Per-App VPN without MDM?

I work for a larger enterprise (4500 fat client computers, 15000 mail users, 55000+ employees), no company owned mobile devices, all are personal devices.
People do not want MDM on their private devices.
They do use their personal devices to do company-related things (work schedule planning, requesting holidays, reporting sick leave, getting discounts at partners, and some use them for check-in/check-out time registration).
Most of the software is web based or off the shelf software.
Is there any way we can create a configuration profile for iOS that does a per-app VPN? It looks like "App-to-Per-App VPN Mapping" is not supported on iOS as per the Configuration Profile Reference. But MDM tools supposedly can do something for apps installed through MDM.
If not, does anybody know whether SafariDomains works in Safari only, or in all WebViews? We could most likely live with SafariDomains if it works globally, as sign-on to most services is SAML-based. Then we could do some IP filtering on the SAML server, or on a firewall in front of it, to ensure that only the company network + VPN server can access it. Thus we would have protected these 3rd-party services against phishing.
Or is there any other way to create split tunnelling? That is, tunnel only traffic to specific domains? Currently I am using IKEv2 for VPN.
Should I set up split DNS, and how?
Or use IKEv2 SupplementalMatchDomains, and have people hit my inside saml.company.com IP address for the logon? SupplementalMatchDomains is the only place discussing split tunnel in https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
I see no easy way to run a split-tunnel VPN, or per-app VPN the way I want, to give us more security. Requiring it for saml.company.com only would be a huge step.
Android users will have to live with a GeoIP block filter, and will have no access during holidays, but all managers are on iOS.
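
The following is an added example, not code from the original post or from Apple: a small Python script that generates an unsigned .mobileconfig for an IKEv2 VPN payload combining the two mechanisms the post asks about, OnDemandRules with EvaluateConnection/ConnectIfNeeded (the tunnel is brought up only when one of the listed domains is resolved) and a DNS dictionary with SupplementalMatchDomains (only those domains resolve through the internal resolvers while the tunnel is up). Key names follow Apple's Configuration Profile Reference; the hostnames, resolver IP, identifiers, the EAP user name and the validate() checks are the example's own assumptions. One caveat a practitioner should keep in mind: these keys decide when the tunnel comes up and which names resolve through it, not which traffic is routed into it once it is up (that is governed by the routes the IKEv2 server pushes), so this is domain-triggered on-demand VPN with split DNS, not a per-app VPN.

```python
"""Generate an iOS .mobileconfig with an IKEv2 VPN payload that is brought up
on demand for a list of internal domains and uses split DNS for them.
Added example; all hostnames, IPs and identifiers are constructed placeholders."""
import plistlib
import uuid

# Constructed sample values (assumptions, not from the original post).
VPN_SERVER = "vpn.company.example"
INTERNAL_DOMAINS = ["saml.company.example", "intranet.company.example"]
INTERNAL_DNS = ["10.0.0.53"]


def build_vpn_payload(server, domains, dns_servers, supplemental_domains=None):
    """VPN payload (com.apple.vpn.managed, VPNType IKEv2) with on-demand rules
    and a split-DNS dictionary.  supplemental_domains defaults to domains."""
    if supplemental_domains is None:
        supplemental_domains = list(domains)
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.company.example.vpn.ikev2",  # assumed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Company VPN (on demand)",
        "UserDefinedName": "Company VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,
            "LocalIdentifier": "ios-client",  # assumed IKE identity
            # EAP (user name/password) authentication; no AuthPassword is
            # embedded, so the user is prompted for it on first connect.
            "AuthenticationMethod": "None",
            "ExtendedAuthEnabled": 1,
            "AuthName": "jdoe",  # placeholder user name
            "EnablePFS": 1,
            "DeadPeerDetectionRate": "Medium",
            # On demand: a DNS lookup for one of `domains` brings the tunnel
            # up; lookups for any other name do not trigger it.
            "OnDemandEnabled": 1,
            "OnDemandRules": [
                {
                    "Action": "EvaluateConnection",
                    "ActionParameters": [
                        {"Domains": list(domains),
                         "DomainAction": "ConnectIfNeeded"}
                    ],
                }
            ],
        },
        # Split DNS: while the tunnel is up, only queries for these domains
        # go to the internal resolvers; everything else uses the device's DNS.
        "DNS": {
            "ServerAddresses": list(dns_servers),
            "SupplementalMatchDomains": list(supplemental_domains),
        },
    }


def build_profile(server=VPN_SERVER, domains=INTERNAL_DOMAINS,
                  dns_servers=INTERNAL_DNS, supplemental_domains=None):
    """Top-level configuration profile wrapping the single VPN payload."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.company.example.vpn",  # assumed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Company on-demand VPN",
        "PayloadOrganization": "Company",
        "PayloadContent": [
            build_vpn_payload(server, domains, dns_servers, supplemental_domains)
        ],
    }


def validate(profile):
    """Consistency checks before signing/deploying; returns a list of problem
    strings (empty means OK).  The checks are this example's own choices."""
    problems = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ike = p.get("IKEv2", {})
        if ike.get("OnDemandEnabled") != 1:
            problems.append("OnDemandEnabled is not set")
        triggers = set()
        for rule in ike.get("OnDemandRules", []):
            for ap in rule.get("ActionParameters", []):
                if ap.get("DomainAction") == "ConnectIfNeeded":
                    triggers.update(ap.get("Domains", []))
        match = set(p.get("DNS", {}).get("SupplementalMatchDomains", []))
        for d in sorted(triggers - match):
            problems.append(f"{d} triggers the tunnel but is not in SupplementalMatchDomains")
        for d in sorted(match - triggers):
            problems.append(f"{d} uses internal DNS but never triggers the tunnel")
        for secret in ("AuthPassword", "SharedSecret"):
            if secret in ike:
                problems.append(f"{secret} is embedded in the profile")
    return problems


def to_mobileconfig(profile):
    """Serialize to the XML plist that iOS accepts as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    prof = build_profile()
    print("problems:", validate(prof) or "none")
    print(to_mobileconfig(prof).decode())
```

Running the script prints the profile XML; write it to a .mobileconfig file and sign it (for example with `openssl smime -sign`) before distributing it, since iOS shows unsigned profiles as "Not Verified". validate() flags the two mistakes that are easy to make with this pair of keys: a domain that triggers the tunnel but still resolves through the public resolver, and a domain that resolves internally but never brings the tunnel up, plus any shared secret or password left in the profile.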

Replies

Dear Povlhp, any progress on per-app VPN through IKEv2? I'm also trying to do the same.