Managing 4G devices with on-premises server

Hi all,

When starting with SOTI MobiControl we made a choice to put the server on-premises.
This was because, back then, there were only on-premises devices that needed to be managed,
all connected either by internal LAN or WiFi.

Now, from within the organization, the question has come up to have a device connected via 4G that is not only used on-premises.

Question: What is the best practice?

  • Moving server to DMZ zone? (not preferred)
  • Second DS server in DMZ zone?
  • Setting up FW rules?
  • ...

Any advice, best practice approach is welcome.

Greetings,
Karel.

4 years ago
SOTI MobiControl
ANSWERS
Raymond Chan Diamond Contributor
4 years ago (edited 4 years ago)

If your Telco can arrange a corporate APN for your 4G devices and/or can restrict the device public IP address to a well-defined small range, which can be added as an additional exception for several ports in your corporate firewall, then it might be possible to use your current DS to also manage them. Some MobiControl server settings might need to be fine-tuned with the MCadmin utility in this case.

If the above is not possible for security reasons, you can consider adding a second DS in the DMZ.

However, if your 4G devices need to use MDM policies that require interaction with Google/Apple/Microsoft back-end services, then your DS server(s) might need reconfiguration using a public FQDN for the device-management address and a good enough SSL certificate installed. Depending on your existing DS configuration, such reconfigurations likely mean a lot of work to be done for your existing enrolled devices currently on your internal corporate network. In such a case, you might need to consider whether you should have a separate (second) MobiControl implementation, rather than adding a second DS.
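The first option above hinges on the firewall exception being exactly as narrow as described: only the telco-assigned 4G range, only the DS host, only the DS ports. The following script is an added example (not part of this thread, and not SOTI's or MobiControl's own code) that audits iptables/nftables-style firewall log lines against that intended policy and reports any accepted flow the exception should not have let through, which is the check you would want to run after adding the rule. The IP range, DS address, port numbers and the `[FW-ACCEPT]`/`[FW-DROP]` log prefix are constructed placeholders; replace them with your own values and confirm the DS ports against your own server configuration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholders (assumptions, not values from the thread):
# the public range the telco assigns to corporate-APN SIMs, the DS address
# in the DMZ, and the TCP ports on the DS that devices must reach.
APN_DEVICE_RANGES = [ipaddress.ip_network("203.0.113.0/28")]
DS_HOST = ipaddress.ip_address("192.0.2.10")
DS_SERVICE_PORTS = {443, 5494}


@dataclass(frozen=True)
class Flow:
    action: str                  # what the firewall actually did: ACCEPT or DROP
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def intended_action(flow: Flow) -> str:
    """The exception as described in the answer: APN range -> DS host,
    DS ports only, TCP only. Anything else from the outside is DROP."""
    if (flow.dst == DS_HOST
            and flow.proto == "tcp"
            and flow.dport in DS_SERVICE_PORTS
            and any(flow.src in net for net in APN_DEVICE_RANGES)):
        return "ACCEPT"
    return "DROP"


# Field names follow the kernel LOG target; the [FW-...] prefix is a
# constructed log-prefix convention for the rule that matched.
LOG_RE = re.compile(r"\[FW-(ACCEPT|DROP)\].*?SRC=(\S+) DST=(\S+) PROTO=(\S+).*?DPT=(\d+)")


def parse_log_line(line: str) -> Optional[Flow]:
    m = LOG_RE.search(line)
    if m is None:
        return None
    action, src, dst, proto, dport = m.groups()
    return Flow(action, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def audit(log_text: str) -> List[Tuple[str, str, int, str, str]]:
    """Return one tuple per flow whose real firewall action differs from the
    intended one: (src, dst, dport, firewall_action, intended_action)."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_log_line(line)
        if flow is None:
            continue
        expected = intended_action(flow)
        if flow.action != expected:
            findings.append((str(flow.src), str(flow.dst), flow.dport, flow.action, expected))
    return findings


# Constructed sample log: two legitimate APN-range flows, one correctly dropped
# outsider, one outsider wrongly accepted (exception too wide on source), and
# one APN-range flow wrongly accepted to a non-DS port (exception too wide on ports).
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: [FW-ACCEPT] IN=wan OUT=dmz SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=5494
Mar  3 10:01:05 fw kernel: [FW-ACCEPT] IN=wan OUT=dmz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=443
Mar  3 10:01:09 fw kernel: [FW-DROP] IN=wan OUT=dmz SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=50123 DPT=5494
Mar  3 10:01:12 fw kernel: [FW-ACCEPT] IN=wan OUT=dmz SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=50124 DPT=5494
Mar  3 10:01:15 fw kernel: [FW-ACCEPT] IN=wan OUT=dmz SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51300 DPT=3389
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("policy drift: src=%s dst=%s dport=%d firewall=%s intended=%s" % f)
```

Running it over the sample reports the two drifted flows and nothing else; feeding it a day of real firewall logs after the change is a cheap way to confirm the exception did not end up broader than the answer intends.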

MartinsKl
4 years ago

We have Gp VPN set up with certificate authentication. Devices receive the app and app config from the managed Play Store and can be set up to connect automatically. Devices go to a dedicated subnet with separate FW rules. APN seemed too expensive, and with this solution, existing systems could be easily set up.

Shawn T
4 years ago

Do yourself a favor and migrate your MobiControl installation to the cloud. On-premises management of external devices with port forwarding in a DMZ is absolutely possible. Moving to the cloud will provide you with global access (internal or external) to your devices and allow for much easier upgrades to your environment at no cost or internal labor.