I'm trying to figure out how the mobile access and firewall policies must be configured to allow access only to specific applications via the Capsule Connect/VPN mobile apps (instead of the Capsule Workspace app).

I.e., after a user connects and is assigned an office-mode IP, he/she can connect to all destinations allowed by the firewall-blade policy (if there is a rule for the office-mode IP range as the source), even if a mobile access rule doesn't exist for that user and that destination. Does this make sense? This way, all access is common to all users.

What configuration is needed to allow only per-user access?