Hello, we have configured an 802.1X network profile with a SCEP profile that generates a machine certificate per computer. When connecting to the network we are forced to select the certificate. Isn't there a way to make the selection automatic?


Short answer: Yes. Make the Wi‑Fi (802.1X) payload explicitly reference the SCEP‑issued identity certificate and anchor trust to your RADIUS CA. When the Wi‑Fi payload is bound to the identity payload, macOS automatically presents that cert and won’t prompt users to choose.

What to change in your profile (Jamf / other MDM):

  1. Identity (SCEP) payload
    Ensure you deploy a device (machine) identity via SCEP. This creates the client cert (with private key) in the System keychain. In the Wi‑Fi payload you must select this identity payload as the authentication credential for EAP‑TLS.

  2. Trust (CA) payload(s)
    Deploy the full RADIUS server chain (root and any required intermediate CA certs) so the supplicant can validate the server during EAP. If the chain isn’t trusted, the Mac won’t complete EAP‑TLS and you’ll keep seeing prompts. Optionally specify the expected RADIUS server names (CN/SAN) to pin trust.

  3. Wi‑Fi (802.1X) payload

    • Security: WPA2/WPA3 Enterprise, EAP‑TLS
    • Identity / TLS Certificate: select the SCEP identity payload from step 1.
    • Trusted Certificates / Server names: select the CA(s) you deployed and, if your MDM supports it, set the trusted server names (this maps to TLSTrustedServerNames).
      With those set, macOS auto‑presents the selected identity and joins without user interaction.

If it still prompts:

  • Confirm the identity is present and usable (System keychain, includes private key, EKU for client auth). Twocanoes’ write‑up on macOS EAP‑TLS and eapolclient is a handy reference.
  • Set an identity preference (advanced / fallback): If you must script it, you can bind a specific cert to an SSID using an identity preference. Example:
    # SHA-1 of the identity’s certificate
    CERT_SHA1="ABCDEF1234..."; SSID="Mac"
    security set-identity-preference -Z "$CERT_SHA1" \
    -s "com.apple.network.eap.user.identity.wlan.ssid.${SSID}" \
    /Library/Keychains/System.keychain

    (Jamf Nation thread discusses this approach and the com.apple.network.eap.user.identity.wlan.ssid.<SSID> naming.)

  • Re‑check RADIUS trust: If the client doesn’t trust the RADIUS cert/hostname, it won’t present its certificate (and you’ll see handshake failures in your NAC logs). Make sure the correct CA(s) and, if required, the server name(s) are in your Wi‑Fi payload.

  • Check login keychain for any competing 802.1x certificates and delete them.

Disclaimer: I had ChatGPT help me with some of the formatting and wording, and this will hopefully help you. This meshes with what has helped me in the past.
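The payload binding the answer describes, as an added example (not code from the post, Jamf or Apple): it builds the SCEP, root CA and Wi‑Fi payloads with Apple's standard profile keys, references the identity and anchor by UUID, and checks for the omissions that leave the supplicant prompting. The SSID, SCEP URL, device name, RADIUS hostname and CA bytes are constructed placeholders.

```python
import plistlib
import uuid

EAP_TLS = 13  # EAP method number for EAP-TLS, as used in AcceptEAPTypes

def _payload(ptype, name, **extra):
    """Fill in the Payload* keys every payload dictionary must carry."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadDisplayName": name,
            "PayloadIdentifier": f"example.{ptype}",
            "PayloadUUID": str(uuid.uuid4()).upper(), **extra}

def build_profile(ssid, scep_url, device_name, radius_names, root_ca_der):
    """SCEP identity + RADIUS root CA + a Wi-Fi payload that references both by UUID."""
    scep = _payload("com.apple.security.scep", "Machine identity", PayloadContent={
        "URL": scep_url, "Name": "ExampleCA", "Subject": [[["CN", device_name]]],
        "Keysize": 2048, "Key Type": "RSA", "Key Usage": 5})  # 5 = signing + encryption
    root = _payload("com.apple.security.root", "RADIUS root CA", PayloadContent=root_ca_der)
    wifi = _payload("com.apple.wifi.managed", f"Wi-Fi {ssid}",
        SSID_STR=ssid, AutoJoin=True, HIDDEN_NETWORK=False, EncryptionType="WPA2",
        ProxyType="None", SetupModes=["System"],      # machine (pre-login) authentication
        PayloadCertificateUUID=scep["PayloadUUID"],   # the EAP-TLS credential: no picker
        EAPClientConfiguration={
            "AcceptEAPTypes": [EAP_TLS],
            "PayloadCertificateAnchorUUID": [root["PayloadUUID"]],  # trust only this chain
            "TLSTrustedServerNames": list(radius_names)})           # pin the RADIUS CN/SAN
    return _payload("Configuration", "802.1X EAP-TLS", PayloadScope="System",
                    PayloadContent=[scep, root, wifi])

def to_mobileconfig(profile):
    """Serialize to the XML plist form a .mobileconfig file contains (unsigned)."""
    return plistlib.dumps(profile)

def binding_problems(profile):
    """Return the omissions that leave the supplicant prompting or failing EAP."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    problems = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        ident = by_uuid.get(p.get("PayloadCertificateUUID"))
        if ident is None or ident["PayloadType"] != "com.apple.security.scep":
            problems.append("Wi-Fi payload is not bound to a SCEP identity payload")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or any(u not in by_uuid for u in anchors):
            problems.append("RADIUS CA anchor(s) missing from the profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("no TLSTrustedServerNames set")
    return problems
```

Run `binding_problems()` on a profile exported from your MDM before deploying it; an empty list means the identity, anchors and server names are all wired together as the steps above require.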


Thank you, that's exactly what I was missing.