3 Replies
      Latest reply on Jul 22, 2015 7:36 AM by sandi
      rtrouton Level 1 (0 points)

        What is the Network Extension framework?

         

        Provides APIs for apps to extend the core networking features of OS X and iOS.

         

        • NEHotspotManager
        • NEVPNManager
        • NETunnelProvider
        • NEFilterProvider

         

        Content Filtering - NEFilterProvider; filters network content

         

         

        NEHotspotManager

         

        Used to create apps that connect to WiFi hotspots

        Custom authentication for WiFi Hotspots

         

        Register with the system as a Hotspot Helper

        - From the background

        Claim hotspots with high level of confidence

        Perform initial authentication

        Handles the authentication session

         

        Annotate WiFi networks in the WiFi network scanner (Display WiFi networks in the iOS X network scanner with a little tag that displays something (your company name, for example) under the SSID name.)

         

         

        NEVPNManager

         

        Personal VPN

        Configure and control the built-in IPSec client

         

        - Create a Personal VPN configuration

        - Supports IKEv1 and IKEv2

        - Configure Connect On Demand

        - Configure HTTP Proxies

        - Cooperates with Enterprise VPN configurations

         

        IKEv2 protocol enhancements

         

        - Mobility across interfaces using MOBIKE

        - Full IPv6 support for inside and outside VPN tunnel

        - IKE fragmentation support

        - IKE redirect support

         

        IKEv2 works better in a wider range of environments.

         

        You can only have one Personal VPN configuration saved at a time.

         

        Connect on Demand

         

        Set up rules which govern when the VPN should connect automatically (for example, whenever an iOS device connects to WiFi.)

         

         

        NETunnelProvider

         

        Create a custom VPN protocol provider

        - Runs as app extension

        - Packet Tunnel Provider for IP layer tunneling

        - App Proxy Provider for app layer tunneling

         

        Configure and control your own protocol provider

         

         

        NEPacketTunnelProvider

         

        The PacketTunnelProvider has a lot of control over the utun0 interface.

        More details, but went by fast. Watch the video.

         

        Demo of how PacketTunnelProvider works (watch the video.)

         


        Per-App VPN for Managed Apps

         

        VPN for BYOD

         

        Configure per-app VPN using MDM (Mobile device management)

        - Enroll devices in an MDM service

        - Link managed apps with per-app VPN configuration

         

        Supported protocols

         

        - Custom App Proxy Providers

        - Custom Packet Tunnel Providers

        - IKEv1 and IKEv2 support

         

         

        Demo of Per-App VPN with NEPacketTunnelProvider (watch video.)

         

        NEAppProxyProviderManager

         

        Works with Per-App VPN (for details, watch video)

         

         

        NEFilterProvider

         

        Previous solutions

         

        - On-site content filter

        - Global proxy

        - Full tunnel VPN

         

        Best solution - on-device content filter; sits on the device and manages what's available. This allows filtering to go wherever the device goes, without needing additional network infrastructure.

         

         

        NEFilterProvider provides an on-device content filter.

         

        NEFilterProvider is only available for iOS, with the targeted environment being schools

         

         

        For supervised iOS devices

        Dynamic eval of network content

        Ability to update filtering rules on the fly from the internet

        Customizable block page (show your school / company name and provide way to request access to blocked content.)

         

        Special entitlements required for the following before you'll be able to work with them in Xcode.

         

        • NEHotspotHelper
        • NETunnelProvider
        • NEFilterProvider

         

        There's an email address at Apple you need to contact to get these entitlements, see video.

         

        Email: networkextensions at apple dot com
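
        The Personal VPN and Connect On Demand items in the notes above, as an added example (not part of the original post and not Apple's sample code). The server name, user name, SSID and function name are placeholders, and the sketch goes slightly beyond the notes by putting a disconnect rule for a trusted SSID ahead of the WiFi connect rule to show that rule order matters.

```objective-c
#import <Foundation/Foundation.h>
#import <NetworkExtension/NetworkExtension.h>

// Hypothetical helper. passwordRef must be a persistent keychain reference
// to the VPN password; creating that keychain item is outside this example.
void ConfigurePersonalVPN(NSData *passwordRef) {
    NEVPNManager *manager = [NEVPNManager sharedManager];

    // Always load first: saving without loading overwrites the single
    // Personal VPN configuration with a partially filled one.
    [manager loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
        if (loadError) { NSLog(@"load failed: %@", loadError); return; }

        NEVPNProtocolIKEv2 *ikev2 = [[NEVPNProtocolIKEv2 alloc] init];
        ikev2.serverAddress = @"vpn.example.com";      // placeholder
        ikev2.remoteIdentifier = @"vpn.example.com";   // placeholder
        ikev2.username = @"example-user";              // placeholder
        ikev2.passwordReference = passwordRef;
        // Username/password over EAP: no machine authentication method.
        ikev2.authenticationMethod = NEVPNIKEAuthenticationMethodNone;
        ikev2.useExtendedAuthentication = YES;

        // Rules are evaluated in order and the first match wins.
        // 1) On a trusted SSID (placeholder), leave the VPN down.
        NEOnDemandRuleDisconnect *trusted = [[NEOnDemandRuleDisconnect alloc] init];
        trusted.interfaceTypeMatch = NEOnDemandRuleInterfaceTypeWiFi;
        trusted.SSIDMatch = @[ @"ExampleCorp-Office" ];

        // 2) On any other WiFi network, bring the VPN up automatically.
        NEOnDemandRuleConnect *anyWiFi = [[NEOnDemandRuleConnect alloc] init];
        anyWiFi.interfaceTypeMatch = NEOnDemandRuleInterfaceTypeWiFi;

        manager.protocolConfiguration = ikev2;
        manager.localizedDescription = @"Example Personal VPN";
        manager.onDemandRules = @[ trusted, anyWiFi ];
        manager.onDemandEnabled = YES;
        manager.enabled = YES;

        [manager saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            if (saveError) { NSLog(@"save failed: %@", saveError); }
        }];
    }];
}
```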

        • Re: Notes from What's New in Network Extension and VPN
          amirltm Level 1 (0 points)

          Nice, thanks for posting the notes! Did you get the impression that approval for the custom packet tunnel provider entitlement will be selective?

          • Re: Notes from What's New in Network Extension and VPN
            Christoph Böhm Level 1 (0 points)

            Do you know why there is only IPSec with IKEv1 or IKEv2? What is the reason that no IPSec over L2TP is programmatically possible?

            • Re: Notes from What's New in Network Extension and VPN
              sandi Level 1 (0 points)

              Hi ,

              I am able to see my binary signed with the NEHotspotHelper entitlements; also, I have added the network-authentication background mode to the Info.plist. I would like to achieve the below things in my app:

              1) Annotate WiFi networks in the WiFi network scanner (Display WiFi networks in the iOS X network scanner with a little tag that displays something (your company name, for example) under the SSID name.)

              2) Authenticate for WiFi Hotspots in background.

               

              My current code is pasted below. registerWithOptions is returning true.

               

              // Display name shown under the SSID for networks this helper claims
              NSDictionary* options = [NSDictionary dictionaryWithObjectsAndKeys:@"Connect Here",kNEHotspotHelperOptionDisplayName, nil];
              dispatch_queue_t queue = dispatch_queue_create("com.my.NewtworkExt", 0);

              BOOL returnType = [NEHotspotHelper registerWithOptions:options queue:queue handler: ^(NEHotspotHelperCommand * cmd) {
                  if(cmd.network) {
                      NEHotspotNetwork* network = cmd.network;
                      if( cmd.commandType == kNEHotspotHelperCommandTypeEvaluate || cmd.commandType == kNEHotspotHelperCommandTypeFilterScanList ) {
                          // Mark the network as high confidence; no response is created or delivered here
                          [network setConfidence:kNEHotspotHelperConfidenceHigh];
                      }
                  }
                }];

               

              Please provide me some sample code/steps to achieve the above tasks.

               

              Thanks
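
An added example, not part of the post above and not Apple's sample code: a hotspot helper handler that answers the scan-list and evaluate commands by delivering a response, and that claims only networks on an allowlist rather than every network it sees. The SSIDs, queue label and function names are hypothetical; the authentication step depends on the hotspot's own login protocol and is not shown.

```objective-c
#import <Foundation/Foundation.h>
#import <NetworkExtension/NetworkExtension.h>

// Constructed allowlist: the only SSIDs this helper annotates or claims.
static NSSet<NSString *> *KnownSSIDs(void) {
    return [NSSet setWithObjects:@"ExampleCorp-Guest", @"ExampleCorp-Lobby", nil];
}

// Hypothetical entry point; call once at app launch.
BOOL RegisterHotspotHelper(void) {
    NSDictionary *options = @{ kNEHotspotHelperOptionDisplayName : @"Connect Here" };
    dispatch_queue_t queue = dispatch_queue_create("com.example.hotspothelper", DISPATCH_QUEUE_SERIAL);
    return [NEHotspotHelper registerWithOptions:options
                                          queue:queue
                                        handler:^(NEHotspotHelperCommand *cmd) {
        NSSet<NSString *> *known = KnownSSIDs();
        switch (cmd.commandType) {
        case kNEHotspotHelperCommandTypeFilterScanList: {
            // Return only allowlisted networks; these get the display-name tag.
            NSMutableArray<NEHotspotNetwork *> *claimed = [NSMutableArray array];
            for (NEHotspotNetwork *network in cmd.networkList) {
                if ([known containsObject:network.SSID]) {
                    [network setConfidence:kNEHotspotHelperConfidenceHigh];
                    [claimed addObject:network];
                }
            }
            NEHotspotHelperResponse *response = [cmd createResponse:kNEHotspotHelperResultSuccess];
            [response setNetworkList:claimed];
            [response deliver];
            break;
        }
        case kNEHotspotHelperCommandTypeEvaluate: {
            // Claim the network only if it is allowlisted; otherwise decline it.
            NEHotspotNetwork *network = cmd.network;
            BOOL isKnown = [known containsObject:network.SSID];
            [network setConfidence:isKnown ? kNEHotspotHelperConfidenceHigh
                                           : kNEHotspotHelperConfidenceNone];
            NEHotspotHelperResponse *response = [cmd createResponse:kNEHotspotHelperResultSuccess];
            [response setNetwork:network];
            [response deliver];
            break;
        }
        default:
            // Authenticate, Maintain, Logoff and PresentUI are not implemented here.
            [[cmd createResponse:kNEHotspotHelperResultCommandNotRecognized] deliver];
            break;
        }
    }];
}
```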