Very good thought,we do not have this option as of now, but i think the objective can be achieved.
You need to have all the 3 components installed , however the action can be controlled by policies.
1) We can set your default firewall policy to blank, meaning it does nothing( same like not having NTP installed, process would run but no action)
2)You can set a "additional location by following this document"
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040212410248
while configuring the condition.
select the option , client can connect to management server
now select second option cleint cannot connect to management server
this will add a location.
you can set a firewall rule according to your security settings.
with this, when they are able to connect, rule 1 is applied
when they are not able to connect rule 2 is applied.
It would be good if you have have this idea setup under our ideas section.