VPN application and user certificates using VPN Profile

Question

Created Sep ’25

Replies 1

Boosts 0

Participants 2

We are developing a custom vpn client using Packet Tunnel Provider extension. Our VPN use Client Certificate authentication.

Certificates need to be delivered to device using MDM. We plan to deliver certificates and other settings using configuration profiles with com.apple.vpn.managed and com.apple.security.pkcs12 payloads.

There are some things we do not understand:

What entitlements do we need? Do we need additional entitlements except com.apple.developer.networkingextension and com.apple.managed.vpn.shared?
What is the process to get com.apple.managed.vpn.shared entitlement?
Is ADP (not ADEP) enough for such application?

Boost

Answer 1

DTS Engineer OP

Apple

Sep ’25

Accepted Answer

Recommended

I’m presuming you’re targeting iOS or one of its child platforms here. The story is different on macOS.

1- What entitlements do we need? Do we need additional entitlements except com.apple.developer.networkingextension and com.apple.managed.vpn.shared?

Neither of those are valid entitlement names O-:

When building an app with an NE provider, you need the com.apple.developer.networking.networkextension entitlement (note that you have the wrong spelling). This is restricted but not managed. Any developer can use it.

To support managed configuration, you need access to the com.apple.managed.vpn.shared keychain access group.

2- What is the process to [access the] com.apple.managed.vpn.shared [keychain access group]]?

See #9 in Network Extension Framework Entitlements.

3- Is ADP … enough for such application?

Yes. Indeed, this entitlement is primarily focused on ADP members.

IMPORTANT NE also has App Review constraints. See App Review Guidelines for the details.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1