Hi,
I’m looking for clarification on TN3134: Network Extension provider deployment, specifically iOS deployment requirements for:
- packet tunnel provider
- DNS proxy provider
From the documentation:
Packet Tunnel Provider
- App extension (min iOS 9.0): per-app mode requires a managed device
DNS Proxy Provider
- App extension (min iOS 11.0): supervised devices only
- App extension (min iOS 11.0): per-app mode requires managed devices
Issue
I implemented a DNS proxy using NEDNSProxyManager.
- Works as expected in debug builds on a local device
- Fails to configure when distributed via TestFlight
Console Output (TestFlight build)
error 10:05:39.872258-0500 nehelper The production version of *** is not allowed to create DNS proxy configurations. Use MDM to create DNS Proxy configurations for the production version of ***.
Question
Is it possible to distribute a DNS proxy provider for use on non-MDM / non-supervised devices?
If not:
- Is the limitation strictly enforced at distribution/runtime?
- Is a packet tunnel provider the only viable alternative for App Store distribution?
There are a lot of different VPN apps on the App Store that appear to work out of the box without MDM or supervision, which suggests they are using a different deployment model.
Thank you for any clarification or guidance!
> Is it possible to distribute a DNS proxy provider for use on non-MDM / non-supervised devices?
No. The table in the DNS proxy section of TN3134 lists two options for iOS:
| app extension | 11.0 | supervised devices only |
|               | 16.0 | per-app on managed devices |
If you exclude those two options then you have… well… zero options.
> Is [this] strictly enforced at distribution/runtime?
Yes.
It’s a privacy policy that’s strictly enforced at runtime.
> Is a packet tunnel provider the only viable alternative for App Store distribution?
There are two parts to this question:
- Do packet tunnel providers work on general user devices?
- Is there a viable alternative to a DNS proxy?
The answer to the first is “Yes.” TN3134 makes that clear.
The answer to the second is “No.” TN3120 Expected use cases for Network Extension packet tunnel providers talks more about this.
There are common use cases for DNS proxies that do have viable alternatives:
- If you’re building a content filter, look at the new URL filter provider. Its technology maintains user privacy, and thus it supports a wide range of distribution and deployment channels.
- If you’re looking to provide a secure DNS, check out the DNS setting. Again, this has few limitations.
WWDC 2025 Session 234 Filter and tunnel network traffic with NetworkExtension talks about all of this stuff in more detail.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
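
The DNS settings route suggested in the reply above, sketched as an added example (not part of the original thread and not Apple sample code). It assumes the app carries the Network Extension entitlement with the `dns-settings` value and uses `NEDNSSettingsManager` (iOS 14 or later); the resolver address, URL, SSID and description are placeholders.

```swift
import NetworkExtension

/// Installs a system-wide DNS-over-HTTPS configuration without a DNS proxy
/// provider, so no supervision or MDM is involved.
/// Returns whether the user has switched the configuration on in Settings.
func installEncryptedDNS() async throws -> Bool {
    let manager = NEDNSSettingsManager.shared()

    // Load the current configuration before modifying it.
    try await manager.loadFromPreferences()

    // Placeholder resolver: 192.0.2.53 is a documentation-only address
    // and dns.example.net is a reserved example domain.
    let doh = NEDNSOverHTTPSSettings(servers: ["192.0.2.53"])
    doh.serverURL = URL(string: "https://dns.example.net/dns-query")
    manager.dnsSettings = doh
    manager.localizedDescription = "Example Secure DNS" // placeholder label

    // On-demand rules decide where the settings apply. "Disconnect" means
    // "do not apply here"; "Connect" means "apply".
    let skipOnTrustedWiFi = NEOnDemandRuleDisconnect()
    skipOnTrustedWiFi.interfaceTypeMatch = .wiFi
    skipOnTrustedWiFi.ssidMatch = ["ExampleCorpWiFi"]   // placeholder SSID
    let applyEverywhereElse = NEOnDemandRuleConnect()
    manager.onDemandRules = [skipOnTrustedWiFi, applyEverywhereElse]

    try await manager.saveToPreferences()

    // isEnabled is read-only: the app can install the configuration, but
    // only the user can activate it in the Settings app.
    try await manager.loadFromPreferences()
    return manager.isEnabled
}
```

A `false` return after a successful save means the configuration is installed but the user has not yet enabled it in Settings.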