Can't comment too much on the 1st question, although I don't see any real advantage one way over another.
As for #2... Generally it is preferable to separate them. MUCH easier troubleshooting, and much easier to disable a specific setting for one or all machines if necessary when they are separate. If you need to back out something like a security setting on a single machine, you can do just that, without disabling everything else.
1. - Binding should be done pre-user login/account creation.
   - Only for policies you can set to run at a certain time (i.e. enrollment complete policy after login, in regards to when those should run). Config profiles, however, are downloaded once the MDM profile is installed (during enrollment).
2. Separate them for the reasons [~Taylor.Armstrong] stated.
@ralvarezOES +1 for separating your profiles. When I first started using config profiles to manage Macs I only set up 3 profiles, which I thought was simplifying the enrollment and deployment. Cut to 2-3 months later when you want to make changes, or your security policies need to be updated. You'll save yourself a lot of stress by grouping things by topic, so I have one profile for FileVault, another for the rest of our security settings, one for login screen settings, one for the dock, etc.
As far as your first question, Jamf 10.10 will introduce Await Configuration support for configuration profiles. This means that you can set your PreStage enrollment settings to prevent the Mac from reaching the login screen until all your desired profiles are installed. Without that feature, the profile push to the Mac is generally reliable (and they are all present within a couple of minutes of a user reaching the desktop), but every once in a while you'll find a recently-enrolled machine that didn't get 1 or 2 profiles installed for some reason.
Thanks for all your responses. Good information. There's more to think about than I thought, so I've got a test Mac I'm going to enroll and actually watch the process now.