Guideline 5.4
Guideline 5.4 - Legal: VPN App Not Using NEVPNManager API
Our Take
Apple is rejecting your VPN app because it implements VPN-like functionality without using the Network Extension framework and NEVPNManager API. Under guideline 5.4, all VPN apps must use Apple's official NEVPNManager API — apps that achieve VPN behavior through alternative technical means (proxy configuration profiles, DNS-over-HTTPS redirection, SOCKS proxy clients, custom socket tunneling, or system-level configuration profile installation) will be rejected. This rejection is technical in nature and requires a significant code change. Apple mandates NEVPNManager because it provides system-level VPN integration that users can see and control in iOS Settings, gives Apple visibility into how the VPN operates, and ensures the VPN follows Apple's sandboxing and security requirements. The Network Extension framework requires a special entitlement that must be requested from Apple separately. The turnaround for entitlement approval is typically 1-5 business days. You'll need to implement a Packet Tunnel Provider (NEPacketTunnelProvider) as a separate app extension target in your Xcode project.
Resolution Guide
**Request Network Extension entitlement** — Submit an entitlement request to Apple via developer.apple.com. This is a prerequisite — you cannot use NEVPNManager without it. Typical approval: 1-5 business days.
**Create a Packet Tunnel Provider extension** — Add a new Network Extension target to your Xcode project. Implement `NEPacketTunnelProvider` as your tunnel provider subclass.
**Implement NEVPNManager configuration** — Use `NEVPNManager` to configure the VPN connection. Set up the `NETunnelProviderProtocol` with your server addresses, authentication credentials, and tunnel configuration.
**Remove alternative implementations** — Remove any custom proxy configurations, DNS redirection code, SOCKS client implementations, or configuration profile installation code.
**Test system-level integration** — Verify the VPN appears in iOS Settings > VPN when active, can be toggled from Settings, and shows the VPN status bar indicator.
**Add the entitlement to your provisioning profile** — Ensure both the main app target and the Network Extension target have the com.apple.developer.networking.networkextension entitlement.
Prevention
Example Rejection Email
Before & After
App establishes VPN tunnel by configuring SOCKS5 proxy settings and routing DNS queries through a custom DoH resolver; no Network Extension target in the Xcode project
App uses NEPacketTunnelProvider extension with NEVPNManager configuration; VPN appears in iOS Settings; VPN status bar indicator shows when connected; SOCKS5 and DNS code removed
What changed: Apple requires NEVPNManager for system-level VPN integration, visibility, and user control. Alternative tunnel implementations are not accepted.
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy