I would like to add something here. This works for sure, but I have experienced in a couple of cases that the IP address can't keep up with package deployment. We were changing our VPN client and it was important for them not to be on VPN at the time (so they wouldn't be stranded).
I made a collection like this with a heartbeat schedule to deploy the new VPN client, but in a couple of cases we saw that people who had recently been on-site, shut down their computer, gone home and then started the computer and logging on to VPN, would take a little time to update in the console. Their status as online would show first and the package would deploy (maybe it was just before the scan could complete)... they would get their VPN uninstalled and then the deployment would fail.
What I have learned is to copy the files to their local drives and run them from there in these cases.
A couple of things I still don't know though: 1. Will a deployment fail locally on the computer midway through a step if it loses connection to the PDQ server? Would a script step that is only halfway done, when connection is lost, continue to run?