do the laptops never connect in to the main network over the internet via VPN for policy updates/reporting?
i remember reading this ancient thread about it, it sounds like an interesting idea. And it wouldnt suprise me if Mcafee implement it in a future release. Microsoft are doing it with SCCM i believe, where there is like an external facing gateway server in the DMZ meaning clients do not need to establish a VPN connection to be managed
ePO 4.5 introduces the concept of an "agent handler" which sits in the DMZ and communicates between internet clients and the internal ePO server. You can read more about this on the McAfee support portal in the beta section.