What's the difference if the evidence replicates through the McAfee Agent or UNC? It's gonna end up on the ePO server in both cases (most of the time, depending on where SQL is stored). You can provide credentials for replication in case you have problems with machines from multiple domains.
Anyway, the evidence is stored until the machine has connectivity to transfer it. The parameters for storing the evidence are under the agent configuration (max total size, file max size, min free space in MB and %).
Thanks for your response. Unfortunately, some laptops will never be on our WAN (working completely remotely), so there will never be the opportunity for the machine to connect to the UNC path, hence wondering whether it could be forced out via the ePO client. Not to worry though, I realise it's going to be a limitation of the way our network is set up at the moment.
Thanks for the other pointers though. Makes sense.
Alternative: You can put an agent handler in the DMZ that will allow you to get the events, but still won't get the evidence. You still get the event though...