ZPA interface connected when on trusted site

We have noticed that when a user is on-site (GRE Tunnel enabled) the ZAPP interface is still showing as connected even though the status shows “Service Status Disabled Trusted Network”.

This seems to be a problem with our SCCM configurations using IP networks to define boundaries.
If a user is local use their local network then use local repository, if the user is remote (100.164.x.x) pull from the cloud.
So if the SCCM client sees that 100.64.x.x interface is active then instead of pulling local it will start pulling updates from the cloud. Not so bad when 1 or 2 users are pulling, but if everyone is pulling from the cloud rather than local they will be saturating the internet circuit.

Please advise…