Need info to bypass system.preferences VPN consent prompt on MDM device for standard user

Hi,

We have a macOS app that uses NETransparentProxyManager (Transparent App Proxy) with a NETunnelProviderExtension. The Network Extension is configured and deployed via an MDM configuration profile. The profile is pushed through Intune MDM as a user-enrolled device (Company Portal enrollment, not ADE/supervised).

The MDM profile sets up the Transparent Proxy extension as follows (sanitized snippet):

<key>VPNType</key>
<string>TransparentProxy</string>
<key>TransparentProxy</key>
<dict>
    <key>ProviderType</key>
    <string>app-proxy</string>
    <key>ProviderBundleIdentifier</key>
    <string>com.example.app.tunnel</string>
    <key>ProviderDesignatedRequirement</key>
    <string>identifier "com.example.app.tunnel" and anchor apple generic and certificate leaf[subject.OU] = TEAMID</string>
    <key>RemoteAddress</key>
    <string>100.64.0.0</string>
</dict>
<key>PayloadScope</key>
<string>System</string>

What we do in code:

  1. Call NETransparentProxyManager.loadAllFromPreferences — this correctly returns the MDM-managed profile (1 profile found)
  2. We do not call saveToPreferences — the profile already exists
  3. We call NEVPNConnection.startVPNTunnel() to connect and NEVPNConnection.stopVPNTunnel() to disconnect

Problem:

On a user-enrolled MDM device, when the app is running as a standard user (non-admin), every call to startVPNTunnel() or stopVPNTunnel() triggers the macOS VPN consent dialog:

"VPN is trying to modify your system settings. Enter your password to allow this."

Console log evidence:

Failed to authorize 'system.preferences' by client
'/System/Library/ExtensionKit/Extensions/VPN.appex'
for authorization created by '/System/Library/ExtensionKit/Extensions/VPN.appex'
(-60006) (engine 881)

Key observations:

  • Even if the user does not provide the admin credentials in the popup and cancels the window, things still work properly in the background, i.e. start/stop works.
  • This does not happen for admin users on user-enrolled devices
  • saveToPreferences is NOT called — the profile is MDM-managed and already present
  • The prompt is triggered purely by startVPNTunnel() / stopVPNTunnel() from a standard user process

Question:

Is there a supported API, entitlement, or MDM configuration key that allows NETransparentProxyManager.startVPNTunnel() / stopVPNTunnel() to be invoked by a standard user process on a user-enrolled (non-supervised) device without triggering the system.preferences authorization dialog — given that the VPN profile is already deployed and managed by MDM?
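The three steps described above, written out as an added Swift example (not the poster's code). It assumes the provider bundle identifier from the sanitized payload, `com.example.app.tunnel`, and that the managed configuration's protocol object is an NETunnelProviderProtocol.

```swift
import Foundation
import NetworkExtension

// Assumption: the ProviderBundleIdentifier declared in the MDM payload.
let managedProviderBundleID = "com.example.app.tunnel"

enum ManagedProxyError: Error {
    case noManagedConfiguration
    case unexpectedConnectionType
}

/// Step 1: load the configurations installed by the profile and pick the one
/// whose provider bundle identifier matches. Nothing is saved back (step 2),
/// so the app never attempts to rewrite the MDM-managed profile.
func loadManagedProxyManager(
    completion: @escaping (Result<NETransparentProxyManager, Error>) -> Void
) {
    NETransparentProxyManager.loadAllFromPreferences { managers, error in
        if let error = error {
            completion(.failure(error))
            return
        }
        let match = (managers ?? []).first { manager in
            let proto = manager.protocolConfiguration as? NETunnelProviderProtocol
            return proto?.providerBundleIdentifier == managedProviderBundleID
        }
        guard let manager = match else {
            completion(.failure(ManagedProxyError.noManagedConfiguration))
            return
        }
        completion(.success(manager))
    }
}

/// Step 3: drive the tunnel only through the connection object. A consent
/// prompt appearing here, with no saveToPreferences call anywhere, is the
/// behaviour the post reports for standard users.
func setTunnel(_ manager: NETransparentProxyManager, running: Bool) throws {
    guard let session = manager.connection as? NETunnelProviderSession else {
        throw ManagedProxyError.unexpectedConnectionType
    }
    switch (running, session.status) {
    case (true, .connected), (true, .connecting), (true, .reasserting):
        return  // already up or coming up, nothing to do
    case (false, .disconnected), (false, .disconnecting), (false, .invalid):
        return  // already down or going down
    case (true, _):
        try session.startVPNTunnel()
    case (false, _):
        session.stopVPNTunnel()
    }
}
```

Checking `session.status` first avoids issuing redundant start/stop calls, each of which would be another opportunity for the prompt to appear.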

Answered by DTS Engineer in 886056022

Sorry I didn’t reply sooner; somehow I missed this )-:

Anyway, I see two parts to this:

  • What’s going on?
  • What can you do about it in the short term?

Reading through your report, I consider this to be a bug. I’m not aware of any documented restriction on non-admin users starting a tunnel.

Given that, I recommend that you file a bug about this. As part of that:

  • Make sure to enable additional logging, per the VPN (Network Extension) for macOS instructions on our Bug Reporting > Profiles and Logs page.
  • Verify that you see the problem on the latest public release of macOS.
  • Check whether this is a regression. You don’t need to go too far here, but it’d be worth checking the latest public release of macOS 15, just in case this is macOS 26 specific.

Please post your bug number, just for the record.


As to what you can do about it in the short term, nothing obvious springs to mind, so lemme start out by clarifying your user experience here. To call the startVPNTunnel() method you need an NEVPNConnection instance, and only the container app (the app in which your transparent proxy provider is embedded) can get that. So somehow that container app is being launched and then calling startVPNTunnel(). How does that happen? Is it something the user does? Or have you set it up to launch automatically?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the guidance on the logging commands. A couple of quick questions before I share the logs:

1. Log collection approach — did I do this correctly?

Since the device is user-enrolled (Intune) and the standard user is not in the sudoers file, here is the exact sequence I followed:

  1. Logged in as admin, ran the two defaults write commands to enable NE debug logging
  2. Switched to the standard user login and reproduced the VPN consent prompt
  3. Switched back to the admin account to collect the NE log — the standard user does not have permission to read the NE log file either

Is this the correct approach for collecting NE debug logs for a standard user repro? Or does the debug log need to be collected from within the same user session where the issue occurs?

2. Clarification on our app's launch and tunnel behaviour:

Our container app is a background menu bar app — it launches automatically at login as a Login Item and runs silently. The user never explicitly opens it.

startVPNTunnel() is called programmatically by the app after authentication completes.

Is this the correct approach for collecting NE debug logs for a standard user repro?

It’ll work, but you can do better. More on that below.

does the debug log need to be collected from within the same user session … ?

No.

The downside with your approach is that there’s a relatively long delay between the event and you capturing the log. A better option would be:

  1. Using the GUI, log in as a standard user.
  2. Using SSH, log in as an admin user.
  3. And enable the debug options.
  4. In the GUI, reproduce the problem.
  5. In the SSH session, trigger the log.

However, if it’s hard to set this up — for example, if this managed Mac won’t let you enable SSH — it’s just fine to use the original approach you outlined.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"