Reply to Need help on MDM Profile for Transparent Proxy
We already referred to the https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy documentation and created the profile. If we provide the RemoteAddress field, we were able to install the profile, and while installing our product, the Transparent Proxy gets mapped with the one which is installed via the profile. However, after that the network is broken and hence we are unable to browse anything. We suspect the remote server (RemoteAddress) field is causing this. So we tried creating the custom profile without a remote server address for the VPN payload, but we are unable to install the profile. It throws the below error:

2025-02-11 16:43:55.193348+0530 0x2f880 Error 0x0 6815 0 mdmclient: (NetworkExtension) [com.apple.networkextension:] Failed to save configuration DGWebProxy because it is invalid: Error Domain=NEConfigurationErrorDomain Code=2 "configuration is invalid: Missing server address" UserInfo={NSLocalizedDescription=configuration is invalid: Missing server address}
2025-02-11 16:43:55.193376+0530 0x2f880 Error 0x0 6815 0 mdmclient: (NetworkExtension) [com.apple.networkextension:] NEProfileIngestion Error occurred when saving configuration 'DGWebProxy': configuration is invalid: configuration is invalid: Missing server address
2025-02-11 16:43:55.196159+0530 0x2f880 Error 0x0 6815 7 mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] [0:MDMDaemon:CPDomainPlugIn:<0x2f880>] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<
2025-02-11 16:43:55.196826+0530 0x2f880 Error 0x0 6815 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [ERROR] [0:MDMDaemon:<0x2f880>] [CE] PlugIn_InstallPayload ==> Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.}

Note: Our Transparent Proxy module is a system extension, which exposes an app proxy provider interface. (We are using the NETransparentProxyProvider class, and in the extension’s Info.plist we use the com.apple.networkextension.app-proxy key.) We don’t have any remote server set up to forward the traffic; instead we open a connection with a certain localhost:port to redirect the traffic which is received in our transparent proxy. We have another module that listens on the particular localhost:port to process the traffic further.
Feb ’25
Reply to Managing the order of Transparent Proxies from MDM Profile
We have a transparent proxy extension and a container app, and both are written in Swift. We use MDM for configuring the transparent proxy extension. A customer machine can have a different product with another transparent proxy extension. This can be deployed via MDM or manual installation. Our requirement here is: if a machine has more than one transparent proxy installed from multiple container apps (through multiple products), is there any way we can control the order in which these transparent proxy extensions receive the network traffic? If yes, how can we achieve this?
3w
Reply to Managing the order of Transparent Proxies from MDM Profile
So if a customer needs more than one transparent proxy and they configure all the transparent proxies using MDM with a transparent proxy payload with order, it should work, right? In a single profile they need to create multiple Transparent Proxy payloads, right? The current problem is, if we add the Order attribute to the VPN/TransparentProxy payload, while installing the extension, the save to preferences fails with the "Error in saving TP configuration in updateOnDemandRule permission denied" error. Dynamically in the code, once we load the preferences, we need to call saveToPreferences, otherwise the VPN tunnel won't be established. How can we fix this issue?
3w
Reply to Managing the order of Transparent Proxies from MDM Profile
Followed the above-mentioned steps with 2 different transparent proxy extensions. Here are the observations:

The System Preferences -> Network -> VPN & Filters section shows duplicate entries for both the extensions: one from the container app and another from the MDM profile.

The Order field in the MDM-installed extension is not having any impact on receiving the traffic.

Could you please provide a working example of an MDM payload with order?
2w
Reply to Managing the order of Transparent Proxies from MDM Profile
If I install the Transparent Proxy or VPN payload MDM profile first and then install the container app, the extension already installed via MDM gets mapped with the extension from the container app. (Note that when we install the MDM profile, it will just add the extension under the Network -> VPN & Filters section in a disabled state, and when we install the container app, if the profile payload matches then the same extension gets activated and enabled.)

Attaching the MDM profile, which is created using iMazing Profile Editor, having 2 Transparent Proxy payloads without the order field (DGWebProxy and Forcepoint F1E): DGWebProxy_Forcepoint_TP_iMazing_WithoutOrder

If I add the Order key-value pairs to the same profile, while installing the container app, the extension does not get mapped and it will show 2 entries for each extension under the VPN & Filters section. Also, the added order field in the MDM profile is not having any impact on receiving the network traffic. Also, while installing the extension, save to preferences fails with the "Error in saving TP configuration in updateOnDemandRule permission denied" error.
2w
Reply to Managing the order of Transparent Proxies from MDM Profile
I created a test app and with test provisioning profiles, it establishes the VPN connection. It retains the order we specified in the Transparent Proxy payload in MDM profile. The issue we are facing is, if we use distribution provisioning profile with order key attribute in Transparent Proxy payload in MDM profile, the transparent proxy extension is not establishing the VPN connection. From the application log and system logs we could not get any valuable errors. connection.startVPNTunnel() API does not return any error and in UI the VPN tunnel is in disabled state. When we retrieve the connection status it's coming as disconnected. Any idea why VPN tunnel is not establishing if we use Transparent Proxy payload with order key attribute in MDM profile and use Mac Distribution Provisioning profiles?
5d
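
A pre-deployment check for the two profile problems described in the posts above (a Transparent Proxy payload without RemoteAddress, which mdmclient rejects with "Missing server address", and several Transparent Proxy payloads in one profile competing on Order), as an added example that is not part of the original posts or of any vendor's tooling. The payload layout (a `com.apple.vpn.managed` payload with `VPNType` set to `TransparentProxy` and a `TransparentProxy` dictionary) is an assumption based on the documentation linked in the first post, and the sample profile, names and bundle identifiers are constructed.

```python
import plistlib

# Constructed sample profile (not the poster's file). Key layout is an assumption:
# VPNType "TransparentProxy" plus a "TransparentProxy" settings dictionary.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "ProxyA",
         "VPNType": "TransparentProxy",
         "TransparentProxy": {"RemoteAddress": "proxy.example.com",
                              "ProviderBundleIdentifier": "com.example.a.ext",
                              "Order": 1}},
        {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "ProxyB",
         "VPNType": "TransparentProxy",
         "TransparentProxy": {"ProviderBundleIdentifier": "com.example.b.ext",
                              "Order": 1}},
    ],
}

def lint_transparent_proxies(profile_bytes):
    """Return (payload name, problem) pairs for Transparent Proxy payloads."""
    profile = plistlib.loads(profile_bytes)
    findings, seen_orders = [], {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("VPNType") != "TransparentProxy":
            continue  # other VPN types and unrelated payloads are not checked
        name = payload.get("UserDefinedName", "<unnamed>")
        settings = payload.get("TransparentProxy", {})
        # An absent or empty RemoteAddress is what the install log above
        # reports as "configuration is invalid: Missing server address".
        if not str(settings.get("RemoteAddress", "")).strip():
            findings.append((name, "missing RemoteAddress"))
        # Order is optional; only a value shared by two payloads is flagged.
        order = settings.get("Order")
        if order is not None:
            if order in seen_orders:
                findings.append(
                    (name, f"Order {order} also used by {seen_orders[order]}"))
            else:
                seen_orders[order] = name
    return findings

if __name__ == "__main__":
    sample = plistlib.dumps(SAMPLE_PROFILE)
    for name, problem in lint_transparent_proxies(sample):
        print(f"{name}: {problem}")
```

This reads unsigned profiles only; a signed .mobileconfig is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can parse it.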