I am also encountering the same issue with missing "com.apple.managed.vpn.shared" keychain access which is blocking network extension development on iOS due to not being able to access the client certificate included in the configuration profile. Is there an existing support ticket that I can add to raise the priority or should I create a new one?
In the meantime, here is what I observe. Using the "new" network extension entitlement on the AppID I get a provisioning profile without the "com.apple.managed.vpn.shared" keychain access:
<key>Entitlements</key>
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
</array>
<key>keychain-access-groups</key>
<array>
<string>Z7N7QHVWT2.*</string>
</array>
<key>get-task-allow</key>
<true/>
<key>application-identifier</key>
<string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.vmware.ios-tunnel</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>S2ZMFGQM93</string>
</dict>
And if I use the old method of adding the Network Extension iOS (Dev) entitlement when creating the development provisioning profile I get a profile without the "com.apple.managed.vpn.shared" keychain access but with a "com.apple.developer.networking.Hotspot" entitlement added:
<dict>
<key>keychain-access-groups</key>
<array>
<string>Z7N7QHVWT2.*</string>
</array>
<key>get-task-allow</key>
<true/>
<key>application-identifier</key>
<string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.vmware.ios-tunnel</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>S2ZMFGQM93</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
</array>
<key>com.apple.developer.networking.HotspotHelper</key>
<true/>
</dict>
This is close to the previous profile which has both the keychain access and the Hotspot profile:
<dict>
<key>keychain-access-groups</key>
<array>
<string>Z7N7QHVWT2.*</string>
<string>com.apple.managed.vpn.shared</string>
</array>
<key>get-task-allow</key>
<true/>
<key>application-identifier</key>
<string>Z7N7QHVWT2.com.vmware.ios-tunnel</string>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.vmware.ios-tunnel</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>S2ZMFGQM93</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
</array>
<key>com.apple.developer.networking.HotspotHelper</key>
<true/>
</dict>