Best Practices & Limitations for developing iOS applications leveraging per app VPN using VMware Tunnel

Use high level "connect by name" APIs like URLSession

To support VPN On Demand you must use some sort of connect by name API. These includes CFSocketStream and anything layered on top of that (including URLSession). Doing separate resolve then connect is usually more work and is incompatible with VPN On-Demand.

Note: BSD Sockets does not have a connect by name API. Therefore, try to avoid using these if your app is going to leverage AirWatch per-app Tunnel solution.

Boxer over per-app VPN is not currently supported, however, it is on the roadmap. 


It is not recommended to set up your own DNS resolution

When working with VPN in general, it is recommended to not set up your own DNS resolution. The system DNS resolver has lots of smarts to cope with all sorts of odd situations, and those situations often crop up in a VPN scenario. For example, a company might have two DNS servers:


An external DNS server, that contains a limited set of DNS records for their public ’net presence


An internal DNS server, that contains a larger set of DNS records for all their internal systems


Their VPN is configured such that the system DNS resolver uses the internal server for when the VPN is up. If you, as an app developer set up your own DNS resolution, this will not work.


iOS Reachability API

Reachability API for iOS is not compatible with on demand VPN. Tunnel client will not initiate a VPN connection for your app in response to the network test performed by Apple’s reachability API.


Xamarin based application

Xamarin supports three protocols for HTTP Client implementation namely:

  1. Managed
  2. CFNetwork
  3. NSURLSession.

Managed stack is Microsoft's native implementation using BSD sockets and is not compliant with per-app VPN framework as it uses low level DNS APIs and cannot trigger on-demand VPN. Please make sure to choose either CFNetwork or NSURLSession to make sure that the application works with per-app VPN. 

This stack can be changed in Xamarin IDE under Project options>Build>iOS Build>HttpClient Implementation.


Generic best practices for iOS networking

Numerous best practices have been outlined in Apple’s article on Avoid Common Networking Mistakes. Developers should make sure to follow them while doing networking in their iOS Application.

Have more questions? Submit a request


Article is closed for comments.