I'd like to learn the policy based thing too, but my workaround is just to tunnel through with a device VPN trying different locations until I find one that hasn't been blocked yet.
Discussion
pbr was beyond my bandwidth and willingness. Switched VPNs and it now works fine.
what would be great is an easy way to route device groups or profiles to chosen VPNs. no time to figure that out.