management tunnel / restrict access when on management tunnel

I have configured the management tunnel on my ASA per the URL below

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html#toc-hId--447213908

I am currently using "tunnel all networks" for split tunneling.

All is working as expected. The workstations are able to communicate with all trusted subnets and all traffic destined for the Internet gets tunneled as well.

How do I further restrict traffic to the trusted subnets when on management tunnel? Should I use a VPN filter?

Problem: when a workstation is connected using the management tunnel, the user is able to launch applications because all trusted subnets are tunneled. I would like to restrict this access. I only want applications to be able to connect when on the user-initiated tunnel.

When connected via the management tunnel I only want the client to be able to communicate with domain controllers and SCCM. All outbound Internet will be tunneled and will exit my enterprise firewall in my data center. I will further restrict that outbound Internet access via ACLs on that firewall.

thanks in advance

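The restriction the question asks for is what a vpn-filter on the management tunnel's group-policy does: the ASA evaluates the ACL against every packet entering or leaving that tunnel, so the client can only reach the listed hosts and ports while all other traffic to the trusted ranges is dropped at the ASA, before it ever reaches the inside network. The following ASA CLI is an added example, not configuration from the post or from the linked Cisco document. The group-policy name AnyConnect_MGMT_Tunnel, the 10.10.x.x server addresses, the RFC 1918 ranges used as "trusted subnets", and the port lists are all assumptions for illustration; substitute your own objects and check your domain controller and SCCM port requirements before deploying.

```cisco
! Added example: vpn-filter for an AnyConnect management tunnel (hypothetical names/addresses)

! Only inside resources the management tunnel may reach (placeholders)
object-group network MGMT-DCS
 network-object host 10.10.1.10
 network-object host 10.10.1.11
object-group network MGMT-SCCM
 network-object host 10.10.2.20

! Trusted (internal) ranges the client must NOT reach over the management tunnel
object-group network TRUSTED-SUBNETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! AD client ports (example subset: DNS, Kerberos, RPC mapper, LDAP, SMB,
! kpasswd, LDAPS, Global Catalog, NTP, dynamic RPC range)
object-group service DC-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
 port-object range 49152 65535
object-group service DC-UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
 port-object eq 464

! SCCM management/distribution point (HTTP/HTTPS, WSUS 8530/8531, client notification 10123)
object-group service SCCM-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 8530
 port-object eq 8531
 port-object eq 10123

! vpn-filter ACL: source = address assigned to the client, destination = inside resource.
! The ASA matches the return traffic itself, so only the client-to-server direction is written.
access-list MGMT-TUNNEL-FILTER extended permit tcp any object-group MGMT-DCS object-group DC-TCP
access-list MGMT-TUNNEL-FILTER extended permit udp any object-group MGMT-DCS object-group DC-UDP
access-list MGMT-TUNNEL-FILTER extended permit tcp any object-group MGMT-SCCM object-group SCCM-TCP
access-list MGMT-TUNNEL-FILTER extended permit icmp any object-group MGMT-DCS echo
! Everything else destined for the trusted subnets is dropped at the ASA
access-list MGMT-TUNNEL-FILTER extended deny ip any object-group TRUSTED-SUBNETS log
! Internet-bound traffic stays tunneled and is handed to the data-center firewall for further ACLs
access-list MGMT-TUNNEL-FILTER extended permit ip any any

! Apply the filter only to the group-policy referenced by the management tunnel-group.
! The user-initiated tunnel uses its own group-policy, so it keeps full access.
group-policy AnyConnect_MGMT_Tunnel attributes
 vpn-filter value MGMT-TUNNEL-FILTER
```

Two points to check after applying it. First, ACL order matters and there is an implicit deny at the end: if the final `permit ip any any` is left out, the Internet-bound traffic the post wants to keep tunneling is dropped at the ASA instead of reaching the data-center firewall. Second, confirm the filter is actually attached to a live session with `show vpn-sessiondb detail anyconnect` (the session shows the filter name) and watch the hit counts in `show access-list MGMT-TUNNEL-FILTER`; the `log` keyword on the deny line makes blocked attempts to the trusted subnets visible in syslog. Because the management tunnel is torn down when the user initiates their own VPN session, this filter never applies to the user tunnel, which is exactly the split the question describes.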