Yes. You are right about the scenario.
The App entitlement is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>$(TeamIdentifierPrefix)com.mycompany.mytestbundleID</string>
</array>
<key>com.apple.security.files.downloads.read-write</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
The System Extension entitlement is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>$(TeamIdentifierPrefix)com.mycompany.mytestbundleID</string>
</array>
<key>com.apple.security.files.downloads.read-write</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
I activate the SystemExtension in the App with:
#import <SystemExtensions/SystemExtensions.h>
// Ask the system to activate the packet-tunnel system extension bundled inside the App
OSSystemExtensionRequest* request = [OSSystemExtensionRequest activationRequestForExtension:@"com.mycompany.mytestbundleID.PacketTunnel" queue:dispatch_get_main_queue()];
request.delegate = (id)self; // self must conform to OSSystemExtensionRequestDelegate
[[OSSystemExtensionManager sharedManager] submitRequest:request];
System Preferences is launched and asks me to Allow the SystemExtension. I Allow it. Then I run "systemextensionsctl list" and I can see the SystemExtension is "[activated enabled]". After that, the App loads NETunnelProviderManager and then calls NEVPNConnection.startVPNTunnelAndReturnError, and I can see the SystemExtension process ( /Library/SystemExtensions/E7EF657E-F2EB-446A-8630-120A52F6098E/com.mycompany.mytestbundleID.PacketTunnel.systemextension/Contents/MacOS/com.mycompany.mytestbundleID.PacketTunnel ) being launched by launchd, and NEPacketTunnelProvider.startTunnelWithOptions() being invoked.
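The flow the post describes (activation request, user approval, then loading a NETunnelProviderManager and starting the tunnel) in one place, as an added example that is not part of the original post or of the poster's project. It reuses the extension bundle identifier from the post; the server address, the class name TunnelActivator and the tunnel description are placeholders assumed for illustration. Two details are worth having explicit: the replacement delegate callback compares bundle versions so an older build never silently replaces a newer one, and the manager is reloaded after it is saved before the connection is started, because starting a freshly saved manager commonly fails until it has been loaded again.

```objective-c
// Added example, not code from the original post. Bundle identifier is the one from
// the post; kTunnelServerAddress, TunnelActivator and the description are placeholders.
#import <Foundation/Foundation.h>
#import <SystemExtensions/SystemExtensions.h>
#import <NetworkExtension/NetworkExtension.h>

static NSString *const kExtensionBundleID = @"com.mycompany.mytestbundleID.PacketTunnel";
static NSString *const kTunnelServerAddress = @"vpn.example.invalid"; // placeholder

@interface TunnelActivator : NSObject <OSSystemExtensionRequestDelegate>
- (void)activateExtension;
- (void)startTunnel;
@end

@implementation TunnelActivator

- (void)activateExtension {
    OSSystemExtensionRequest *request =
        [OSSystemExtensionRequest activationRequestForExtension:kExtensionBundleID
                                                          queue:dispatch_get_main_queue()];
    request.delegate = self;
    [[OSSystemExtensionManager sharedManager] submitRequest:request];
}

#pragma mark - OSSystemExtensionRequestDelegate

// Called when another version of the extension is already installed.
// Replace only when the incoming build is not older than the installed one.
- (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
                  actionForReplacingExtension:(OSSystemExtensionProperties *)existing
                                withExtension:(OSSystemExtensionProperties *)ext {
    NSComparisonResult cmp = [ext.bundleVersion compare:existing.bundleVersion
                                                options:NSNumericSearch];
    return (cmp == NSOrderedAscending) ? OSSystemExtensionReplacementActionCancel
                                       : OSSystemExtensionReplacementActionReplace;
}

// The user has to approve the extension in System Preferences / System Settings.
- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request {
    NSLog(@"Waiting for user approval of %@", request.identifier);
}

- (void)request:(OSSystemExtensionRequest *)request
didFinishWithResult:(OSSystemExtensionRequestResult)result {
    if (result == OSSystemExtensionRequestWillCompleteAfterReboot) {
        NSLog(@"Extension will be activated after reboot");
        return;
    }
    // Extension now shows as [activated enabled] in `systemextensionsctl list`.
    [self startTunnel];
}

- (void)request:(OSSystemExtensionRequest *)request didFailWithError:(NSError *)error {
    NSLog(@"Activation failed: %@", error);
}

#pragma mark - Tunnel configuration and start

- (void)startTunnel {
    [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:
     ^(NSArray<NETunnelProviderManager *> *managers, NSError *loadError) {
        if (loadError) { NSLog(@"load failed: %@", loadError); return; }

        // Reuse the configuration bound to our extension; otherwise create one.
        NETunnelProviderManager *manager = nil;
        for (NETunnelProviderManager *m in managers) {
            NETunnelProviderProtocol *p = (NETunnelProviderProtocol *)m.protocolConfiguration;
            if ([p.providerBundleIdentifier isEqualToString:kExtensionBundleID]) {
                manager = m;
                break;
            }
        }
        if (!manager) {
            manager = [[NETunnelProviderManager alloc] init];
            NETunnelProviderProtocol *proto = [[NETunnelProviderProtocol alloc] init];
            proto.providerBundleIdentifier = kExtensionBundleID; // ties this config to our extension
            proto.serverAddress = kTunnelServerAddress;
            manager.protocolConfiguration = proto;
            manager.localizedDescription = @"My Test Tunnel"; // placeholder
        }
        manager.enabled = YES;

        [manager saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            if (saveError) { NSLog(@"save failed: %@", saveError); return; }
            // Reload after saving; a just-saved manager cannot be started reliably.
            [manager loadFromPreferencesWithCompletionHandler:^(NSError *reloadError) {
                if (reloadError) { NSLog(@"reload failed: %@", reloadError); return; }
                NSError *startError = nil;
                // This is the call that makes launchd start the extension process and
                // invoke NEPacketTunnelProvider startTunnelWithOptions:completionHandler:.
                if (![manager.connection startVPNTunnelAndReturnError:&startError]) {
                    NSLog(@"start failed: %@", startError);
                }
            }];
        }];
    }];
}

@end
```

Drive it from the App with `[[TunnelActivator new] activateExtension];` and keep the instance alive until the delegate callbacks have fired, since the request only holds a weak reference to its delegate.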