At WWDC 2015 we announced two major enhancements to the Network Extension framework:
Network Extension providers — These are app extensions that let you insert your code at various points within the networking stack, including:
- Packet tunnels via NEPacketTunnelProvider
- App proxies via NEAppProxyProvider
- Content filters via NEFilterDataProvider and NEFilterControlProvider
Hotspot helper (NEHotspotHelper) — This allows you to create an app that assists the user in navigating a hotspot (a Wi-Fi network where the user must interact with the network in order to get access to the wider Internet).
To use these facilities you previously had to be granted special entitlements by Apple. This policy has now changed for Network Extension providers. Any developer can now enable the Network Extension provider entitlement like they would any other entitlement.
The situation with hotspot helpers has not changed; if you want to create a hotspot helper, you must be granted a special entitlement by Apple. To apply for that entitlement, use this form.
The rest of this document answers some frequently asked questions about this change.
#1 — Has there been any change to the OS itself?
No, this change only affects the process by which you get the entitlements you need in order to use existing Network Extension framework facilities. Previously you had to be granted these entitlements by Apple. Now, except for hotspot helper, you can enable the necessary entitlements using the developer web site.
IMPORTANT Some of the Network Extension providers have other restrictions on their use. For example, a content filter can only be used on a supervised device. These restrictions are unchanged.
#2 — How exactly do I enable the Network Extension provider entitlement?
In the Certificates, Identifiers & Profiles section of the developer web site, when you add or edit an App ID, you’ll see a new service listed, Network Extensions. You should enable that service in your App ID and then regenerate the provisioning profiles based on that App ID.
The newly-generated profiles will include the com.apple.developer.networking.networkextension entitlement, which is an array containing entries for each of the three types of Network Extension providers. You can confirm that this entitlement is present by dumping the profile as shown below.

    $ security cms -D -i NETest.mobileprovision
    …
    <plist version="1.0">
    <dict>
        …
        <key>Entitlements</key>
        <dict>
            <key>com.apple.developer.networking.networkextension</key>
            <array>
                <string>packet-tunnel-provider</string>
                <string>content-filter-provider</string>
                <string>app-proxy-provider</string>
            </array>
            …
        </dict>
        …
    </dict>
    </plist>
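The same check can be scripted, for example to flag stale profiles in a build pipeline. The following is an added example, not part of the original post or any Apple tooling: it parses either the output of the command above or a raw profile and reports which of the three provider values are granted. It assumes the plist is stored as one contiguous cleartext run inside the CMS wrapper, it does not verify the signature, and the function names and sample profile are constructed for illustration.

```python
import plistlib

NE_KEY = "com.apple.developer.networking.networkextension"
# The three provider values shown in the dump on this page.
PROVIDERS = ("packet-tunnel-provider", "content-filter-provider", "app-proxy-provider")


def extract_plist(blob: bytes) -> dict:
    """Parse the XML plist inside `security cms -D` output or a raw profile.

    Assumption: the plist sits as one contiguous cleartext run inside the CMS
    wrapper. The signature is NOT verified here.
    """
    start = blob.find(b"<?xml")
    end = blob.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit_profile(blob: bytes) -> dict:
    """Report which Network Extension provider types a profile grants."""
    entitlements = extract_plist(blob).get("Entitlements", {})
    granted = entitlements.get(NE_KEY)
    if not isinstance(granted, list):
        granted = []  # key absent (service not enabled) or malformed
    return {
        "enabled": bool(granted),
        "granted": [p for p in PROVIDERS if p in granted],
        "missing": [p for p in PROVIDERS if p not in granted],
        "unexpected": sorted(set(granted) - set(PROVIDERS)),
    }


def make_sample(providers=None) -> bytes:
    """Constructed test input: a minimal plist wrapped in fake CMS bytes."""
    ents = {"application-identifier": "TEAMID0000.com.example.NETest"}
    if providers is not None:
        ents[NE_KEY] = list(providers)
    body = plistlib.dumps({"Name": "NETest (constructed)", "Entitlements": ents})
    return b"\x30\x82\x00\x00" + body + b"\x00\xa0\x82"


if __name__ == "__main__":
    for label, blob in (("regenerated", make_sample(PROVIDERS)),
                        ("stale", make_sample())):
        print(label, audit_profile(blob))
```

A profile generated before the Network Extensions service was enabled on the App ID reports `enabled: False`, which is the cue to regenerate it.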
#3 — I normally use Xcode’s Capabilities editor to manage my entitlements. Do I have to use the developer web site for this?
Yes, you must use the developer web site. We hope to add support for the Network Extension provider entitlement to Xcode’s Capabilities editor but do not have any details to share about that right now. (r. 28568128).
#4 — Can I still use Xcode’s “Automatically manage signing” option?
Yes. Once you modify your App ID to include the Network Extension provider entitlement, Xcode’s automatic code signing support will include that entitlement in any profiles that it generates based on that App ID.
#5 — What should I do if I previously applied for the Network Extension provider entitlement and I’m still waiting for a reply?
You should consider your current application cancelled, and use the new process described above.
#6 — What should I do if I previously applied for the hotspot helper entitlement and I’m still waiting for a reply?
Apple will continue to process hotspot helper entitlement requests and respond to yours in due course.
#7 — What if I previously applied for both Network Extension provider and hotspot helper entitlements?
Apple will ignore your request for the Network Extension provider entitlement and process it as if you’d only asked for the hotspot helper entitlement.
#8 — On the Mac, can Developer ID apps host Network Extension providers?
Currently this is not possible; only Mac App Store apps can host Network Extension providers.
#9 — After moving to the new entitlement process, my app no longer has access to the com.apple.managed.vpn.shared keychain access group. How can I regain that access?
Access to this keychain access group requires a special entitlement. If you need that entitlement, please open a DTS tech support incident and we will take things from there.
IMPORTANT This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.
Opening a DTS tech support incident (TSI) will consume a TSI asset. However, as this is not a technical issue but an administrative one, we will assign a replacement TSI asset back to your account.
If you were previously granted Network Extension special entitlements (via the process in place before Nov 2016), make sure you mention that; restoring your access to the com.apple.managed.vpn.shared keychain access group should be straightforward in that case.
11 Nov 2016 — First posted.
11 Nov 2016 — Added FAQ#5, FAQ#6 and FAQ#7.
6 Jan 2016 — Added FAQ#8.
25 Jan 2016 — Added FAQ#9.