Using “Prefer CEM connection if connected to VPN” setting

Article ID: 226695

Updated On: 03-14-2025

Products

IT Management Suite

Issue/Introduction

You are trying to use the option "Prefer CEM gateway connection if VPN connection is established".

The expected behaviour is:

  1. If the VPN is connected before the Symantec Management Agent (SMA or Altiris Agent) service starts, the agent flips to CEM mode.
  2. If you shut down the VPN connection, the SMA should flip over to CEM mode.
  3. If you then log back onto the VPN, the agent stays in CEM mode and packages do NOT download over the VPN.

Environment

ITMS 8.6 RU2 and later

Resolution

Note:
If the scenario above is not working and you are still on a version earlier than ITMS 8.6 RU2, a point fix is available for ITMS 8.6 RU1. See KB 221269 "CUMULATIVE POST ITMS 8.6 RU1 POINT FIXES".

Two fixes were made:

1. Fixed a race condition between VPN adapter detection after SMA start and persistent connection establishment.

2. Download codebase selection now prefers HTTPS over UNC and HTTP when CEM is the preferred connection method.

Things you should know

A little background on the "Prefer CEM gateway connection" and "Prefer CEM gateway connection if VPN connection is established" settings:

The "Prefer CEM gateway connection if VPN connection is established" setting forces the client to download packages (such as large Office 365 patch packages) over the internet instead of over the VPN adapter.

The product documentation at:
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/it-management-suite/ITMS/Administration/setting-up-cloud-enabled-management-v75537313-d846e4412/configuring-the-policy-v38974730-d846e5222.html

states:

Prefer CEM connection if connected to VPN (Available starting from 8.6)
Lets you continue managing your devices using Cloud-enabled Management if there is a VPN connection established on these devices.
You define VPN adapters on the Global Agent Settings page.


This feature should switch the Symantec Management Agent (SMA or Altiris Agent) to the CEM state, so that the SMA does not use the VPN adapter and works through another adapter (through CEM).

Testing confirmed that the feature works correctly both with and without "Persistent connection" (WebSockets): the agent switches between modes according to the check boxes when the policy is received.

The "Prefer CEM connection" setting does exactly what its name says: when selected, the SMA prefers the CEM connection over all other connections. When this setting is received, the SMA switches to CEM mode, provided that valid CEM settings exist on the agent so that it can connect through CEM. With this setting checked, the SMA does not consider the VPN at all, so this setting effectively "includes" its VPN-specific variant, "Prefer CEM gateway connection if VPN connection is established".

Here are some points that may help you set up this feature correctly:

1. The Altiris Agent icon reflects the connection mode used to connect to the SMP Server, that is, the connection used for policy renewal, Basic Inventory, and other Post events to the SMP Server.
The package download is a separate process and does not affect the agent icon, especially if the download is done from a Package Server (PS).

2. The Altiris Agent itself does not decide which network adapter or network connection to use; Windows does. The Altiris Agent only decides whether it is calling the SMP Server/PS or the Gateway. This is why routing on the machine matters. Normally the Gateway and the SMP Servers/Package Servers are reachable through different network connections, so when the VPN is ON, CEM traffic is not carried by the VPN. If both the SMP Server/PS and the Gateway are routed through the very same network connection (the one covered by the VPN), the "Prefer" check boxes will not help to avoid VPN traffic.

3. Note that the adapter list in Targeted Settings is called "VPN Adapters Detection". Adapters added to this list are treated by the agent as VPN adapters: if the agent sees any of them "active" on the system, it decides that "VPN is active" and marks its own connections with a flag to prefer calling the Gateway (if the check box is selected) instead of calling the SMP Server/PS directly.

4. If the Altiris Agent is in CEM mode and connected to the SMP Server via the gateway, and the traffic goes through the VPN because the gateway is reachable in the VPN subnet, then the Altiris Agent connects via the VPN because Windows routing is configured this way.

5. If the Altiris Agent is in direct mode because it sees the SMP Server via a VPN adapter, then the traffic goes through the VPN.


The Altiris Agent should respect "Prefer CEM gateway connection if VPN connection is established" when using persistent connections to the SMP Server. In the case below it establishes a direct connection to the SMP Server, while the second persistent connection, to the Task Server (TS), goes via the CEM gateway. Ideally, both connections should go via the CEM gateway.
Two persistent connections are established: one to the SMP Server and one to the TS. The first goes through the VPN, and the second through the CEM gateway.


The two lines below from the throttling engine help find out which adapters and which IP addresses are active at Altiris Agent start:

'Check Point Virtual Network Adapter For Endpoint VPN Client' bandwidth controller is referenced by 'Global\AeX {D55B3D95-9785-4A1B-A61F-2A4EB49A787B} 10.1.178.170'

'Intel[R] Dual Band Wireless-AC 826*5' bandwidth controller is referenced by 'Global\AeX {D55B3D95-9785-4A1B-A61F-2A4EB49A787B} 192.168.1.81'


The SMP Server persistent connection uses profile '{ff291251-7dd6-482c-ac39-c21bf4bec633}'; this ID can be found in the line below:

[10:IN: 620 -> 0, RECV: 8007EC19] TLS 1.0, 1.1, 1.2 are enabled in profile '{ff291251-7dd6-482c-ac39-c21bf4bec633}'


The Agent logs then show that a persistent connection to the SMP Server is being established via the Check Point VPN adapter, which means the SMP Server IP address 10.9.2.212 is routable via the VPN adapter:

[10:IN: 620 -> 0, RECV: 8007EC19] Connecting to target server '<SMPserver>.<Domain>' at <IP Address>, attempt 1
Allocated bandwidth channel 255 for adapter 'Global\AeX{D55B3D95-9785-4A1B-A61F-2A4EB49A787B} Check Point Virtual Network Adapter For Endpoint VPN Client' by reference 'Global\AeX{D55B3D95-9785-4A1B-A61F-2A4EB49A787B}<IP Address>'

[10:OUT_SRV: 620 -> 684, CONN: 8007EC16] Target server '<SMPserver>.<Domain>:443' connected


Then the TS persistent connection is established, and the Agent logs state that the CEM connection is preferred here and the connection goes through the CEM gateway:

[11:IN: 66C -> 0, RECV: 8007EC19] CEM gateway connection is preferred while connecting to <SMPserver>.<Domain>:443;<SMPserver>:443;<SMPserver>.<Domain>:4726;<SMPserver>:4726', error: The operation completed successfully (0x00000000)

[12:IN: CD4 -> 0, RECV: 8007EC1E] Connecting to CEM gateway '<SMPserver>.<Domain>' at <IP Address>:443, attempt 1
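As an added example (not from the article or the product), a small Python triage script that reads agent log lines like those above and ties each persistent connection to the adapter the throttling engine allocated for it, so you can see which connections still went over an adapter listed under "VPN Adapters Detection". The log lines, hostnames, GUID and IP addresses are constructed placeholders.

```python
import re

# Constructed sample agent log, modelled on the excerpts above (placeholders only).
SAMPLE_LOG = """\
'Check Point Virtual Network Adapter For Endpoint VPN Client' bandwidth controller is referenced by 'Global\\AeX {D55B3D95-9785-4A1B-A61F-2A4EB49A787B} 10.1.178.170'
'Intel[R] Dual Band Wireless-AC 8265' bandwidth controller is referenced by 'Global\\AeX {D55B3D95-9785-4A1B-A61F-2A4EB49A787B} 192.168.1.81'
[10:IN: 620 -> 0, RECV: 8007EC19] Connecting to target server 'smp.example.local' at 10.9.2.212, attempt 1
Allocated bandwidth channel 255 for adapter 'Global\\AeX{D55B3D95-9785-4A1B-A61F-2A4EB49A787B} Check Point Virtual Network Adapter For Endpoint VPN Client' by reference 'Global\\AeX{D55B3D95-9785-4A1B-A61F-2A4EB49A787B}10.1.178.170'
[10:OUT_SRV: 620 -> 684, CONN: 8007EC16] Target server 'smp.example.local:443' connected
[11:IN: 66C -> 0, RECV: 8007EC19] CEM gateway connection is preferred while connecting to smp.example.local:443;smp:443', error: The operation completed successfully (0x00000000)
[12:IN: CD4 -> 0, RECV: 8007EC1E] Connecting to CEM gateway 'gw.example.com' at 203.0.113.10:443, attempt 1
Allocated bandwidth channel 254 for adapter 'Global\\AeX{D55B3D95-9785-4A1B-A61F-2A4EB49A787B} Intel[R] Dual Band Wireless-AC 8265' by reference 'Global\\AeX{D55B3D95-9785-4A1B-A61F-2A4EB49A787B}192.168.1.81'
"""
# Adapter names as they would be entered under "VPN Adapters Detection" (constructed list).
VPN_ADAPTERS = {"Check Point Virtual Network Adapter For Endpoint VPN Client"}
GUID = r"\{[0-9A-Fa-f-]+\}"
ADAPTER_RE = re.compile(r"^'(?P<name>[^']+)' bandwidth controller is referenced by "
                        r"'Global\\AeX " + GUID + r" (?P<ip>\d+(?:\.\d+){3})'")
CONNECT_RE = re.compile(r"Connecting to (?P<kind>target server|CEM gateway) "
                        r"'(?P<host>[^']+)' at (?P<ip>\d+(?:\.\d+){3})")
CHANNEL_RE = re.compile(r"Allocated bandwidth channel \d+ for adapter 'Global\\AeX" + GUID +
                        r" (?P<adapter>[^']+)' by reference 'Global\\AeX" + GUID +
                        r"(?P<ip>\d+(?:\.\d+){3})'")
PREFER_RE = re.compile(r"CEM gateway connection is preferred while connecting to")

def analyze(log_text):
    """Adapters active at start, each persistent connection with its adapter, CEM preference."""
    report = {"adapters": {}, "connections": [], "cem_preferred": False}
    pending = None  # last 'Connecting to ...' line still waiting for its channel line
    for line in log_text.splitlines():
        if m := ADAPTER_RE.match(line):
            report["adapters"][m["name"]] = m["ip"]
        elif m := CONNECT_RE.search(line):
            pending = {"kind": m["kind"], "host": m["host"], "ip": m["ip"], "adapter": None}
            report["connections"].append(pending)
        elif (m := CHANNEL_RE.search(line)) and pending is not None:
            # Windows routing, not the agent, picked this adapter; tie it to the attempt.
            pending["adapter"] = m["adapter"].strip()
            pending = None
        elif PREFER_RE.search(line):
            report["cem_preferred"] = True
    return report

def vpn_leaks(report, vpn_adapters):
    """Hosts whose persistent connection went over an adapter the agent treats as VPN."""
    return [c["host"] for c in report["connections"] if c["adapter"] in vpn_adapters]

if __name__ == "__main__":
    print(vpn_leaks(analyze(SAMPLE_LOG), VPN_ADAPTERS))  # ['smp.example.local']
```

Run it against a real agent log by replacing SAMPLE_LOG with the file contents; a non-empty result from vpn_leaks means that connection is still routed over a VPN adapter and the routing on the machine, not the check box, needs attention.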