iOS 18.1 is out, and still no response or acknowledgement of this issue. FWIW, the release notes for 18.1 mention a known issue 137974410 related to RCS and MDM - I'm curious if this VPN issue is related. I've left similar feedback on FB15094270, the ticket I had filed.

Thanks Quinn. I've submitted via Feedback Assistant: FB14113991.

Setting that workflow to use Xcode 14.3.1 works. Using the latest (Xcode 15.0.1 when I was running into this issue) causes the hang.

In case this is helpful to others. Our Xcode Cloud workflow was set to use the releases/2.18.0 branch, and run nightly. I was trying to do a manual workflow run on my-new-feature branch. This was failing. When I changed the Xcode Cloud workflow to use the my-new-feature branch and ran the workflow manually, it succeeded. Very frustrating, but hopefully this fix works for others.

Our VPN has a user who is unable to install the VPN profile. From the logs: Connect Tunnel Save Error: Error Domain=NEVPNErrorDomain Code=5 "total NetworkExtension configuration size limit exceeded" UserInfo={NSLocalizedDescription=total NetworkExtension configuration size limit exceeded}. The user is running iOS 16.4.1 on an iPhone 12 Pro. I believe (from the message and the discussion above) that the total size of the user's NetworkExtension config (across all apps/settings) is too large, and is blocking the install of our VPN. What settings are in this "NetworkExtension config", and thus contributing to the size? Will "Reset Network Settings" clear it all out, allowing the user to install the VPN?

For anyone stumbling upon this thread, this is now fixed as of iOS 16.4: https://developer.apple.com/documentation/networkextension/nevpnprotocol/4140517-excludecellularservices This defaults to true, so things should just start working now.

I understand the philosophy behind that, but the user (and developer) experience seems subpar: macOS and iPadOS (on a WiFi iPad): If you set includeAllNetworks you can ensure all the user's traffic goes through the VPN tunnel, with no loss of functionality. iOS: If you set includeAllNetworks, you can ensure all the user's traffic goes through the VPN tunnel, but MMS will not work. Your choice is either "let MMS work, but don't guarantee the remaining traffic goes through the tunnel" or "kill user's MMS functionality". MMS is currently treated differently by iOS when there is a WiFi connection, as seen in the logs - it diverts MMS traffic to the cellular network. Given how cell companies require MMS to be delivered, it doesn't seem out-of-line that it would also be treated differently by iOS if a VPN is active. And even if this wasn't the default, adding a flag to allow MMS to go outside a VPN seems really, really helpful here. (We already have an optional excludeLocalNetworks flag that only matters when includeAllNetworks is active. Perhaps an additional excludeMMS as well?) While I can dream of a flag to allow MMS through, do you know of a way to allow MMS to go outside the VPN while otherwise keeping similar functionality to includeAllNetworks ("if... the tunnel is unavailable, the system drops all network traffic")?