Hi all! I’m having trouble distributing an iOS app with a DNS Proxy NetworkExtension via AdHoc. The app and extension work perfectly with development profiles, but when I export and install the AdHoc IPA, I get a “permission denied” error when trying to install/enable the DNS Proxy extension.
What I’ve done:
- Both the app and the DNS Proxy extension have their own App IDs in the Apple Developer portal.
- Both App IDs have the same App Group enabled: group.com.irakai.SafeLinkApp2.
- The extension App ID has the NetworkExtension capability with dns-proxy enabled.
- I created two AdHoc provisioning profiles (one for the app, one for the extension), both including the same devices and the correct entitlements.
- I assigned the correct AdHoc profiles to each target in Xcode and exported the IPA via Organizer.
- I install the IPA on a registered device using Apple Configurator.
Entitlements (extracted from the signed binaries on device): App:
<key>application-identifier</key><string>6PBG234246.com.irakai.SafeLinkApp2</string>
<key>com.apple.developer.networking.networkextension</key><array>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
</array>
<key>com.apple.developer.team-identifier</key><string>6PBG234246</string>
<key>com.apple.security.application-groups</key><array>
<string>group.com.irakai.SafeLinkApp2</string>
</array>
<key>get-task-allow</key><false/>
DNSProxy Extension:
<key>application-identifier</key><string>6PBG234246.com.irakai.SafeLinkApp2.DNSProxy</string>
<key>com.apple.developer.networking.networkextension</key><array>
<string>dns-proxy</string>
</array>
<key>com.apple.developer.team-identifier</key><string>6PBG234246</string>
<key>com.apple.security.application-groups</key><array>
<string>group.com.irakai.SafeLinkApp2</string>
</array>
<key>get-task-allow</key><false/>
Error message (from my app’s logs):
Error instalando DNS Proxy: permission denied
Usuario: Roberto
AppGroup: group.com.irakai.SafeLinkApp2
AppGroupPath: /private/var/mobile/Containers/Shared/AppGroup/D8AD2DED-AD96-4915-9B7A-648C9504679B
Entitlements:
BundleId: com.irakai.SafeLinkApp2
Debug info: Error Domain=NEDNSProxyErrorDomain Code=1 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
Other details:
- The device is included in both AdHoc profiles.
- The App Group is present and identical in both entitlements.
- The extension’s bundle identifier matches the App ID in the portal.
- The extension is signed with the correct AdHoc profile.
- I have tried rebooting the device and reinstalling the IPA.
- The error only occurs with AdHoc; development builds work fine.
Questions:
- Is there anything else I should check regarding AdHoc provisioning for NetworkExtension DNS Proxy?
- Are there any known issues with AdHoc and NetworkExtension on recent iOS versions?
- Is there a way to get more detailed diagnostics from the system about why the permission is denied?
- Could this be a bug in iOS, or am I missing a subtle configuration step?
Any help or suggestions would be greatly appreciated. Thank you!
Wow, that’s quite a coincidence. Another developer just bumped into the same issue. See my response on their thread.
Note There are differences in the details, but they don’t affect the result. Specifically:
-
They’re talking about NE content filters but, as explained in TN3134, NE DNS proxies have similar limits.
-
iOS Ad Hoc distribution is still distribution, and thus subject to the same limits as other distribution channels, like TestFlight and App Store.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"