Thanks eskimo!
With user enrollment MDM on iOS/iPadOS, SafariDomains don't seem to be supported. It doesn't specifically say so here (https://developer.apple.com/documentation/devicemanagement/applayervpn), but it doesn't wind up getting used.
Note, even Intune documentation calls this out: "Per-App VPN. This support excludes Safari Domains as User Enrollment doesn't support configuring Safari settings." (https://learn.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment-supported-actions)
Any chance this will be addressed any time soon? Without a way to specify SafariDomains or the original issue with WKWebView not respecting per-app VPN rules, there are no workarounds to the root issue (putting IP restrictions on corporate apps) except to go the route of doing whole device VPN (something we'd prefer not to do for privacy reasons).
Just to add one important detail - the above question is related to NEPacketTunnelProvider.
Is it still the case that NetworkExtensions can only be supported in the App Store? With Big Sur/M1, it is much harder to use the kext-based approaches and not all apps can live inside the App Store. Is there really no way to use this in an app outside of the App Store still?
Thanks!