We are looking into encrypting laptops that will be external to our domain and ePO. EEPC 7 has a new offline activation feature that does not require connecting to an ePO server. However, it says that once the offline policies and local users are applied, they cannot be changed unless connected to an ePO. There is also the need to transfer the encryption key off of the offline activated laptop into the ePO for future recovery. We won't be able to use SSO using AD credentials, but we would still like to manage the laptops via ePO. If I have read correctly, AD accounts are not a requirement for EEPC. So would this be accomplished by having a separate agent handler in the DMZ so the laptops can communicate with the ePO, and thereby have access to most if not all of the management capabilities as if EEPC were deployed to an internal network computer? Are there any best practices guidelines for this scenario? Thanks.