It seems that the new DNS encryption setting in Big Sur is incompatible with NETransparentProxyProvider. Maybe it considers it a VPN connection? The fact is that when the TransparentProxy is active, MacOS does not attempt to use the DoH server configured via a configuration profile.

The question is do we need to provide a real iOS/Mac app in order to provide this functionality. Would it be enough just to create an App ID (call the app "[Company] Account" for instance) and use it to implement the Sign in with Apple functionality on our website without going through the app review?