if using external UNC for packages, just add reading rights to your AD group "domain computers", on your UNC NTFS+Share ACL.
This group provides the right for "system" or "network" local accounts to read your packages. Not able by default. So you will not have to put "specific credential" to pull all clients, with domain user reading + local admin all computers, and a security "hole" your domain, as I can tell you those credential are not "high crypted" on all your computers NS agent policies storage...
Best to run a MSI package using local system. Notice, that the install run from a local replica those packages, any way. If you want to run directly your packages from the UNC (part a DFS, so already local your clients) without replicate your client: just build "empty" no package soft component: and launch install command like "msiexec /i \\dfs\share\mymsi /qn"
I am agree with you this platform do not "show" and explain clearly what's happen, and what are mechanism inside. I do not get yet how image packages are back replicated all sites servers, and how to get a clear report all package servers & details package replication status, as we were having in version 6 :(
Most of the Site service "Deployment & boot" part, are obviously done from a separate development group thans others into NS (SMP). The setting are another place in the console the other PS+TS+OOB services. Site management are not correctly integrated the NS console, and annot be used into custome console, etc... Lot improvements must be done from Symantec to simplify & clarify, and improve reliability.
Another tricks: do not install/activate package services on your SMP server: we can do that, we should never !! If more than 500 clients, create a Site server and activate as the PS(package)+TS(task)+BS(boot).
A Client Management Platform, cannot be success deploy without planning about 15 days consulting/training with an expert, or you plan at least 30 your days of self-training, LAB, testing... And keep a testing LAB your Altiris to make those changes before moving in PROD... We can mistake easily.