Hi Quinn, Yes, we think it may be an iOS system problem. We've reproduced on our devices by: Enrolling a test device into one of our end-user's MDM with their permission. The specified identity within the profile was the SCEP certificate. Deploying a similarly configured profile using a different MDM internally, and the same problem occurred. It's almost as if iOS thinks our network extension isn't installed with our app, but looking at the installed plugins from the powerlog DB in a sysdiganose indicates that the extension is indeed installed correctly. I haven't seen anything in the docs but are we missing any override we need to do as a NEAppProxyProvider to handle the fact that we're being given a certificate for authentication?

No. Even if we’re, it’d have to be declarative — so, something in the Info.plist for example — because your code hasn’t been run at the time it fails. True. It's hard for me to test with another app, but I will continue to try and make that happen. However, I do know from speaking with our end-user and inspecting their sysdiagnose that they, at one point, had another 3rd-party proxy provider on the device. They say it was working correctly, but I don't see any per-app assignment rules nor Safari domains assigned for that configuration, so I'm not sure how they would have confirmed that it was working. We did have them remove said configuration to rule out some conflict between the two VPNs using the same identity. It didn't fix the problem. Does the system determine which extension to launch using LaunchServices? Is there any way that the profile could be corrupting the LS DB? It doesn't seem possible on iOS, but thought maybe it was worth throwing out there.