Does iOS Per-App VPN require MDM - ios

Does iOS Per-App VPN require use of MDM?
Is there any other way in which this feature can be utilized?
So far my finding has been that it can only be used with MDM. See Routing Network Data to the VPN Section
Thanks!

Yes, technically it is possible to configure an app to use a Per-App VPN without an MDM. However, this is purely for development of your own VPN plugin and will not work for apps pushed to the app store.
Testing Per-App VPN
As described above, an MDM server is required to configure Per-App VPN for VPN apps distributed via the App Store. To make testing Per-App VPN easier, it is possible to configure Per-App VPN without an MDM server during development by using the NETestAppMapping Info.plist key.
The NETestAppMapping Info.plist key can only be used to create app rules in apps that are signed with a Development provisioning profile. In apps that are signed with Distribution provisioning profiles the NETestAppMapping Info.plist key has no effect.
Source: https://developer.apple.com/documentation/networkextension/netunnelprovidermanager

Related

is it ok to share Apple Distribution certificate and key?

One of my developers is asking me to export my Apple Distribution certificate and key from my Keychain and send it to him. He claims he needs this to run the app we are developing on his device. I am concerned about sharing this certificate. What should I do? Is there an alternative way which does not involve sharing the certificate?
The developer will need the Apple Development Certificate to run and debug the application on the device. You can use TestFlight for testing purposes, but for development one will need the certificate.
If the functionality of the application doesn't require a device, then the app can be used in the simulator as well.

iOS Per-App VPN Not Connected To Internet

We are developing an app with Per-App VPN that runs on iOS. This container app is designed so that some of our specific apps connect to the network through the VPN at certain times, while all the other apps do not.
We want these specific apps to connect to the network normally before the VPN is turned on, after the container app and configuration profile are installed, and to connect to the network through the VPN once the VPN is manually turned on in the container app.
I have some questions I cannot find answers to.
I've added the NETestAppMapping key to the Info.plist of my container app in Development, and the Bundle Identifiers of those specific apps are added to NETestAppMapping. After building the container app and installing the configuration profile with Apple Configurator 2, I found those specific apps cannot connect to the Internet until I turn on the VPN in the container app. Is that normal?
NETestAppMapping is a way to configure those specific apps in Development. I wonder what the production mechanism for specifying app mappings is.
Moreover, something really weird once happened. I deleted the configuration profile from the iPhone, and NETestAppMapping from the container app. Then I turned on the VPN in the container app in the normal way. After doing this, I found the function we want is implemented.
Thank you very much.
An app that is associated with a Per-App VPN will only have its traffic routed through the Per-App VPN. If On-Demand is disabled and the VPN is turned off, then no traffic will flow from the app.
As such, I see two ways to achieve having the apps route through the Per-App VPN only some of the time:
1. Implement the VPN using NEPacketTunnelProvider in such a way that the VPN always launches On-Demand and continues to be 'active', but the VPN app can be used to toggle whether the NEPacketTunnelProvider actually routes the traffic through the VPN or whether it simply acts as a TCP/UDP forwarder.
2. Utilise an MDM and its SDK (assuming support) to associate and disassociate your applications from the Per-App VPN when a toggle is switched in the VPN app. Note that this will likely be clunky, with a time delay, and may cause your app to be killed if it is running. I wouldn't recommend this approach.
It's worth noting that NETestAppMapping only works for development builds and won't work for distribution builds (e.g. Enterprise (In-House) or App Store). You will need to use an MDM to utilise a Per-App VPN.
For an example of using an NEPacketTunnelProvider with packet forwarding, I would take a look at this paper: Does your phone spy on you? by Severin Amrein.

iOS Distribution Certificate expiration management

We have distributed more than 50 iOS applications using an iOS Distribution Certificate (in-house, internal use apps). The apps are in-house apps and are distributed through our MDM solution. The iOS Distribution Certificate is going to expire soon. When we checked the expiry of the iOS Distribution Certificate in the Apple documentation, we got the following information.
iOS Distribution Certificate (in-house, internal use apps)
Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.
As the apps are used in many stores in real time, if we sign the app with the new certificate then we need to redistribute it, which will affect the whole internal network. We are thinking of moving the update to a nightly time. Can you suggest any solution other than this?
You should talk to your MDM vendor regarding deployment strategy. The topics on Stackoverflow are intended to be more technical in nature. Your vendor will have a lot more experience than you on this and should be able to provide best practices to you. There are many factors involved: network capacity, devices online/offline, etc.

Does APNs work with apps distributed in-house using the Enterprise Distribution program?

Does APNs work with apps distributed in-house using the Enterprise Distribution program and distributed internally from a website?
I found this from this link saying no, but I see vague comments in forums that it is possible:
Apple Push Notification service (APNs) is available only to apps distributed through the iOS App Store or Mac App Store. Your app must be provisioned and code signed to use app services. If you are a company, most of these configuration steps can be performed only by a team agent or admin.
This link has a comment indicating that it can be done.
iOS - APNS With InHouse Distribution
Yes, you can absolutely send Push Notifications to an Enterprise-signed application. The AppID setup, device provisioning, server-side setup, push token registrations, etc. are exactly identical to the tools, process, servers, and APIs used when enabling Push Notifications for apps on the App Store or the Mac App Store.
The process starts by enabling the Push Notifications Entitlement on the AppID registered in your Enterprise Developer Account in the Certificates, Identifiers, and Profiles tool. Apple's Push Notification documentation has long-standing issues with misstating that Push is only available to App Store / Mac App Store apps; it has always been a configurable service for Enterprise accounts despite what the documentation leads you to believe.

iOS MDM service and MDM agent app

I'm researching MDM in iOS, and found information about Apple's native iOS mobile device management. Once the device is enrolled into an MDM server, the server can manage the device by sending commands. I tested on an MDM server and saw that without installing an MDM agent app on the device, the server can still send profiles and apply policies to the device.
Could anyone help me address:
Is Apple's native iOS mobile device management built inside iOS itself?
Can an MDM server manage a device (install apps, disable camera, iTunes...) without installing an MDM agent app?
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
Do I need an enterprise account to use iOS MDM service?
Where can I find documents about MDM API and how to use it?
Is Apple's native iOS mobile device management built inside iOS itself?
Yes - as of iOS 4, devices became MDM-capable.
Can an MDM server manage a device (install apps, disable camera, iTunes...) without installing an MDM agent app?
Yes. The only thing an MDM Agent app will get you is the ability to report back on the device's IP address / network information, custom logging, etc. By default iOS does not allow for "tracking" a user's network details.
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
This is what I refer to as "the circle of hell". Your MDM sends command/installation packets to the APNs server, the APNs server tells the device it has a pending command from the MDM, and the device reaches out to the MDM for its instructions and acknowledges. My nickname is for the trouble it takes to get firewall permissions set up in large enterprises.
Do I need an enterprise account to use the iOS MDM service? Where can I find documents about the MDM API and how to use it?
To use an MDM service you do not need an Enterprise account. To create an MDM service and access its documentation you do need an Enterprise account at $299/year.
Yes.
N/A, as the 'agent' is already built into iOS.
To manage a device by MDM, the device must be enrolled manually first. During the enrollment process, a configuration file will be installed on the device containing the information of the MDM server. The MDM framework also makes use of push notifications to communicate with the device.
Yes. In addition, you also need the ability to generate an MDM Vendor Certificate on Apple's Developer Portal.
Is Apple's native iOS mobile device management built inside iOS itself?
Yes, Apple has a secured mdm-client bundled in each Apple product. We can make use of the client upon enrolling. There is supervised enrollment where mdm-client can perform more privileged tasks.
Can an MDM server manage a device (install apps, disable camera, iTunes...) without installing an MDM agent app?
Yes. Once the device is enrolled you can apply restrictions on iOS and macOS, install apps silently using VPP, etc. Refer to Configuration-Profile-Reference.pdf, page 67, for the list of all restrictions.
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
Like iOS apps, mdm-client responds to notifications through APNS. The server in which the device is enrolled will have a push-magic string, a device token and a topic the device listens to; these help the server to notify the device. The device will then ping the server. I have attached the official MDM guide that you can refer to for more details.
Do I need an enterprise account to use the iOS MDM service?
Here you have two options. If you want to build your own MDM solution, then, like I said before, you would need to notify the device so that it contacts your MDM server upon enrollment. Similar to building an iOS app, you need a developer account to create an APNS certificate (refer here) to notify the default mdm-client.
Or, if you just wish to manage your devices, you do not require a developer certificate. MDM vendors would use their certificate for signing, and you would need an Apple ID account to upload the certificate provided by your MDM to notify devices.
Where can I find documents about the MDM API and how to use it?
Refer to the links below to get started with MDM. Comment your queries for any help.
1. Setting up MDM and MDM Protocol
2. Restrictions and other MDM profiles
3. Apple business manager
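The push-then-check-in exchange the answers above describe (the "circle of hell") as an added Python simulation, not code from any answer on this page: the MDM server's APNs push carries only the PushMagic, the built-in mdm client then checks in with an Idle message, and the server returns the next queued command as a plist. The device record (UDID, topic, token, PushMagic) and the queued command are constructed sample values, and the TLS transport between device and server is assumed rather than modelled.

```python
import plistlib
import uuid

# Constructed sample enrollment record: what an MDM server keeps for one device
# after the TokenUpdate it receives during enrollment (all values made up here).
DEVICE = {
    "UDID": "00008030-000A1B2C3D4E5F60",
    "Topic": "com.apple.mgmt.External.3f1c2a2e-0000-4000-8000-000000000001",
    "Token": bytes.fromhex("aa" * 32),          # APNs device token
    "PushMagic": "7D2E4C5A-1111-2222-3333-444455556666",
}

def build_mdm_push(record):
    """Server side: the APNs notification that wakes the built-in mdm client.
    The payload carries only the PushMagic; no command travels over APNs."""
    return {
        "token": record["Token"].hex(),
        "topic": record["Topic"],
        "payload": {"mdm": record["PushMagic"]},
    }

def device_checkin(record, push):
    """Device side: the client accepts the push only if it carries the PushMagic
    issued at enrollment, then polls the MDM server with an Idle message."""
    if push.get("payload", {}).get("mdm") != record["PushMagic"]:
        return None
    return plistlib.dumps({"UDID": record["UDID"], "Status": "Idle"})

def server_next_command(checkin_body, queue):
    """Server side: answer an Idle message with the next queued command (a plist
    with CommandUUID and Command), or an empty body when nothing is pending."""
    msg = plistlib.loads(checkin_body)
    if msg.get("Status") == "Idle" and queue:
        cmd = queue.pop(0)
        return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": cmd})
    return b""

def run_exchange(queue):
    """Drive one full round trip: push -> check-in -> command. Returns the
    command plist the device received, or None when the queue was empty."""
    push = build_mdm_push(DEVICE)
    body = device_checkin(DEVICE, push)
    reply = server_next_command(body, queue)
    return plistlib.loads(reply) if reply else None

if __name__ == "__main__":
    pending = [{"RequestType": "DeviceInformation", "Queries": ["UDID", "DeviceName"]}]
    print(run_exchange(pending))
```

The point for firewall planning is visible in the code: the only outbound hop to Apple is the push, and every command is fetched by the device from the MDM server itself.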
