@DTS Engineer we are manually importing it using keychain access, taking care to make sure that it's imported into the System keychain.

Did the DR actually change? What does it look like if you dump the DR of your old appex and the DR of your new sysex? I believe this clued me in on the reason. The issue is that when we create a configuration profile in our app, it takes the designated requirement of that app. We would then install a TestFlight build, and that would have a different designated requirement. Since it's signed by the TestFlight signing cert vs the App Store signing cert. I was able to verify that a configuration profile created in a TestFlight app extension build would work on a TestFlight system extension build, since their DRs would be the same for both. But a profile created on an AppStore build would not work on a TestFlight build. I obviously can't verify from AppStore -> AppStore easily. But I believe that the fact that this works TestFlight -> TestFlight proves the hypothesis.

Why are you trying to do that? Hi @eskimo, we are doing this so that we can ship outside of the app store.

It's out!

Hi Matt making matchDomains = nil fixes the issue.

I have filed FB9224983 for iOS, and FB9224605 for macOS. Thank you.

Hi Matt, When we disable DoH/DoT configurations, our Packet Tunnel gets DNS traffic, so we believe this to be a bug. I can file it as such, let me know if you need anything else. Thanks