Thanks. We are indeed using onDemand rules to get around this. It still has side effects (see below), and I still think this is something that should ultimately be solved on the iOS side. Side effect: Users are unable to turn off the VPN from Control Center's stock VPN toggle or the system Settings app, as the onDemand rule causes the VPN to turn itself back on as soon as a network request is made. (We do have our own Control Center Widget to partially help, though.) We've gotten some user feedback - especially when trying to access captive portal screens on airplanes, for example - that they're unable to turn off the VPN from the system settings and end up fully uninstalling the network extension, and that's just a bad user journey.

As someone who makes a consumer VPN, we'd also love this extended beyond MDM VPNs. iOS is the only platform we're not able to offer a feature to exclude specific apps' traffic from the VPN tunnel.

Request for better documentation on this was filed as FB14113991, in case that is useful.

iOS 18.1 is out, and still no response or acknowledgement of this issue. FWIW, the release notes for 18.1 mention a known issue 137974410 related to RCS and MDM - I'm curious if this VPN issue is related. I've left similar feedback on FB15094270, the ticket I had filed.

Thanks Quinn. I've submitted via Feedback Assistant: FB14113991.

Setting that workflow to use Xcode 14.3.1 works. Using the latest (Xcode 15.0.1 when I was running into this issue) causes the hang.

In case this is helpful to others. Our Xcode Cloud workflow was set to use the releases/2.18.0 branch, and run nightly. I was trying to do a manual workflow run on my-new-feature branch. This was failing. When I changed the Xcode Cloud workflow to use the my-new-feature branch and ran the workflow manually, it succeeded. Very frustrating, but hopefully this fix works for others.

Our VPN has a user who is unable to install the VPN profile. From the logs: Connect Tunnel Save Error: Error Domain=NEVPNErrorDomain Code=5 "total NetworkExtension configuration size limit exceeded" UserInfo={NSLocalizedDescription=total NetworkExtension configuration size limit exceeded}. The user is running iOS 16.4.1 on an iPhone 12 Pro. I believe (from the message and the discussion above) that the total size of the user's NetworkExtension config (across all apps/settings) is too large, and is blocking the install of our VPN. What settings are in this "NetworkExtension config", and thus contributing to the size? Will "Reset Network Settings" clear it all out, allowing the user to install the VPN?

For anyone stumbling upon this thread, this is now fixed as of iOS 16.4: https://developer.apple.com/documentation/networkextension/nevpnprotocol/4140517-excludecellularservices This defaults to true, so things should just start working now.

I understand the philosophy behind that, but the user (and developer) experience seems subpar: macOS and iPadOS (on a WiFi iPad): If you set includeAllNetworks you can ensure all the user's traffic goes through the VPN tunnel, with no loss of functionality. iOS: If you set includeAllNetworks, you can ensure all the user's traffic goes through the VPN tunnel, but MMS will not work. Your choice is either "let MMS work, but don't guarantee the remaining traffic goes through the tunnel" or "kill user's MMS functionality". MMS is currently treated differently by iOS when there is a WiFi connection, as seen in the logs - it diverts MMS traffic to the cellular network. Given how cell companies require MMS to be delivered, it doesn't seem out-of-line that it would also be treated differently by iOS if a VPN is active. And even if this wasn't the default, adding a flag to allow MMS to go outside a VPN seems really, really helpful here. (We already have an optional excludeLocalNetworks flag that only matters when includeAllNetworks is active. Perhaps an additional excludeMMS as well?) While I can dream of a flag to allow MMS through, do you know of a way to allow MMS to go outside the VPN while otherwise keeping similar functionality to includeAllNetworks ("if... the tunnel is unavailable, the system drops all network traffic")?