Thanks for clarifying the difference between a digital identity and a certificate.
The app has the network extension, but the API that I was talking about had nothing to do with it. It was an OAuth API. Right now, it presents the API call and the presentation of the client certificate that I mentioned had nothing to do with the network extension.
Today, in our Mac app, if we open a URL in the default browser (using UIApplication.open()), and the TLS handshake requires a client certificate, the browser shows a prompt where the user can select the client certificate to proceed. The user can accept or skip that part.
So if we do that in our iOS app too, will the default browser also prompt the user to select a certificate, or will we have to do that programmatically by reading certs from the keychain and matching them with what was asked for by the TLS handshake?