Question

I need to set up per-app VPN as a way to ensure that several apps I installed from the App Store are using only internet traffic over VPN, but not using non-VPN traffic at all. I'm not a corporate user, so I'm considering setting up an MDM profile.

Am I reading the official docs from Apple correctly that I can only set up per-app VPN for the app I developed, not for a third-party app from the App Store?

The "App to Per App VPN" section requires DesignatedRequirement and SigningIdentifier, both of which seem to be available only for the developer of an app in question. If not, how can I find out both of them?

Solution

You can find the DesignatedRequirement and SigningIdentifier like this:

Start by installing the app on a device. On your Mac, make sure you have the app downloaded in iTunes as well. In the folder "~/Music/Itunes/Mobile Applications/" you'll now find an .ipa file for your app.

Assuming that the app you want to target is "SomeApp" then copy SomeApp.ipa from that folder to a temporary folder. Rename the file and change the file extension from .ipa to .zip. Double-click to unzip the file. When unzipped you'll find that you have a folder named "Payload" in which a "SomeApp.app" folder exists.

Open a Terminal window and cd to the temporary folder. Run the following command:

codesign -d -r- "Payload/SomeApp.app"

This command will output the designated requirement ("anchor apple generic...").

Then run the following command:

codesign --display --verbose=1 "Payload/SomeApp.app"

This command will output a line starting with "Identifier=". The rest of the line is the SigningIdentifier.

Note that you mention the "App to Per App VPN" section of the linked manual - this specific payload is only supported on macOS. On iOS you do the same thing by sending the Settings command with an ApplicationAttributes entry over the MDM protocol.
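
The steps from the answer above, collected into one script as an added example (not part of the original answer). It assumes macOS with `codesign` and `unzip` available; the function names are hypothetical, and the script unzips the .ipa directly since it is already a zip archive.

```shell
#!/bin/sh
# Added example: print the SigningIdentifier and DesignatedRequirement
# of the app bundle inside an .ipa. Requires macOS (codesign, unzip).

# Extract the requirement text from `codesign -d -r-` output on stdin.
# codesign may prefix an implicitly generated requirement with "# ".
parse_designated_requirement() {
    sed -n 's/^\(# \)\{0,1\}designated => //p' | head -n 1
}

# Extract the identifier from `codesign --display --verbose=1` output on stdin.
parse_signing_identifier() {
    sed -n 's/^Identifier=//p' | head -n 1
}

# Unpack the .ipa into a private temp dir, query codesign, print both values.
ipa_signing_info() {
    ipa=$1
    [ -f "$ipa" ] || { echo "no such file: $ipa" >&2; return 1; }
    work=$(mktemp -d) || return 1
    unzip -q "$ipa" 'Payload/*' -d "$work" || { rm -rf "$work"; return 1; }
    app=$(find "$work/Payload" -maxdepth 1 -name '*.app' -type d | head -n 1)
    if [ -z "$app" ]; then
        echo "no .app bundle under Payload/" >&2; rm -rf "$work"; return 1
    fi
    # codesign writes its display output to stderr, so merge the streams.
    dr=$(codesign -d -r- "$app" 2>&1 | parse_designated_requirement)
    id=$(codesign --display --verbose=1 "$app" 2>&1 | parse_signing_identifier)
    rm -rf "$work"
    # Fail loudly rather than emit empty values into a profile.
    if [ -z "$dr" ] || [ -z "$id" ]; then
        echo "unsigned or unreadable bundle in: $ipa" >&2; return 1
    fi
    printf 'SigningIdentifier=%s\nDesignatedRequirement=%s\n' "$id" "$dr"
}

# Run only when given an argument, e.g.: sh ipa-info.sh SomeApp.ipa
if [ $# -gt 0 ]; then ipa_signing_info "$1"; fi
```
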

OTHER TIPS

I see you mentioning .ipa-files, but this is not supported on iOS. Per App VPN is limited to domains and cannot be specified for apps.

Apple docs say "This payload is supported only in macOS 10.9 and later. It is not supported in iOS."

https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange