Cloud SWG Agent Traffic Manager (ATM) rules don't work on few devices

Article ID: 378152

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Agent Traffic Manager (ATM) is configured with a user-based and group-based rule. While testing in our VDI environment, the rule is being bypassed.

Environment

WSS Agent 
VDI/Virtual Machines 

Cause

ATM user-based or group-based rules do not work in a VDI environment where the agent is installed with the MCU=1 option. Because VDI is used as a multi-user environment (with the MCU option), the WSS Agent cannot certify that there is only one user on a VDI device.

The problem is conflicts between users on VDIs. For example, if user1 is CASB intercept only, user2 is web traffic intercept (ports 80, 443, 8080, 8443), and user3 is custom port intercept, the agent can't resolve the conflict if all three of those users are logged on to the machine at the same time. The core point of MCU is that it is multi-user, so the WSS Agent can't prevent multiple users from logging in. The WSS Agent can't send per-user information to the CTC (Cloud Traffic Controller) for ATM rules (and the rules are applied in a single kernel).

Resolution

In VDI multi-user environments where the WSS Agent is installed with the MCU flag, user-based or group-based ATM rules won't work reliably because of the challenges in tracking and enforcing policies on individual users in a shared session environment. However, location-based rules, IP-based rules, and policies without a source filter (Any) can still be effectively enforced, so ATM can protect the VDI environment even without user-specific configurations.