What's the best way to launch containing app on macOS from the Network Extension

Hi There,

We have a VPN application built on top of the Packet Tunnel Provider. We are seeing an issue that once our containing application crashed, the packet tunnel provider keeps running. We could detect the crash from the tunnel, but there is no way for us to stop the VPN because on-demand will bring back VPN all the time.

Since there is no way to disable on-demand rule within the packet tunnel provider, is it possible that we can programmatically launch the crash application from the packet tunnel provider? Something like iOS's silent push notification could work too since all we need is to disable on-demand rule from the application and stop VPN.

Replies

We are seeing an issue that once our containing application crashed, the packet tunnel provider keeps running.

Right. That’s 100% expected. The lifecycle of your tunnel, and hence your packet tunnel provider, is unrelated to the lifecycle of its container app. Why are you attempting to tie these together?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The containing app runs as a menu bar app which not only provides the latest status of the VPN but also provides some other features such as allowing the user to stop VPN etc.

As a result, the containing app is expected to be always running alongside with the packet tunnel provider. When the app crashes, we could:

  • Show an alert to the user (which is doable) and stop the VPN (which is not doable because on-demand).
  • Programmatically re-launch the containing app (which is this question).

The major reason is because unlike iOS, macOS doesn't have an indicator of whether the VPN is running or not, also it doesn't have a VPN toggle in the Settings that is easy to find. That's why we need the containing app to serve as the go-to place for the user to manage their VPN.

There’s a bunch of factors in play here…

Launching an app from within an NE provider is a massive layer violation on our platforms. There’s no way to do that directly.

macOS has a built-in menu bar status item for VPN. You enable it by selecting the VPN service in the Network preferences panel and checking “Show VPN status in menu bar”. Having said that:

  • I’m not sure whether it’s available for third-party VPN transports.

  • It’s probably not sufficient to meet your needs.

Most Mac products implement menu bar status items using a Service Management login item, installed using SMLoginItemSetEnabled. That disconnects the status item from the main app. The user can quit and relaunch the app as they like and the Service Management login item continues running.

Having said that this may not work for a VPN app because there’s a special relationship between the NE provider and its container app. Still, you might be able to use this to implement your ‘keep the container app running’ feature.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Thanks for your detailed explanations as always! Eskimo.

Add a Comment