Our NEAppProxyProvider is implemented in a network extension that successfully installs and operates using our normal MDM installation methods, but fails to locate the necessary identity certificate using the certificate reference passed by the OS when installed using the Apple User Enrolment feature. Although the reference is non-null, calling SecItemCopyMatching() using this persistentIdentityRef fails with status "-25300" - the identity cannot be found in the keychain. These identical issues have already been reported to Apple (see https://forums.developer.apple.com/thread/132295 and https://forums.developer.apple.com/thread/123374 ). We have been distributing this product for many years and have all the proper entitlements, so that is not the issue. This appears to be a bug rather than a design decision, since we are passed a persistent identity reference - if the intention was to simply deny us the ability to operate, obviously the OS should pass a NULL reference.
Everything just works fine in Device Enrolment mode and the issue is seen only in user enrolment mode.
Please let us know the best way to proceed and fix this issue.
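The following is an added diagnostic example, not code from the post or from the product described. It resolves a persistent identity reference the way the post describes, using SecItemCopyMatching() with kSecValuePersistentRef, and reports the keychain status by name so that errSecItemNotFound (-25300, the status quoted above) can be told apart from an entitlement failure (errSecMissingEntitlement, -34018). The assumption that the reference comes from `protocolConfiguration.identityReference` on the provider is this example's, not the post's.

```swift
import Foundation
import Security

/// Outcome of looking up an identity by its persistent keychain reference.
enum IdentityLookup {
    case found(SecIdentity)
    case failed(OSStatus)
}

/// Resolve a persistent identity reference (such as the Data handed to the
/// provider in `protocolConfiguration.identityReference`, assumed here) into
/// a SecIdentity. Returns the raw OSStatus on failure so callers can log it.
func resolveIdentity(persistentRef: Data) -> IdentityLookup {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecValuePersistentRef: persistentRef,
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let result = item else {
        return .failed(status)
    }
    // Defensive type check: a persistent ref for a non-identity item would
    // return a different Core Foundation type.
    guard CFGetTypeID(result) == SecIdentityGetTypeID() else {
        return .failed(errSecInvalidItemRef)
    }
    return .found(result as! SecIdentity)
}

/// Human-readable status for logging: distinguishes "item not found"
/// (-25300) from "missing entitlement" (-34018), which matters when deciding
/// whether the keychain item is absent or merely inaccessible to the process.
func describe(_ status: OSStatus) -> String {
    let name: String
    switch status {
    case errSecItemNotFound:       name = "errSecItemNotFound"
    case errSecMissingEntitlement: name = "errSecMissingEntitlement"
    case errSecInvalidItemRef:     name = "errSecInvalidItemRef"
    default:                       name = "OSStatus"
    }
    if let msg = SecCopyErrorMessageString(status, nil) as String? {
        return "\(name) (\(status)): \(msg)"
    }
    return "\(name) (\(status))"
}

// Example use inside an NEAppProxyProvider subclass (hypothetical call site):
//
//   if let ref = protocolConfiguration.identityReference {
//       switch resolveIdentity(persistentRef: ref) {
//       case .found(let identity):
//           NSLog("identity resolved: \(identity)")
//       case .failed(let status):
//           NSLog("identity lookup failed: \(describe(status))")
//       }
//   } else {
//       NSLog("no identity reference supplied by the OS")
//   }
```

Logging the named status rather than the bare number makes it clear in the extension's logs whether the reference points at an item the process cannot see at all (-25300) or at one it is not entitled to read (-34018); the post reports the former under User Enrollment and normal operation under Device Enrollment.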