In most cases, VPN usage should be expected, especially if the alert is being generated from a personal device. At this point, the only available option would be to create a rule at the identity or organization level. However, the rule does not support adding a condition to exclude alerts specifically when the activity originates from a personal device.