Can Per App VPN be configured for MAM only devices 

No, Per App VPN does not support MAM only devices. With the iOS per app-VPN feature, you can leverage the VPN profile in conjunction with the Citrix VPN app on a XenMobile-managed iOS device. There, you can establish an on-demand VPN tunnel to the enterprise network for a desired set of applications installed on the device.


The three main component for Per App VPN are : app inventory , credential policy and VPN policy.
o use Per App VPN the device must be enrolled in the MDM +MAM mode since the VPN policy along with app inventory needs to be pushed from the XenMobile .

You can check more details here with respect to Per App VPN here : https://www.citrix.com/blogs/2016/04/19/per-app-vpn-with-xenmobile-and-citrix-vpn/ 

In such cases VPN tunnel can used , however this feature is only available for the wrapped application and not for public store application, since we need to set the network access to "tunneled through internal network" with "secure browse / VPN".

Q: Configured an "App Attributes" Policy for a special App. The policy failed to install on all devices, where the intended App is not installed. Is there a way to install the policy on devices depending on the app. I do not want to push this app on all devices since only a couple of users need it?

A: Unfortunately there is no if-else functionality to only deploy a policy if a specific condition is met (i.e. If App installed then deploy policy). We can only wipe, revoke, lock app and send notifications, but not deploy policies. If app was a required app then this might be a little easier, but defeats the purpose as not all users would want this app.

Q: Per app VPN does not disconnect automatically when I close the app?

A: There is no explicit setting on the policy nor on the session policy on the gateway that would allow for automatic disconnect functionality.