Mechanism to Identify Source App for TLS Inspection in Packet Tunnel Provider on iOS

We are a Layer 3 VPN provider offering a comprehensive SASE (Secure Access Service Edge) solution that includes TLS inspection, threat protection, granular access control, and secure access to private resources.

One of the key challenges we face involves TLS inspection. Many mobile applications, especially on iOS, implement certificate pinning, which causes them to fail when TLS inspection is applied. These apps expect connections to be secured with a specific certificate or trusted certificate authority, and inspection disrupts this trust model.

On iOS, the current limitation is that the Packet Tunnel Provider extension does not provide visibility into the originating application (i.e., there is no API to obtain the app’s bundle ID or package name associated with a given network connection). Due to this, we are unable to dynamically determine whether TLS inspection should be bypassed for a particular app.

While Apple’s Per-App VPN is one possible solution, it introduces a significant drawback: any applications that are excluded from the VPN configuration are entirely outside the VPN tunnel. This means they do not benefit from any of our SASE features — including secure access to internal resources, DNS/web content filtering, or threat detection. This limits the effectiveness of our solution in environments where both inspection and secure access are critical.

We would like to understand whether iOS has any current or planned capabilities to associate a network flow (e.g., a 5-tuple: source IP, destination IP, source port, destination port, and protocol) with the originating app. Such a capability would allow us to programmatically identify certificate-pinned apps and selectively disable TLS inspection without excluding them entirely from the VPN, thereby preserving the full set of SASE protections.

Is there any guidance or roadmap update from Apple that addresses this use case?
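The 5-tuple named above is the most a Packet Tunnel Provider can recover from a datagram. As an added example (not part of the original post, and written in Python as a stand-in for provider-side code), here is a parser that extracts it from constructed IPv4/TCP and IPv6/UDP packets; no field in either header identifies the originating app.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for protocols without ports (e.g. ICMP)
    dst_port: Optional[int]
    protocol: int             # IP protocol number: 6 = TCP, 17 = UDP

def parse_five_tuple(packet: bytes) -> FiveTuple:
    """Recover the 5-tuple from one raw IP datagram, as a tunnel provider receives it.
    Every field is network-layer data; nothing names the app that produced the packet."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4              # header length incl. options
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("truncated IPv4 header")
        protocol = packet[9]
        src = str(ipaddress.IPv4Address(packet[12:16]))
        dst = str(ipaddress.IPv4Address(packet[16:20]))
        payload = packet[ihl:]
    elif version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        protocol = packet[6]                      # Next Header (extension headers not walked)
        src = str(ipaddress.IPv6Address(packet[8:24]))
        dst = str(ipaddress.IPv6Address(packet[24:40]))
        payload = packet[40:]
    else:
        raise ValueError(f"unsupported IP version {version}")
    src_port = dst_port = None
    if protocol in (6, 17) and len(payload) >= 4:  # TCP and UDP both start with src/dst ports
        src_port, dst_port = struct.unpack("!HH", payload[:4])
    return FiveTuple(src, dst, src_port, dst_port, protocol)

# Constructed sample datagrams (checksums left zero; not validated here).
# IPv4/TCP: 10.0.0.2:52000 -> 203.0.113.10:443
SAMPLE_V4_TCP = (
    b"\x45\x00" + struct.pack("!H", 40) + b"\x00\x00\x40\x00" + bytes([64, 6]) + b"\x00\x00"
    + ipaddress.IPv4Address("10.0.0.2").packed + ipaddress.IPv4Address("203.0.113.10").packed
    + struct.pack("!HH", 52000, 443) + b"\x00" * 16
)
# IPv6/UDP: [2001:db8::2]:40000 -> [2001:db8::53]:53
SAMPLE_V6_UDP = (
    b"\x60\x00\x00\x00" + struct.pack("!H", 8) + bytes([17, 64])
    + ipaddress.IPv6Address("2001:db8::2").packed + ipaddress.IPv6Address("2001:db8::53").packed
    + struct.pack("!HHHH", 40000, 53, 8, 0)
)
```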

Answered by DTS Engineer in 851141022
We would like to understand whether iOS has any current or planned capabilities …

Current: No. Your analysis of the current situation is correct: Source app information is only available with per-app VPN.

Planned: I can’t talk about The Future™. If you’d like to see a change on this front, I recommend that you file an enhancement request describing your requirements.

Please post your bug number, just for the record.

Regarding this:

any applications that are excluded from the VPN configuration are entirely outside the VPN tunnel.

Have you explored the possibility of installing two VPN configurations, one per-app configuration for managed apps and another for the device as a whole?

I’m not an enterprise VPN setup expert, so I can’t remember whether that’s actually supported on iOS. But I think it is, and if it works then it should get you close to where you want to be.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
