Lots of questions :)
How can this be automated? ---> In SP1 the brokercert can be included in the agent installation
Also, do I need to add 0.0.0.0 to the firewall for all my public laptops? ---> Better to empty the Allowed list, as you never know from where a device will connect. The blocked list is tricky, and you should evaluate the predefined entries very carefully, as they block quite a large range...
Is this only necessary for the certificate request? ---> No, the firewall is for all communication
Can I block the administrative page from the public? ---> Currently not. But if you store the direct link somewhere yourself, you can go into the filesystem and change the opening page so it does not display the link.
In terms of policy and groups, I'm assuming I can create some smart group based on public IPs or hostnames? ---> If devices are 'out' most of the time, then IP should be the key.
I know it says not to, but has anyone tried to put this behind a NetScaler load balancer? ---> Never tried, but I think it is quite tricky to configure, especially with the HTTPS certificate communication.