AppProxyProvider vs Global Proxy

Hey, I watched the "WWDC 2015 Session 717" about the new features of the NE API, and while watching, a few questions came up that weren't answered:

  • Is it possible to connect my app to a simple HTTP/HTTPS proxy and have access to the packetFlow?
  • Why do I have to configure a global proxy over a profile instead of doing this in code, using the app proxy provider?
  • Why do I need an MDM to use per-App VPN, which is required for using the app proxy provider?
  • In the system settings of an iOS device you can configure an HTTP proxy very simply; the only thing you have to do is add an IP address and port. That's it, all the traffic is redirected to the proxy. I want to do this step using the NE API. Can I use the App Proxy Provider, or is it required to push a config file through MDM / a supervised device to have the same effect as setting the proxy settings in the system preferences?


Best regards,

effe2402

Replies

To start, I want to be clear about one thing: App proxy providers and the global HTTP proxy are very different things. There are lots of architectural differences (app proxy providers are plumbed in at the kernel level whereas HTTP proxies require user-level support) but an obvious behavioural difference is that an app proxy provider will see all TCP connections for a particular app, whereas a global HTTP proxy will only see HTTP[S] connections but for all apps.

Is it possible to connect my app to a simple HTTP/HTTPS proxy and have access to the packetFlow?

That depends on your exact requirements. You can set up HTTP proxies in three ways:

  • On a per-session basis, using the connectionProxyDictionary property of the NSURLSessionConfiguration object you use to create the session
  • On an interface basis, using Settings > Wi-Fi or a configuration profile, via the com.apple.apn.managed payload for WWAN and the com.apple.wifi.managed payload for Wi-Fi
  • Globally, via the com.apple.proxy.http.global payload

The last item requires a supervised device.

Why do I have to configure a global proxy over a profile instead of doing this in code, using the app proxy provider?

This question doesn’t make sense because app proxy providers and the global HTTP proxy are very different things.

As to the “why” part of your question, I generally can’t answer “why” questions. I will, however, note that the global HTTP proxy can see inside HTTPS connections, and thus restricting it to supervised devices makes sense security-wise. The same thing applies to Network Extension content filter providers.

Why do I need an MDM to use per-App VPN, which is required for using the app proxy provider?

At a technical level this is because per-app VPN relies on a mapping between apps and the specific VPN configuration. This mapping is done by the VPNUUID, a property of the com.apple.vpn.managed.applayer payload of the configuration profile. For an app to use the per-app VPN, it must be tagged with that VPNUUID when it is installed by MDM.

If you’re asking about policy stuff (“Why are things done this way?”) I can’t speak to that.

In the system settings of an iOS device you can configure an HTTP proxy very simply; the only thing you have to do is add an IP address and port. That's it, all the traffic is redirected to the proxy. I want to do this step using the NE API. Can I use the App Proxy Provider, or is it required to push a config file through MDM / a supervised device to have the same effect as setting the proxy settings in the system preferences?

Again, this question seems to be coming from a perspective that app proxy providers and HTTP proxies are the same thing, which is not the case.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
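The first of the three options in the reply above, the per-session proxy via connectionProxyDictionary, as an added example that is not part of the thread. The proxy host and port are placeholders for an inspection proxy you operate yourself; the kCFNetworkProxiesHTTP* keys are real CFNetwork constants, while the HTTPS string keys are an assumption noted in the code.

```swift
import Foundation

/// Build a URLSession whose HTTP and HTTPS traffic is sent through one proxy.
/// Added example: `host` and `port` are placeholders for a proxy you run yourself.
func makeProxiedSession(host: String, port: Int) -> URLSession {
    let config = URLSessionConfiguration.ephemeral

    // kCFNetworkProxiesHTTP* are declared in CFNetwork for iOS and macOS.
    // The HTTPS constants are only declared for macOS, so the string forms
    // "HTTPSEnable"/"HTTPSProxy"/"HTTPSPort" are used; that iOS honours them
    // is an assumption to verify on a device, not something the thread states.
    config.connectionProxyDictionary = [
        kCFNetworkProxiesHTTPEnable as String: 1,
        kCFNetworkProxiesHTTPProxy as String: host,
        kCFNetworkProxiesHTTPPort as String: port,
        "HTTPSEnable": 1,
        "HTTPSProxy": host,
        "HTTPSPort": port,
    ]
    return URLSession(configuration: config)
}

// Scope check: only requests made through `proxied` use the proxy. A request
// on URLSession.shared in the same app bypasses it, which is the per-session
// (as opposed to per-interface or global) scope the reply describes.
let proxied = makeProxiedSession(host: "proxy.example.internal", port: 8080)
let url = URL(string: "https://example.com/")!

let task = proxied.dataTask(with: url) { data, response, error in
    if let error = error {
        // Typical when the placeholder proxy is unreachable.
        print("request via proxy failed:", error.localizedDescription)
    } else if let http = response as? HTTPURLResponse {
        print("status via proxy:", http.statusCode, "bytes:", data?.count ?? 0)
    }
}
task.resume()
```

An HTTPS connection proxied this way still ends in TLS to the origin; the proxy only sees the CONNECT tunnel unless the device also trusts the proxy's CA, which is why the reply treats the profile-installed global proxy as a supervised-only capability.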