Authenticated scan

In order to get an authenticated engine scan (not agent) does the target computer need to be on VPN, or just connected to wifi?

It just needs to be reachable from your scan engine. You should have a * Firewall rule from your engine to all the devices you are scanning. I always tell me people that IVM shows the vulnerabilities on a box, not the compensating controls like firewall blocks. So you want to make sure that your engine isn’t getting blocked resulting in False Negatives.