Hello -
Network Extensions with per app vpn (via MDM or profile) and apps that use WKWebView or SFSafariViewController have a big problem with since that traffic does not go over the NE.
This creates a lot of issues with many apps in corporate environments due to many apps using web views for their login process. For example, login into apps like Slack, Office 365, Zendesk, Jira, Confluence and many others use the web views for the login process. Majority of the traffic goes over the NE but auth does not and since WKWebView/SFSafariViewControllers do not have proxy there is no real way to fix this.
The use case is that many corporate apps across many companies are using IP restrictions to lock down access to corporate data. With this limitation there is no real way to access those on iOS/iPadOS without establishing a device wide VPN (not possible in user enrollment mode) or using AssociatedDomains (something almost impossible to manage since as an MDM vendor we do not know how an app like Zendesk/Slack/Outlook are built and what URLs they use internally). At best we can do hacks that are a PITA to maintain.
Does Apple have any recommendations how to solve this in the short term vs hopefully Apple addressing this limitation in the long term as part of an update. Either by way of MDM or Network Extension framework would be great.
One idea is if we can use bundle id's for the WKWebVIew/SFSafariViewController to associate traffic for user enrollment managed apps with the NE. Or maybe Associated Domains can be managed with wild cards (again in a user enrollment MDM this makes sense since ALL apps should be going over a corporate VPN).
I've filled Apple feedback around these and 9891393 and 9891440 but never got any response on how to actually deal with this very common scenario.
-
—
eskimo
Add a CommentFB9891393FB9891440