Need info to bypass system.preferences VPN consent prompt on MDM device for standard user

Hi,

We have a macOS app that uses NETransparentProxyManager (Transparent App Proxy) with a NETunnelProviderExtension. The Network Extension is configured and deployed via an MDM configuration profile. The profile is pushed through Intune MDM as a user-enrolled device (Company Portal enrollment, not ADE/supervised).

The MDM profile sets up the Transparent Proxy extension as follows (sanitized snippet):

<key>VPNType</key>
<string>TransparentProxy</string>
<key>TransparentProxy</key>
<dict>
    <key>ProviderType</key>
    <string>app-proxy</string>
    <key>ProviderBundleIdentifier</key>
    <string>com.example.app.tunnel</string>
    <key>ProviderDesignatedRequirement</key>
    <string>identifier "com.example.app.tunnel" and anchor apple generic and certificate leaf[subject.OU] = TEAMID</string>
    <key>RemoteAddress</key>
    <string>100.64.0.0</string>
</dict>
<key>PayloadScope</key>
<string>System</string>

What we do in code:

  1. Call NETransparentProxyManager.loadAllFromPreferences — this correctly returns the MDM-managed profile (1 profile found)
  2. We do not call saveToPreferences — the profile already exists
  3. We call NEVPNConnection.startVPNTunnel() to connect and NEVPNConnection.stopVPNTunnel() to disconnect

Problem:

On a user-enrolled MDM device, when the app is running as a standard user (non-admin), every call to startVPNTunnel() or stopVPNTunnel() triggers the macOS VPN consent dialog:

"VPN is trying to modify your system settings. Enter your password to allow this."

Console log evidence:

Failed to authorize 'system.preferences' by client
'/System/Library/ExtensionKit/Extensions/VPN.appex'
for authorization created by '/System/Library/ExtensionKit/Extensions/VPN.appex'
(-60006) (engine 881)

Key observations:

  • Even if the user does not provide the admin credentials in the popup and cancels the window, things still work properly in the background, i.e. start/stop works.
  • This does not happen for admin users on user-enrolled devices
  • saveToPreferences is NOT called — the profile is MDM-managed and already present
  • The prompt is triggered purely by startVPNTunnel() / stopVPNTunnel() from a standard user process

Question:

Is there a supported API, entitlement, or MDM configuration key that allows NETransparentProxyManager.startVPNTunnel() / stopVPNTunnel() to be invoked by a standard user process on a user-enrolled (non-supervised) device without triggering the system.preferences authorization dialog — given that the VPN profile is already deployed and managed by MDM?
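
An added Swift sketch (not code from the original post) of the three steps described above: it loads the MDM-managed configuration without ever calling saveToPreferences, drives start/stop through the manager's connection, and logs NEVPNStatus transitions so the actual start/stop outcome can be checked in Console independently of how the authorization dialog was answered. The class and error names are assumptions.

```swift
import Foundation
import NetworkExtension

// Hypothetical controller (added example) for an MDM-deployed Transparent Proxy profile.
final class ManagedProxyController {
    enum ControllerError: Error { case noManagedProfile, notLoaded }

    private var manager: NETransparentProxyManager?
    private var statusObserver: NSObjectProtocol?

    /// Step 1: load every configuration; the MDM profile should be the single result.
    func loadManagedProfile(completion: @escaping (Result<NETransparentProxyManager, Error>) -> Void) {
        NETransparentProxyManager.loadAllFromPreferences { managers, error in
            if let error = error { completion(.failure(error)); return }
            // Assumption: the first (and only) manager is the MDM-managed profile.
            guard let managed = managers?.first else {
                completion(.failure(ControllerError.noManagedProfile)); return
            }
            // Step 2: do NOT call saveToPreferences; only read the managed state.
            NSLog("Loaded managed profile '%@' enabled=%d",
                  managed.localizedDescription ?? "?", managed.isEnabled ? 1 : 0)
            self.manager = managed
            self.observeStatus(of: managed.connection)
            completion(.success(managed))
        }
    }

    /// Log each NEVPNStatus transition (invalid/disconnected/connecting/connected/...)
    /// so the effect of start/stop is visible even if the consent dialog was cancelled.
    private func observeStatus(of connection: NEVPNConnection) {
        statusObserver = NotificationCenter.default.addObserver(
            forName: .NEVPNStatusDidChange, object: connection, queue: .main) { _ in
            NSLog("Tunnel status changed: %d", connection.status.rawValue)
        }
    }

    /// Step 3: start or stop the tunnel through the manager's connection.
    func setTunnel(running: Bool) throws {
        guard let connection = manager?.connection else { throw ControllerError.notLoaded }
        if running {
            try connection.startVPNTunnel()   // throws an NEVPNError on a rejected start
        } else {
            connection.stopVPNTunnel()
        }
    }

    deinit {
        if let observer = statusObserver { NotificationCenter.default.removeObserver(observer) }
    }
}
```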
