You are mixing two features. The first feature is location awareness; this feature tells the client not to connect using VPN when the client is inside the corporate network. The client tries to open an HTTPS connection to the gw; after the gw receives the request, it checks which interface the request came from, and if it was received on the internal interface it will tell the client to disconnect (there are other options to detect whether the client is inside or not, but the HTTPS connection is the most reliable; it requires good design, and if you have too many clients you can DDoS the gw and vpnd will run at high CPU or crash).
The second feature is desktop policy. It is a set of firewall rules that will be installed on the client. I think your problem is in the configuration and in enforcing the default policy. The trick is: when you use a specific users group in the desktop policy, it will be enforced while the client is connected; whenever you use the All Users group in the desktop policy, it will be enforced when the client is disconnected.
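A small model of the two behaviours described in the answer above, added here as an illustration; it is not Check Point's code. The interface names, the per-client probe budget, the rule tuple format and the response strings are all assumptions.

```python
from collections import defaultdict

# Constructed gateway topology (assumption): which interfaces face the corporate LAN
# and which face the internet.
INTERNAL_INTERFACES = {"eth1", "eth2"}
EXTERNAL_INTERFACES = {"eth0"}


class Gateway:
    """Location-awareness side: answers the client's HTTPS probe based on the
    ingress interface, with a crude per-client probe budget so that a flood of
    probes cannot drive the daemon to high CPU (the answer's DDoS caveat)."""

    def __init__(self, probe_budget_per_client=5):
        self.probe_budget_per_client = probe_budget_per_client  # assumed value
        self.probes = defaultdict(int)

    def handle_location_probe(self, client_id, ingress_interface):
        self.probes[client_id] += 1
        if self.probes[client_id] > self.probe_budget_per_client:
            return "throttled"                 # refuse rather than burn CPU
        if ingress_interface in INTERNAL_INTERFACES:
            return "disconnect"                # client is inside: no VPN needed
        if ingress_interface in EXTERNAL_INTERFACES:
            return "connect"                   # client is outside: keep the tunnel
        raise ValueError(f"unknown interface {ingress_interface}")


# Constructed desktop policy: (rule name, user group, action).
DESKTOP_POLICY = [
    ("allow_dns", "All Users", "accept"),
    ("block_inbound", "All Users", "drop"),
    ("allow_intranet", "RemoteWorkers", "accept"),
]


def effective_desktop_rules(policy, connected, user_groups):
    """Desktop-policy side, following the rule stated in the answer: rules bound
    to a specific user group apply while the client is connected; rules bound to
    'All Users' apply while it is disconnected."""
    selected = []
    for name, group, _action in policy:
        if connected and group != "All Users" and group in user_groups:
            selected.append(name)
        elif not connected and group == "All Users":
            selected.append(name)
    return selected
```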