Connect On Demand not working as predicted on macOS

We have an iOS app that uses an NETunnelProviderManager to save our packet tunnel provider preferences to the device. This properly saves Connect On Demand settings and works as predicted.


We have recently ported this to macOS, and with the exact same code, while the VPN does connect manually, the Connect On Demand settings do not work as intended.


Our onDemandRules are very simple:


private var onDemandRules: [NEOnDemandRule] {
    let rule = NEOnDemandRuleConnect()
    rule.probeURL = self.onDemandProbeURL
    return [rule]
}


On iOS, this works as intended, with the VPN automatically reconnecting itself as long as our probe URL is accessible. On the Mac, if I disable the VPN (without disabling Connect On Demand), the VPN never reconnects itself.


Is there something I'm missing here? Are there other settings that we have to configure in our NETunnelProviderManager for macOS specifically?


We are testing this in macOS Sierra.
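For readers following along, here is an added sketch (not the poster's code) of where a rule like the one above sits in a complete NETunnelProviderManager configuration, including the separate isOnDemandEnabled switch. The function name, its parameters and the "Example VPN" description are assumptions made for illustration.

```swift
import NetworkExtension

// Hypothetical helper: attaches a probe-gated Connect On Demand rule to the
// app's tunnel configuration and saves it. All argument values are supplied
// by the caller; none come from the original post.
func configureOnDemand(probeURL: URL,
                       providerBundleID: String,
                       serverAddress: String,
                       completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error {
            completion(error)
            return
        }
        // Reuse an existing configuration if one was saved earlier, so the
        // system does not accumulate duplicate VPN entries.
        let manager = managers?.first ?? NETunnelProviderManager()

        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = providerBundleID
        proto.serverAddress = serverAddress
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example VPN" // placeholder label

        // The connect rule matches on any interface, but only when an
        // HTTP(S) request to probeURL succeeds.
        let rule = NEOnDemandRuleConnect()
        rule.interfaceTypeMatch = .any
        rule.probeURL = probeURL
        manager.onDemandRules = [rule]

        // Rules are ignored unless on-demand is switched on explicitly.
        manager.isOnDemandEnabled = true
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            if let saveError = saveError {
                completion(saveError)
                return
            }
            // Reload so the in-memory object reflects what was stored.
            manager.loadFromPreferences { loadError in
                completion(loadError)
            }
        }
    }
}
```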

Replies

We are testing this in macOS Sierra.

How are you testing this? There’s an issue on macOS where some VPN features, including VPN On Demand, don’t work unless the app containing your provider was installed by an installer. This is a bit of a hassle on macOS because there’s no TestFlight on macOS. You should read this post, which describes one way to work around this limitation.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We certainly weren't testing this via an installer. This is helpful.


Do you happen to know the current best practice for creating the most minimal installer possible? I know this best practice has changed significantly over the past few releases of macOS.

Do you happen to know the current best practice for creating the most minimal installer possible?

Curiously, I was looking at this myself just last week. The current weapon of choice here is productbuild. You can build a signed installer package from a build product with a command line like this:

$ productbuild --product requirements.plist --sign "***" --component build/Debug/InstallerTest.app /Applications InstallerTest.pkg

where *** is the name of a digital identity in your keychain (gosh, that’s a lot easier than it used to be).

I have not yet tested whether such an installer actually solves the VPN On Demand issue. Then again, as I mentioned in my other post, I think the promo code approach is the absolute best way to test this stuff.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"