Intune - iOS and ZIA Strict Enforcement

We’re testing with distributing company-owned phones to some of our userbase. The phones are very locked down using Intune, but we’re hoping to further lock down this process using ZAPP. We are able to successfully push the app to the phone and enforce the VPN to always connect. We are concerned about software pushes from Intune being able to reach the device in an instance where ZAPP is not logged in / authenticated.

Does anybody know in Intune if the domains for the excluded URLs portion of the VPN setup have inherent wildcards? We’re concerned that we’ll not be able to reach our device and remotely wipe/control it because of missing the right excluded URL.