Managing the order of Transparent Proxies from MDM Profile

We have an application written in Swift that activates a Transparent Proxy network extension. Our Transparent Proxy module is a system extension that exposes an app proxy provider interface (we use the NETransparentProxyProvider class, and in the extension's Info.plist we use the com.apple.networkextension.app-proxy key). We use a JAMF MDM profile to install our transparent proxy in customer environments. We use the VPN payload (https://developer.apple.com/documentation/devicemanagement/vpn) for this network system extension. This payload does not have any field for order.

As per the https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy-data.dictionary documentation, there is another payload for TransparentProxy, and we could create a Transparent Proxy profile using iMazing Profile Editor.

We noticed that if we add the Order attribute to the VPN/TransparentProxy payload, then while installing the extension the save to preferences fails with the error "Error in saving TP configuration in updateOnDemandRule permission denied".

Can we use this Order field to order the installed Transparent Proxy extensions on a machine?

Customer devices will likely have other Transparent Proxy network extensions as well. We want to allow the customer to control the order in which each Transparent Proxy network extension receives the network traffic.

How can we set the order of a Transparent Proxy extension deployed using an MDM profile with the VPN/TransparentProxy payload?

The TransparentProxy payload profile is attached for reference.

Answered by DTS Engineer in 854094022
if a machine has more than one transparent proxy installed … is there any way we can control the order … ?

You? No.

Your customer? Yes, by setting the Order property in the configuration profile payloads they use to enable the proxies.

That’s assuming they’re using MDM, of course. If not, there’s no way for your customer to control this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sites that have multiple transparent proxies installed, and thus depend on the Order property, usually install everything via a MDM system, and by “everything” I mean all the transparent proxy container apps and their configurations. Is that how you’re testing this?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We have a transparent proxy extension and a container app, and both are written in Swift. We use MDM for configuring the transparent proxy extension.

A customer machine can have a different product with another transparent proxy extension. This can be deployed via MDM or by manual installation.

Our requirement here is: if a machine has more than one transparent proxy installed from multiple container apps (through multiple products), is there any way we can control the order in which these transparent proxy extensions receive the network traffic? If yes, how can we achieve this?

So if a customer needs more than one transparent proxy, and they configure all the transparent proxies using MDM with the transparent proxy payload with Order, it should work, right? In a single profile, do they need to create multiple Transparent Proxy payloads?

The current problem is: if we add the Order attribute to the VPN/TransparentProxy payload, then while installing the extension the save to preferences fails with the error "Error in saving TP configuration in updateOnDemandRule permission denied". Dynamically, in the code, once we load the preferences we need to call saveToPreferences; otherwise the VPN tunnel won't be established. How can we fix this issue?

This is how our container app is installed at the customer: the customer triggers a script via MDM that installs a pkg, and the pkg installer copies the container app to /Applications/. Is this the right way to install the container app? If this is NOT the right way to install the container app, could you please explain how it should be installed instead?

You’ve raised a bunch of questions here and it’s hard to answer them all at once. I recommend that you tease these apart, so you can focus on one issue at a time.

Let’s start with the original issue in this thread, that is, the Order property. Try this:

  1. For each transparent proxy app:
    1. Install it using the Finder.
    2. Run it.
    3. Activate its system extension.
  2. Then push an MDM configuration with configuration payloads for both proxies, each with an appropriate Order value.

Does that work?

Note that you don’t need to use the real transparent proxy apps here. You can create two separate test transparent proxy apps that do nothing but log when flows are passed to them. You can then look at the system log to confirm that flows are arriving at the proxies in the specified order.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Followed the above mentioned steps with 2 different transparent proxy extensions. Here are the observations:

  • The System Preferences -> Network -> VPN & Filters section shows duplicate entries for both extensions: one from the container app and another from the MDM profile.
  • The Order field in the MDM-installed extension has no impact on receiving the traffic.

Could you please provide the working example of MDM payload with order?

One from the container app and another from the MDM profile.

Huh? Normally when you configure an NE provider by MDM you do just that; you don’t also have the container app save a configuration. So, if you delete everything and only configure via MDM, what do you see?

Could you please provide the working example of MDM payload with order?

I don’t have anything like that handy. In general, deployment issues like this are handled by folks from Apple Support rather than DTS, because our focus is on APIs.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
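The point DTS makes above, that an MDM-delivered configuration is loaded and started by the container app but never re-saved by it, as an added example that is not part of the original thread and not either vendor's code. It assumes a placeholder provider bundle identifier and that the configuration was pushed by MDM; the behaviour it relies on (the managed entry shows up disabled until the matching app and extension are present) is what the thread reports.

```swift
import Foundation
import NetworkExtension
import os.log

// Placeholder: the bundle ID of the transparent proxy system extension (assumption).
let kProviderBundleID = "com.example.dgwebproxy.extension"
let log = Logger(subsystem: "com.example.dgwebproxy", category: "managed-proxy")

enum ManagedProxyError: Error {
    case noManagedConfiguration   // MDM has not delivered a payload for our provider
    case configurationDisabled    // payload present, but not yet bound to an activated extension
}

/// Picks the manager whose protocol configuration points at our provider.
/// With several transparent proxies on the machine, loadAllFromPreferences
/// returns all of them, so never take managers.first blindly.
func findManagedProxy(in managers: [NETransparentProxyManager]) -> NETransparentProxyManager? {
    managers.first { manager in
        (manager.protocolConfiguration as? NETunnelProviderProtocol)?
            .providerBundleIdentifier == kProviderBundleID
    }
}

/// Loads the system's transparent proxy configurations, selects ours and starts it.
/// Deliberately does NOT call saveToPreferences(): the configuration is owned by the
/// MDM profile (including its Order value). Saving a second copy from the app is what
/// produces the duplicate "VPN & Filters" entry described in the thread.
func startManagedProxy(completion: @escaping (Result<NEVPNStatus, Error>) -> Void) {
    NETransparentProxyManager.loadAllFromPreferences { managers, error in
        if let error = error {
            completion(.failure(error))
            return
        }
        guard let manager = findManagedProxy(in: managers ?? []) else {
            completion(.failure(ManagedProxyError.noManagedConfiguration))
            return
        }
        guard manager.isEnabled else {
            // The thread reports the MDM entry stays disabled until the container app
            // named in VPNSubType is installed and its system extension is activated.
            log.error("managed configuration for \(kProviderBundleID, privacy: .public) is disabled")
            completion(.failure(ManagedProxyError.configurationDisabled))
            return
        }
        do {
            try manager.connection.startVPNTunnel()
            log.info("startVPNTunnel issued; status now \(manager.connection.status.rawValue)")
            completion(.success(manager.connection.status))
        } catch {
            completion(.failure(error))
        }
    }
}

// Usage from the container app, e.g. after the extension activation request succeeds.
startManagedProxy { result in
    switch result {
    case .success(let status):
        print("transparent proxy status: \(status.rawValue)")
    case .failure(let error):
        print("could not start managed transparent proxy: \(error)")
    }
}
```

Because startVPNTunnel() returns before the provider actually starts, a "disconnected" status immediately afterwards (as reported later in the thread) is only conclusive once NEVPNStatusDidChange notifications have been observed for a few seconds; the unified log for the extension, with Network Extension debugging enabled, shows whether startProxy was ever called.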

If I install the Transparent Proxy or VPN payload MDM profile first and then install the container app, the extension already installed via MDM gets mapped to the extension from the container app. (Note that when we install the MDM profile, it just adds the extension under Network -> VPN & Filters in a disabled state, and when we install the container app, if the profile payload matches, the same extension gets activated and enabled.)

Attaching the MDM profile, created using iMazing Profile Editor, which has 2 Transparent Proxy payloads without the Order field (DGWebProxy and Forcepoint F1E).

If I add the Order key/value pairs to the same profile, then while installing the container app the extension does not get mapped, and it shows 2 entries for each extension under VPN & Filters. Also, the added Order field in the MDM profile has no impact on receiving the network traffic.

Also, while installing the extension, save to preferences fails with the error "Error in saving TP configuration in updateOnDemandRule permission denied".

If I install the Transparent Proxy or VPN payload MDM profile first

OK, but why are you doing things in that order?

If I were investigating this issue, I’d do the following:

  1. Create a trivial container app A with a dummy transparent proxy PA.
  2. Set the handle-new-flow method to log the flow details and return false.
  3. Clone the app to form container app B with dummy transparent proxy PB.
  4. Install both on the Mac.
  5. Activate both of their system extensions, but don’t install any network configurations.
  6. Push an MDM profile with a configuration for PA and PB, and the Order property set on both.
  7. Do some networking.
  8. Remove that configuration.
  9. Repeat step 6 with the Order property reversed.
  10. Do some more networking.

The log entries from steps 7 and 10 will tell you whether the Order property is doing its job.

This will either work or not. If it doesn’t work then you’ve clearly isolated the problem and you can use these steps as the basis of your bug report. Make sure to enable VPN (Network Extension) debugging and take a sysdiagnose log at steps 7 and 10. Oh, and please post your bug number, just for the record.

OTOH, if this works then the issue you’re seeing isn’t as simple as the Order field not working, and we can investigate other potential causes.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
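Steps 1 to 3 of the procedure above (a dummy provider that logs each flow and returns false), as an added example that is not part of the original thread and not any vendor's code. It assumes a normal system-extension target whose Info.plist maps com.apple.networkextension.app-proxy to this class, and a placeholder log subsystem; the only thing that changes between the PA and PB copies is the label.

```swift
// main.swift of the dummy transparent proxy system extension.
import Foundation
import NetworkExtension
import os.log

// Change to "PB" in the cloned app so the two providers are distinguishable in the log.
let proxyLabel = "PA"
// Placeholder subsystem (assumption); used below to filter the unified log.
let log = Logger(subsystem: "com.example.tp-order-test", category: proxyLabel)

func describe(_ endpoint: NWEndpoint?) -> String {
    if let host = endpoint as? NWHostEndpoint {
        return "\(host.hostname):\(host.port)"
    }
    return String(describing: endpoint)
}

final class OrderProbeProvider: NETransparentProxyProvider {

    override func startProxy(options: [String: Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        // Ask for all outbound TCP and UDP so every new flow is offered to this proxy.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        let anyTCP = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                   localNetwork: nil, localPrefix: 0,
                                   protocol: .TCP, direction: .outbound)
        let anyUDP = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                   localNetwork: nil, localPrefix: 0,
                                   protocol: .UDP, direction: .outbound)
        settings.includedNetworkRules = [anyTCP, anyUDP]
        setTunnelNetworkSettings(settings) { error in
            log.info("\(proxyLabel, privacy: .public) started, error=\(String(describing: error), privacy: .public)")
            completionHandler(error)
        }
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        log.info("\(proxyLabel, privacy: .public) stopped, reason=\(reason.rawValue)")
        completionHandler()
    }

    /// Log the flow, then return false: the flow is not claimed, so it moves on to the
    /// next proxy (or the normal stack). For one connection, the sequence of "offered"
    /// lines across PA and PB is the delivery order the Order property is meant to control.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        let app = flow.metaData.sourceAppSigningIdentifier
        let detail: String
        if let tcp = flow as? NEAppProxyTCPFlow {
            detail = "TCP remote=\(describe(tcp.remoteEndpoint))"
        } else if let udp = flow as? NEAppProxyUDPFlow {
            detail = "UDP local=\(describe(udp.localEndpoint))"
        } else {
            detail = "flow of unknown kind"
        }
        // .public so the details survive in `log show` output and in a sysdiagnose.
        log.info("\(proxyLabel, privacy: .public) offered flow app=\(app, privacy: .public) \(detail, privacy: .public)")
        return false
    }
}

// Standard system extension entry point.
autoreleasepool {
    NEProvider.startSystemExtensionMode()
}
dispatchMain()
```

With both probes installed, `log stream --level info --predicate 'subsystem == "com.example.tp-order-test"'` while opening a connection shows whether PA or PB logs first; repeat after pushing the profile with the Order values reversed (step 9) and the two traces should swap.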

I created a test app, and with test provisioning profiles it establishes the VPN connection. It retains the order we specified in the Transparent Proxy payload in the MDM profile.

The issue we are facing is that if we use a distribution provisioning profile with the Order key attribute in the Transparent Proxy payload in the MDM profile, the transparent proxy extension does not establish the VPN connection.

From the application log and system logs we could not find any valuable errors. The connection.startVPNTunnel() API does not return any error, and in the UI the VPN tunnel is in a disabled state. When we retrieve the connection status, it comes back as disconnected.

Any idea why the VPN tunnel is not establishing if we use the Transparent Proxy payload with the Order key attribute in the MDM profile and use Mac Distribution provisioning profiles?

Any idea why the VPN tunnel is not establishing if we use the Transparent Proxy payload with the Order key attribute in the MDM profile and use Mac Distribution provisioning profiles?

Not off the top of my head.

But, to be clear, if you use exactly the same app binary (so, distribution signed) and only change the configuration profile by removing the Order property from the com.apple.vpn.managed payload, your transparent proxy works?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, with the same binary and distribution provisioning profile, if I just remove the Order key attribute from the com.apple.vpn.managed payload, it establishes the VPN tunnel. As the Order field is not there, it does not retain the order when it receives the network traffic.
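A generator for the three profiles the A/B test in this thread calls for (A before B, B before A, and the control with no Order key), as an added example that is not the attached profile, not iMazing Profile Editor output, and not any vendor's code. The bundle identifiers, Team ID and payload UUIDs are placeholders. The key names and their placement (VPNType "TransparentProxy", VPNSubType, and the TransparentProxy dictionary with ProviderBundleIdentifier, ProviderDesignatedRequirement, RemoteAddress, AuthenticationMethod and Order) follow my reading of the VPN payload reference linked at the top of the thread and should be checked against it; which numeric Order value receives flows first is exactly what the log test establishes, so the generator only guarantees the values are distinct.

```swift
import Foundation

struct ProxyEntry {
    let name: String
    let appBundleID: String       // container app, placed in VPNSubType
    let providerBundleID: String  // system extension, placed in ProviderBundleIdentifier
    let teamID: String            // pins the extension's code signature
    let payloadUUID: String       // keep stable between versions so MDM updates in place
}

/// Designated requirement: only an extension with this bundle ID, signed by this
/// Team ID under Apple's anchor, can satisfy the payload. Leaving it out lets any
/// binary that reuses the bundle ID take the slot.
func designatedRequirement(_ p: ProxyEntry) -> String {
    "identifier \"\(p.providerBundleID)\" and anchor apple generic and certificate leaf[subject.OU] = \"\(p.teamID)\""
}

/// One com.apple.vpn.managed payload of type TransparentProxy.
/// `order` is nil for the control profile that carries no Order key.
func transparentProxyPayload(_ p: ProxyEntry, order: Int?) -> [String: Any] {
    var tp: [String: Any] = [
        "AuthenticationMethod": "Password",
        "RemoteAddress": "127.0.0.1",   // required by the payload; a transparent proxy never connects to it
        "ProviderBundleIdentifier": p.providerBundleID,
        "ProviderDesignatedRequirement": designatedRequirement(p),
    ]
    if let order = order {
        tp["Order"] = order
    }
    return [
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.tp-order.\(p.providerBundleID)",
        "PayloadUUID": p.payloadUUID,
        "PayloadDisplayName": p.name,
        "UserDefinedName": p.name,
        "VPNType": "TransparentProxy",
        "VPNSubType": p.appBundleID,
        "TransparentProxy": tp,
    ]
}

/// Whole profile as XML plist. `orders` maps provider bundle ID to Order; an empty
/// map emits the control profile. Duplicate Order values would leave delivery order
/// undefined, so they are rejected here rather than discovered on the Mac.
func profile(_ entries: [ProxyEntry], orders: [String: Int]) throws -> Data {
    let values = Array(orders.values)
    precondition(Set(values).count == values.count, "Order values must be distinct")
    let plist: [String: Any] = [
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",      // system extensions are configured at device level
        "PayloadIdentifier": "com.example.tp-order",
        "PayloadUUID": "0F1A6C3E-7E1B-4A9B-9C1D-5C0A1B2C3D4E",
        "PayloadDisplayName": "Transparent proxy order test",
        "PayloadContent": entries.map { transparentProxyPayload($0, order: orders[$0.providerBundleID]) },
    ]
    return try PropertyListSerialization.data(fromPropertyList: plist, format: .xml, options: 0)
}

// Placeholder identities for the two probe apps (assumptions).
let pa = ProxyEntry(name: "Probe A", appBundleID: "com.example.probe-a",
                    providerBundleID: "com.example.probe-a.extension",
                    teamID: "ABCDE12345", payloadUUID: "7D4B2A9C-1E2F-4C3D-8A5B-6F7E8D9C0B1A")
let pb = ProxyEntry(name: "Probe B", appBundleID: "com.example.probe-b",
                    providerBundleID: "com.example.probe-b.extension",
                    teamID: "ABCDE12345", payloadUUID: "3C2D1E0F-9A8B-4C7D-B6E5-F4A3B2C1D0E9")

let cases: [(file: String, orders: [String: Int])] = [
    ("tp-order-a-first.mobileconfig", [pa.providerBundleID: 1, pb.providerBundleID: 2]),
    ("tp-order-b-first.mobileconfig", [pa.providerBundleID: 2, pb.providerBundleID: 1]),
    ("tp-order-none.mobileconfig", [:]),   // control: identical payloads, no Order key
]
for c in cases {
    try profile([pa, pb], orders: c.orders).write(to: URL(fileURLWithPath: c.file))
    print("wrote \(c.file)")
}
```

Run with `swift make-profiles.swift`, push one profile at a time through the MDM, and compare the probe logs between the first two; the third is the variant the last two posts describe, where the tunnel comes up but no ordering is applied. The one thing deliberately absent from all three is any on-demand rule, since the reported failure is in updateOnDemandRule and the ordering test does not need one.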
