I'm developing a iOS 7 app and i would like to know if the feature "Per app VPN" is activated "by hand" (like location services, where you can choose which app can and can't) or I can set it up by code inside the app?
Looking around the web I found very little info about it, and apple announcement did not make it any clear also... I was hoping to prompt the user for the VPN configuration when he first open the app, and then, when he is "outside" the internal Wi-Fi, I would automatically activate it...
Information is still somewhat sketchy, but from what I can tell so far its something the VPN vendors will need to support, and it will be enabled using configuration profiles, e.g. via MDM. In the profile you'll define your VPN configuration like you can do today, and additionally you'll specify which apps use which VPN configs. Apps won't be need to be modified at all, nor (I assume) even aware they're being tunneled. I don't know yet if they'll allow users to configure this on their own, without a config profile. I don't see why not, other than maybe wanting to insulate common users from "enterprisey" features.
I expect Apple will release a new version of the iPhone Configuration Utility or Apple Configurator that will allow you to set all of this up. If you have access to their developer site there's information about the XML keys in the config profile that turn it on, so you could probably craft a profile on your own without the tool, but without VPN vendor support there's not much you'll be able to do. I don't know if any of the built-in VPNs currently support it.
*Note: This is an example custom payload. It needs to be modified to match your VPN configuration and is supported by some VPN providers. This example is using a Connection Type of L2TP. The new keys for Per-App VPN are the VPNUUID and OnDemandMatchAppEnabled.
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (VPN Configuration)</string>
<key>PayloadIdentifier</key>
<string>126b636d-38ce-4bb1-a211-5239e60bd4ab</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.vpn.managed.applayer</string>
<key>PayloadUUID</key>
<string>63e3f54a-e8bd-45fd-af18-5aadfed9dc9d</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserDefinedName</key>
<string>VPN Configuration #12345</string>
<key>VPNUUID</key>
<string>b78ee624-442d-4997-a77f-dc8245109716</string>
<key>OnDemandMatchAppEnabled</key>
<string>True</string>
<key>VPNType</key>
<string>L2TP</string>
<key>EAP</key>
<dict />
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>PPP</key>
<dict>
<key>CommRemoteAddress</key>
<string>ExampleServerHostname</string>
<key>CCPEnabled</key>
<integer>1</integer>
</dict>
<key>Proxies</key>
<dict />
</dict>
More information is available at: https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
Related
I'm new in MDM servers at all.
I'm working with nanomdm server. Can I add my own metadata to the commands or payload, which send to the device? For example, UDID, that will be readed later by my mobile application and how can my mobile application do that? Or can I get UDID, which used in nanomdm, by my mobile application in another way?
Like that:
...
<key>PayloadContent</key>
<array>
<dict>
<key>UDID</key>
<string>MY_UDID</string>
</dict>
<dict>
<key>PayloadDisplayName</key>
<string>Profile Removal</string>
<key>PayloadIdentifier</key>
...
udid = get_from_profile()
One your iOS device has been registered with your MDM, you can provide configuration to an iOS app using the Settings command.
The app must first be "managed" by the MDM. This can be accomplished using the "InstallApplication" command. Once you allow the app to be managed, using the Settings command with a payload containing your devices UUID.
iOS doesn't allow to navigate to http only url, allowing only https.
There is a solution, which is changing some code inside info.plist file
https://github.com/facebook/react-native/issues/8717
How can I change settings for iOS, as it comes with only .expo folder but nothing else.
Do I need to change server configuration for this at last? :(
As you properly find out, the problem is that iOS do not allow arbitrary calls to non-secure(http only) domains. It was a feature introduced with iOS 9 in order to push developers onto more secured connections.
As per writing of this(mid 2017), there is workaround. You should open
{Your-project}/ios/{Your-project}/Info.plist
and set proper values for the domain you are targeting(docs).
Following example will disable ATS and allow HTTP call to somedomain.com:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>localhost</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
In your situation, I believe you are looking for the Info.plist file in the wrong place. It is not part of the node modules, instead look at the ios path specified above.
Unfortunately Expo doesn't allow you to modify the App Transport Security Settings but may bake in a configuration option. Here's a Github thread.
You can eject from Expo but only do this if you are 100% sure.
This will give you a project very similar to one created by react-native init
This features an ios and android directory, navigating to ios/YourProject/ will reveal Info.plist.
How much of a struggle would it be to install an SSL certificate on your server? It may be more beneficial to do this and you can use a free service like letsencrypt.
It seems to be a big feature to share data between different Apps through the iOS Keychain, but how can I avoid the sharing between apps? I can't find anything for that case in the Apple documentation.
I know that the access-group and therefore the access of the keychain for an app is defined through the provisioning profile with the parameter keychain-access-groups.
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
...
<key>keychain-access-groups</key>
<array>
<string>XXXXXXXXXX.*</string>
</array>
</dict>
After Apple redesigned their developer-page it is not more possible to create different App-Prefix-Ids where defines the keychain-access-groups. I hope someone can give me a hint, how to prevent the sharing of the keychain for different apps with the same code base.
Additional Note:
It is not possible to save the data with different keys.
Update:
I found an attribute that set on runtime the keychain-access-group kSecAttrAccessGroup I think this should help to fix the problem.
You misunderstood what share means here, which is you can opt to share with different apps produced by you and accepted by Apple. Arbitrary apps cannot access your app's keychain data.
I'm using an app called "Stickam", which is live audio/video recording and upload over 3G. The app is perfect for my purpose except for lacking LED torch (flashlight) mode. I have a tweak installed which allows me to toggle on torch via settings and leave it on while I use other apps (i.e., Safari, Appstore) but when I start a Stickam broadcast, the torch turns off.
I'm using a file browser on the iPhone with basic text editing and file manipulation ability to examine the iOS file structure and the apps. I don't want to edit Stickam, just override it's setting by pasting in Stickam's
var/mobile/Applications/FA037A73-C483-43D6-8AE8-7E69CD57EBDD/Library/Preferences/.GlobalPreferences.plist, a reference to torch's location and trigger.
Similar to:
<dict>
<key>cell</key>
<string>PSSwitchCell</string>
<key>default</key>
<false/>
<key>alternateColors</key>
<true/>
<key>defaults</key>
<string>com.ravirajm.torch</string>
<key>key</key>
<string>torchenabled</string>
<key>label</key>
<string>Enable Torch</string>
<key>PostNotification</key>
<string>com.ravirajm.torch/prefs</string>
</dict>
Doesn't seem like it would work. What ideas do you have on how to do this?
You can't modify another developer's app bundle at all unless the device is jailbroken.
I know that in general installation via HTTPS is working but somehow it doesn't in my Environment.
The itms-service link is HTTP as far as I understood:
itms-services://?action=download-manifest&url=http://' . $_SERVER['SERVER_NAME'] . $downloadLink
The links in the .plist are then HTTPS
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>https://app.ipa</string>
</dict>
<dict>
<key>kind</key>
<string>full-size-image</string>
<key>needs-shine</key>
<true/>
<key>url</key>
<string>https://image_512x512.png</string>
</dict>
<dict>
<key>kind</key>
<string>display-image</string>
<key>needs-shine</key>
<true/>
<key>url</key>
<string>https://image_57x57.png</string>
</dict>
</array>
But the app won't install. I always get the message "App could not be loaded"
All URL's are reachable with HTTP & HTTPS.
XCode shows the app log
unknown securityd[2331] : CFReadStream domain: 12 error: 8
What am I doing wrong here?
Thx
There's not a huge amount of information about how you've tried to solve this, so rather than actual answers I just have questions. If the answer to any of the questions is 'no' then should point you at the area your problem is in.
Is https://app.ipa the actual URL you're using in the .plist? If so I'd try with the full hostname & path in there.
Does the https site have a proper signed valid certificate that Safari on iOS accepts without any interaction with the user? If not try a proper certificate.
Do you see the .ipa file get downloaded from the server, if you check the server log file?
Have you tried installing the .ipa file using iTunes, does it get accepted?
The problem is that the Certificate Authority needs to be known by the iPad.
If you distribute Apps with HTTPS and the CA Server is your own, you need to install the certificate on the iPad. Otherwise iOS will try to download it.
You can install it sending it via email to your iPad or create a .pem File from the Keychain Access program and host it on your server for installation purposes. Then open it with Safari and iOS will ask you to accept it.
Then the installation works. But beware of using .htaccess as using HTTPS and HTTP together in the installation process seems to trigger the login/password for every request, which are 4 for images, .ipa and .plist, which is really annoying.
[EDIT]
Please keep in mind that you need to refer to the .plist file only with HTTPS since Apple introduced iOS 7.1.
See here: Enterprise app deployment doesn't work on iOS 7.1