Hello BlackCat,
Thank you for posting in the Q&A forum.
Based on the description above, I understand you have an AD CS server in your domain.
For the devices not in the domain, you can try to use the Network Device Enrollment Service.
For more information about Network Device Enrollment Service for Active Directory Certificate Services, please refer to the link below.
For the users not in the domain, if the users are in another forest, you can try to use Certificate Enrollment Web Services to issue certificates to the users in another domain (such as domain B) using a CA in one domain (such as domain A).
Starting with Windows Server 2008 R2, you can utilize Certificate Enrollment Web Services to provide certificates across forests that do not require forest trust relationships. For a lab demonstration of such a configuration using Windows Server® 2012, see the Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services.
Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou