Question

jss now in dmz - best way to know what devices need to be re-enrolled

  • October 3, 2014

ImAMacGuy

I've got our JSS in the DMZ now. Apparently I need to re-enroll the existing machines into the new DMZ JSS link. Is there an easy way to show/group/list what machines need to be done vs. what has been done? I was thinking of deploying a new QuickAdd; however, I want to give the ability to use the https://jss.server.com:port/enroll as well.

6 replies

Nick_Gooch
  • Contributor
  • October 3, 2014

I'm pretty sure you don't need to re-enroll, unless you had to change your host name? At least we didn't... Added the JSS in the DMZ with the same host name as the internal JSS. Set up DNS to point to the proper JSS. Copied the cert keystore to the DMZ so it matched the internal, modified the server.xml, restarted Tomcat and we were good to go.


  • Contributor
  • October 5, 2014

What you may need to do is check what you are pointing to: prior to adding the pinholed site we were pointing to OurJSS. What you need to make sure you are pointing to is the fully qualified name: OurJSS.ourserver.com. That change was made in the JSS, and we also created a policy that changed OurJSS to OurJSS.ourserver.com.


  • Contributor
  • October 5, 2014

If you end up having to re-enrol everything (sometimes it's needed), you could run an inventory on all devices, then run a report showing only devices that haven't checked back in since the changeover date.
Unsure of the specifics of the report, but you should be able to see who hasn't checked in since a certain date.


ImAMacGuy
  • Author
  • Esteemed Contributor
  • October 6, 2014

We are going to have to re-enroll; we changed the DNS name since we were just using the server name before. So there's no EA or anything we can do to have it pull the current JSS connection?


  • Honored Contributor
  • October 6, 2014

If you keep your old internal DNS record intact along with the new one that works both internally and externally, and then change the management URL in the JSS, when the clients check in at the old address internally they will update their management plist file with the new address and start checking in using the one that works both internally and externally.


  • Honored Contributor
  • October 6, 2014

I should say my experience doing this only applies to OS X machines.