SCEP service without exposing to the Internet
I suggest enabling the use of SCEP in the configuration without exposing the service to the Internet; exposing it is not a good idea, because the service has poor authorization.
Instead of placing SCEP on the Internet, I suggest using a connector for a service running inside a LAN, just like it was done in Microsoft INTUNE or enabling the use of the service under a private APN.
The proposal is made because we tried to configure the service for mobile phones with Internet access only through a private APN, in which DNS correctly points to the SCEP server on the internal network. Unfortunately, the service does not work this way and the devices do not receive certificates, although it would seem that with this configuration everything should work.
Sophos Mobile (on-premise) can act as a SCEP proxy, avoiding the publication of the SCEP server externally.