Notes from What's New in Network Extension and VPN

What is the Network Extension framework?

Provides APIs for the app to extend the core networking features of OS X and iOS.

  • NEHotspotManager
  • NEVPNManager
  • NETunnelProvider
  • NEFilterProvider

Content Filtering - NEFilterProvider; filters network content



NEHotspotManager

Used to create apps that connect to WiFi hotspots

Custom authentication for WiFi hotspots:

- Register with the system as a Hotspot Helper (from the background)
- Claim hotspots with a high level of confidence
- Perform initial authentication
- Handle the authentication session
- Annotate WiFi networks in the WiFi network scanner (display WiFi networks in the iOS X network scanner with a little tag that displays something (your company name, for example) under the SSID name.)



NEVPNManager

Personal VPN: configure and control the built-in IPSec client

- Create a Personal VPN configuration
- Supports IKEv1 and IKEv2
- Configure Connect On Demand
- Configure HTTP proxies
- Cooperates with Enterprise VPN configurations

IKEv2 protocol enhancements

- Mobility across interfaces using MOBIKE
- Full IPv6 support inside and outside the VPN tunnel
- IKE fragmentation support
- IKE redirect support

IKEv2 works better in a wider range of environments.

You can only have one Personal VPN configuration saved at a time.

Connect on Demand

Set up rules which govern when the VPN should connect automatically (for example, whenever an iOS device connects to WiFi).



NETunnelProvider

Create a custom VPN protocol provider

- Runs as an app extension
- Packet Tunnel Provider for IP-layer tunneling
- App Proxy Provider for app-layer tunneling

Configure and control your own protocol provider

NEPacketTunnelProvider

The PacketTunnelProvider has a lot of control over the utun0 interface.

More details, but it went by fast. Watch the video.

Demo of how PacketTunnelProvider works (watch the video).


Per-App VPN for Managed Apps

VPN for BYOD

Configure per-app VPN using MDM (mobile device management)

- Enroll devices in an MDM service
- Link managed apps with a per-app VPN configuration

Supported protocols

- Custom App Proxy Providers
- Custom Packet Tunnel Providers
- IKEv1 and IKEv2 support

Demo of Per-App VPN with NEPacketTunnelProvider (watch the video).

NEAppProxyProviderManager

Works with Per-App VPN (for details, watch the video)



NEFilterProvider

Previous solutions

- On-site content filter
- Global proxy
- Full-tunnel VPN

Best solution - on-device content filter; sits on the device and manages what's available. This allows filtering to go wherever the device goes, without needing additional network infrastructure.

NEFilterProvider provides an on-device content filter.

NEFilterProvider is only available for iOS, with the targeted environment being schools.

For supervised iOS devices:

- Dynamic evaluation of network content
- Ability to update filtering rules on the fly from the internet
- Customizable block page (show your school / company name and provide a way to request access to blocked content)

Special entitlements are required for the following before you'll be able to work with them in Xcode.

  • NEHotspotHelper
  • NETunnelProvider
  • NEFilterProvider

There's an email address at Apple you need to contact to get these entitlements, see video.

Email: networkextensions at apple dot com
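The following is an added Objective-C example, not code from the session or from these notes, that puts the Personal VPN bullets above together: it saves the single NEVPNManager configuration for the built-in IKEv2 client, sets the IKE and child SA algorithms explicitly rather than relying on defaults, attaches an HTTP proxy that applies only inside the tunnel, and adds a Connect On Demand rule that brings the tunnel up whenever the device joins WiFi. The hostnames, identifiers, proxy address and the keychain password reference are placeholders; the app must carry the Personal VPN entitlement, and some of the IKEv2 properties used here first appeared in later OS releases than the one the session covers.

```objective-c
#import <NetworkExtension/NetworkExtension.h>

// Added example (not the session's code). Saves a Personal VPN configuration
// that uses the built-in IKEv2 client and connects on demand on WiFi.
// passwordKeychainRef is a persistent keychain reference, never the raw password.
static void configurePersonalVPN(NSString *username, NSData *passwordKeychainRef) {
    NEVPNManager *manager = [NEVPNManager sharedManager];

    // Load first: saving replaces the one Personal VPN configuration the app may keep.
    [manager loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
        if (loadError != nil) {
            NSLog(@"Could not load VPN preferences: %@", loadError);
            return;
        }

        NEVPNProtocolIKEv2 *ikev2 = [[NEVPNProtocolIKEv2 alloc] init];
        ikev2.serverAddress = @"vpn.example.com";             // placeholder gateway
        ikev2.remoteIdentifier = @"vpn.example.com";          // placeholder; must match the gateway's IKE ID
        ikev2.localIdentifier = @"ios-client";                // placeholder client IKE ID
        // Server certificate plus EAP (username/password) for the client.
        ikev2.authenticationMethod = NEVPNIKEAuthenticationMethodNone;
        ikev2.useExtendedAuthentication = YES;
        ikev2.username = username;
        ikev2.passwordReference = passwordKeychainRef;
        // Pin the expected server certificate name so a different valid cert is rejected.
        ikev2.serverCertificateCommonName = @"vpn.example.com"; // placeholder
        ikev2.disconnectOnSleep = NO;

        // Choose the SA algorithms explicitly instead of accepting the defaults.
        ikev2.IKESecurityAssociationParameters.encryptionAlgorithm = NEVPNIKEv2EncryptionAlgorithmAES256;
        ikev2.IKESecurityAssociationParameters.integrityAlgorithm = NEVPNIKEv2IntegrityAlgorithmSHA256;
        ikev2.IKESecurityAssociationParameters.diffieHellmanGroup = NEVPNIKEv2DiffieHellmanGroup14;
        ikev2.childSecurityAssociationParameters.encryptionAlgorithm = NEVPNIKEv2EncryptionAlgorithmAES256;
        ikev2.childSecurityAssociationParameters.integrityAlgorithm = NEVPNIKEv2IntegrityAlgorithmSHA256;
        ikev2.childSecurityAssociationParameters.diffieHellmanGroup = NEVPNIKEv2DiffieHellmanGroup14;
        ikev2.enablePFS = YES;

        // HTTP proxy used only for traffic that goes through the tunnel.
        NEProxySettings *proxy = [[NEProxySettings alloc] init];
        proxy.HTTPEnabled = YES;
        proxy.HTTPServer = [[NEProxyServer alloc] initWithAddress:@"proxy.example.com" port:8080]; // placeholder
        ikev2.proxySettings = proxy;

        // Connect On Demand: bring the tunnel up on WiFi, leave it down elsewhere.
        NEOnDemandRuleConnect *onWiFi = [[NEOnDemandRuleConnect alloc] init];
        onWiFi.interfaceTypeMatch = NEOnDemandRuleInterfaceTypeWiFi;
        NEOnDemandRuleDisconnect *otherwise = [[NEOnDemandRuleDisconnect alloc] init];
        otherwise.interfaceTypeMatch = NEOnDemandRuleInterfaceTypeAny;

        manager.protocolConfiguration = ikev2;
        manager.onDemandRules = @[ onWiFi, otherwise ];   // evaluated in order, first match wins
        manager.onDemandEnabled = YES;
        manager.localizedDescription = @"Example Corp VPN"; // placeholder name shown in Settings
        manager.enabled = YES;

        [manager saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            if (saveError != nil) {
                NSLog(@"Could not save VPN configuration: %@", saveError);
            }
        }];
    }];
}
```

The first save prompts the user to allow the app to add a VPN configuration; once saved and enabled, the on-demand rules take over and no explicit startVPNTunnelAndReturnError: call is needed for the WiFi case. Storing the password only as a keychain reference keeps the secret out of the app's own memory and out of any configuration dump.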

Replies

Nice, thanks for posting the notes! Did you get the impression that approval for the custom packet tunnel provider entitlement will be selective?

Do you know why there is only IPSec with IKEv1 or IKEv2? What is the reason that no IPSec over L2TP is programmatically possible?

Hi,

I am able to see my binary signed with the NEHotspotHelper entitlement; I have also added the network-authentication background mode to the Info.plist. I would like to achieve the things below in my app:

1) Annotate WiFi networks in the WiFi network scanner (display WiFi networks in the iOS X network scanner with a little tag that displays something (your company name, for example) under the SSID name.)

2) Authenticate for WiFi hotspots in the background.

My current code is pasted below. registerWithOptions is returning true.


#import <NetworkExtension/NetworkExtension.h>

NSDictionary *options = @{ kNEHotspotHelperOptionDisplayName : @"Connect Here" }; // tag shown under the SSID
dispatch_queue_t queue = dispatch_queue_create("com.my.NewtworkExt", DISPATCH_QUEUE_SERIAL);

BOOL returnType = [NEHotspotHelper registerWithOptions:options queue:queue handler:^(NEHotspotHelperCommand *cmd) {
    NEHotspotHelperResponse *response;
    if (cmd.commandType == kNEHotspotHelperCommandTypeFilterScanList) {
        // Scan-list filtering: cmd.network is nil here, the candidates are in cmd.networkList.
        // Only networks returned in the response get the display-name annotation.
        response = [cmd createResponse:kNEHotspotHelperResultSuccess];
        for (NEHotspotNetwork *network in cmd.networkList) {
            [network setConfidence:kNEHotspotHelperConfidenceHigh]; // in practice, only for SSIDs you recognise
        }
        [response setNetworkList:cmd.networkList];
    } else if (cmd.commandType == kNEHotspotHelperCommandTypeEvaluate && cmd.network != nil) {
        // Evaluate: claiming the network with high confidence makes the system ask this helper to authenticate it.
        response = [cmd createResponse:kNEHotspotHelperResultSuccess];
        [cmd.network setConfidence:kNEHotspotHelperConfidenceHigh];
        [response setNetwork:cmd.network];
    } else {
        // Authenticate / Maintain / Logoff are not handled yet, so say so instead of reporting success.
        response = [cmd createResponse:kNEHotspotHelperResultUnsupportedNetwork];
    }
    // Every command must be answered or the helper's claim on the network is dropped.
    [response deliver];
}];


Please provide me with some sample code / steps to achieve the above tasks.


Thanks