Add VPN Payload (com.apple.vpn.managed) #32

Open
apizz opened this issue Feb 8, 2019 · 3 comments · May be fixed by #358

apizz commented Feb 8, 2019

Per https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

@apizz apizz added the 📝 new manifest New manifest request label Feb 14, 2019

apizz commented Feb 23, 2019

This payload is crazy complicated. The manifest for this contained within the Apple Configurator 2 has a ton going on and at the end of the day, does do a better job at visually presenting only the applicable preferences given a selected VPN type. See screenshots below:

[Screenshot: 2019-02-23 at 11:50:16 AM]
vs.
[Screenshot: 2019-02-23 at 12:02:30 PM]

Notably, there are several pfm_exclude arrays that reference nested preferences within a larger preference dictionary. This is because there are certain preference keys that have the same name but are contained within different dictionaries. For example, a VPN type of IKEv2 (iOS only) has a pfm_exclude that references the DisconnectOnIdle preference within the dictionary. It does this by separating the dictionary and subkey with a period. The applicable portion of the manifest dictionary is below; notice the pfm_target:

		<dict>
			<key>pfm_description</key>
			<string>Length of time to wait before disconnecting an on demand connection</string>
			<key>pfm_exclude</key>
			<array>
				<dict>
					<key>pfm_target_conditions</key>
					<array>
						<dict>
							<key>pfm_n_range_list</key>
							<array>
								<integer>1</integer>
							</array>
							<key>pfm_target</key>
							<string>IKEv2.DisconnectOnIdle</string>
						</dict>
					</array>
				</dict>
			</array>
			<key>pfm_name</key>
			<string>DisconnectOnIdleTimer</string>
			<key>pfm_title</key>
			<string>Disconnect on Idle time</string>
			<key>pfm_type</key>
			<string>integer</string>
		</dict>
	</array>
	<key>pfm_title</key>
	<string>IKEv2</string>
	<key>pfm_type</key>
	<string>dictionary</string>
</dict>

Interesting as well is the use of dictionaries for the pfm_default key, which allows you to define subkey preference defaults at the dictionary key level, and all in one place, rather than at the contained individual preference key level. Example below:

<key>pfm_default</key>
<dict>
	<key>DiffieHellmanGroup</key>
	<integer>14</integer>
	<key>EncryptionAlgorithm</key>
	<string>AES-256</string>
	<key>IntegrityAlgorithm</key>
	<string>SHA2-256</string>
	<key>LifeTimeInMinutes</key>
	<integer>1440</integer>
</dict>

Here is the link to my fork with the manifest as it currently exists: apizz@32bd3a8
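
Added example, not part of the comment above and not code from the ProfileManifests project: a sketch of how an editor could evaluate a pfm_exclude entry whose pfm_target uses the dotted dictionary.subkey form described in that comment. The manifest fragment is constructed from the excerpt; reading pfm_n_range_list as "value not in list" and combining conditions with AND inside an entry and OR across entries are assumptions.

```python
import plistlib

# Constructed fragment, reduced from the DisconnectOnIdleTimer excerpt above.
MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>pfm_name</key><string>DisconnectOnIdleTimer</string>
  <key>pfm_exclude</key>
  <array><dict>
    <key>pfm_target_conditions</key>
    <array><dict>
      <key>pfm_n_range_list</key><array><integer>1</integer></array>
      <key>pfm_target</key><string>IKEv2.DisconnectOnIdle</string>
    </dict></array>
  </dict></array>
</dict></plist>"""
PREF = plistlib.loads(MANIFEST)
_MISSING = object()  # sentinel: target key absent from the payload


def resolve(payload, target):
    """Walk a dotted pfm_target such as 'IKEv2.DisconnectOnIdle'."""
    node = payload
    for part in target.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def condition_met(payload, cond):
    value = resolve(payload, cond["pfm_target"])
    if "pfm_range_list" in cond and value not in cond["pfm_range_list"]:
        return False
    # Assumption: pfm_n_range_list is the negated form (value NOT in list).
    if "pfm_n_range_list" in cond and value in cond["pfm_n_range_list"]:
        return False
    return True


def is_excluded(payload, pref):
    """Assumption: conditions in one entry are ANDed, entries are ORed."""
    for entry in pref.get("pfm_exclude", []):
        conds = entry.get("pfm_target_conditions", [])
        if conds and all(condition_met(payload, c) for c in conds):
            return True
    return False


if __name__ == "__main__":
    for on in (0, 1):
        print(on, is_excluded({"IKEv2": {"DisconnectOnIdle": on}}, PREF))
```

A same-named DisconnectOnIdle key at the top level of the payload does not satisfy the condition, because the dotted target is resolved only inside the IKEv2 dictionary.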

@erikberglund

Yes, this is why I've waited with this payload. And it will have to wait a bit more as I need to add the new method of editing nested arrays first.

@relgit relgit self-assigned this Aug 7, 2020

relgit commented Aug 19, 2020

This issue has been the longest open on the project, which makes me very happy to announce that alongside our update earlier today of iMazing Profile Editor, which includes a major overhaul to the VPN section, making it clearer, more organized, and more workable, we are now committing the manifest that powers it to the project.

@apizz I just pushed branch digidna_vpn where we can test and make any necessary changes to the manifest as we discussed last June, before eventually merging it to master.

@apizz apizz linked a pull request Aug 23, 2020 that will close this issue