Hi Parag,
Considering the scenario mentioned by you I would suggest the following options.
Install SEPM at the Head Office Site.
Create client packages as per your requirement.
Deploy it to the Head Office Clients first.
You mentioned that there is no internet connection available at any of the branches except the Head Office. However if I undertsand you correctly there would be a LAN or WAN connectivity between these branches right?. If the answer is YES then you can keep the client package that you have created at a shared resource on each branch office, thereby the clients can install the endpoint protection from this location. As far as the updates are concerned since the Head Office has internet connectivity and the SEPM is installed there it would take the updates and distribute it to the clients.
In case you face any difficulty you can also burn the client package on to a CD and then send it accross to the branches(if it is feasible) and they can install endpoint protection.
There would be a file named
administration_guide.pdf(CD1\Dodumentation\administration_guide.pdf) in CD1 this file would be of great help in case you get stuck in between the deployment
Please revert in case of any help