We are developing an app with a Per-App VPN that runs on iOS. This container app is designed so that some of our specific apps connect to the network through the VPN at certain times, while all the other apps do not.
We want these specific apps to connect to the network normally before the VPN is turned on, after the container app and configuration profile are installed, and to connect through the VPN once the VPN is manually turned on in the container app.
I have some questions for which I cannot find answers.
I've added the NETestAppMapping key to the Info.plist of my container app in Development, and the Bundle Identifiers of those specific apps are added to NETestAppMapping. After building the container app and installing the configuration profile with Apple Configurator 2, I found that those specific apps cannot connect to the Internet until I turn on the VPN in the container app. Is that normal?
NETestAppMapping is a way to configure those specific apps in Development. I wonder what the production mechanism for specifying app mappings is.
Moreover, something really weird happened once. I deleted the configuration profile from the iPhone, and NETestAppMapping from the container app. Then I turned on the VPN in the container app in the normal way. After doing this, I found that the behaviour we want was working.
Thank you very much.
An app that is associated with a Per-App VPN will only have its traffic routed through the Per-App VPN. If On-Demand is disabled and the VPN is turned off, then no traffic will flow from the app.
As such, I see two ways to achieve having the apps route through the Per-App VPN only some of the time:
1. Implement the VPN using NEPacketTunnelProvider in such a way that the VPN always launches On-Demand and continues to be 'active', but the VPN app can be used to toggle whether the NEPacketTunnelProvider actually routes the traffic through the VPN or whether it simply acts as a TCP/UDP forwarder.
2. Utilise an MDM and its SDK (assuming support) to associate and disassociate your applications from the Per-App VPN when a toggle is switched in the VPN app. Note that this will likely be clunky, with a time delay, and may cause your app to be killed if it is running. I wouldn't recommend this approach.
It's worth noting that NETestAppMapping only works for development builds and won't work for distribution builds (e.g. Enterprise (In-House) or App Store). You will need to use an MDM to utilise a Per-App VPN.
For an example of using an NEPacketTunnelProvider with packet forwarding, I would take a look at this paper: Does your phone spy on you? by Severin Amrein.
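The control plane for the first approach in the answer above, as an added illustration that is not code from the answer's author or from Apple: the container app saves a tunnel configuration whose On-Demand rule keeps the tunnel up on any interface, then toggles the provider's mode with a provider message; the provider records the mode and reports it back. The bundle identifier, server name and addresses are placeholders, and the data plane (the actual encrypted transport versus the plain forwarder, which the answer refers to the cited paper for) is deliberately left out, so `routeThroughVPN` is only the decision the packet loop would consult.

```swift
import NetworkExtension

// Container app side: install the tunnel configuration once and keep it
// On-Demand so the provider is always running. Identifiers are placeholders.
enum TunnelControl {
    static let providerBundleID = "com.example.vpn.tunnel"   // assumed
    static let serverName = "vpn.example.com"                // assumed

    static func installOnDemandConfiguration(completion: @escaping (Error?) -> Void) {
        NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
            if let loadError = loadError { return completion(loadError) }
            let manager = managers?.first ?? NETunnelProviderManager()

            let proto = NETunnelProviderProtocol()
            proto.providerBundleIdentifier = providerBundleID
            proto.serverAddress = serverName
            manager.protocolConfiguration = proto
            manager.localizedDescription = "Example Per-App VPN"
            manager.isEnabled = true

            // Connect on any interface: the tunnel stays 'active' even while
            // the user-visible switch in the container app says "off".
            let alwaysConnect = NEOnDemandRuleConnect()
            alwaysConnect.interfaceTypeMatch = .any
            manager.onDemandRules = [alwaysConnect]
            manager.isOnDemandEnabled = true

            manager.saveToPreferences(completionHandler: completion)
        }
    }

    // The user-visible toggle: tell the running provider which mode to use.
    // Commands are plain UTF-8 strings, which is an assumed message format.
    static func setTunnelMode(routeThroughVPN: Bool,
                              manager: NETunnelProviderManager,
                              reply: @escaping (String) -> Void) {
        guard let session = manager.connection as? NETunnelProviderSession else {
            return reply("no provider session")
        }
        let command = routeThroughVPN ? "tunnel" : "forward"
        do {
            try session.sendProviderMessage(Data(command.utf8)) { response in
                let text = response.map { String(decoding: $0, as: UTF8.self) } ?? "no reply"
                reply(text)
            }
        } catch {
            reply("send failed: \(error)")
        }
    }
}

// Provider side (network extension target): stays up under On-Demand and
// only changes what it does with packets when the container app says so.
class PacketTunnelProvider: NEPacketTunnelProvider {
    // Default is plain forwarding, so the mapped apps work before the user
    // turns the VPN "on" in the container app.
    private(set) var routeThroughVPN = false

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Placeholder addresses from documentation ranges.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")
        let ipv4 = NEIPv4Settings(addresses: ["10.0.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
        // The packetFlow read loop (tunnel vs. forward, keyed on routeThroughVPN)
        // is the data plane and is not part of this example.
    }

    override func handleAppMessage(_ messageData: Data,
                                   completionHandler: ((Data?) -> Void)?) {
        switch String(decoding: messageData, as: UTF8.self) {
        case "tunnel":  routeThroughVPN = true
        case "forward": routeThroughVPN = false
        default: break   // unknown command: keep the current mode
        }
        // Echo the effective mode so the container app can reflect it in its UI.
        completionHandler?(Data((routeThroughVPN ? "tunnel" : "forward").utf8))
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        routeThroughVPN = false
        completionHandler()
    }
}
```

The point of keeping `routeThroughVPN` as the only thing the toggle changes is that the Per-App VPN association itself never changes, which is what avoids the MDM round trip and the app-kill risk mentioned for the second approach; it also means the provider's "forward" mode is still the only path those apps' traffic can take, so its forwarder has to be correct or the apps lose connectivity entirely.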