Right, Global Protect is great in regulated environments. You can turn on its always on functionality and devices can then be used while connected to VPN or not at all. If that setting is configured in an environment where users are connecting their personal devices, it's misconfigured, pure and simple.