When systems fall into the default group, they may not recognize location rule changes for up to 25 minutes.

It is normal for SEP to take around 15 minutes to switch locations. This is because the ICMP timer configured in the default location is 25 minutes (1500000 milliseconds).
     How long it takes also depends on the scenario. For example, there are two different scenarios:
     Scenario 1: User tests by disconnecting from the local network.
                         SEP switches locations immediately because SEP detects a change in IP address.
     Scenario 2: User tests it by blocking traffic through external firewall.
                        SEP only sends an ICMP request after the timer is reached. For the default location, the configured timer is 25 minutes. Therefore, users need to wait <25 minutes to see the location switch.

As of the current version of the ICDm, this timeout can only be changed on the back-end per domain/tenant. Please contact support if you need this value to be shortened.

NOTE: The network traffic generated from significantly shortening the interval may be impactful as it uses ICMP and DNS queries to set the default location, and if all systems are using these every few seconds, it could have an impact. Please consult with your network team on potential impacts if all systems have increased their use of ICMP and DNS.

It is under consideration to expose this setting in the ICDm console.