You can configure a machine level VPN tunnel to be active when the user logs out. 

Below is the sequence:

• User boots up the laptop

• Internet connectivity exists

• User hasn’t logged on

• Pulse client brings up a VPN tunnel in the machine context using machine certificates / machine credentials

• IT or SCCM admin can remotely connect back to the laptop or push updates etc

• User hits CTRL+ALT+DEL and logs onto the domain as the domain controller is reachable.

• Once the user desktop is loaded and user is within the user context. At this point the VPN tunnel can be configured to be active using the machine tunnel or drop the machine tunnel and reconnect using user credentials with 2 FA etc. VPN will be established

• User logs out of the workstation

• Machine VPN becomes active

• VPN is always on in the above scenario with an exception of when the user is in a trusted network (office location etc)