UTM EndPoint integration with SEC

Greetings! We currently use Sophos UTM (9.5 at this moment) but also have the Sophos Enterprise Console (SEC) to manage our endpoint clients. Management has requested a method to monitor internet activity on work-owned devices (laptops) after they have left the network, so I am playing around with the integration between Sophos UTM and SEC. At first things were working well: I enabled the 'Endpoint' section on our UTM and created a 'Full Web Control' policy in SEC with the appropriate URL and KEY, then applied that to a device. The device does now indeed follow our UTM policies for websites and logs all of the traffic in the "EndPoint Web Protection" log. The problem is that when the device returns to the network, it keeps using the Web Control of the Endpoint, which has limitations in regards to both functionality and logging compared to just using the UTM. Ideally what I'd like is that while a device is behind the UTM, it uses only the UTM for all web functionality, and when off network, it uses Web Control of the Endpoint, which is then tied to the UTM. Any thoughts on this?

One example of an issue is that all of the logging the Endpoint does while on our network only shows the UTM IP address for all destinations, which makes sense for it, but the UTM can log everything properly. The endpoint logs are also missing certain fields.

I just want to see if there is a possible workaround/solution before I have to start looking at 3rd party software to monitor the devices.
Thanks for your time!