Skip to content

feat: add MDM managed app configuration support for iOS #105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dbrieck wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: add MDM managed app configuration support for iOS #105

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
13d49e7
feat: add MDM managed app configuration support for iOS
dbrieck-pengate Apr 24, 2026
5e6a597
fix: pass MDM management URL to NewAuth for setup key login
dbrieck-pengate Apr 24, 2026
3b41a30
fix: read iOS managed app config from standard defaults
Jun 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions NetBird.xcodeproj/project.pbxproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,10 @@
A1C3D5EE2F000008001A2B3C /* CellularOnDemandPolicy.swift in Sources */ = {isa = PBXBuildFile; fileRef = A1C3D5E82F000002001A2B3C /* CellularOnDemandPolicy.swift */; };
A1C3D5EF2F000009001A2B3C /* CellularOnDemandPolicy.swift in Sources */ = {isa = PBXBuildFile; fileRef = A1C3D5E82F000002001A2B3C /* CellularOnDemandPolicy.swift */; };
A1C3D5F02F00000A001A2B3C /* CellularOnDemandPolicy.swift in Sources */ = {isa = PBXBuildFile; fileRef = A1C3D5E82F000002001A2B3C /* CellularOnDemandPolicy.swift */; };
BB1100012F30000100000001 /* ManagedConfigReader.swift in Sources */ = {isa = PBXBuildFile; fileRef = BB1100002F30000100000001 /* ManagedConfigReader.swift */; };
BB1100022F30000100000001 /* ManagedConfigReader.swift in Sources */ = {isa = PBXBuildFile; fileRef = BB1100002F30000100000001 /* ManagedConfigReader.swift */; };
BB1100032F30000100000001 /* ManagedConfigReader.swift in Sources */ = {isa = PBXBuildFile; fileRef = BB1100002F30000100000001 /* ManagedConfigReader.swift */; };
BB1100042F30000100000001 /* ManagedConfigReader.swift in Sources */ = {isa = PBXBuildFile; fileRef = BB1100002F30000100000001 /* ManagedConfigReader.swift */; };
AA0001012F22000100000001 /* ProfileManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA0001002F22000100000001 /* ProfileManager.swift */; };
AA0001022F22000100000001 /* ProfileManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA0001002F22000100000001 /* ProfileManager.swift */; };
AA0001032F22000100000001 /* ProfileManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA0001002F22000100000001 /* ProfileManager.swift */; };
Expand Down Expand Up @@ -359,6 +363,7 @@
AA0009002F22000900000001 /* ProfileConnectionCache.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ProfileConnectionCache.swift; sourceTree = "<group>"; };
AA1B2C012F4E5A0100D1E2F3 /* TVGradientBackground.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TVGradientBackground.swift; sourceTree = "<group>"; };
B1A2C3D32F3A000100000001 /* PeerDetailSheet.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PeerDetailSheet.swift; sourceTree = "<group>"; };
BB1100002F30000100000001 /* ManagedConfigReader.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ManagedConfigReader.swift; sourceTree = "<group>"; };
BB3D4E012F4E5A0200D1E2F3 /* TVPreSharedKeyButton.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TVPreSharedKeyButton.swift; sourceTree = "<group>"; };
C7A1CFF65CC44187912007EC /* iOSNetworksView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = iOSNetworksView.swift; sourceTree = "<group>"; };
CC5F6A012F4E5A0300D1E2F3 /* TVQRCodeSheet.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TVQRCodeSheet.swift; sourceTree = "<group>"; };
Expand Down Expand Up @@ -601,6 +606,7 @@
AA0001002F22000100000001 /* ProfileManager.swift */,
AA0009002F22000900000001 /* ProfileConnectionCache.swift */,
A1B2C3D42EEDF500001A2B3C /* ConfigurationProvider.swift */,
BB1100002F30000100000001 /* ManagedConfigReader.swift */,
50245A2D2A7BDC470034792B /* NetworkChangeListener.swift */,
50CD81612AD0595E00CF830B /* DNSManager.swift */,
50E608022A7950CB00BAF09B /* Device.swift */,
Expand Down Expand Up @@ -1058,6 +1064,7 @@
BB3D4E022F4E5A0200D1E2F3 /* TVPreSharedKeyButton.swift in Sources */,
CC5F6A022F4E5A0300D1E2F3 /* TVQRCodeSheet.swift in Sources */,
978FC4732EEDF167002D0EB8 /* AppLogger.swift in Sources */,
BB1100012F30000100000001 /* ManagedConfigReader.swift in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
Expand All @@ -1084,6 +1091,7 @@
44F3E3942EE2151100C87FEC /* ConnectionListener.swift in Sources */,
44F3E38C2EE214E300C87FEC /* NetBirdAdapter.swift in Sources */,
978FC4722EEDF167002D0EB8 /* AppLogger.swift in Sources */,
BB1100022F30000100000001 /* ManagedConfigReader.swift in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
Expand Down Expand Up @@ -1111,6 +1119,7 @@
505118CF2AD96ECA003027D3 /* x25519.c in Sources */,
F1B292082EE0AC2A001D91B8 /* EnvVarPackager.swift in Sources */,
978FC4712EEDF167002D0EB8 /* AppLogger.swift in Sources */,
BB1100032F30000100000001 /* ManagedConfigReader.swift in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
Expand Down Expand Up @@ -1152,6 +1161,7 @@
AA0001042F22000100000001 /* ProfileManager.swift in Sources */,
AA0009042F22000900000001 /* ProfileConnectionCache.swift in Sources */,
A1B2C3D62EEDF502001A2B3C /* ConfigurationProvider.swift in Sources */,
BB1100042F30000100000001 /* ManagedConfigReader.swift in Sources */,
50CD81B02AD5B94D00CF830B /* PeerCard.swift in Sources */,
B1A2C3D42F3A000100000001 /* PeerDetailSheet.swift in Sources */,
50003BCE2AFD405600E5EB6B /* ConnectionListener.swift in Sources */,
Expand Down
4 changes: 4 additions & 0 deletions NetBird/Source/App/NetBirdApp.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,10 @@ struct NetBirdApp: App {
activationTask = Task { @MainActor in
guard isAppActive, !Task.isCancelled else { return }

#if os(iOS)
viewModel.networkExtensionAdapter.applyManagedConfig()
#endif

if let initialStatus = await viewModel.networkExtensionAdapter.loadCurrentConnectionState() {
viewModel.extensionState = initialStatus
viewModel.updateVPNDisplayState()
Expand Down
173 changes: 173 additions & 0 deletions NetbirdKit/ManagedConfigReader.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
//
// ManagedConfigReader.swift
// NetBird
//
// Reads MDM-managed app configuration pushed via Apple Managed App Configuration (AppConfig).
// Configuration is delivered through the com.apple.configuration.managed UserDefaults key
// by MDM solutions such as Microsoft Intune, Jamf Pro, VMware Workspace ONE, or Mosyle.
//
// Key names match those defined in the Go SDK's ManagedConfig constants.
//

import Foundation
import NetBirdSDK
import os

/// Reads and applies MDM-managed app configuration from the Apple managed configuration domain.
///
/// ## How it works
/// - MDM pushes key-value pairs to the `com.apple.configuration.managed` UserDefaults key
/// - This reader checks that dictionary for NetBird-specific keys
/// - Values are applied to the Go SDK's config file, overriding user preferences
/// - Setup keys trigger silent device registration without user interaction
///
/// ## Supported keys
/// - `managementUrl` — Management server URL
/// - `setupKey` — Setup key for silent device registration
/// - `adminUrl` — Admin dashboard URL
/// - `preSharedKey` — WireGuard pre-shared key
/// - `rosenpassEnabled` — Enable Rosenpass post-quantum encryption
/// - `rosenpassPermissive` — Allow non-Rosenpass peers
/// - `disableAutoConnect` — Prevent auto-connect on launch
class ManagedConfigReader {

private static let logger = Logger(subsystem: "io.netbird.app", category: "ManagedConfigReader")

/// The Apple-native MDM managed configuration key in UserDefaults.standard.
private static let managedConfigurationKey = "com.apple.configuration.managed"

private static func managedConfigurationDictionary() -> [String: Any]? {
if let dict = UserDefaults.standard.dictionary(forKey: managedConfigurationKey) {
return dict
}

if let value = UserDefaults.standard.object(forKey: managedConfigurationKey) {
logger.warning("ManagedConfigReader: managed configuration value has unsupported root type: \(String(describing: type(of: value)), privacy: .public)")
} else {
logger.debug("ManagedConfigReader: managed configuration dictionary not available")
}

return nil
}

private static func managedStringValue(from dict: [String: Any], key: String) -> String? {
guard let rawValue = dict[key] as? String else { return nil }
let trimmedValue = rawValue.trimmingCharacters(in: .whitespacesAndNewlines)

if rawValue != trimmedValue {
logger.info("ManagedConfigReader: trimmed whitespace from MDM string value for key \(key, privacy: .public)")
}

return trimmedValue.isEmpty ? nil : trimmedValue
}

/// Reads managed configuration from the MDM domain.
/// Returns a populated ManagedConfig, or nil if no MDM config is available.
static func read() -> NetBirdSDKManagedConfig? {
guard let dict = managedConfigurationDictionary() else {
return nil
}

// Check if any NetBird keys are present
let managementUrlKey = NetBirdSDKGetManagedConfigKeyManagementURL()
let setupKeyKey = NetBirdSDKGetManagedConfigKeySetupKey()
let adminUrlKey = NetBirdSDKGetManagedConfigKeyAdminURL()
let preSharedKeyKey = NetBirdSDKGetManagedConfigKeyPreSharedKey()
let rosenpassEnabledKey = NetBirdSDKGetManagedConfigKeyRosenpassEnabled()
let rosenpassPermissiveKey = NetBirdSDKGetManagedConfigKeyRosenpassPermissive()
let disableAutoConnectKey = NetBirdSDKGetManagedConfigKeyDisableAutoConnect()

guard let config = NetBirdSDKNewManagedConfig() else {
logger.error("ManagedConfigReader: failed to create ManagedConfig")
return nil
}

if let managementUrl = managedStringValue(from: dict, key: managementUrlKey) {
config.setManagementURL(managementUrl)
logger.info("ManagedConfigReader: management URL configured")
}

if let setupKey = managedStringValue(from: dict, key: setupKeyKey) {
config.setSetupKey(setupKey)
// Do not log the setup key value for security
logger.info("ManagedConfigReader: setup key configured")
}

if let adminUrl = managedStringValue(from: dict, key: adminUrlKey) {
config.setAdminURL(adminUrl)
logger.info("ManagedConfigReader: admin URL configured")
}

if let preSharedKey = managedStringValue(from: dict, key: preSharedKeyKey) {
config.setPreSharedKey(preSharedKey)
logger.info("ManagedConfigReader: pre-shared key configured")
}

if let rosenpassEnabled = dict[rosenpassEnabledKey] as? Bool {
config.setRosenpassEnabled(rosenpassEnabled)
logger.info("ManagedConfigReader: Rosenpass enabled=\(rosenpassEnabled)")
}

if let rosenpassPermissive = dict[rosenpassPermissiveKey] as? Bool {
config.setRosenpassPermissive(rosenpassPermissive)
logger.info("ManagedConfigReader: Rosenpass permissive=\(rosenpassPermissive)")
}

if let disableAutoConnect = dict[disableAutoConnectKey] as? Bool {
config.setDisableAutoConnect(disableAutoConnect)
logger.info("ManagedConfigReader: disable auto-connect=\(disableAutoConnect)")
}

guard config.hasConfig() else {
logger.debug("ManagedConfigReader: no NetBird keys found in managed config")
return nil
}

logger.info("ManagedConfigReader: MDM managed configuration loaded successfully")
return config
}

/// Returns true if any MDM-managed configuration is available.
static func hasManagedConfig() -> Bool {
guard let config = read() else { return false }
return config.hasConfig()
}

/// Applies MDM config to the config file and optionally performs setup key registration.
/// - Parameters:
/// - configPath: Path to the NetBird config file
/// - deviceName: Device name for registration
/// - Returns: true if MDM config was applied
@discardableResult
static func applyIfAvailable(configPath: String, deviceName: String) -> Bool {
guard let config = read() else { return false }

do {
try config.apply(configPath)
logger.info("ManagedConfigReader: MDM config applied to \(configPath)")
} catch {
logger.error("ManagedConfigReader: failed to apply MDM config: \(error.localizedDescription)")
return false
}

// If MDM provides a setup key, attempt silent registration.
// Pass the MDM management URL so NewAuth connects to the correct server.
if config.hasSetupKey() {
let mgmtUrl = config.getManagementURL()
do {
guard let auth = NetBirdSDKNewAuth(configPath, mgmtUrl, nil) else {
logger.warning("ManagedConfigReader: failed to create Auth for setup key login")
return true
}
try auth.login(withSetupKeySync: config.getSetupKey(), deviceName: deviceName)
logger.info("ManagedConfigReader: silent setup key registration completed")
} catch {
// Setup key login may fail if already registered or key expired.
// This is not fatal — continue with normal flow.
logger.warning("ManagedConfigReader: setup key login skipped or failed: \(error.localizedDescription)")
}
}

return true
}
}
19 changes: 19 additions & 0 deletions NetbirdKit/NetworkExtensionAdapter.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,10 @@ public class NetworkExtensionAdapter: ObservableObject {
// This must happen in the main app — not via IPC — because the extension
// process may not be running yet when start() is called.
restoreConfigIfMissing()

// Apply MDM managed configuration before login.
// MDM values override user-set preferences on every launch.
applyManagedConfig()
#endif
await loginIfRequired()
logger.info("start: loginIfRequired() completed")
Expand All @@ -93,6 +97,21 @@ public class NetworkExtensionAdapter: ObservableObject {
logger.info("start: EXIT")
}

#if os(iOS)
/// Reads and applies MDM-managed app configuration if available.
/// MDM config is delivered via the com.apple.configuration.managed UserDefaults key.
public func applyManagedConfig() {
guard let configPath = Preferences.configFile() else {
logger.warning("applyManagedConfig: config path unavailable")
return
}
let deviceName = Device.getName()
if ManagedConfigReader.applyIfAvailable(configPath: configPath, deviceName: deviceName) {
logger.info("applyManagedConfig: MDM config applied successfully")
}
}
#endif

#if os(iOS)
/// If the active profile's config file is missing (deleted after logout) but we have
/// a saved management URL, write a minimal config so the SDK uses the correct server
Expand Down
12 changes: 12 additions & 0 deletions NetbirdNetworkExtension/PacketTunnelProvider.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,18 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
return
}

// Apply MDM managed configuration at the extension level.
// This ensures MDM values are applied even when the extension starts
// independently (e.g., via On Demand or Always-on VPN).
#if os(iOS)
if let extensionConfigPath = Preferences.configFile() {
let deviceName = Device.getName()
if ManagedConfigReader.applyIfAvailable(configPath: extensionConfigPath, deviceName: deviceName) {
AppLogger.shared.log("PacketTunnelProvider: MDM managed config applied")
}
}
#endif
Comment on lines +72 to +82

@coderabbitai coderabbitai Bot Jun 4, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify NetBirdAdapter exposes initializedConfigPath and check for consistent usage

# Check if NetBirdAdapter has initializedConfigPath property
echo "=== Checking NetBirdAdapter.initializedConfigPath ==="
rg -n -A2 -B2 'var initializedConfigPath' --type=swift

# Find all usages of Preferences.configFile() to check for similar pattern issues
echo -e "\n=== All usages of Preferences.configFile() ==="
rg -n -C3 'Preferences\.configFile\(\)' --type=swift

# Check if there are other places applying MDM config
echo -e "\n=== All ManagedConfigReader.applyIfAvailable call sites ==="
rg -n -C5 'ManagedConfigReader\.applyIfAvailable' --type=swift

Repository: netbirdio/ios-client

Length of output: 14124

🏁 Script executed:

#!/bin/bash
# Inspect the adapter initialization path in PacketTunnelProvider.swift
echo "=== PacketTunnelProvider.swift: startTunnel adapter init context (lines ~30-110) ==="
sed -n '1,200p' NetbirdNetworkExtension/PacketTunnelProvider.swift | nl -ba | sed -n '30,120p'

# Inspect NetBirdAdapter.swift around initializedConfigPath definition and init logic
echo -e "\n=== NetBirdAdapter.swift: initializedConfigPath + init implementation (lines ~230-360) ==="
sed -n '220,360p' NetbirdNetworkExtension/NetBirdAdapter.swift | nl -ba

# Find where adapter is created in PacketTunnelProvider.swift (search for NetBirdAdapter(...))
echo -e "\n=== PacketTunnelProvider.swift: NetBirdAdapter creation ==="
rg -n "NetBirdAdapter\\(" NetbirdNetworkExtension/PacketTunnelProvider.swift

Repository: netbirdio/ios-client

Length of output: 686

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== PacketTunnelProvider.swift: startTunnel context (around adapter creation) ==="
sed -n '1,230p' NetbirdNetworkExtension/PacketTunnelProvider.swift | cat -n | sed -n '20,220p'

echo -e "\n=== PacketTunnelProvider.swift: second adapter re-init context (around line ~160-220) ==="
sed -n '130,230p' NetbirdNetworkExtension/PacketTunnelProvider.swift | cat -n | sed -n '130,230p'

echo -e "\n=== NetBirdAdapter.swift: initializedConfigPath definition + init (around ~230-340) ==="
sed -n '220,360p' NetbirdNetworkExtension/NetBirdAdapter.swift | cat -n | sed -n '220,360p'

echo -e "\n=== NetBirdAdapter.swift: init sets configPath/statePath (search for initializedConfigPath assignment) ==="
rg -n "initializedConfigPath" NetbirdNetworkExtension/NetBirdAdapter.swift

echo -e "\n=== NetBirdAdapter.swift: init signature and how configPath is chosen ==="
sed -n '240,320p' NetbirdNetworkExtension/NetBirdAdapter.swift | cat -n

echo -e "\n=== PacketTunnelProvider.swift: current MDM block lines 60-95 ==="
sed -n '50,110p' NetbirdNetworkExtension/PacketTunnelProvider.swift | cat -n

Repository: netbirdio/ios-client

Length of output: 18715

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Find where startVPNTunnel passes configPath/statePath options (iOS app side) ==="
rg -n "startVPNTunnel\\(" -S --type=swift

echo -e "\n=== Find ManagedConfigReader implementation ==="
fd -a "ManagedConfigReader.swift" . 2>/dev/null || true
fd -a "ManagedConfigReader" . 2>/dev/null || true
rg -n "struct ManagedConfigReader|class ManagedConfigReader|ManagedConfigReader\\.applyIfAvailable" --type=swift

echo -e "\n=== Show ManagedConfigReader.applyIfAvailable implementation ==="
rg -n "applyIfAvailable\\(" --type=swift NetbirdKit NetbirdNetworkExtension . || true

Repository: netbirdio/ios-client

Length of output: 2342

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== NetbirdKit/ManagedConfigReader.swift: applyIfAvailable (around ~120-220) ==="
sed -n '1,240p' NetbirdKit/ManagedConfigReader.swift | cat -n

echo -e "\n=== PacketTunnelProvider.swift: adapter options configPath/statePath extraction (lines ~30-60) ==="
sed -n '30,90p' NetbirdNetworkExtension/PacketTunnelProvider.swift | cat -n

Repository: netbirdio/ios-client

Length of output: 12429

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== NetworkExtensionAdapter.swift: options passed to startVPNTunnel ==="
sed -n '430,560p' NetbirdKit/NetworkExtensionAdapter.swift | cat -n

echo -e "\n=== Preferences.configFile() implementation ==="
rg -n "func configFile\\(" -S --type=swift NetbirdKit NetbirdNetworkExtension Netbird/NetBird* . || true

# Show the file(s) containing configFile()
files=$(rg -l "configFile\\(" --type=swift NetbirdKit NetbirdNetworkExtension NetBird/Source . || true)
echo -e "\n=== Files mentioning Preferences.configFile() ==="
echo "$files" | head -n 50

if [ -n "${files:-}" ]; then
  for f in $(echo "$files" | head -n 10); do
    echo -e "\n--- $f (around configFile) ---"
    rg -n "configFile\\(" "$f" --type=swift
    # Print a small window around the first hit
    line=$(rg -n "configFile\\(" "$f" --type=swift | head -n1 | cut -d: -f1)
    start=$((line-20)); end=$((line+40))
    sed -n "${start},${end}p" "$f" | cat -n
  done
fi

Repository: netbirdio/ios-client

Length of output: 41085

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== NetbirdKit/Preferences.swift: configFile() implementation (around ~60-120) ==="
sed -n '50,130p' NetbirdKit/Preferences.swift | cat -n

echo -e "\n=== NetbirdKit/ProfileManager.swift: activeConfigPath()/default config path derivation (around migrateIfNeeded references) ==="
rg -n "activeConfigPath|active.*configPath|default.*configPath|migrateIfNeeded\\(" NetbirdKit/ProfileManager.swift NetbirdKit -S --type=swift
sed -n '240,380p' NetbirdKit/ProfileManager.swift | cat -n

Repository: netbirdio/ios-client

Length of output: 11984

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== NetBirdAdapter.needsLogin() implementation ==="
rg -n "func needsLogin\\(" NetbirdNetworkExtension/NetBirdAdapter.swift --type=swift
# Print around the definition (best-effort line window)
line=$(rg -n "func needsLogin\\(" NetbirdNetworkExtension/NetBirdAdapter.swift --type=swift | head -n1 | cut -d: -f1)
start=$((line-40)); end=$((line+80))
sed -n "${start},${end}p" NetbirdNetworkExtension/NetBirdAdapter.swift | cat -n

Repository: netbirdio/ios-client

Length of output: 5728

Apply MDM managed config using the adapter’s initialized config path, not Preferences.configFile()

PacketTunnelProvider.startTunnel (lines 72-82) applies MDM via Preferences.configFile() (profile-aware via ProfileManager.shared.activeConfigPath()), while the adapter is (re)created using the startVPNTunnel options configPath and stores that in adapter.initializedConfigPath. If the active profile changes between startVPNTunnel(options:) and startTunnel, MDM settings (management URL / setup key, etc.) can be written to a different profile’s config than the adapter will read.

Use adapter.initializedConfigPath (or the options-derived configPath) as the configPath passed to ManagedConfigReader.applyIfAvailable(...).

Also consider logging when applyIfAvailable(...) returns false for easier diagnosis when no managed config is present.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@NetbirdNetworkExtension/PacketTunnelProvider.swift` around lines 72 - 82, The
PacketTunnelProvider.startTunnel block currently calls
ManagedConfigReader.applyIfAvailable with Preferences.configFile(); change it to
use the adapter's initialized config path (adapter.initializedConfigPath) or the
startVPNTunnel options-derived configPath that was used to create the adapter so
MDM is applied to the same profile the adapter will read (locate the code around
PacketTunnelProvider.startTunnel and the Adapter/adapter initialization path).
Also add a log path when ManagedConfigReader.applyIfAvailable(...) returns false
so failures to find/apply managed config are visible (use AppLogger.shared.log
or AppLogger.shared.error in the same conditional).


if adapter.needsLogin() {
signalLoginRequired()
// Return the error immediately so iOS tears down the tunnel interface at once.
Expand Down