You’re now watching this thread. If you’ve opted in to email or web notifications, you’ll be notified when there’s activity. Click again to stop watching or visit your profile to manage watched threads and notifications.
You’ve stopped watching this thread and will no longer receive emails or web notifications when there’s activity. Click again to start watching.
We have an application which is written in Swift, which activates two network extensions (Content Filter, Transparent Proxy). We want to use MDM deployment for these network system extensions.
For Content Filter, we already have Jamf Profile which has Web Content Filter payload and it works fine.
Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We don’t have any remote server setup to forward the traffic, instead we open a connection with a certain localhost:port to redirect the traffic which is received in our transparent proxy. We have another module that listens to the particular localhost:port to process the traffic further.
We are unable to find the appropriate payload in any of the Profile Editor applications like Apple Configurator, iMazing Profile Editor and Jamf Pro that correctly describes our setup.
As per https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy documentation, we noticed that we can use the VPN payload with app-proxy as Provider Type for Transparent Proxy.
Here are the list of issues encountered with different MDM solutions.
**AppleConfigurator: **
We were able to install the profile created via Apple Configurator. However when we install our product (which has the above mentioned system extensions), the Transparent Proxy added by our product fails to map with the installed profile. User has to provide the credentials and follow the steps while installing the extension via the product.
Attached the screenshot of "Network->Filters" screen and the profile for reference.
iMazing Profile Editor:
Unable to install the profile created using iMazing Profile Editor.
Attached the screenshot of error and the profile for reference:
PayloadContent
PayloadDisplayName
VPN #1
PayloadIdentifier
com.apple.vpn.managed.BD15A63A-FD44-4A68-A5F0-AD1FD54E76A8
PayloadType
com.apple.vpn.managed
PayloadUUID
BD15A63A-FD44-4A68-A5F0-AD1FD54E76A8
PayloadVersion
1
TransparentProxy
AuthenticationMethod
Password
OnDemandEnabled
1
Order
1
Password
Kunyu@123
ProviderBundleIdentifier
com.digitalguardian.webproxy
ProviderDesignatedRequirement
identifier "com.digitalguardian.networkextensionmanager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = HLGBMCXUS7
ProviderType
app-proxy
UserDefinedName
DGWebProxy
VPNSubType
com.digitalguardian.networkextensionmanager
VPNType
TransparentProxy
PayloadDescription
Transparent proxy Profile
PayloadDisplayName
DGWebProxy Profile iMazing
PayloadIdentifier
Krishnavenis-MacBook-Pro-2.2C0854F6-BCFE-4372-BE06-2E537E54B093
PayloadOrganization
Digital Guradian
PayloadScope
System
PayloadType
Configuration
PayloadUUID
2C0854F6-BCFE-4372-BE06-2E537E54B093
PayloadVersion
1
TargetDeviceType
5
Jamf Pro:
We were able to install the profile created via Jamf Pro and also while in stalling our product the Transparent Proxy gets mapped with the one which is installed via profile. However after that the network is broken and hence unable to browse anything.
Attached the profile for reference.
If we provide the RemoteAddress field, we were able to install the profile and also while installing our product, the Transparent Proxy gets mapped with the one which is installed via profile. However after that the network is broken and hence unable to browse anything.
We are suspecting the remote server(RemoteAddress) filed is causing this. So we tried creating the custom profile without remote server address for VPN payload, but we are unable to install the profile. It throws below error:
2025-02-11 16:43:55.193348+0530 0x2f880 Error 0x0 6815 0 mdmclient: (NetworkExtension) [com.apple.networkextension:] Failed to save configuration DGWebProxy because it is invalid: Error Domain=NEConfigurationErrorDomain Code=2 "configuration is invalid: Missing server address" UserInfo={NSLocalizedDescription=configuration is invalid: Missing server address} 2025-02-11 16:43:55.193376+0530 0x2f880 Error 0x0 6815 0 mdmclient: (NetworkExtension) [com.apple.networkextension:] NEProfileIngestion Error occurred when saving configuration 'DGWebProxy': configuration is invalid: configuration is invalid: Missing server address 2025-02-11 16:43:55.196159+0530 0x2f880 Error 0x0 6815 7 mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] [0:MDMDaemon:CPDomainPlugIn:<0x2f880>] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<< 2025-02-11 16:43:55.196826+0530 0x2f880 Error 0x0 6815 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [ERROR] [0:MDMDaemon:<0x2f880>] [CE] PlugIn_InstallPayload ==> Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.}
Note: Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We don’t have any remote server setup to forward the traffic, instead we open a connection with a certain localhost:port to redirect the traffic which is received in our transparent proxy. We have another module that listens to the particular localhost:port to process the traffic further.
