What is the Network Extension framework?
Provides APIs that let apps extend the core networking features of OS X and iOS.
- NEHotspotManager
- NEVPNManager
- NETunnelProvider
- NEFilterProvider
Content Filtering - NEFilterProvider; filters network content
NEHotspotManager
Used to create apps that connect to WiFi hotspots
Custom authentication for WiFi Hotspots
Register with the system as a Hotspot Helper
- From the background
Claim hotspots with high level of confidence
Perform initial authentication
Handles the authentication session
Annotate WiFi networks in the WiFi network scanner (display WiFi networks in the iOS network scanner with a little tag that shows something, your company name for example, under the SSID name.)
NEVPNManager
Personal VPN
Configure and control the built-in IPSec client
- Create a Personal VPN configuration
- Supports IKEv1 and IKEv2
- Configure Connect On Demand
- Configure HTTP Proxies
- Cooperates with Enterprise VPN configurations
IKEv2 protocol enhancements
- Mobility across interfaces using MOBIKE
- Full IPv6 support inside and outside the VPN tunnel
- IKE fragmentation support
- IKE redirect support
IKEv2 works better in a wider range of environments.
You can only have one Personal VPN configuration saved at a time.
Connect on Demand
Set up rules which govern when the VPN should connect automatically (for example, whenever an iOS device connects to WiFi.)
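A sketch of a Personal VPN configuration with a Connect On Demand rule for WiFi, as an added example that is not code from the session. The server name, account name, description string and the keychain reference passed in are placeholders.

```swift
import NetworkExtension

// Added example. "vpn.example.com" and "alice" are placeholder values;
// passwordRef is assumed to be a persistent keychain reference created by the app.
func configurePersonalVPN(passwordRef: Data,
                          completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()

    // Load the saved configuration before modifying and saving it.
    manager.loadFromPreferences { error in
        if let error = error {
            completion(error)
            return
        }

        // Built-in IPsec client, IKEv2 with EAP username/password.
        let ike = NEVPNProtocolIKEv2()
        ike.serverAddress = "vpn.example.com"
        ike.remoteIdentifier = "vpn.example.com"
        ike.username = "alice"
        ike.passwordReference = passwordRef // keychain reference, not the raw password
        ike.authenticationMethod = .none
        ike.useExtendedAuthentication = true

        // Connect On Demand: bring the tunnel up whenever the device is on WiFi.
        let onWiFi = NEOnDemandRuleConnect()
        onWiFi.interfaceTypeMatch = .wiFi

        // On any other interface, leave the current VPN state untouched.
        let otherwise = NEOnDemandRuleIgnore()
        otherwise.interfaceTypeMatch = .any

        manager.protocolConfiguration = ike
        manager.localizedDescription = "Example Personal VPN"
        manager.onDemandRules = [onWiFi, otherwise] // evaluated in order
        manager.isOnDemandEnabled = true
        manager.isEnabled = true

        // Saving replaces the app's single Personal VPN configuration.
        manager.saveToPreferences(completionHandler: completion)
    }
}
```

Rules are evaluated top to bottom and the first match wins, so the catch-all rule goes last.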
NETunnelProvider
Create a custom VPN protocol provider
- Runs as app extension
- Packet Tunnel Provider for IP layer tunneling
- App Proxy Provider for app layer tunneling
Configure and control your own protocol provider
NEPacketTunnelProvider
The PacketTunnelProvider has a lot of control over the utun0 interface.
More details, but went by fast. Watch the video.
Demo of how PacketTunnelProvider works (watch the video.)
Per-App VPN for Managed Apps
VPN for BYOD
Configure per-app VPN using MDM (Mobile device management)
- Enroll devices in an MDM service
- Link managed apps with per-app VPN configuration
Supported protocols
- Custom App Proxy Providers
- Custom Packet Tunnel Providers
- IKEv1 and IKEv2 support
Demo of Per-App VPN with NEPacketTunnelProvider (watch video.)
NEAppProxyProviderManager
Works with Per-App VPN (for details, watch video)
NEFilterProvider
Previous solutions
- On-site content filter
- Global proxy
- Full tunnel VPN
Best solution - on-device content filter; sits on the device and manages what's available. This allows filtering to go wherever the device goes, without needing additional network infrastructure.
NEFilterProvider provides an on-device content filter.
NEFilterProvider is only available for iOS, with the targeted environment being schools.
For supervised iOS devices
Dynamic evaluation of network content
Ability to update filtering rules on the fly from the internet
Customizable block page (show your school / company name and provide way to request access to blocked content.)
Special entitlements are required for the following before you'll be able to work with them in Xcode:
- NEHotspotHelper
- NETunnelProvider
- NEFilterProvider
There's an email address at Apple you need to contact to get these entitlements; see the video.
Email: networkextensions at apple dot com