
Indeed! Color me surprised.

I have tried to reproduce the issue and found that even though you can create provisioning profiles for direct distribution with the Network Extension entitlement, and the UI shows that all is fine, the provisioning profile does NOT contain the required entitlement.

After some digging I found a FAQ on network extensions by Apple [1]. Point #8 clearly says:

> #8 — On the Mac, can Developer ID apps host Network Extension providers?

> Currently this is not possible; only Mac App Store apps can host Network Extension providers.

Thus the missing entitlement is most likely not a bug (and the cert UI is just bad). This is not a technical limitation, just Apple with questionable politics.

[1] https://forums.developer.apple.com/thread/67613
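A way to check what the comment above describes, reading the entitlements a provisioning profile actually carries instead of trusting the portal UI. This is an added example, not part of the original thread. It assumes the profile's plist can be located by its XML markers inside the CMS wrapper, it does not verify the signature, and the sample profiles are constructed.

```python
import plistlib

# Entitlement key used by Network Extension providers.
NE_KEY = "com.apple.developer.networking.networkextension"

def embedded_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a .provisionprofile / .mobileprovision blob.

    Heuristic: the plist sits as plain bytes inside the CMS container, so it is
    located by its XML markers. The CMS signature is NOT checked here.
    """
    start = blob.find(b"<?xml")
    if start < 0:
        raise ValueError("no embedded plist found")
    end = blob.find(b"</plist>", start)
    if end < 0:
        raise ValueError("embedded plist is truncated")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def network_extension_entitlement(blob: bytes):
    """Return the provider types granted by the profile, or None if absent."""
    entitlements = embedded_plist(blob).get("Entitlements", {})
    return entitlements.get(NE_KEY)

def _constructed_profile(entitlements_xml: str) -> bytes:
    """Build a fake profile: junk bytes around a plist, standing in for CMS."""
    plist = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict>'
        "<key>Name</key><string>Constructed sample</string>"
        f"<key>Entitlements</key><dict>{entitlements_xml}</dict>"
        "</dict></plist>"
    )
    return b"\x30\x82\x01\x00" + plist.encode() + b"\x00\x00"

# Constructed samples: one profile with the entitlement, one without it.
WITH_NE = _constructed_profile(
    f"<key>{NE_KEY}</key><array><string>packet-tunnel-provider</string></array>"
)
WITHOUT_NE = _constructed_profile("<key>com.apple.application-identifier</key>"
                                  "<string>TEAMID.example.app</string>")

if __name__ == "__main__":
    for name, blob in (("with", WITH_NE), ("without", WITHOUT_NE)):
        print(name, "->", network_extension_entitlement(blob))
```

On a real profile, pass the file's bytes to `network_extension_entitlement`; a `None` result matches the situation the comment reports.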




I suspect the reasoning is to prevent malware/spyware from setting up an always-on VPN without the user’s permission (i.e. the recent Facebook/Onavo scandal). Without using NetworkExtension, a kext is needed (which now requires fairly obnoxious user consent). And using NetworkExtension essentially requires Apple’s approval.



