Welcome back.
Sounds like you're making some assumptions that in some instances aren't accurate. See my comments in blue font.
Question # 1:
The laptops connect to AD through VPNs but they are not always on VPN. From what I have seen if the VPN is on and a login session is simulated, the latest settings are always fetched. But when VPN is off, it uses cached credentials.
That behavior is expected. In order for a system to get directory updates (like GPOs) or authenticate users in real time, there has to be connectivity to the directory. In absense of connectivity, after a configurable timeout, it will fall-back to cached credentials. Nothing off here.
The question I had was other than the login event, when does the client fetch the settings? I assume adgpupdate is not supported for Express - so is there some standard periodicity for refresh?
Innacurate assumption - even if you don't get access to the over 400 GPOs available in the commercial version, does not mean that GPOs aren't applied. In the Windows world (and to over-simplify) let's assume that GPOs apply to computers and user accounts. There are GPOs like password complexity, length, expiration, account lockout thresold, Kerberos ticket lifetime, etc that will be enforced per transaction basis, some settings will be cached or stored in config files. Other GPOs that may apply to the computer, perhaps a logon banner, are applied when the system is online and maintained as a configuration management item. E.g. the
Computer Configuration>Windows Settings>Security Settings>Local Policies> Message text for users attempting to log on may translate in a UNIX/Linux system to the system banner for an SSH session. This is performed by the Centrify mappers.
This means that the default group policy refresh interval of 90 minutes still applies as well as the execution of adgpupdate.
The problem I have is when users log out and log back in, their VPN is gone and so if that is the only event triggering a refresh it may never work for some users.
That is expected because by definition you can't trigger a refresh because to connect to the SYSVOL folder (that holds the GPOs) if you can't establish connectivity with your DCs. I would not worry about this because unless you're using the licensed version on heavily configured systems (like Macs), this isn't an issue. The account, kerberos and lockout policies are pretty static and typically enforced globally.
Question #2:
I am having a tough time understanding which all policies get applied on Ubuntu laptops. I did some searching and saw many posts around group-policies/templates etc. But our requirement is fairly basic - for eg, locking screen with idle time of 2 minutes and forcing a password-unlock. If I set those policies in AD through "Group Policy Management Editor > User configuration > Policies > Administrative Templates > Control Panel > Personalization > Screensaver timeout" I do not see them getting applied on Ubuntu.
The problem here, is that although your research is totally accurate if you were dealing with a Windows system, Ubuntu is a Linux system, so the "Screen Saver Timeout" GPO you refer to, will work in a Windows but not in Ubuntu. This is why Centrify has worked hard to develop a portfolio of GPOs. As a basic premise, a GPO is basically a template that indicates the state of a registry key (a configuration item on a Windows system); in the case of UNIX, Linux or Macs, there's no registry but config files; to complicate matters worse, although Linux has matured in many aspects, the industry seems to not pick up their minds on a standard Desktop!!!!! Therefore such GPO should take into account all the variations of Gnome, KDE and any other new forks that have some decent adoption.
Your confusion is understandable, all you need to do is close the cognitive gap. The group policy guide contains a nice introduction: https://docs.centrify.com/en/css/suite2017-html/index.html#page/Group_policies%2FGroup_policies_in_Active_Directory.1.html%23 <= I would say, this is the right place to start.
We also provide extensive GPOs for OS X and Gnome.
I do not have a /var/centrifydc/reg folder too. So does it mean these kind of policies will not work in the Express edition? Password length etc constraints seem to work fine. Hence the confusion. Please let me know if there are other ways of enforcing a screen lock if not through these group policies.
Like I stated above, password complexity, expiration, kerberos, lockout will be enforced regardless of the edition (commercial or express), the configuraiton management GPOs (in the links I provided above) for UNIX, Linux, Windows, OS X or Gnome require a valid commercial license.
My advice is that config management should be dealt by a DevOps solution like Chef, Puppet or Ansible. GPO management may not be the right way to go here, especially since there's no guaranteed support for all the variants of desktop interfaces in Ubuntu.
Tip: Centrify's help is online, indexed and readable by anybody. If you need to research a topic, all you need to do is go to your favorite browser and type: [topic] site:docs.centrify.com; for example
screen saver group policy site:docs.centrify.com will yield these results:
https://www.google.com/search?q=screen+saver+policy+site%3Adocs.centrify.com&ie=utf-8&oe=utf-8
A good place to start also if you want to understand Centrify basics, is the Getting started part of my blog (even if I've been busy to maintain it lately): http://centrifying.blogspot.com/search/label/Start%20Here
R.P