Network filters failing in Ad Hoc distribution?

Hi, I'm the author of SelfControl, a Mac app that helps users block their own access to distracting websites. I am trying to bring this same app to iOS.


I created an app, based on the SimpleTunnel sample code, which uses filter control provider and filter data provider extensions to implement our filter. When we start filtering, the code looks like this:


NEFilterProviderConfiguration *newConfiguration = [NEFilterProviderConfiguration new];
newConfiguration.username = @"CharlieStigler";
newConfiguration.organization = @"SelfControl";
newConfiguration.filterBrowsers = YES;
newConfiguration.filterSockets = YES;

[[NEFilterManager sharedManager] setProviderConfiguration:newConfiguration];
       
[[NEFilterManager sharedManager] setEnabled:YES];


This was working great on my development versions of the app, running them from Xcode. However, when I made a version for Ad Hoc distribution and tried to distribute it onto my device, this step (setting the provider configuration) failed with a "permission denied" error. The logs show:


Sep 24 22:30:08 iPhone nehelper(NetworkExtension)[89] <Error>: -[NEHelperConfigurationManager:553  SelfControlIOS trying to create a content filter configuration through an app. Creating a content filter configuration is only allowed through profile in production version of SelfControlIOS.
Sep 24 22:30:08 iPhone SelfControlIOS(NetworkExtension)[23814] <Error>: -[NEFilterManager saveToPrefer:212  -[NEFilterManager saveToPreferencesWithCompletionHandler:]_block_invoke: failed to save the new configuration: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
Sep 24 22:30:08 iPhone SelfControlIOS[23814] <Notice>: Failed to save the filter configuration: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}


What do I need to do to get my network extension working for Ad Hoc distribution, and keep testing my app before it's submitted to the App Store?


(The app is open-source, so full source code is available here: https://github.com/SelfControlApp/selfcontrol-ios)

Replies

I helped Charlie out in another context but, for those reading along at home, I wanted to post a short summary here.

In general Network Extension filter providers are only supported on supervised devices. However, to make things easier during bring up there’s a specific exception to this, namely, that if the product is signed with the get-task-allow entitlement (the same entitlement that allows you to attach with the debugger) then the provider will run on any device. This entitlement is present when you sign for development but is not present when you sign for Ad Hoc distribution.

You can learn more about this in the NEFilterManager class reference.

I also recommend that you watch WWDC 2015 Session 717 What’s New in Network Extension and VPN, which covers this and a whole raft of other useful tidbits.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

but is not present when you sign for Ad Hoc distribution

To be clear, the get-task-allow entitlement is not present when you distribute on the App Store, and thus the supervised-device-only limitation applies there as well.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
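
A way to check a build before installing it, added here as an example (it is not code from the thread, from SelfControl, or from Apple): the script reads the property list stored in clear inside a build's embedded.mobileprovision and reports whether get-task-allow is set, which per the replies above decides whether the app may save a filter configuration on an unsupervised device. The function names, the profile-kind heuristic and the sample profile bytes are assumptions constructed for the illustration.

```python
import plistlib

def profile_plist(blob: bytes) -> dict:
    """Return the plist carried in clear inside the CMS-signed profile blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def assess(blob: bytes) -> dict:
    """Summarise what the signing profile implies for an NEFilterManager save."""
    profile = profile_plist(blob)
    ent = profile.get("Entitlements", {})
    debuggable = ent.get("get-task-allow") is True
    # Heuristic (assumption): development profiles set get-task-allow; Ad Hoc
    # and enterprise profiles name devices; App Store profiles name none.
    if debuggable:
        kind = "development"
    elif profile.get("ProvisionsAllDevices") or profile.get("ProvisionedDevices"):
        kind = "ad-hoc/enterprise"
    else:
        kind = "app-store"
    return {
        "kind": kind,
        "get_task_allow": debuggable,
        "network_extension": ent.get(
            "com.apple.developer.networking.networkextension", []),
        # Without get-task-allow the supervised-device limitation applies.
        "app_can_save_filter_on_unsupervised_device": debuggable,
    }

def sample_profile(get_task_allow: bool, devices: list) -> bytes:
    """Constructed stand-in for embedded.mobileprovision (not a real profile)."""
    body = {
        "Name": "constructed sample",
        "Entitlements": {
            "get-task-allow": get_task_allow,
            "com.apple.developer.networking.networkextension":
                ["content-filter-provider"],
        },
    }
    if devices:
        body["ProvisionedDevices"] = devices
    # Fake binary prefix and trailer imitate the surrounding CMS envelope.
    return b"\x30\x82\x1f\x00" + plistlib.dumps(body) + b"\x00\x00signature"

if __name__ == "__main__":
    for label, blob in (("dev", sample_profile(True, ["UDID-PLACEHOLDER"])),
                        ("adhoc", sample_profile(False, ["UDID-PLACEHOLDER"])),
                        ("store", sample_profile(False, []))):
        print(label, assess(blob))
```

For a real build, pass the bytes of Payload/YourApp.app/embedded.mobileprovision from the unzipped .ipa to `assess`.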