We are upgrading from VPN 560’s for our clients and we cannot administer the router remotely without first connecting a VPN. Is this a new security feature?

This has ALWAYS been the case with ALL of our VPN Router products! You must first modify the access rule for Administrative Access to ALLOW ANY network to administer the unit. The RF560's were no different - You had to enter the Advanced->Administration Settings Section and "Tick" the Remote Configuration checkbox and if you had a setting in the field this is equivalent to the ANY parameter within the RF6xx or RF8xx.