Guideline 5.4
Guideline 5.4 - Legal: VPN App from Individual Developer
Our Take
Apple is rejecting your app because it is a VPN app submitted under an individual developer account. Under guideline 5.4, VPN apps must be submitted by an organization developer account (enrolled as a company or organization, not an individual). This requirement exists because VPN apps handle sensitive user traffic, and Apple wants an identifiable legal entity to be accountable. This rejection is similar to the regulated-field rejection under 5.1.1(ix) — it's an account-level requirement, not an app-level code issue. No amount of changes to the app will resolve it while it remains under an individual account. Additionally, VPN apps must use the NEVPNManager API (Network Extension framework) for their VPN functionality. Apps that implement VPN-like behavior through other means (e.g., proxy configuration, DNS manipulation, or custom tunnel implementations that don't use the Network Extension framework) will be rejected separately under this guideline.
Resolution Guide
**Enroll as an organization** — Register a legal entity if you don't have one, obtain a D-U-N-S number, and enroll in the Apple Developer Program as an organization. This typically takes 2-4 weeks.
**Use NEVPNManager** — Implement VPN functionality using Apple's Network Extension framework and the NEVPNManager API. This is the only approved method. Remove any custom proxy, DNS tunnel, or non-NE VPN implementations.
**Add a Network Extension target** — Create a Network Extension target in Xcode for your packet tunnel provider. This requires the Network Extension entitlement from Apple.
**Declare data usage** — In your privacy policy and review notes, clearly state: what user data the VPN collects, whether browsing activity is logged, how long data is retained, whether data is shared with third parties, and your data deletion policy.
**Request Network Extension entitlement** — If you haven't already, submit an entitlement request to Apple for the Network Extension capability. This is a separate approval process.
Prevention
Example Rejection Email
Before & After
VPN app submitted under 'Jane Doe' individual account; VPN tunnel implemented using custom socket connections and DNS configuration profiles
App resubmitted under 'SecureNet Technologies Inc.' organization account; VPN implemented using NEPacketTunnelProvider and NEVPNManager API; Network Extension entitlement granted; comprehensive data usage declaration in privacy policy
What changed: VPN apps require an organization account and the NEVPNManager API. Custom tunnel implementations and individual accounts are both rejected.
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy