ISSUE
Our SDK leverages built-in iOS IPSec engine and is built on top of NetworkExtension framework.
One of our SDK's users complained about not being able to connect to VPN on his device(s). From the logs we he sent, we saw this:
Method `loadFromPreferencesWithCompletionHandler:` failed (error: Error Domain=NEVPNErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}).
He also reported an absense of VPN profile in Settings.app.
Looking through our code we see that this log message is posted in the loadFromPreferencesWithCompletionHandler: callback of NEVPNManager's instance. Error code seems to correspond to NEVPNErrorConfigurationReadWriteFailed = 5
ATTEMPTS TO FIX
We cannot reproduce it on our end, so I have done two things to investigate the cause:
1) entitlement in Provision Profile -- it has "allow-vpn". Moreover, an app bundle provisioned with the same profile works for us, but does not work for the user
2) Using Apple Configurator 2, I supervised my device and added a configuration profile with A) a restriction to add Configuration profiles B) a restriction to add VPN profiles. Anazingly, I still can add VPN profile to my device from the very same app. VPN does work.
At this point, I'm really confized what to do here. Can anybody please give me a clue?