I have been asked to enable my JSS environment for Apple DEP and also ensure that it is secure. My current setup is an internal JSS with MySQL on it and a file share.
I understand that we need an internet-facing JSS. Is this correct? Would a limited-access JSS in the DMZ work?
Do we need an external CA other than the one built in to the JSS? If yes, would an existing PKI that's on my domain work, or do we need to go for a 3rd-party CA?
You'd only need a JSS in the DMZ if you are wanting to enroll Macs that are outside of your internal network.
If you're only needing to use DEP to enroll Macs that are within your network, you only need to ensure that your JSS has the necessary network ports (see admin guide) open to communicate with the Apple Push Notification Service.