recently we noticed VPN wasn’t working, could be the disabled connect on demand option – nope – the entire VPN configuration was inactive?!
a bit history: apple introduced VPN on demand (VPoD) still in iOS 5, it’s required setup certificate authentication – at first it was just possible to define single domains, over the years it advanced to ignore, evaluate or disconnect for certain domains – along with iOS 7 apple intoduced Per-app VPN to connect specific apps – since iOS13 it is even possible to tunnel just mail/calandar/contacts domains
noticed that this just happed for VPoD configuration, even if a single domain overlap in OnDemand rule, always the last pushed VPN configuration is active
you either manually enable the desired config or repush the config via MDM to remote enable