We have a VPN app built using PacketTunnelProvider and support per-app VPN on iOS. We're currently investigating an issue specific to per-app VPN configurations that use split tunneling, where some URLs are routed through the VPN tunnel while others are intended to go directly. Tunneled traffic works as expected. However, for direct traffic, we observe intermittent failures where the browser does not receive an ACK, leading to repeated retransmissions and eventual page load failures. This issue appears only in per-app VPN scenarios, and we've reproduced it across multiple MDM solutions (Intune, CEM) and multiple managed browsers. It's intermittent but frequently reproducible with common public URLs routed directly. Key observations: writePackets returns true, confirming the VPN app writes packets to the TUN interface. Despite that, the browser often fails to acknowledge receipt (no ACK), suggesting it may not receive the packet at all. We suspect a possible packet loop, where packets written to TUN are immediately read back by the app. However, due to the intermittent nature of the issue, this is hard to confirm. A consistent loop would likely result in persistent failures, not sporadic ones. We are attaching: A Wireshark summary - highlighting the missing ACK and retransmission pattern. As we cannot attach the xlsx file or a zip file, we have took the screenshots of the files names as image1, image2, image3, image4 and image5 in sequence. Dails on the iOS device and MDM environment. NETunnelProviderProtocol configuration that reproduces the issue Any guidance on how to further debug this, particularly on confirming packet delivery to the browser and identifying potential loops would be greatly appreciated. Thank you. e t

I am working on a MacOS application in which I need System Extension along with some network extension capabilities. In order to distribute the app externally, I have to create a Developer ID application (provisioning profile) using the App ID that already has Network extension capability. I have followed this documentation to create the App ID and provisioning profiles: https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.networking.networkextension?language=objc What I have: 2 App IDs (For app with network and system extension capability and for extension with only network extension capability) *2 Developer ID application (For both App and Extension) My App's entitlement file contains: <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>packet-tunnel-provider</string> </array> My system extension's entitlement file contains: <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider</string> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>dns-proxy</string> </array> Both the targets now have the following error: Provisioning profile "StandaloneCSAExtension" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. Note: Instead of Developer ID application if I create a normal development provisioning profile with the same App ID, everything works perfectly fine, the only reason why we need to move to Developer ID application is because we need to distribute the app externally. Please help me if I have missed anything. Thanks in advance!