test NEAppProxyProvider without MDM?

This discussion is for iOS/iPadOS.

  1. I've written an NEAppProxyProvider network extension. I'd like to test it. I thought that using the "NETestAppMapping" dictionary was a way to get there, but when I try to instantiate an NEAppProxyProviderManager to try to install stuff, the console tells me "must be MDM managed" and I get nowhere. So can someone tell me, can I at least test the idea without needing to first get MDM going?

  2. I'd like to know if how I'm approaching the core problem even makes sense. My custom application needs to stream video, via the SRT protocol, to some place like youtube or castr.

The problem is that in the environment we are in (big convention centers), our devices are on a LAN, but the connection from the LAN out to the rest of the world just sucks.

Surprisingly, cellular has better performance. So I am trying to do the perverse thing of forcing traffic that is NOT local to go out over cellular. And traffic that is completely local (i.e. talking to a purely local server/other devices on the LAN) happens over ethernet. [To simplify things, wifi is not connected.]

Is an app proxy the right tool for this? Is there any other tool? Unfortunately, I cannot rewrite the code to force everything through Apple's Network framework, which is the one place I know we can say "use cellular." [E.g. URLSession() has absolutely no way of forcing cellular, and even so, the low level streaming library I use is written with raw sockets, and it's not feasible for me to rewrite it.]

Any other suggestions of how to accomplish this "send non-local traffic to cellular, all local traffic out over ethernet" gratefully welcomed!

First up, have a read of TN3134 Network Extension provider deployment. This explains your deployment options for this technology. Specifically, for an app proxy on iOS the device must be managed. That’s because the MDM system is used to associate your app proxy with the apps that it proxies, by matching up the VPNUUID properties on both.

During development you can use NETestAppMapping to establish this mapping. You’ll still need a configuration profile to enable your app proxy, because of the requirement to provide a VPNUUID property with the configuration.

Is an app proxy the right tool for this?

Before you can answer that you have to first see if an app proxy will actually work. That is, in production:

  • Are the target devices managed?
  • Is the target app installed via MDM?

If either of those is false, an app proxy won’t work and thus it’s definitely not the right tool (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Assume the target devices are managed and the app is installed by MDM.

My question of is an app proxy the right tool is really:

  1. Will an app proxy let me split the traffic in the way I envision? I have zero experience in this area.
  2. Can you suggest an easier way of getting this done?

As always, thanks for your attention. Could you perhaps give a simple explanation of what a minimal configuration file would be, and how, simply for testing in dev, I can install it? I’ve looked at the reference document and it is a bit… daunting.

I know what MDM is, I have a vague idea about configurations, and absolutely no experience here.

Actually, the document you referred to isn’t so daunting. It’s the PDF about configurations which is overwhelming. That said, there is no place that I know of that documents how to set up the dictionary with NETestAppMapping nor where it should go (the main app’s info file I assume).

If there’s any documentation, or one can spell out exactly how you’re supposed to use an NEAppProxyProviderManager in dev to get going, that’d be great. I tried to create one but the console printed an error message that “must be MDM blah blah.”

Presumably that’s because my attempt at providing the app mapping was flawed. I hope.

This stuff is all so hard when there’s basically no good documents telling you how to start (without MDM) to even test.

thanks again, you’re a life saver.

is an app proxy the right tool

My general impression is that it is not, but it’s hard to be sure without knowing more details about your situation. Specifically, this bit:

And traffic that is completely local … happens over ethernet.

Can you clarify what “local” means in this context? Is there a DHCP server on this Ethernet? Or is everything using link-local addresses [1]?


On the app proxy provider front:

  • The documentation for NETestAppMapping is here.
  • The configuration profile documentation is here.

I’ve posted examples of post in the past… but where? OK, some spelunking found this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] For IPv4 this means RFC 3927 Dynamic Configuration of IPv4 Link-Local Addresses.

There is a DHCP server on the local LAN to assign addresses to devices.

The criterion is simple: if my iPad is trying to talk to anything on say 192.168, it should use ethernet.

Otherwise, it should use cellular.

If an app proxy is the wrong tool for this, then can you suggest any other way to accomplish this?

I could, just maybe, rewrite the low level libsrt library to use sockets provided from Network, where I can force traffic over cellular.

The problem would be that my HTTP rest requests, which use URLSession, would have no way of being forced over cellular.

Is there any library/framework that exists on top of Network that lets me make REST calls? If so, possibly doing all of this completely in app, i.e. forcing certain connections onto cellular while letting others do whatever the OS thinks is best, could be done.

The other thing that could work is if the OS had some way of knowing: “yeah, this device is on a LAN. But I know the LAN won’t send traffic out to the general WAN, so any connections that aren’t local can’t try to go the LAN.”

But I don’t believe it works that way… tell me if I’m wrong there.

I said "I could, just maybe, rewrite the low level libsrt library to use sockets provided from Network, where I can force traffic over cellular."

Actually, no, I can't. I thought Network could give me the equivalent of a socket, which I could fold back into libsrt, but it doesn't work that way.

So at the application level, I cannot do this.

The only choice appears to be something outside the app which forces the traffic onto a route through cellular.

If that's not an app proxy, what could it be?
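
The routing rule stated in the thread (192.168 destinations over Ethernet, everything else over cellular), written with the Network framework's interface constraint. This is an added example, not code from any poster; it only affects connections the app itself creates through Network, so it does not reach raw-socket libraries such as libsrt or requests made through URLSession. The prefix list, function names and sample hosts are assumptions made for illustration.

```swift
import Foundation
import Network

// Assumption: "local" means the IPv4 prefixes below. 192.168 is the thread's
// example; 169.254 is the RFC 3927 link-local range from the footnote.
let localPrefixes: [[UInt8]] = [[192, 168], [169, 254]]

/// True only for a literal IPv4 address inside one of `localPrefixes`.
/// Hostnames and IPv6 literals are treated as non-local (assumption).
func isLocal(_ host: String) -> Bool {
    guard let address = IPv4Address(host) else { return false }
    let octets = [UInt8](address.rawValue)
    return localPrefixes.contains { octets.starts(with: $0) }
}

/// Interface type a destination must use under the thread's rule.
func requiredInterface(for host: String) -> NWInterface.InterfaceType {
    isLocal(host) ? .wiredEthernet : .cellular
}

/// Builds a connection pinned to that interface. `transport` defaults to
/// .udp because SRT runs over UDP; pass .tcp or .tls for other traffic.
func makeConnection(host: String, port: UInt16,
                    transport: NWParameters = .udp) -> NWConnection {
    // Copy so a parameters object shared by the caller is not mutated.
    let parameters = transport.copy()
    // The connection fails rather than falling back if this interface
    // type is unavailable.
    parameters.requiredInterfaceType = requiredInterface(for: host)
    return NWConnection(host: NWEndpoint.Host(host),
                        port: NWEndpoint.Port(integerLiteral: port),
                        using: parameters)
}

// Constructed sample destinations, not taken from the thread.
for host in ["192.168.1.20", "169.254.10.1", "203.0.113.7", "ingest.example.com"] {
    print(host, "->", requiredInterface(for: host))
}
```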
