Managed are looked after by an ePO server, unmanaged are not (i.e. they are a stand-alone installation).
Both managed and unmanaged systems are capable of updating. Unmanaged will typically do so from the McAfee update site directly.
I would guess whoever created the original image was planning on deploying McAfee via the imaging process.
In theory you have VSE installed on the computer in unmanaged mode prior to the imaging. Once the image was blown onto a new computer a new agent install task would be deployed via EPO and the install then would be converted to managed mode. This would get around the duplication of agent instances in EPO that can happen when imaging.
What you should tell the imagers to do is:
Just before they sysprep the image, install the agent and stop (not disable) the framework service.
navigate to the key in regedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\]
Right-click the AgentGUID and select Delete
(see KB56086 for full details)
Then get them to sysprep the image witout restarting into Windows again.
That way, when the image is deployed to new machines, they will have the agent installed and will recreate the agentguid key when the framework service is started.