Apple's VPN framework supports layer-3 tunneling for TCP and UDP connections. Apps can be configured to automatically connect to a VPN when they are started. Safari can be configured for per-app VPN with a configuration profile and without an MDM, and on a per-URL basis.
A per-app VPN configuration requires two configuration components.
The per-app VPN framework allows the administrator to limit VPN access to explicit apps only. Specifically, it allows applications to use one F5 Access configuration (or VPN connection).
In practice, some applications may be associated with one F5 Access configuration, and other applications may be associated with other F5 Access configurations.
In this example, only App 1 or App 2 can be active at one time.
Apps associated with different VPN configurations
For per-app VPN, an access policy requires a specific configuration. The per-app VPN process does allow prompts or requests for information (logon and password) during logon. However, Web Logon is not supported.