Configure Proxy Authentication for Mobile clients
It's too bad you can't set Network Location specific Internet Explorer\Internet Settings GPOs because that would quite neatly solve this issue. Oh well.
WPAD is really just a protocol for clients to acquire their Proxy Auto-Config (PAC) file. The PAC file contains the information that browsers need to find and authenticate to their local proxy and is really just JavaScript. In this situation, I would create a PAC file that contains enough logic to check whether or not the client is connected to your internal network and can access the proxy locally, is connected to your internal network via a remote VPN connection (you may still want to proxy remote clients) or is connected to a completely foreign network and then pass the appropriate proxy information to the browser. See this question for an example of how to do this.
You could then build a GPO that:
- Pushes the PAC file out to client's C:\ so its available to them when they're not on the local network (
User Configuration\Preferences\Windows Settings\Files) - Configures Internet Explorer to use it (
User Configuration\Polices\Windows Settings\Internet Explorer Maintenance\Connection\Automatic Browser Configuration)
I should also mention that many OEM's provide 3rd party tools to do "Network Profile" management. I believe Dell had one called Network Connection Manager that was bundled with their NIC drivers, although the inability to centrally manage it made it a non-starter in our environment. There is likely other paid 3rd party applications that provide Network Profile/Location-specific management of these settings.