To understand your question: are you looking for ways to use AutoPilot and enroll Windows PCs outside the network? If yes, it's not supported at the moment; MSFT is going to release this feature by Q1 2020.
The way it works with Hybrid Deployment right now: after entering O365 creds, the PC keeps pinging the ODJ connector internally; if it's not reachable, the hybrid deployment fails.
This is another answer, in case I misunderstood:
You can join the PCs to Hybrid Azure AD, which gives you the ability to use traditional GPOs, and Configuration Profiles and Security Baseline in Intune.
You can create a VPN configuration profile and scope it for Always On VPN, and then apply a PowerShell script for gpupdate using Intune.
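
An added example, not part of the original answer: a PowerShell script of the kind that could be deployed from Intune for the gpupdate step. It assumes the script runs in the SYSTEM context on a PC that is already hybrid joined and has the Always On VPN profile applied; the log path and retry values are hypothetical.

```powershell
# Added example. Assumptions: runs as SYSTEM via Intune, the PC is hybrid
# Azure AD joined, and the Always On VPN profile is already on the device.
$logDir = Join-Path $env:ProgramData 'GpoRefresh'   # hypothetical log location
$log    = Join-Path $logDir 'gpupdate.log'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

function Write-Log {
    param([string]$Message)
    # Timestamped line so a failed refresh can be traced later
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $log
}

# A PC that is not joined to the on-prem domain has no GPOs to refresh
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Log 'Device is not domain joined; skipping gpupdate.'
    exit 1
}

# Wait for the VPN tunnel to come up: retry DC discovery before giving up
$maxAttempts = 10    # assumed value
$delaySec    = 30    # assumed value
$dcReachable = $false
for ($i = 1; $i -le $maxAttempts; $i++) {
    $null = & nltest.exe "/dsgetdc:$($cs.Domain)" /force
    if ($LASTEXITCODE -eq 0) { $dcReachable = $true; break }
    Write-Log "Attempt ${i}: no domain controller reachable for $($cs.Domain)."
    Start-Sleep -Seconds $delaySec
}

if (-not $dcReachable) {
    # Non-zero exit so the deployment shows as failed instead of silently passing
    Write-Log 'Giving up: domain controller never became reachable over VPN.'
    exit 1
}

# Refresh computer policy and record the output for troubleshooting
$output = & gpupdate.exe /target:computer /force /wait:120 | Out-String
$gpExit = $LASTEXITCODE
Write-Log "gpupdate exit code ${gpExit}: $($output.Trim())"
exit $gpExit
```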