Review the following deployment guidelines and security considerations as you plan your deployment.
MDM Device Management Server Placement
MDM Device Management Server is a domain member and should be located within the internal network. Only one instance of MDM can exist per Active Directory® forest.
To install the required MDM databases successfully, the account that executes the MDM Device Management Server installation script must have local administrator credentials on the computer that is running Microsoft® SQL Server®.
Communication Between the Gateway Server and the Device Management Server
By design, at no point should MDM Gateway Server initiate inward-bound sessions. Only authenticated clients can initiate sessions.
Because MDM Gateway Server is managed remotely, it accepts incoming IP sessions from MDM Device Management Server for configuration and reporting.
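One way to check the session-direction rule above against connection logs, as an added example that is not part of the original guidance or of MDM itself. The addresses, ports, CSV layout and function names are assumptions made for illustration, and each record is assumed to list the initiating host as `src`.

```python
import csv
import io
import ipaddress

# Assumed addressing for illustration only (not from the original page).
GATEWAY = ipaddress.ip_address("192.0.2.10")      # MDM Gateway Server
DEVICE_MGMT = ipaddress.ip_address("10.0.5.20")   # MDM Device Management Server
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # internal network

# Constructed flow records: time, initiator (src), responder (dst), dst port.
SAMPLE_FLOWS = """\
time,src,dst,dport
2024-01-01T10:00:00,10.0.5.20,192.0.2.10,443
2024-01-01T10:05:00,192.0.2.10,10.0.7.15,445
2024-01-01T10:06:00,198.51.100.7,192.0.2.10,443
2024-01-01T10:07:00,192.0.2.10,10.0.5.20,1433
not,a,valid,row
"""

def classify(src, dst):
    """Label one session by who initiated it and toward what."""
    if src == GATEWAY and dst in INTERNAL:
        return "VIOLATION"   # gateway opened a session into the internal network
    if src == DEVICE_MGMT and dst == GATEWAY:
        return "management"  # configuration/reporting session the gateway accepts
    return "other"

def audit(text):
    """Return (findings, skipped); findings are (time, src, dst, dport, label)."""
    findings, skipped = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, TypeError, KeyError):
            skipped += 1     # malformed record: count it, do not guess
            continue
        findings.append((row["time"], str(src), str(dst), dport, classify(src, dst)))
    return findings, skipped

if __name__ == "__main__":
    results, bad = audit(SAMPLE_FLOWS)
    for rec in results:
        print(*rec)
    print("skipped malformed rows:", bad)
```

A gateway-initiated session toward the Device Management Server itself is still flagged, because the rule concerns who opens the session, not which internal host receives it.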
Security Recommendations for Device Management Servers
Ensure that MDM Device Management Server is part of the enterprise infrastructure and is included in all update-management processes to keep it up to date with security and operating system updates.