I had a similar issue in that I was trying to scan and deploy updates to Servers in a DMZ from Shavlik Protect which was located on my Domain. The work around which I used was to create a user account in AD then replicating this username and password on the server you want to scan. Not the best way but it was the only way I could get it to work.
I am able to manually run scans and deploy patches, but unable to setup scheduled scans because the scheduler is looking for default credentials. The default credentials on the console server do not have permissions to the servers in other domains. For regular scans and deployments I am able to define a different set of credentials, but the scheduled scans seem to require the default console server credentials.
In regards to the Shavlik Scheduler. Credentials set as Default Credentials are used to kick off the scan, their not used to connect to and scan the target machines. In Protect 9.1, set Default Credentials that have admin rights to the Protect server, the scheduled job will start using those credentials then use whatever credentials are set in the Machine Group to scan/deploy to the machines.
Let me know if you have any questions.