per-app-vpn apprule

In "https://developer.apple.com/reference/networkextension/netunnelprovidermanager", we find "The MDM client running on the device creates one app rule in the VPN configuration for each managed app".

My question is how to create an app rule in the VPN configuration. I want to set the "matchDomains" property in the app rule for per-app VPN to access a specific address.

In this context the MDM client is a subsystem of iOS that creates these app rules internally. These are not things that you can configure directly.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you.

When realizing per-App-VPN by MDM, I want to exclude some IP addresses (for example, the VPN tunnel server address), but I don't know how to do this. (For system VPN, the address of the tunnel server is automatically excluded from the tunnel, but for per-APP-VPN it is not.)

I want to exclude some IP addresses (for example, the VPN tunnel server address) …

I don’t think there’s any way to do that; the whole concept of per-app VPN is that it’s based on the source app, not the destination address.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

In NetworkExtension framework, there is a class called "NEAppRule". In class NEAppRule, there is a property called matchDomains ( @property(copy) NSArray *matchDomains ).

The discussion of matchDomains is "If this property is set to a nonempty array, then only connections to destinations in the domains specified in the array will use the VPN."

Is it possible to specify a destination address for per-app VPN by setting matchDomains?

In NetworkExtension framework, there is a class called NEAppRule.

Right. That lets you see per-app VPN configurations but it doesn’t let you create them. In fact, per-app VPN configurations can’t be created programmatically, they must be set up by a configuration profile (in addition, on iOS at least, they require MDM). AFAICT there’s no way to create a configuration profile that specifies match domains in the context of per-app VPN (as opposed to VPN On Demand) but, hey, you can check this for yourself in the Configuration Profile Reference.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
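
The read-only inspection described in the reply above, as an added example that is not part of the original thread or Apple's sample code. It assumes the app has the Network Extension entitlement and that the MDM-installed per-app VPN configuration is visible to it; the function name `dumpPerAppVPNRules` is hypothetical.

```swift
import NetworkExtension

/// Logs the app rules that the system's MDM client attached to each per-app
/// VPN configuration visible to this app. This only reads the rules; the
/// framework offers no way to add or change them from app code.
func dumpPerAppVPNRules() {
    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error {
            print("loadAllFromPreferences failed: \(error)")
            return
        }
        for manager in managers ?? [] {
            let name = manager.localizedDescription ?? "(unnamed)"
            // .sourceApplication marks a per-app VPN configuration;
            // .destinationIP is an ordinary IP-routed VPN.
            guard manager.routingMethod == .sourceApplication else {
                print("\(name): not per-app VPN, skipping")
                continue
            }
            let rules = manager.copyAppRules() ?? []
            print("\(name): \(rules.count) app rule(s)")
            for rule in rules {
                // A nil or empty matchDomains means every connection from
                // the matched app uses the tunnel.
                let domains = (rule.matchDomains as? [String]) ?? []
                let scope = domains.isEmpty
                    ? "all destinations"
                    : domains.joined(separator: ", ")
                print("  \(rule.matchSigningIdentifier) -> \(scope)")
            }
        }
    }
}
```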