No need for a script.
Cant remember which version of Jamf this appeared in, but use Client Side limitations for you policy in the General tab.
You can set it to deploy when connected to Ethernet only.
Then if you define a network segment for your internal VPN `IP range you can use that as an scope for exclusion, so any devices reporting on that range won't run the policy
Not if you have all your network segments defined and combined in the same policy, sounds like dgreening is using these the same way as we do. As we know what the IP ranges our global VPNs use and what the client will report in on when connected, we can use the network segments for policy exclusions.
Example below is to stop users installing large Adobe CC installs when connected to their local VPN: This exclusion stop the policy running when user connects from a certain VPN range and/or if they are on WiFi (i.e the option to install Adobe CC disappears from their Self Service, but only returns when they are connected the internal LAN)