App-to-App-Layer VPN Mapping (com.apple.vpn.managed.appmapping)

A dictionary defining a per-app VPN relationship.

The bundle identifier of the app using the per-app VPN.

The identifier of the per-app VPN payload, which defines the per-app VPN that the app uses. See the `VPNUUID` key of the `AppLayerVPN` payload.

The code signature designated requirement of the app using the per-app VPN.

The code signature signing identifier of the app using the per-app VPN.

The file-system path of the executable using the per-app VPN.

An array of dictionaries. Each dictionary specifies a per-app VPN rule. Use this property to restrict this per-app VPN rule to only match the app's spawned _helper tool_ network traffic. For example, to match network traffic that the `curl` command generates when run from the Terminal.app, create an app mapping payload for Terminal.app and set the payload's `MatchTools` key to an array that contains a dictionary that matches the `curl` command-line tool. If you don't specify the `MatchTools` key, this per-app VPN rule matches all network traffic that the matching app and its spawned helper tools generate.

Specifies a per-app VPN rule to match network traffic that the app's spawned command-line tool generates.

This structure continues with 3 subkeys (deeply nested - 3 subkeys). See Apple's documentation for the complete structure.