user8472

Reputation: 3326

How can I programmatically manage a "Per-App VPN"?

I have an iOS app which contains a Network Extension that subclasses NEPacketTunnelProvider, acting as a packet-tunnel VPN. After deploying the app on the device as a regular app, it runs the following code fragment:

NETunnelProviderManager.loadAllFromPreferences { managers, _ in
  self.manager = managers?.first ?? NETunnelProviderManager()
  self.manager.protocolConfiguration = getConfiguration()
  self.manager.saveToPreferences { error in
    // Handle errors or show a "Connect" button in the UI
  }
}

This asks the user to install the extension as a "Device VPN". I can then use self.manager.connection.startVPNTunnel() to start the VPN. So far, this works fine and is exactly my expectation.

Now, I want to deploy the app with an MDM and set it up as the "custom VPN" of a "Per-App VPN". After setting it up with an MDM, the "Per-App VPN" indeed shows up as a VPN in the "Settings" app, prior to even launching my app.

However, I am unable to retrieve, configure or use the "Per-App VPN". The code fragment posted above returns no NETunnelProviderManager at all. When instantiating one on my own and triggering self.manager.saveToPreferences(), it queries the user to install a "Device VPN", again. This results in two VPN connections on the device, one that works (the "Device VPN") and one that is just for show without any functionality (the "Per-App VPN").

What is the correct way to retrieve and use the NETunnelProviderManager of the "Per-App VPN"?

Upvotes: 0

Views: 43

Answers (0)
