You could transfer based on IP address, if they have a specific IP Range. The settings can be found in System Tree > Group Details > Sorting Criteria.
I cannot think of any other option than this two to quickly move to the right group on first ASC.
Thanks for your input, This is likely the direction we'll be taking, however I do see some inconsistency behaviour when there is a conflicting sorting criteria.
First step here, you have to try all the steps as below for one machine to understand how it behaves then you can plan for mass transfer.
1. Once you transfer the system, if the sorting is not working as expected by default it goes to Lost & Found default group.
If all those machines comes udner same domain or workgroup, mostly it will create a sub group in the lost & found for those systems.
If your environment is lucky is going with this way, and those all 200 belongs to same workgroup or domain, and if you test one machine and it is going to sub group under Lost & Found then you have the answer.... assigning the respective policy what you need to be applied to this sub group to get it stop blocking VPN, then you can do the simplest way to move to respective group.
2. If the systems is dumping in Lost & found group without any sub group and if the policy which you want to apply, if that will not hamper other than these 200 machines, if still it got those policies, then you can apply that policy to the lost and found group it self for temporarily to avoid VPN block and then move it.
3. If either one is not suitable for you, then you need to see matching criteria for these systems as Siushan with IP range or particular subnet it self those 200 laptops is coming from.
But mostly this will not help you, since you said it laptops if user connected via VPN and without VPN the ISP providing IP and dynamically assigned ones are very different you have no control for each ISP provide IP's released to systems.
Other than this, since you telling those are from separate group then you may have a common naming like
System_ABC or so and so, if that matches you can configure any system starts name as system_XXXX apply the TAG as SYSTEMTAG and assign this TAG to the respective group or also to Lost and found group.
SO, for any circumstances, if it is not moved to respective group, atleast in lost and found it will have the TAG applied to those system_XXX system names.
Then, you can apply policy based on the TAG through Policy Assignment rule page.... and those systems will get this policy.
But all the options is not that easy it depends on the situation and all should be tested with one or two systems with all combinations and see which works for you
Also, under server settings - sorting option, you should enable the sorting for every ASCI for a while, even though it will hamper other systems getting sorted for every ASCI... but since those having no change, so it will not hamper.
Once all good, you revert the sorting at once option in server settings.
If you got the answer, you can close the thread, so it helps other to utilize this thread for the transfer systems with the logic to be used... while performing transfer systems.