Being User Enrolled or enrolled via ADE should not matter. Managing user accounts should be the same.
However, due to Apple limitations, if a user has a Secure Token (i.e. can unlock the FileVault), then the system will not let Jamf change the password. (I assume deletion is similar, but never tried it.)
We have a similar situation, so what we do is issue a Lock Computer command. If the user is online, the command is nearly instantaneous, and if they are not online, it will lock the computer as soon as they come online. Once we retrieve the computer, a tech unlocks it using the PIN code in Jamf and resets the user password using the FileVault recovery key.
To cut the sales talk: there is technically no such thing as migrating a device into a new MDM instance. If you actually want to manage Macs and move from one MDM to another, you need to wipe and load. Beyond Secure Tokens, which are only provided with Automated Device Enrollment, there are many other management limitations when using Device Enrollment or User Enrollment when it comes to MDM.
It is best practice to reprovision a device when someone is done using it. However, you can use scripts to handle all of this. Or you can use the users tab in the inventory record.
As far as getting a tool, that may be a really good idea. JAMF is anything but an IDP tool; a proper IDP tool will do identity management far better than JAMF Pro ever will.
We use a similar workflow to Tribruin. Send a lock code -> record said lock code and FV2 key in a separate living document for our service desk -> use the FileVault 2 key to change the pw when the device is returned if we need to access the data on the device.