It has been asked of me if McAfee endpoint encryption has the facility of a "remote kill" in the event of a laptop being stolen/lost.
Previously I have created a new group within the machine groups which basically removed all users from the machine.
I know there isnt much use unless somebody actually managed to get into the laptop, connected to the VPN (2 seperate logins) but nonetheless they are still asking if there is any other way. Pretty sure there isnt but I'm happy to be enlightened.
Short of removing users, and sending a remote reboot command to force the machine to reboot, I'm not aware of much that you could do. Even then, you really aren't "killing" the computer, or wiping data, just making it inaccessible.
Just make sure you have PBA-enabled on all machines, and don't use Auto-boot. And educate, educate, educate users not to leave their computers unlocked while unattended. They won't listen, but you have done as much as you can.
Setting the Disable access if not synced for x many days is a good way to automatically kill the machine without having connectivity to it. Your users will have to know that they need to sync at least once every x days or they will be locked out.
I wrote a "panic button" script for a TLA a while ago which nuked the pre-boot area, but that's more of a local kill than remote.
You are right though, if you don't expose policy sync to the internet (no reason not to, it's encrypted..) you can't remotely control anything.
by "remote kill" I think you mean is there a way to disable the machine? We set a machine property to "disable access if not synchronized" for 90 days. You can set this value to anything you want but it can create problems for you if your users don't connect very offen to your network and sync. This is a Machine property on the Synch screen.