When WSS Policy Management is set to "WSS Portal" you can setup rules (on the portal) that use WSS Agent as a source.
When WSS Policy Management is set to "Management Center" (also known-as Universal Policy Enforcement / UPE) the option to setup rules that use WSS Agent as a source is not available.
In order to setup rules that use WSS Agent as a source the below CPL code should be used.
This CPL entry matches to WSS Agent traffic:
Sample policy to deny an url/domain just for WSS Agents would look like this:
url.domain=example.com client.location.access_type=client_connector deny
Then, to check WSS Reports for WSS Agent traffic, filter based on Agent Type needs to be done.
In the below example, first entry is for access from IPSec location, the second from WSS Agent: