Have you tried this -
Give them user rights to the MMC snap-in but mask that via PowerShell or other scripting tools in a GUI that hides the fact that it is accessing the server.
On a workstation all you need to run the MMC Help Desk snap-in --- is the MGMT Agent and the Help Desk msi ---
use your scripting tools to house that in a program that brokers the transaction via a GUI based prompt.
The really nice thing here is SEE ver 11 has a CLI tool built in just like the older PGP encrypted clients --- if you set the appropriate level of access to those components you can remote manage all these clients as long as they are online - if it's a communication issue, that is the time when the commands would need to be from the server - to unlock the client.