Recommended iOS BYOD ZCC Config Advice

While I’ve found plenty of articles for deploying ZCC on iOS and setting config options, I can’t seem to find much on recommended forwarding/app profile configuration and/or PAC files.

The use case is we want users to use ZCC on iOS purely for:

  1. Access to a few internal web apps over ZPA
  2. Leverage our existing O365 SIPA config for
  3. Detect/Block potential security threats

However, we DO NOT want to inspect or log any traffic except for the above, since these are BYOD devices; users should feel free to surf Facebook or whatever without having their traffic recorded.

I would figure this is a fairly common use case, but I can’t get it working the way I want. With “per-app” VPN I can get the internal apps available on demand, and adding them as a Safari URL works via SIPA (though it seems to mess with SSO or create an auth loop of some type, and for some reason breaks the reporting of device compliance status in Azure for the logon entry via Safari, which is the main issue), but it doesn’t filter or block any malware-style traffic, which I guess is expected since it’s only forwarding specific URLs. If I go full on-demand VPN, I can’t figure out how to write a bypass in a PAC file that basically bypasses everything except for a few URLs but maintains security monitoring.

Anybody have a sample iOS BYOD config they could shed some light on?