Thanks for the answer Quinn. Can you target Safari via the NETestAppMapping key in the info.plist if its an Enterprise build?

Hi Quinn, Thanks for your answer and those links. My app is a VPN app and the cert is packaged with the profile (mobile config). It's used by for some API calls to configure the VPN. Does that seem like a reasonable use case to create a DTS Tech support ticket for access to the com.apple.managed.vpn.shared keychain group? I'm assuming access would solve my problem. Thanks for all your help.

Just wondering if anyone else has ever submitted one of these requests and how long it takes? Is there a way to check the status of the request?

Thanks for that. I don't see the DNS traffic enter the tunnel so I need to debug that separately. I have two general questions: Could the DNS traffic be excluded using the ipv4Settings.excludedRoutes? Is excluded traffic just dropped or is it routed "normally", i.e. as if the tunnel wasn't running?

Thanks Quinn. Seems like excluding the DNS traffic isn't the way to go. I'll debug it further and see why I'm not getting any in the Tunnel.