At WWDC 2015 we announced two major enhancements to the NetworkExtension framework:
NetworkExtension providers — These are app extensions that let you insert your code at various points within the networking stack, including:
- Packet tunnels via
- App proxies via
- Content filters via
Hotspot helper (NEHotspotHelper) — This allows you to create an app that assists the user in navigating a hotspot (a Wi-Fi network where the user must interact with the network in order to get access to the wider Internet).
To use these facilities you previously had to be granted special entitlements by Apple. This policy has now changed for NetworkExtension providers. Any developer can now enable the NetworkExtension provider entitlement like they would any other entitlement.
The situation with hotspot helpers has not changed; if you want to create a hotspot helper, you must be granted a special entitlement by Apple. To apply for that entitlement, use this form.
The rest of this document answers some frequently asked questions about this change.
#1 — Has there been any change to the OS itself?
No, this change only affects the process by which you get the entitlements you need in order to use existing NetworkExtension framework facilities. Previously you had to be granted these entitlements by Apple. Now, except for hotspot helper, you can enable the necessary entitlements using the developer web site.
IMPORTANT Some of the NetworkExtension providers have other restrictions on their use. For example, a content filter can only be used on a supervised device. These restrictions are unchanged.
#2 — How exactly do I enable the NetworkExtension provider entitlement?
In the Certificates, Identifiers & Profiles section of the developer web site, when you add or edit an App ID, you’ll see a new service listed, Network Extensions. You should enable that service in your App ID and then regenerate the provisioning profiles based on that App ID.
The newly-generated profiles will include the com.apple.developer.networking.networkextension entitlement, which is an array containing entries for each of the three types of NetworkExtension providers. You can confirm that this entitlement is present by dumping the profile as shown below.

    $ security cms -D -i NETest.mobileprovision
    …
    <plist version="1.0">
    <dict>
        …
        <key>Entitlements</key>
        <dict>
            <key>com.apple.developer.networking.networkextension</key>
            <array>
                <string>packet-tunnel-provider</string>
                <string>content-filter-provider</string>
                <string>app-proxy-provider</string>
            </array>
            …
        </dict>
        …
    </dict>
    </plist>
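If you want to automate that check, for example in CI after regenerating profiles, the following is an added example (not part of the original post and not Apple code) that parses a dumped profile and reports which provider values it grants. The function names, the `needed` parameter and the sample bytes are assumptions made for illustration; the `-systemextension` suffix test reflects the values mentioned in FAQ #8.

```python
import plistlib

NE_KEY = "com.apple.developer.networking.networkextension"
SYSEXT_SUFFIX = "-systemextension"  # FAQ #8: values used by system extensions

def load_profile_plist(data: bytes) -> dict:
    """Parse `security cms -D` output or a raw .mobileprovision file.

    The plist typically sits in the clear inside the CMS container, so
    slicing from <?xml to </plist> recovers it. This does NOT verify the
    CMS signature; use `security cms -D` when that matters.
    """
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(data[start:end + len(b"</plist>")])

def audit_ne_entitlement(profile: dict, needed: set) -> dict:
    """Report the granted provider values and any the app needs but lacks."""
    granted = set(profile.get("Entitlements", {}).get(NE_KEY, []))
    sysext = {v for v in granted if v.endswith(SYSEXT_SUFFIX)}
    if not granted:
        packaging = None                 # entitlement absent from profile
    elif sysext == granted:
        packaging = "system-extension"
    elif not sysext:
        packaging = "app-extension"
    else:
        packaging = "mixed"
    return {"granted": sorted(granted),
            "missing": sorted(needed - granted),  # regenerate the profile
            "packaging": packaging}

# Constructed sample: a few stand-in wrapper bytes around a minimal plist.
SAMPLE = (b"\x30\x82\x0c\x1f" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>NETest</string>
  <key>Entitlements</key><dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>packet-tunnel-provider</string>
      <string>content-filter-provider</string>
      <string>app-proxy-provider</string>
    </array>
  </dict>
</dict></plist>""" + b"\x00\xa0\x82")

if __name__ == "__main__":
    profile = load_profile_plist(SAMPLE)
    print(audit_ne_entitlement(profile, {"packet-tunnel-provider"}))
```

A non-empty `missing` list usually means the profile was generated before the Network Extensions service was enabled on the App ID and needs regenerating.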
#3 — I normally use Xcode’s Signing & Capabilities editor to manage my entitlements. Do I have to use the developer web site for this?
No. In modern versions of Xcode you can configure NetworkExtension entitlements in the Signing & Capabilities tab of the target editor (r. 28568128).
#4 — Can I still use Xcode’s “Automatically manage signing” option?
Yes. Once you modify your App ID to include the NetworkExtension provider entitlement, Xcode’s automatic code signing support will include that entitlement in any profiles that it generates based on that App ID.
#5 — What should I do if I previously applied for the NetworkExtension provider entitlement and I’m still waiting for a reply?
You should consider your current application cancelled, and use the new process described above.
#6 — What should I do if I previously applied for the hotspot helper entitlement and I’m still waiting for a reply?
Apple will continue to process hotspot helper entitlement requests and respond to you in due course.
#7 — What if I previously applied for both NetworkExtension provider and hotspot helper entitlements?
Apple will ignore your request for the NetworkExtension provider entitlement and process it as if you’d only asked for the hotspot helper entitlement.
#8 — On the Mac, can Developer ID apps host NetworkExtension providers?
Yes, but there are some caveats:
- This only works on macOS 10.15 or later.
- Your NetworkExtension provider must be packaged as a system extension, not an app extension.
- You must use the xxx-systemextension values for the NetworkExtension entitlement.
See my 14 Jan 2020 post on this thread for more details.
#9 — After moving to the new entitlement process, my app no longer has access to the com.apple.managed.vpn.shared keychain access group. How can I regain that access?
Access to this keychain access group requires a special entitlement. If you need that entitlement, please open a DTS tech support incident and we will take things from there.
IMPORTANT This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.
Opening a DTS tech support incident (TSI) will consume a TSI asset. However, as this is not a technical issue but an administrative one, we will assign a replacement TSI asset back to your account.
If you were previously granted NetworkExtension special entitlements (via the process in place before Nov 2016), make sure you mention that; restoring your access to the com.apple.managed.vpn.shared keychain access group should be straightforward in that case.
11 Nov 2016 — First posted.
11 Nov 2016 — Added FAQ#5, FAQ#6 and FAQ#7.
6 Jan 2016 — Added FAQ#8.
25 Jan 2016 — Added FAQ#9.
16 Feb 2020 — Updated FAQ#8 to account for recent changes. Updated FAQ#3 to account for recent Xcode changes. Other editorial changes.