Network Extension Framework Entitlements

At WWDC 2015 we announced two major enhancements to the Network Extension framework:
  • Network Extension providers — These are app extensions that let you insert your code at various points within the networking stack, including:

    • Packet tunnels via NEPacketTunnelProvider

    • App proxies via NEAppProxyProvider

    • Content filters via NEFilterDataProvider and NEFilterControlProvider

  • Hotspot helper (NEHotspotHelper) — This allows you to create an app that assists the user in navigating a hotspot (a Wi-Fi network where the user must interact with the network in order to get access to the wider Internet).

To use these facilities you previously had to be granted special entitlements by Apple. This policy has now changed for Network Extension providers. Any developer can now enable the Network Extension provider entitlement like they would any other entitlement.

The situation with hotspot helpers has not changed; if you want to create a hotspot helper, you must be granted a special entitlement by Apple. To apply for that entitlement, use this form.

The rest of this document answers some frequently asked questions about this change.

#1 — Has there been any change to the OS itself?

No, this change only affects the process by which you get the entitlements you need in order to use existing Network Extension framework facilities. Previously you had to be granted these entitlements by Apple. Now, except for hotspot helper, you can enable the necessary entitlements using Xcode’s Signing & Capabilities editor or the developer web site.

IMPORTANT Some of the Network Extension providers have other restrictions on their use. For example, a content filter can only be used on a supervised device. These restrictions are unchanged.

#2 — How exactly do I enable the Network Extension provider entitlement?

In the Signing & Capabilities editor, add the Network Extensions capability and then check the box that matches the provider you’re creating.

In the Certificates, Identifiers & Profiles section of the developer web site, when you add or edit an App ID, you’ll see a new capability listed, Network Extensions. You should enable that capability in your App ID and then regenerate the provisioning profiles based on that App ID.

The newly-generated profiles will include the entitlement in their allowlist; this is an array with an entry for each of the supported Network Extension providers. You can confirm that this is present by dumping the profile as shown below.

$ security cms -D -i NETest.mobileprovision
<plist version="1.0">
… and so on …

#3 — I normally use Xcode’s Signing & Capabilities editor to manage my entitlements. Do I have to use the developer web site for this?

No. Xcode 11 and later support this capability in the Signing & Capabilities tab of the target editor (r. 28568128).

#4 — Can I still use Xcode’s “Automatically manage signing” option?

Yes. Once you modify your App ID to include the Network Extension provider capability, Xcode’s automatic code signing support will include the entitlement in the allowlist of any profiles that it generates based on that App ID.

#5 — What should I do if I previously applied for the Network Extension provider entitlement and I’m still waiting for a reply?

You should consider your current application cancelled, and use the new process described above.

#6 — What should I do if I previously applied for the hotspot helper entitlement and I’m still waiting for a reply?

Apple will continue to process hotspot helper entitlement requests and respond to you in due course.

#7 — What if I previously applied for both Network Extension provider and hotspot helper entitlements?

Apple will ignore your request for the Network Extension provider entitlement and process it as if you’d only asked for the hotspot helper entitlement.

#8 — On the Mac, can Developer ID apps host Network Extension providers?

Yes, but there are some caveats:
  • This only works on macOS 10.15 or later.

  • Your Network Extension provider must be packaged as a system extension, not an app extension.

  • You must use the ***-systemextension values for the Network Extension entitlement (

See my 14 Jan 2020 post on this thread for more details.

#9 — After moving to the new entitlement process, my app no longer has access to the keychain access group. How can I regain that access?

Access to this keychain access group requires a special entitlement. If you need that entitlement, please open a DTS tech support incident and we will take things from there.

IMPORTANT This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.

Opening a DTS tech support incident (TSI) will consume a TSI asset. However, as this is not a technical issue but an administrative one, we will assign a replacement TSI asset back to your account.

If you were previously granted Network Extension special entitlements (via the process in place before Nov 2016), make sure you mention that; restoring your access to the keychain access group should be straightforward in that case.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + ""

Changes History
  • 11 Nov 2016 — First posted.

  • 11 Nov 2016 — Added FAQ#5, FAQ#6 and FAQ#7.

  • 6 Jan 2016 — Added FAQ#8.

  • 25 Jan 2016 — Added FAQ#9.

  • 16 Feb 2020 — Updated FAQ#8 to account for recent changes. Updated FAQ#3 to account for recent Xcode changes. Other editorial changes.

  • 27 Feb 2020 — Fixed the formatting. Updated FAQ#3. Minor editorial changes.

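The allowlist check from FAQ#2 and the system extension caveat from FAQ#8, as an added example that is not part of the original post or Apple's own tooling. It assumes the entitlement key is `com.apple.developer.networking.networkextension`; the sample plist and the helper names are constructed for illustration.

```python
import plistlib
import subprocess
import sys

# Assumed key name for the Network Extension entitlement.
NE_KEY = "com.apple.developer.networking.networkextension"

# Constructed sample of a decoded profile (not taken from a real profile).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>NETest (constructed)</string>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>packet-tunnel-provider</string>
      <string>app-proxy-provider</string>
    </array>
  </dict>
</dict>
</plist>"""

def decode_profile(path):
    """Strip the CMS wrapper with the command from FAQ#2 (macOS only)."""
    result = subprocess.run(["security", "cms", "-D", "-i", path],
                            check=True, capture_output=True)
    return result.stdout

def ne_allowlist(plist_bytes):
    """Return the provider values the profile allows, or [] if the key is absent."""
    profile = plistlib.loads(plist_bytes)
    return sorted(profile.get("Entitlements", {}).get(NE_KEY, []))

def missing_from_allowlist(plist_bytes, requested):
    """Return requested provider values that the profile does not allow."""
    return sorted(set(requested) - set(ne_allowlist(plist_bytes)))

def not_system_extension(values):
    """FAQ#8: Developer ID builds need the -systemextension variants."""
    return [v for v in values if not v.endswith("-systemextension")]

if __name__ == "__main__":
    data = decode_profile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    allowed = ne_allowlist(data)
    print("allowlist:", allowed or "Network Extension entitlement not present")
    print("not usable with Developer ID:", not_system_extension(allowed))
```

Run it with the path to a `.mobileprovision` or `.provisionprofile` file on a Mac; with no argument it checks the constructed sample.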