Using the enterprise certificate will cause the vpn function to be unavailable

Our app has always used a normal certificate, and the app's VPN function has been working properly. Last week we decided to change the app to an enterprise app release, using the enterprise certificate we applied for before. Then we found that the app's VPN function cannot be used normally. We didn't make any changes to the code, so it shouldn't be a code issue. The configuration of our enterprise certificate is the same as the normal certificate's configuration; only the names of the appid and app group are changed. I found that I have no way to debug my extension because it didn't start at all, but when I call [self.tunnelManager.connection startVPNTunnelWithOptions: options andReturnError: &startError], startError is nil. I can't find where the problem is, so I am asking for help.

This is the setting of the host app appid:

This is the setting of the extension appid:

This is the setting of the extension entitlement:

This is the setting of the extension and host app's entitlements:

<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider</string>
        <string>content-filter-provider</string>
        <string>packet-tunnel-provider</string>
    </array>
    <key>com.apple.developer.networking.vpn.api</key>
    <array>
        <string>allow-vpn</string>
    </array>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.xxx.enterprise</string>
    </array>
</dict>
</plist>

NetworkExtension, Personal VPN, and App Group are enabled in the appid settings of the host app and extensions.

That looks like your .entitlements file, which is only one part of the entitlements issue. The .entitlements file is an input to the code signing process, and the final result is the entitlements embedded in your code signed binaries. It’s these entitlements that are checked by the OS, and thus it’s those you should dump.

There’s info on how to do this in Technote 2415 Entitlements Troubleshooting. Don’t forget you need to look at the entitlements of both the .app and the .appex nested within that app.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

My .entitlements file has only changed the key value of com.apple.security.application-groups after replacing the enterprise certificate. No other changes have been made. And I can confirm that the App Group has been created and is correct. So I really don't know what went wrong. Can you help me find out what the problem is? Please...

My .entitlements file has only changed the key value of com.apple.security.application-groups after replacing the enterprise certificate. No other changes have been made.

Right. But my point is that your .entitlements file is not the same as your entitlements. Your entitlements are set up by the code signing process based on various inputs. If you’re looking at your .entitlements file, you’re only looking at part of the story. You need to look at the entitlements of the compiled binary. That is, after all, what iOS is looking at.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
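
The comparison the replies above call for, as an added example that is not part of the original thread or Apple's own tooling: it parses entitlement plists and reports what the .entitlements file requested but a signed .app or .appex does not carry. The "signed" dumps and bundle names are constructed placeholders; on a Mac the real dumps come from codesign, as noted in the first comment.

```python
# Added example: compare the entitlements requested in a .entitlements file
# with those embedded in the signed binaries. On a Mac, obtain the latter with
#   codesign -d --entitlements :- <bundle>    (once for the .app, once for the .appex)
import plistlib

NE = "com.apple.developer.networking.networkextension"
VPN = "com.apple.developer.networking.vpn.api"
GROUPS = "com.apple.security.application-groups"

# Requested entitlements: the keys and values quoted in the thread.
REQUESTED = plistlib.dumps({
    NE: ["app-proxy-provider", "content-filter-provider", "packet-tunnel-provider"],
    VPN: ["allow-vpn"],
    GROUPS: ["group.com.xxx.enterprise"],
})
# Constructed dumps for illustration only (assumption, not the poster's build):
# the host app matches the request, the extension lost entries during signing.
SIGNED_APP = REQUESTED
SIGNED_APPEX = plistlib.dumps({
    NE: ["app-proxy-provider"],
    GROUPS: ["group.com.xxx.enterprise"],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_entitlements(requested_xml, signed_xml):
    """Return {key: [values]} that were requested but are absent after signing."""
    requested = plistlib.loads(requested_xml)
    signed = plistlib.loads(signed_xml)
    missing = {}
    for key, want in requested.items():
        have = _as_list(signed.get(key, []))
        gone = [v for v in _as_list(want) if v not in have]
        if gone:
            missing[key] = gone
    return missing

def audit(signed_by_bundle, requested_xml=REQUESTED):
    """Check the .app and every nested .appex; return only bundles with gaps."""
    report = {}
    for name, signed_xml in signed_by_bundle.items():
        gaps = missing_entitlements(requested_xml, signed_xml)
        if gaps:
            report[name] = gaps
    return report

if __name__ == "__main__":
    # Bundle names here are hypothetical placeholders.
    for bundle, gaps in audit({"Host.app": SIGNED_APP, "Tunnel.appex": SIGNED_APPEX}).items():
        print(bundle, gaps)
```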