Here is our scenario: We have many Windows 10 laptops that very rarely see our internal company network, nor do they see the internet. We have groups of these laptops that are taken to various locations throughout our region and set up on their own closed network using a router that is not connected to a WAN (no internet connectivity). This is done for the day, then taken down at the end of the day. The one consistency that they have is that they all can connect to a single server that is set up on the closed network. When not in the field, the servers do come back and get connected to our internal network, and so they are able to keep Windows and SEP up-to-date. Though the laptops roam between which of the physical servers they are connected to, the servers will always have the same IP address on the closed network (let's use 10.1.1.2 for example). So tablets/laptops can always connect to 10.1.1.2 while on the closed network.
I thought that making the servers GUPs and pointing the clients to look for a GUP at 10.1.1.2 might be a solution to how to keep their definitions up-to-date, but upon further reading about GUP best practices, I read this:
“If the SEP clients you need to update using a GUP are not able to connect to the HTTP port used by the SEPM for client management, consider another method of updating clients.”
Unfortunately, it can be many months that pass before the laptops see our internal network, and this is usually a manual process when we put hands on each device and update them. Obviously, with the laptops being on a closed network, there isn’t much of an attack vector, and it would be difficult for anything to spread from them as well, but ideally we would be able to keep their SEP definitions up-to-date anyway in case staff deviate from our documented policies and processes and connect them to another network or plug mass storage devices into them (we do have Windows Group Policy in place, but there are some known ways around it, and we like to try to cover all of our bases).
Does anyone have any suggestions on how we might best keep the SEP clients up-to-date in this scenario?