Configuration:
Restrictive Internet Access:
workstation with UA --> On Premise SG --> Internet
Less Restrictive Internet Access:
workstation with UA --> WSS --> Internet
The on-premises SG is registered with WSS and takes advantage of Common Policy. The default policy on the on-premises SG is set to DENY. The desired result is to allow access to specific sites/categories based on the rules defined in the Cloud, and to give the workstation less restrictive rights, again based on the rules defined in the Cloud, when it is remote.
The restrictive rights are currently enforced by the on-prem SG's default policy of DENY. Even though a site is ALLOWED in Common Policy, the on-prem SG still DENIES the transaction, so the cloud ALLOW rules have no effect while the workstation is on the corporate network.
Follow these steps to accomplish the desired behaviour:
1 - Set the on-prem SG's default policy to ALLOW.
2 - In the Cloud portal, create a rule, as the last rule, that unconditionally BLOCKs everything.
3 - In the Cloud portal, create a rule, as the second-last rule, that ALLOWs everything on the condition that the source is "Mobile Clients".
With this configuration the Unified Agent goes passive when the workstation is behind the on-prem SG, so the request is evaluated against Common Policy and falls through to the last rule, which DENIES anything not explicitly permitted by an earlier rule; the SG's default policy of ALLOW leaves the cloud verdict in place. When the UA is off network, the request matches the second-last rule instead, which ALLOWs everything because the source is a mobile client. Rule order matters: the "Mobile Clients" rule must sit above the unconditional BLOCK, otherwise it is never reached and remote users are blocked as well.
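The following is an added illustration, not Symantec/Broadcom code and not a reproduction of how ProxySG or WSS evaluate policy internally. It is a simplified model of the behaviour described above: Common Policy rules are tried top to bottom with first match winning; on the corporate network the request also passes the on-prem SG, whose default policy of DENY overrides a cloud ALLOW; off network only the cloud rules apply and the "Mobile Clients" condition is true. Category names, hostnames and the fall-through verdict for an unmatched remote request (assumed ALLOW, made unreachable by step 2) are assumptions for the model. It also shows what happens when the two trailing rules are created in the wrong order.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

ALLOW, DENY = "ALLOW", "DENY"   # the Cloud portal labels DENY as "Block"


@dataclass(frozen=True)
class Request:
    host: str
    category: str
    mobile_client: bool   # True when the UA is off network and active


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    match: Callable[[Request], bool]


def evaluate_cloud(rules: List[Rule], req: Request) -> Optional[str]:
    """Common Policy: rules are tried top to bottom, first match wins."""
    for rule in rules:
        if rule.match(req):
            return rule.action
    return None


def evaluate(rules: List[Rule], req: Request, sg_default: str) -> str:
    """Verdict for one request along the path the article describes."""
    verdict = evaluate_cloud(rules, req)
    if req.mobile_client:
        # Remote: WSS is the only enforcement point.  Model assumption: an
        # unmatched request is allowed; step 2's trailing block rule makes
        # that fall-through unreachable in practice.
        return verdict if verdict is not None else ALLOW
    # On premises the UA is passive and the request goes through the SG.
    # Per the article, a local default of DENY wins even when the cloud
    # rules say ALLOW; with a default of ALLOW the cloud verdict stands.
    if sg_default == DENY:
        return DENY
    return verdict if verdict is not None else sg_default


def allow_category(category: str) -> Rule:
    return Rule(f"allow {category}", ALLOW, lambda r: r.category == category)


# Constructed rule sets; the category names are placeholders.
RULES_BEFORE = [allow_category("Business"), allow_category("Finance")]

RULES_AFTER = RULES_BEFORE + [
    Rule("allow all for Mobile Clients", ALLOW, lambda r: r.mobile_client),  # step 3
    Rule("block everything", DENY, lambda r: True),                          # step 2
]

# Same two rules in the wrong order, to show why step 3 says "second last".
RULES_MISORDERED = RULES_BEFORE + [
    Rule("block everything", DENY, lambda r: True),
    Rule("allow all for Mobile Clients", ALLOW, lambda r: r.mobile_client),
]


def scenarios() -> dict:
    """Verdicts for the situations the article walks through."""
    biz_onprem = Request("vendor.example", "Business", mobile_client=False)
    news_onprem = Request("news.example", "News", mobile_client=False)
    news_remote = Request("news.example", "News", mobile_client=True)
    return {
        # The problem: SG default DENY overrides an allowed category.
        "before/business/on-prem": evaluate(RULES_BEFORE, biz_onprem, DENY),
        # After the fix: an explicitly allowed category works on-prem...
        "after/business/on-prem": evaluate(RULES_AFTER, biz_onprem, ALLOW),
        # ...anything else on-prem hits the trailing block rule...
        "after/news/on-prem": evaluate(RULES_AFTER, news_onprem, ALLOW),
        # ...and the same request from a mobile client is allowed.
        "after/news/remote": evaluate(RULES_AFTER, news_remote, ALLOW),
        # Block rule placed above the mobile rule: remote users are blocked too.
        "misordered/news/remote": evaluate(RULES_MISORDERED, news_remote, ALLOW),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26} -> {verdict}")
```

Running the block prints one verdict per scenario: the first line reproduces the problem (DENY despite an allowed category), the next three show the intended behaviour after the three steps, and the last shows that swapping the two trailing rules blocks remote users as well.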