Need info to bypass system.preferences VPN consent prompt on MDM device for standard user

Hi,

We have a macOS app that uses NETransparentProxyManager (Transparent App Proxy) with a NETunnelProviderExtension. The Network Extension is configured and deployed via an MDM configuration profile. The profile is pushed through Intune MDM as a user-enrolled device (Company Portal enrollment, not ADE/supervised).

The MDM profile sets up the Transparent Proxy extension as follows (sanitized snippet):

<key>VPNType</key>
<string>TransparentProxy</string>
<key>TransparentProxy</key>
<dict>
    <key>ProviderType</key>
    <string>app-proxy</string>
    <key>ProviderBundleIdentifier</key>
    <string>com.example.app.tunnel</string>
    <key>ProviderDesignatedRequirement</key>
    <string>identifier "com.example.app.tunnel" and anchor apple generic and certificate leaf[subject.OU] = TEAMID</string>
    <key>RemoteAddress</key>
    <string>100.64.0.0</string>
</dict>
<key>PayloadScope</key>
<string>System</string>

What we do in code:

  1. Call NETransparentProxyManager.loadAllFromPreferences — this correctly returns the MDM-managed profile (1 profile found)
  2. We do not call saveToPreferences — the profile already exists
  3. We call NEVPNConnection.startVPNTunnel() to connect and NEVPNConnection.stopVPNTunnel() to disconnect

Problem:

On a user-enrolled MDM device, when the app is running as a standard user (non-admin), every call to startVPNTunnel() or stopVPNTunnel() triggers the macOS VPN consent dialog:

"VPN is trying to modify your system settings. Enter your password to allow this."

Console log evidence:

Failed to authorize 'system.preferences' by client
'/System/Library/ExtensionKit/Extensions/VPN.appex'
for authorization created by '/System/Library/ExtensionKit/Extensions/VPN.appex'
(-60006) (engine 881)

Key observations:

  • Even if the user does not provide the admin credentials in the popup and cancels the window, things still work properly in the background, i.e. start/stop works.
  • This does not happen for admin users on user-enrolled devices
  • saveToPreferences is NOT called — the profile is MDM-managed and already present
  • The prompt is triggered purely by startVPNTunnel() / stopVPNTunnel() from a standard user process

Question:

Is there a supported API, entitlement, or MDM configuration key that allows NETransparentProxyManager.startVPNTunnel() / stopVPNTunnel() to be invoked by a standard user process on a user-enrolled (non-supervised) device without triggering the system.preferences authorization dialog — given that the VPN profile is already deployed and managed by MDM?
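As an added illustration of the three steps above (not the poster's code), in Swift: it assumes the provider bundle identifier from the sanitized profile, and the function names loadManagedProxy and setTunnel are hypothetical.

```swift
import Foundation
import NetworkExtension

// Provider bundle identifier from the sanitized MDM profile in the question.
let providerBundleID = "com.example.app.tunnel"

/// Step 1: load the MDM-managed configuration. Step 2 is implicit: nothing is
/// saved back, because MDM owns the profile and it already exists on disk.
func loadManagedProxy(completion: @escaping (NETransparentProxyManager?) -> Void) {
    NETransparentProxyManager.loadAllFromPreferences { managers, error in
        if let error = error {
            NSLog("loadAllFromPreferences failed: \(error)")
            return completion(nil)
        }
        // Select the configuration that points at our extension; a Mac may
        // carry other transparent proxy configurations as well.
        let match = (managers ?? []).first { manager in
            (manager.protocolConfiguration as? NETunnelProviderProtocol)?
                .providerBundleIdentifier == providerBundleID
        }
        completion(match)
    }
}

/// Step 3: start or stop the tunnel on the managed configuration. This never
/// calls saveToPreferences, so any prompt seen here comes from start/stop alone.
func setTunnel(running: Bool, on manager: NETransparentProxyManager) {
    guard manager.isEnabled else {
        NSLog("managed configuration is disabled; MDM must enable it")
        return
    }
    let connection = manager.connection
    do {
        if running {
            // Only start from .disconnected; starting while connecting or
            // connected just produces confusing status transitions.
            guard connection.status == .disconnected else { return }
            try connection.startVPNTunnel()
        } else {
            connection.stopVPNTunnel()
        }
    } catch let vpnError as NEVPNError where vpnError.code == .configurationStale {
        // Another process changed the preferences underneath us; reload first.
        NSLog("configuration stale, reload with loadManagedProxy before retrying")
    } catch {
        NSLog("start/stop failed: \(error)")
    }
}
```

Observing NSNotification.Name.NEVPNStatusDidChange on manager.connection keeps the UI in sync with connect/disconnect without polling the status.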

Answered by DTS Engineer in 886056022

Sorry I didn’t reply sooner; somehow I missed this )-:

Anyway, I see two parts to this:

  • What’s going on?
  • What can you do about it in the short term?

Reading through your report, I consider this to be a bug. I’m not aware of any documented restriction on non-admin users starting a tunnel.

Given that, I recommend that you file a bug about this. As part of that:

  • Make sure to enable additional logging, per the VPN (Network Extension) for macOS instructions on our Bug Reporting > Profiles and Logs page.
  • Verify that you see the problem on the latest public release of macOS.
  • Check whether this is a regression. You don’t need to go too far here, but it’d be worth checking the latest public release of macOS 15, just in case this is macOS 26 specific.

Please post your bug number, just for the record.


As to what you can do about it in the short term, nothing obvious springs to mind, so lemme start out by clarifying your user experience here. To call the startVPNTunnel() method you need an NEVPNConnection instance, and only the container app (the app in which your transparent proxy provider is embedded) can get that. So somehow that container app is being launched and then calling startVPNTunnel(). How does that happen? Is it something the user does? Or have you set it up to launch automatically?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
