I am a n00b so take this with a pinch of salt. As resource policies apply to roles, I would check your authentication realm settings to see if there are rules that map your users to a different role when they are connecting from their phones. If so, check that split tunneling is enabled under the VPN tunneling > Options page for that user role. Then check the settings under Resource Policies > VPN Tunneling > Split Tunneling Networks, and make sure that the policy that allows access to the new subnet includes the role that the phone users are mapped to. Hope this helps!
... View more