Symantec Encryption Management Server (SEMS) supports clustering, which replicates data to each node. Part of this cluster functionality is DMZ mode, used when a cluster node is placed in the DMZ network. Because servers in the DMZ are accessible to the public, DMZ mode has a feature to disable the management of private keys. Disabling private keys on DMZ cluster nodes changes the way enrollment and policy updates can happen.
Disabling the Host Private keys option on Symantec Encryption Management Server prevents it from running certain services, one of which is enrollment. Because the enrollment process involves private keys, clients (both Symantec Encryption Desktop and mobile devices) must not be enrolled to DMZ nodes that do not host private keys. Enrolling to such nodes can have negative consequences, including, but not limited to, key modes changing without warning, which can cause the managed keys to become unusable. Take special care not to enroll to these nodes, and enroll only to nodes that host private keys.
The following should be considered when enrolling mobile devices to servers when DMZ nodes are part of the cluster and Private Keys are not being hosted:
Contact Support if further guidance is needed to enroll servers to DMZ nodes not hosting Private Keys.