Zero Trust gateway identity filter not working

Hi There

I have a pretty simple setup: some users with WARP clients, some not, i.e. guest users, etc. WARP users are configured via email one-time code authentication.

For DNS gateway rules, I'm trying to create an allow rule for certain WARP users based on logon name, group, or email to allow a category e.g. social networks or redirects. The allow policy is above the larger block policy. 

I validated that WARP clients are installed and authorized, and the devices show up in my team. 

Sadly, it does not appear to work. Looking at the logs, something like is blocked by the larger block policy. A clue is that the identity for the block indicates email/device name as none and user ID/device id as 00000000-0000-0000-0000-000000000000.

Help please?