Guideline 5.4

Guideline 5.4 - Legal: VPN App from Individual Developer

High RiskHardTypical Fix: 1-3 days0 Reports
Also known as:VPN app submitted under individual developer accountVPN app must be submitted by an organizationApp does not use NEVPNManager API for VPN functionalityVPN app missing data usage declarationVPN-like functionality implemented without Network Extension framework

Our Take

Apple is rejecting your app because it is a VPN app submitted under an individual developer account. Under guideline 5.4, VPN apps must be submitted by an organization developer account (enrolled as a company or organization, not an individual). This requirement exists because VPN apps handle sensitive user traffic, and Apple wants an identifiable legal entity to be accountable. This rejection is similar to the regulated-field rejection under 5.1.1(ix) — it's an account-level requirement, not an app-level code issue. No amount of changes to the app will resolve it while it remains under an individual account. Additionally, VPN apps must use the NEVPNManager API (Network Extension framework) for their VPN functionality. Apps that implement VPN-like behavior through other means (e.g., proxy configuration, DNS manipulation, or custom tunnel implementations that don't use the Network Extension framework) will be rejected separately under this guideline.

Resolution Guide

01

**Enroll as an organization** — Register a legal entity if you don't have one, obtain a D-U-N-S number, and enroll in the Apple Developer Program as an organization. This typically takes 2-4 weeks.


02

**Use NEVPNManager** — Implement VPN functionality using Apple's Network Extension framework and the NEVPNManager API. This is the only approved method. Remove any custom proxy, DNS tunnel, or non-NE VPN implementations.


03

**Add a Network Extension target** — Create a Network Extension target in Xcode for your packet tunnel provider. This requires the Network Extension entitlement from Apple.


04

**Declare data usage** — In your privacy policy and review notes, clearly state: what user data the VPN collects, whether browsing activity is logged, how long data is retained, whether data is shared with third parties, and your data deletion policy.


05

**Request Network Extension entitlement** — If you haven't already, submit an entitlement request to Apple for the Network Extension capability. This is a separate approval process.

Prevention

  • Start with an organization developer account for VPN development
  • Use the Network Extension framework from the beginning
  • Apply for the Network Extension entitlement early — it can take time
  • Prepare a comprehensive data usage declaration before submission
  • Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.4 - Legal: VPN App from Individual Developer
    Guideline 5.4 - Legal - VPN Apps Your app provides VPN services but does not meet the requirements for VPN apps on the App Store. Specifically: - Your app is submitted under an individual developer account. VPN apps must be submitted by an organization enrolled in the Apple Developer Program. - Your app must use the NEVPNManager API for all VPN functionality. Next Steps: Please: 1. Enroll in the Apple Developer Program as an organization and resubmit under the organization account. 2. Ensure your app uses the NEVPNManager API (Network Extension framework) for VPN functionality. 3. Clearly declare what user data is collected, how it is used, and how long it is retained in your privacy policy.

    Before & After

    Before — Rejected

    VPN app submitted under 'Jane Doe' individual account; VPN tunnel implemented using custom socket connections and DNS configuration profiles

    After — Approved

    App resubmitted under 'SecureNet Technologies Inc.' organization account; VPN implemented using NEPacketTunnelProvider and NEVPNManager API; Network Extension entitlement granted; comprehensive data usage declaration in privacy policy

    What changed: VPN apps require an organization account and the NEVPNManager API. Custom tunnel implementations and individual accounts are both rejected.

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections