Is your DMZ server publicly accessible, aka are all the clients talking to it? Or are they talking to your internal server?
Do you have the push notification ports unblocked?
As listed on this KB: https://jamfnation.jamfsoftware.com/article.html?id=34
@rderewianko Yes, it is publicly accessible. I can see that the computer I'm testing with checked in while not on my domain or internal network. We have the ports opened (or so I'm told they are). Would anything else stop the APN from going through?
When you built the public jss did it have the same DNS as the private?
Cause the APN's tie to the domain used.
- RD
I know when we had probs, it turned out to be our licence key had disappeared.
Jamf also had us run
nc -z gateway.sandbox.push.apple.com 2195
nc -z gateway.sandbox.push.apple.com 2196
nc -z 35-courier.push.apple.com 5523
nc -z albert.apple.com 443
nc -z jssurl jssport
I was able to do all of them successfully except the 35-courier.push.apple.com 5523. Did you have to fully open the entire 17.0.0.0/8 range as well?
Yes we did, despite our infrastructure's unease with it.
That's what I was afraid of, and I've been given the big X on that request. Trying to see if they will do it by address rather than IP.
They own the whole 17.0.0.0/8 address box, which made our case easier.
http://support.apple.com/kb/TS4264
I know this is an old thread but I seem to be having the same issue. I can execute the nc -z to all those addresses except 35-courier.push.apple.com, same as @ddcdennisb. Not blocking outbound currently from the DMZ server or the remote system I'm trying to lock. Any suggestions?
Spoke with JAMF support and it turns out the SSL cert on the DMZ server was not in sync with the one on the primary server. Fixed that and all good now. Just sharing in case anyone else runs into this down the line.
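
The two checks that came up in this thread (the `nc -z` port tests and the DMZ/primary certificate mismatch) can be run together. The following is an added example, not code from any poster or from Jamf; the `dmz`, `primary` and `port` arguments are placeholders you supply, and the function names are illustrative.

```python
import hashlib
import socket
import ssl

# Endpoints taken from the nc commands quoted in the thread.
APPLE_ENDPOINTS = [
    ("gateway.sandbox.push.apple.com", 2195),
    ("gateway.sandbox.push.apple.com", 2196),
    ("35-courier.push.apple.com", 5523),
    ("albert.apple.com", 443),
]


def tcp_reachable(host, port, timeout=5.0):
    """Equivalent of `nc -z host port`: True if a TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, DNS failure
        return False


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def served_cert(host, port, timeout=5.0):
    """Fetch the leaf certificate a server presents, without validating it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic read only: we inspect the
    ctx.verify_mode = ssl.CERT_NONE  # cert, we do not trust the connection
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def certs_in_sync(der_a, der_b):
    """True when both servers present byte-identical certificates."""
    return fingerprint(der_a) == fingerprint(der_b)


def report(dmz, primary, port):
    """dmz/primary/port are placeholders for your two JSS hosts and JSS port."""
    lines = [f"{h}:{p} {'ok' if tcp_reachable(h, p) else 'BLOCKED'}"
             for h, p in APPLE_ENDPOINTS]
    same = certs_in_sync(served_cert(dmz, port), served_cert(primary, port))
    lines.append("JSS certs " + ("match" if same else "DIFFER"))
    return lines
```

Run `report()` from the DMZ server itself, since that is the host whose outbound path to Apple and whose presented certificate matter here.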