Signature based detection is dead. Are you using signature based detection for your travelling users?
Use
This Test on a remote user/mobile/tablet to download a safe 'malware' with a unique hash.
BAD: If you can download the same file twice, you are likely not performing detonation at all.
OK: If you can download it only once, you are likely detonating, but not real time.
GREAT: If you can't download the file at all, you are performing realtime detonation and blocking