Hi,
We have a profile to set the VPN configuration of the device. It is a BYOD device with per app vpn setting:
https://developer.apple.com/documentation/devicemanagement/applayervpn
We add the following keys to our profile:
"SafariDomains", "CalendarDomains", "ContactsDomains" and "MailDomains".
The "SafariDomains" key works and is shown in the VPN profile settings on the device (in the "Included Apps" section), with the given domains. However, all the other features (those that came with iOS 13, MailDomains etc.) do not work.
The domains we use are internal domains, so the DNS of the system is set within the "VPN" connection. When we access the sites via Safari, the VPN works fine and we can access them; when we try Mail apps or try adding an account via Settings, it fails.
We tried both "packet-tunnel" and "app-proxy" as ProviderType in the AppLayerVPN.VPN settings but it still did not work.
When we set the VPN on the whole device then the mail app and accounts can be fetched, so we do not think that it is VPN server related.
What are we missing here?
Any help or advice is appreciated.
Thanks
Our example profile:
```xml
<dict>
  <key>IKEv2</key>
  <dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>ChildSecurityAssociationParameters</key>
    <dict>
      <key>DiffieHellmanGroup</key>
      <integer>14</integer>
      <key>EncryptionAlgorithm</key>
      <string>3DES</string>
      <key>IntegrityAlgorithm</key>
      <string>SHA1-96</string>
      <key>LifeTimeInMinutes</key>
      <integer>1440</integer>
    </dict>
    <key>DeadPeerDetectionRate</key>
    <string>Medium</string>
    <key>DisableMOBIKE</key>
    <integer>0</integer>
    <key>DisableRedirect</key>
    <integer>0</integer>
    <key>EnableCertificateRevocationCheck</key>
    <integer>0</integer>
    <key>EnablePFS</key>
    <integer>1</integer>
    <key>IKESecurityAssociationParameters</key>
    <dict>
      <key>DiffieHellmanGroup</key>
      <integer>14</integer>
      <key>EncryptionAlgorithm</key>
      <string>3DES</string>
      <key>IntegrityAlgorithm</key>
      <string>SHA1-96</string>
      <key>LifeTimeInMinutes</key>
      <integer>1440</integer>
    </dict>
    <key>OnDemandEnabled</key>
    <integer>1</integer>
    <key>LocalIdentifier</key>
    <string>user@example.com</string>
    <key>PayloadCertificateUUID</key>
    <string>5c0c7855-a8d9-4c86-8a21efec8335105a</string>
    <key>RemoteAddress</key>
    <string>vpn.example.com</string>
    <key>RemoteIdentifier</key>
    <string>vpn.example.com</string>
    <key>UseConfigurationAttributeInternalIPSubnet</key>
    <integer>0</integer>
  </dict>
  <key>IPv4</key>
  <dict>
    <key>OverridePrimary</key>
    <integer>1</integer>
  </dict>
  <key>VPNUUID</key>
  <string>4dfdca51-aea1-461b-9a76-d24e8a2f9c07</string>
  <key>OnDemandMatchAppEnabled</key>
  <true/>
  <key>SafariDomains</key>
  <array>
    <string>internal.lan</string>
  </array>
  <key>CalendarDomains</key>
  <array>
    <string>internal.lan</string>
    <string>outlook.internal.lan</string>
  </array>
  <key>ContactsDomains</key>
  <array>
    <string>internal.lan</string>
    <string>outlook.internal.lan</string>
  </array>
  <key>MailDomains</key>
  <array>
    <string>internal.lan</string>
    <string>outlook.internal.lan</string>
  </array>
  <key>PayloadDescription</key>
  <string>Configures VPN settings</string>
  <key>PayloadDisplayName</key>
  <string>VPN</string>
  <key>PayloadIdentifier</key>
  <string>com.apple.vpn.managed.applayer.ebec689e-6c37-4344-a590-09fe4a22f436</string>
  <key>PayloadType</key>
  <string>com.apple.vpn.managed.applayer</string>
  <key>PayloadUUID</key>
  <string>ebec689e-6c37-4344-a590-09fe4a22f436</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>Proxies</key>
  <dict>
    <key>HTTPEnable</key>
    <integer>0</integer>
    <key>HTTPSEnable</key>
    <integer>0</integer>
  </dict>
  <key>UserDefinedName</key>
  <string>MDM VPN</string>
  <key>VPNType</key>
  <string>IKEv2</string>
  <key>VPN</key>
  <dict>
    <key>ProviderType</key>
    <string>packet-tunnel</string>
  </dict>
</dict>
```
Complete Profile - https://developer.apple.com/forums/content/attachment/220f2081-3de5-4274-bacd-96bb8470524a
Hi,
We are trying to implement Always On VPN (IKEv2) in a slightly different way. Since there are problems with the implementation of MailDomains and CalendarDomains in AppLayer VPN (per-app VPN: https://developer.apple.com/forums/thread/676815 ), we are trying to make the whole VPN behave as per-app.
By adding OnDemandRules (with "ConnectIfNeeded"), the particular domains trigger the VPN connection. However, the same method to stop the VPN connection on specific domains does not work (with "NeverConnect").
For testing purposes, we have included two domains. If they are loaded from Safari, the VPN should stop its connection; however, once the connection is started by the provided "ConnectIfNeeded" domains, the connection never stops.
The profile is also provided below. Any help or advice is appreciated. Thanks in advance.
```xml
<dict>
  <key>IKEv2</key>
  <dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>ChildSecurityAssociationParameters</key>
    <dict>
      <key>DiffieHellmanGroup</key>
      <integer>14</integer>
      <key>EncryptionAlgorithm</key>
      <string>3DES</string>
      <key>IntegrityAlgorithm</key>
      <string>SHA1-96</string>
      <key>LifeTimeInMinutes</key>
      <integer>1440</integer>
    </dict>
    <key>DeadPeerDetectionRate</key>
    <string>Medium</string>
    <key>DisableMOBIKE</key>
    <integer>0</integer>
    <key>DisableRedirect</key>
    <integer>0</integer>
    <key>EnableCertificateRevocationCheck</key>
    <integer>0</integer>
    <key>EnablePFS</key>
    <integer>1</integer>
    <key>IKESecurityAssociationParameters</key>
    <dict>
      <key>DiffieHellmanGroup</key>
      <integer>14</integer>
      <key>EncryptionAlgorithm</key>
      <string>3DES</string>
      <key>IntegrityAlgorithm</key>
      <string>SHA1-96</string>
      <key>LifeTimeInMinutes</key>
      <integer>1440</integer>
    </dict>
    <key>OnDemandEnabled</key>
    <integer>1</integer>
    <key>LocalIdentifier</key>
    <string>user@example.com</string>
    <key>PayloadCertificateUUID</key>
    <string>d7aee729-ebca-4f2a-a137-efda5a9f219f</string>
    <key>RemoteAddress</key>
    <string>vpn.example.com</string>
    <key>RemoteIdentifier</key>
    <string>vpn.example.com</string>
    <key>UseConfigurationAttributeInternalIPSubnet</key>
    <integer>0</integer>
    <key>DisconnectOnIdle</key>
    <integer>1</integer>
    <key>OnDemandRules</key>
    <array>
      <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
          <dict>
            <key>Domains</key>
            <array>
              <string>internal.lan</string>
              <string>outlook.internal.lan</string>
            </array>
            <key>DomainAction</key>
            <string>ConnectIfNeeded</string>
          </dict>
        </array>
      </dict>
      <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
          <dict>
            <key>Domains</key>
            <array>
              <string>www.google.com</string>
              <string>www.bing.com</string>
            </array>
            <key>DomainAction</key>
            <string>NeverConnect</string>
          </dict>
        </array>
      </dict>
    </array>
  </dict>
  <!-- the posted profile ends here; the remaining payload keys are not shown -->
</dict>
```
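Added example (not part of the original post, and not Apple's code): On Demand rules are evaluated in order and the first rule whose match criteria are satisfied is the one applied, so a rule placed after one with no match criteria is never consulted. The Python sketch below checks the posted OnDemandRules for that and folds both ActionParameters entries into a single EvaluateConnection rule. The helper names and the subdomain matching in `domain_action` are assumptions made for illustration.

```python
import plistlib
# Constructed sample: the OnDemandRules array from the post above, wrapped as a plist.
RULES_XML = b"""<plist version="1.0"><array>
<dict><key>Action</key><string>EvaluateConnection</string>
 <key>ActionParameters</key><array><dict>
  <key>Domains</key><array><string>internal.lan</string><string>outlook.internal.lan</string></array>
  <key>DomainAction</key><string>ConnectIfNeeded</string></dict></array></dict>
<dict><key>Action</key><string>EvaluateConnection</string>
 <key>ActionParameters</key><array><dict>
  <key>Domains</key><array><string>www.google.com</string><string>www.bing.com</string></array>
  <key>DomainAction</key><string>NeverConnect</string></dict></array></dict>
</array></plist>"""

# Keys that restrict when a rule applies; a rule carrying none of them matches on every network.
MATCH_KEYS = {"InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch",
              "DNSServerAddressMatch", "URLStringProbe"}

def unreachable_rules(rules):
    """Indexes of rules that sit behind an unconditional rule (first match wins)."""
    first = next((i for i, r in enumerate(rules) if not r.keys() & MATCH_KEYS), None)
    return [] if first is None else list(range(first + 1, len(rules)))

def domain_action(rules, host):
    """DomainAction the first unconditional rule assigns to host, or None."""
    rule = next((r for r in rules if not r.keys() & MATCH_KEYS), None)
    for params in (rule or {}).get("ActionParameters", []):
        for d in params.get("Domains", []):
            # Assumption: an entry covers the name itself and its subdomains.
            if host == d or host.endswith("." + d):
                return params.get("DomainAction")
    return None

def merge_evaluate_rules(rules):
    """Fold all unconditional EvaluateConnection rules into the first one (hypothetical helper)."""
    out, merged = [], None
    for r in rules:
        if r.get("Action") == "EvaluateConnection" and not r.keys() & MATCH_KEYS:
            if merged is None:
                merged = {"Action": "EvaluateConnection", "ActionParameters": []}
                out.append(merged)
            merged["ActionParameters"] += r.get("ActionParameters", [])
        else:
            out.append(r)
    return out

rules = plistlib.loads(RULES_XML, fmt=plistlib.FMT_XML)
fixed = merge_evaluate_rules(rules)
print(unreachable_rules(rules), domain_action(fixed, "www.google.com"))
```

Apple documents NeverConnect as keeping the listed domains from triggering a connection attempt; it is not described as tearing down a tunnel that is already up.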