I'm now setting sandbox to be false for both the containing app and the system network extension. And I'm getting the group container URL from and app and passing it into the network extension. This is the group container URL I used: /Users/<user_name>/Library/Group%20Containers/<group_id>/Crash/ Question: Is there any concern regarding disabling the sandbox for the app and the system network extension? We are not distributing the app in the App Store.

Thanks for the suggestion on the temporary exception entitlements! I tried to add the following entry into the network extension's entitlements file: <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key> <array> <string>/Library/Application Support</string> </array> But I still couldn't read or write to the directory from the network extension process. This is the error I got: mkdir /Users/<user_name>/Library/Application Support/Crash/: Operation not permitted (1)

Yes, we have configured on demand, but even if we disabled the on demand, the VPN would still auto reconnect. Code with on demand enabled: newManager.enabled = YES; [newManager setOnDemandEnabled:YES]; newManager.onDemandRules = @[ alwaysOnRule ]; Code with on demand disabled: newManager.enabled = YES; [newManager setOnDemandEnabled:NO];