MobiControl - Separate services from single server to multiple
If you want to achieve what you said:
"So, as a way around this, I need to separate out the deployment server and management server into 2 servers so I can have the web console on its own instance with TLS 1.0/1.1 disabled, and then the deployment server for the device communication will have them enabled. I can then whitelist the firewall for TCP/5494 for only the source device IPs which we will always know to make our security team happy for that and also https will not have TLS 1.0 enabled."
then the simple approach is probably to keep the deployment server on the same server instance that has your current public IP/FQDN communicating to all enrolled devices, and then install in another Windows server instance a new MobiControl management server, for which you do not need any license and of which you can in principle install as many instance(s) as you want. Then run MCadmin to reconfigure your implementation to point to the new IP/FQDN of your new Management server. Finally, start your web console to connect to the new management server instance.
The above is a brief description of the general approach I would take, based on your limited description of your case, to minimize impact to enrolled devices. Of course, there is always a risk that you can mess up things if you miss some steps or do them in the wrong order. Please note that taking snapshots and simply falling back if something goes wrong may NOT always restore full control of your enrolled devices. The worst case will be recall of enrolled devices for re-enrollment, and possibly the need for a factory reset if your enrolled devices are DEP/supervised iOS devices or Android Enterprise devices in device-owner mode. So, evaluate your risks, especially for mission-critical implementations with a large number of enrolled devices, and you might need to find the Soti professional services team or someone with the right expertise and experience to do it for you.
I'd say consider a reverse proxy using nginx instead: allow port 5494 to "pass-through" as-is (through your firewall rules) but force port 443 (HTTPS) connections to the management web server to ride on TLS 1.2+. You can then keep a single server or split your services later on with greater ease.
Here is my configuration to get you started.
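The poster's own configuration is not reproduced on this page. What follows is an added example, not the poster's or SOTI's configuration, of the layout the reply above describes: nginx on a separate host in front of a single MobiControl server, passing TCP/5494 through untouched but restricted to known device source ranges, and terminating HTTPS for the web console with a TLS 1.2 floor. The backend address 10.0.0.10, the FQDN mobicontrol.example.com, the certificate paths and the device ranges 203.0.113.0/24 and 198.51.100.0/24 are all placeholders; the stream module (nginx built with --with-stream) is assumed.

```nginx
# Added example, not the forum poster's configuration.
# Assumptions (all hypothetical): nginx has the stream module; MobiControl
# listens on 10.0.0.10; device traffic originates from 203.0.113.0/24 and
# 198.51.100.0/24; certificates live under /etc/nginx/certs/.

events {
    worker_connections 1024;
}

# --- TCP/5494: device/agent traffic, relayed byte-for-byte ---
# nginx does not terminate TLS here, so whatever protocol versions the
# deployment server accepts on 5494 (including TLS 1.0/1.1) stay in effect.
# The proxy only adds the source-IP restriction the poster asked for.
stream {
    upstream mobicontrol_devices {
        server 10.0.0.10:5494;
    }

    server {
        listen 5494;
        # Only the known device ranges may reach the deployment service.
        allow 203.0.113.0/24;
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass mobicontrol_devices;
        proxy_connect_timeout 10s;
    }
}

# --- TCP/443: web console, TLS terminated at the proxy ---
http {
    server {
        listen 443 ssl;
        server_name mobicontrol.example.com;   # placeholder FQDN

        ssl_certificate     /etc/nginx/certs/mobicontrol.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/mobicontrol.key;   # placeholder

        # The weak setting this replaces would read:
        #   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Only TLS 1.2 and 1.3 are offered to console users.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

        location / {
            # Re-encrypt to the management web server. It may still offer
            # TLS 1.0/1.1 itself, so block direct access to it at the firewall.
            proxy_pass https://10.0.0.10:443;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # Plain HTTP is redirected, never served.
    server {
        listen 80;
        server_name mobicontrol.example.com;
        return 301 https://$host$request_uri;
    }
}
```

Two things to check before relying on this. First, confirm the TLS floor from outside with `openssl s_client -connect mobicontrol.example.com:443 -tls1_1` (handshake must fail) and `-tls1_2` (must succeed); the proxy only protects what it is in front of, so the MobiControl host's own 443 and 5494 must be reachable solely from the proxy. Second, because TCP/5494 is relayed rather than terminated, the deployment server sees the proxy's address as the client and any TLS 1.0/1.1 exposure on that port is unchanged; if enrolled devices also talk to the server over 443, the TLS 1.2 floor applies to them as well, so verify that every device agent in the fleet negotiates TLS 1.2 before enforcing it.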