Best practices for providing password / private key to System Extension Packet Tunnel Extension
I am in the process of re-writing an existing macOS packet tunnel provider VPN implementation that uses an Application Extension to instead use a System Extension. The current app implementation stores the credentials for the VPN configuration in the keychain and provides a persistent reference via the NEVPNProtocol.passwordReference property to the packet tunnel provider implementation in the Application Extension. After some trial and error and reading various other posts, I believe that this approach is not possible when the packet tunnel provider is in a System Extension because it will not have access to a shared app group or keychain group. Given that, it seems like the only option is to pass these credentials in the NETunnelProviderProtocol.providerConfiguration property instead. My concern is that this may not be a secure place to put credentials, but the documentation does not specify how it is secured. So my question is what is the best practice for providing credentials from the host app to a packet tunnel provider in a System Extension if the keychain is not a viable option?
Replies: 8, Boosts: 0, Views: 1.2k, Activity: May ’21
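As an added illustration (not code from the original post), this is the persistent-reference flow the poster describes for the Application Extension case, in Swift: the host app writes the secret to the keychain and places only the returned reference in NEVPNProtocol.passwordReference, and the provider resolves that reference when the tunnel starts, so the VPN configuration itself never carries the password. Whether the last step succeeds from a System Extension is exactly the poster's open question; the service name, bundle identifier, server address and keychain access group are placeholder assumptions.

```swift
import Foundation
import NetworkExtension
import Security

// Host-app side: store the VPN password in the keychain and keep only a persistent
// reference (an opaque Data blob) for the VPN configuration. Service name and access
// group are placeholders; the group must be in both targets' keychain entitlements.
func storePasswordAndReturnReference(_ password: String, account: String,
                                     accessGroup: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.vpn",
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: accessGroup,
        kSecUseDataProtectionKeychain as String: true, // access groups need this keychain on macOS
        kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock,
        kSecValueData as String: Data(password.utf8),
        kSecReturnPersistentRef as String: true
    ]
    var result: CFTypeRef?
    let status = SecItemAdd(query as CFDictionary, &result)
    guard status == errSecSuccess, let ref = result as? Data else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    return ref
}
// Host-app side: the configuration carries the reference, never the secret itself.
func configureTunnel(passwordRef: Data, username: String) {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.vpn.tunnel" // placeholder
    proto.serverAddress = "vpn.example.com"                   // placeholder
    proto.username = username
    proto.passwordReference = passwordRef
    let manager = NETunnelProviderManager()
    manager.protocolConfiguration = proto
    manager.localizedDescription = "Example VPN"
    manager.saveToPreferences { error in
        if let error = error { NSLog("saveToPreferences failed: \(error)") }
    }
}
// Provider side (e.g. in startTunnel): resolve the reference back to the secret.
// This only succeeds when the extension can reach the same keychain item.
func resolvePassword(from ref: Data) -> String? {
    let query: [String: Any] = [kSecValuePersistentRef as String: ref,
                                kSecReturnData as String: true]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let data = result as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}
```

If resolvePassword returns nil inside the System Extension (typically errSecItemNotFound from SecItemCopyMatching), that is the symptom of the missing shared keychain access the poster describes.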