Managed app is unable to start its network extension in iOS 14

I have an app that contains an NEPacketTunnelProvider network extension. Some users are reporting that after upgrading their devices to iOS 14 they are no longer able to start the VPN. We have manage to reproduce the issue, and it only happens when all the following conditions are true:

• The app is managed by MDM

• The App Store version of the app is installed (not an enterprise signed ipa)

• The device is running iOS 14

If any of the above conditions are not true, the VPN can be started without any issues. Because of the requirement to use the App Store version of the app to reproduce, it's very difficult to debug. What I would like to understand is if something changed in iOS 14 that would make an app with a network extension behave differently when under MDM management.

I did try sysdiagnose, and I see this pattern of messages generated by nesessionmanager:

Code Block 
default	2020-09-25 14:42:32.086975 -0700	nesessionmanager	<NESMServer: 0x102904140>: Register Enterprise VPN Session: NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]
default	2020-09-25 14:42:32.087013 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Successfully registered
info	2020-09-25 14:42:32.088550 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)] starting with configuration: {
    name = <13-char-str>
    identifier = 5FC13677-04FA-46AD-B91B-4BB9E6307DA2
    applicationName = <App name redacted>
    application = <bundle id redacted>
    grade = 1
    VPN = {
        enabled = YES
        onDemandEnabled = NO
        disconnectOnDemandEnabled = NO
        onDemandUserOverrideDisabled = NO
        protocol = {
            type = plugin
            identifier = D7017CED-21BA-461D-B347-79611DD4AFC0
            serverAddress = <5-char-str>
            identityDataImported = NO
            disconnectOnSleep = NO
            disconnectOnIdle = NO
            disconnectOnIdleTimeout = 0
            disconnectOnWake = NO
            disconnectOnWakeTimeout = 0
            includeAllNetworks = NO
            excludeLocalNetworks = NO
            pluginType = <bundle id redacted>
            authenticationMethod = 0
            reassertTimeout = 0
        }
        tunnelType = packet
    }
}
info	2020-09-25 14:42:32.088586 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)] is no longer idle, beginning transaction
info	2020-09-25 14:42:32.088598 -0700	nesessionmanager	Active session count is greater than 0, setting hasActiveSessions flag
default	2020-09-25 14:42:32.088674 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: status changed to connecting
default	2020-09-25 14:42:32.089080 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)] in state NESMVPNSessionStateIdle: plugin NEVPNTunnelPlugin(<bundle id redacted>[inactive]) dispose complete
default	2020-09-25 14:42:32.089113 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)] in state NESMVPNSessionStateIdle: received start message
default	2020-09-25 14:42:32.089184 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Leaving state NESMVPNSessionStateIdle
default	2020-09-25 14:42:32.089222 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Entering state NESMVPNSessionStatePreparingNetwork
info	2020-09-25 14:42:32.089482 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Network available via interface en0
default	2020-09-25 14:42:32.089560 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork
default	2020-09-25 14:42:32.089595 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Entering state NESMVPNSessionStateStarting
default	2020-09-25 14:42:32.089607 -0700	nesessionmanager	NEVPNTunnelPlugin(<bundle id redacted>[inactive]): Sending start command
default	2020-09-25 14:42:32.089621 -0700	nesessionmanager	<bundle id redacted>[inactive]: starting
default	2020-09-25 14:42:32.090400 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Received a start command from <App name redacted>[378]
default	2020-09-25 14:42:32.090434 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Skip a start command from <App name redacted>[378]: session in state connecting
default	2020-09-25 14:42:32.090482 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Received a start command from <App name redacted>[378]
default	2020-09-25 14:42:32.090513 -0700	nesessionmanager	NESMVPNSession[Primary Tunnel:<App name redacted>:5FC13677-04FA-46AD-B91B-4BB9E6307DA2:(null)]: Skip a start command from <App name redacted>[378]: session in state connecting
default	2020-09-25 14:42:32.094130 -0700	nesessionmanager	<bundle id redacted>[384]: XPC connection went away
default	2020-09-25 14:42:32.094188 -0700	nesessionmanager	NEVPNTunnelPlugin(<bundle id redacted>[inactive]): Tearing down plugin connection

Is there something in these logs that provide any clues to the issue? Any recommendations on what further troubleshooting steps I can try?