I am developing an application that runs on OSX and uses the NEVPNManager for IKEv2 connections introduced in El Capitan. In order to setup/activate a VPN connection it requires the "Personal VPN" entitlement.

If I sign my application with a Development certificate it works as expected on my machine, or on others if they bypass Gatekeeper. However if I sign it with a Developer ID certificate the app fails to start. codesign -vvv and spctl -a say that there's nothing wrong with it's signature but in the system.log file I see this when I try to run the app.

Nov 19 11:00:01 taskgated[562]: no application identifier provided, can't use provisioning profiles [pid=22401]
Nov 19 11:00:01 taskgated[562]: killed com.myorg.myapp[pid 22401] because its use of the com.apple.developer.networking.vpn.api entitlement is not allowed (error code -67050) 

Could the Personal VPN capability be forbidden for use outside the Mac App Store? If so it makes no sense as it does not use any Apple service.

UPDATE:

After talking to someone at Apple, it has become clear that the Personal VPN feature is not allowed to be used outside the App Store, thus it cannot be used along with a Developer ID certificate. Here is the list of which feature is allowed for which kind of code signing [the list here]