVPNManager). Only one enterprise VPN configuration can be enabled on the system at a time. If both a Personal VPN and an enterprise VPN are active on the system simultaneously, the enterprise VPN takes precedence, meaning that if the routes for the two VPNs conflict then the routes for the enterprise VPN will take precedence. The Personal VPN will remain active and connected while the enterprise VPN is active and connected, and any traffic that is routed to the Personal VPN and is not routed to the enterprise VPN will continue to traverse the Personal VPN.

          So you can’t have two tunnel providers active simultaneously, which obviates your specific question, and the relationship between Personal VPN and regular VPN is clearly defined.


          Q4. Why is NEAppProxyProvider allowed only for managed apps? Is there any particular reason for this?

          We’ve never specifically given a reason but, in terms of practicality, the per-app VPN infrastructure needs to be able to accurately identify an app and that’s done via the MDM infrastructure.

          Share and Enjoy

          Quinn "The Eskimo!"
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

          … who read the documentation closely today (-: