Hi DarrenFord, the best way to manage these computers would be using an Agent Handler on the DMZ so computers con reach it through your public IP address and then download policies and software from the repository as if they were inside your network
Thanks Laszlo, was thinking along the same lines!
We have also deployed AHs in our DMZs, we use an agent handler group configuration to give Sudo load balancing and resilience through two different data centres and two different IP ranges.
We sucessfully manage 1000 MacBooks this way, but we did point then to use McAfeeHttp for their primary repository rather than using lazy caching on you AHs to reduce load and attack surface on the DMZ AHs.
Best of Luck
Is there any risk involved by having the public facing AH from the DMZ?