Newly iconNewly
How to Get the Apple Network Extension (VPN) Entitlement

How to Get the Apple Network Extension (VPN) Entitlement

VPNs, content filters and DNS proxies use the Network Extension entitlement. Most types are now self-serve — here is which still need an Apple request.

Timothy Lindblom
Timothy Lindblom

Founder, Newly

The Network Extension entitlement lets your app extend the iOS network stack — running a VPN tunnel, a content filter, a DNS proxy or a captive-network helper. There is an important nuance most guides get wrong: since 2016, the common provider types (packet tunnel / VPN, content filter, app proxy, DNS proxy) are self-serve and you enable them yourself, while only the managed types (Hotspot Helper and the Network Extension app push provider) still require an Apple request form.

Apply through this form

Network Extension (Hotspot Helper) request form

Open form

Key Takeaways

  • VPN, content-filter, app-proxy and DNS-proxy providers are self-serve — no request needed since 2016.
  • Only Hotspot Helper and the NE app push provider remain managed and need an Apple request.
  • Provider logic must be native and runs as a separate app-extension target.
  • These capabilities require a custom build and cannot run in Expo Go.

Network Extension at a Glance

Mostly
Self-serve since 2016
Hotspot
Still needs a request
Native
Provider target required
iOS 9+
NetworkExtension

What This Entitlement Is

com.apple.developer.networking.networkextension is the entitlement that authorizes NetworkExtension providers: packet tunnels (VPN), per-app proxies, content filters, DNS proxies and Wi-Fi Hotspot Helpers. The provider runs as a system-level extension, separate from your app UI, and must be written in native Swift/Objective-C. The key distinction for approval is whether your provider type is self-serve or managed.

Entitlement & config keys

  • com.apple.developer.networking.networkextension
  • Values: packet-tunnel-provider, app-proxy-provider, content-filter-provider, dns-proxy
  • Managed values: hotspot-helper (request required)
  • Framework: NetworkExtension (separate extension target)

Who Needs It

VPN clients

Apps that route traffic through a Packet Tunnel Provider (or Personal VPN). Self-serve.

Content filters & parental controls

Apps using a Content Filter Provider to block or inspect traffic. Self-serve.

Secure / filtering DNS apps

Apps that run a DNS Proxy Provider for encrypted or filtered DNS. Self-serve.

Captive Wi-Fi / carrier apps

Hotspot Helper apps that onboard users onto Wi-Fi networks. Managed — request required.

How to Request the Entitlement

  1. 1

    Check whether your provider is self-serve

    Packet tunnel (VPN), app proxy, content filter and DNS proxy are self-serve — skip the form and enable the capability in Signing & Capabilities directly.

  2. 2

    For managed types, open the request form

    Only Hotspot Helper and the NE app push provider need a request. Sign in to your developer account to submit it.

  3. 3

    Justify the managed networking use case

    Explain the carrier or enterprise networking scenario and why a managed capability is needed rather than a self-serve provider.

  4. 4

    Add the entitlement and a provider target

    Add com.apple.developer.networking.networkextension with the relevant provider value to both the app and the extension, and implement the provider in native code.

  5. 5

    Build, sign and submit

    Regenerate provisioning profiles that include the entitlement, then build and submit. App Review will still assess that the networking behavior matches your description.

What Apple Evaluates

  • Whether your provider type actually needs a managed entitlement or is already self-serve.
  • That a Hotspot Helper request reflects a legitimate carrier or enterprise use case.
  • That the networking behavior matches what the app claims to do.
  • That traffic is handled transparently and within Apple’s privacy expectations.

Timeline. Self-serve providers are available immediately the moment you enable the capability — there is no waiting. For the managed Hotspot Helper / push provider, Apple reviews case-by-case, commonly over days to weeks, and the entitlement appears on your account once granted.

Common Reasons It Gets Rejected

Requesting a managed capability without cause

Asking for Hotspot Helper when a self-serve provider would do is typically declined.

How to avoid it: Confirm your provider type first; most VPN and filtering apps never need the form.

Entitlement does not match behavior

The provider value or app description does not line up with what the app does.

How to avoid it: Use the precise provider value for your use case and describe the traffic flow accurately.

Privacy concerns at App Review

VPN and filter apps that mishandle or monetize user traffic are rejected even when the entitlement is self-serve.

How to avoid it: Be transparent about what you route, log and retain, and keep a clear privacy policy.

Adding It in Newly

Newly builds real native apps, so the capability goes into your app exactly the way it would in a hand-written project — you just describe it instead of editing config files.

  1. 1Describe the networking feature, e.g. "add a VPN packet-tunnel provider" or "filter web content with a content filter."
  2. 2Newly creates the custom native build with the NetworkExtension entitlement, the right provider value and a separate provider extension target.
  3. 3For self-serve providers you can build immediately; for Hotspot Helper, submit Apple’s request form first.
  4. 4Rebuild and submit from the Deploy modal once your provisioning profiles include the entitlement.

For the full deployment flow, see the permissions & entitlements guide in the Newly docs.

Frequently Asked Questions

Do VPN apps still need to request the Network Extension entitlement?

No. Since November 2016, Packet Tunnel, App Proxy, Content Filter and DNS Proxy providers are self-serve — you enable the capability in Xcode or on the developer website with no request. Only Hotspot Helper and the NE app push provider remain managed.

Why does the request URL redirect to Hotspot Helper?

Because the Hotspot Helper flow is the only Network Extension type that still requires a managed request. The other provider types were moved to self-serve, so the form now covers just the managed case.

Can I build a VPN with Expo?

Not in Expo Go. You need a custom native build with a separate Network Extension provider target written in Swift/Objective-C; the JavaScript layer can drive the container app UI but not the provider itself.

Where does the provider code run?

In a system-level app extension that is separate from your main app. The OS manages its lifecycle, and it must be implemented against the native NetworkExtension framework.

Ship a Network Extension app without fighting the native config

Describe the feature and Newly wires up the entitlement keys, Info.plist / manifest entries and native modules for you — then builds and submits to the App Store and Google Play. You still file the approval yourself, but the build is ready the moment it's granted.

Start Building Your App

Sources & Further Reading

Official Apple documentation for the Network Extension capability. Always confirm the current requirements against these pages before you apply.

Continue Learning

Family Controls Entitlement

Screen Time and parental-control distribution entitlement.

CarPlay Entitlement

Request-gated entitlement for in-car apps.

Critical Alerts Entitlement

Notifications that bypass silent mode and Focus.

Android Restricted Permissions

The Google Play equivalent: declaration-gated permissions.