We currently have a PacketTunnelProvider providing VPN to managed devices. Our profile locks this down with OnDemandEnabled and OnDemandUserOverrideDisabled set to true.
We've received some reports that on device startup, there is a time period after Wi-Fi connects but before the OnDemand VPN kicks in to enable our VPN, where users are able to navigate to IPs that are meant to be captured by the VPN tunnel. Instead, they are able to reach these IPs directly during this time period.
Is there an expectation with regard to when OnDemand VPN is allowed to kick in to enable the VPN? Is there anything that we can do to minimize this delay?
We currently have a PacketTunnelProvider providing a VPN connection to managed devices. Our profile locks this down with OnDemandEnabled and OnDemandUserOverrideDisabled set to true.
We've had reports of the OnDemand feature not kicking in on macOS when switching profiles or creating new profiles for managed users (but this works for the initial user login). When switching profiles, OnDemand does not enable; however, if the user manually enables the VPN and then disables it, OnDemand will now correctly turn the connection back on.
The installed profile contains:
OnDemandEnabled: 1
OnDemandRules: Connect Action for WiFi, Cellular, and Ethernet
OnDemandUserOverrideDisabled: 1
From sysdiagnose logs, I see some interesting logs for nesessionmanager:
Handling a network changed event
Resetting VPN On Demand
Found 0 registrations for [...].PacketTunnel
Failed to find [...].PacketTunnel app extension using neagent
Plugin is not available in launch services
Plugin is not installed
(I also see some failures with LSApplicationProxy, but not sure if those are relevant.)
Eventually, I see:
Plugin is installed
Enabling VPN On Demand
And things seem to kick off more as expected from that point on.
Do we have any guidance on how to address this issue? We also have a ticket submitted with Feedback Assistant.
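The window described in both posts can be measured from nesessionmanager log lines. The following is an added example, not code from the original posts or from Apple: it reports how long VPN On Demand stayed off between "Resetting VPN On Demand" and "Enabling VPN On Demand". The message texts are the ones quoted above; the timestamp format, the line layout and the function name `on_demand_gaps` are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines. The message texts are the ones quoted in the post;
# the timestamps and the "nesessionmanager:" prefix layout are assumptions.
SAMPLE_LOG = """\
2024-01-01 09:00:01.100 nesessionmanager: Handling a network changed event
2024-01-01 09:00:01.150 nesessionmanager: Resetting VPN On Demand
2024-01-01 09:00:01.200 nesessionmanager: Plugin is not installed
2024-01-01 09:00:09.700 nesessionmanager: Plugin is installed
2024-01-01 09:00:09.900 nesessionmanager: Enabling VPN On Demand
2024-01-01 09:30:00.000 nesessionmanager: Resetting VPN On Demand
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) nesessionmanager: (.*)$")
RESET = "Resetting VPN On Demand"
ENABLED = "Enabling VPN On Demand"

def on_demand_gaps(log_text):
    """Return (start, end, seconds, notes) for each reset-to-enabled window.

    end and seconds are None when the log ends before On Demand is re-enabled.
    """
    gaps, start, notes = [], None, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines from other processes or in other layouts
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        if msg == RESET:
            if start is None:  # keep the earliest reset of an open window
                start, notes = ts, []
        elif msg == ENABLED and start is not None:
            gaps.append((start, ts, (ts - start).total_seconds(), notes))
            start = None
        elif start is not None and "Plugin is not" in msg:
            notes.append(msg)  # plugin-lookup failures seen inside the window
    if start is not None:
        gaps.append((start, None, None, notes))  # never re-enabled in this log
    return gaps

if __name__ == "__main__":
    for start, end, secs, notes in on_demand_gaps(SAMPLE_LOG):
        state = f"{secs:.1f}s" if secs is not None else "still open at end of log"
        print(f"{start} -> {end}: {state}; {notes}")
```

A window that is still open at the end of the log corresponds to the case in the second post where On Demand stays off until the VPN is toggled manually.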