subhani,
a couple of options here come to mind they all have been covered here before...
DLP
Placec endpoint server in DMZ but use different key for these laptops.
Possibly look @ endpoint server for these users in the cloud
Possibly move endpoint and enforce to cloud
setup vpn from users house to office
PGP
force a vpn connection every 5 days for the endpoint to talk with the Universal server
Consider Just PGP desktop delpoyment with out the universal server at least you know it is encrypted.
setup vpn from users house to office