I administer a small office using Apple Business Manager and Jamf Now. Most of the Macs were added to ABM via Configurator on the iPhone, and are thus supervised. I've set up Jamf Now as an MDM server, done the certificate shuffle to hook it up to ABM (and unchecked the "allow MDM to release devices" that's offered as part of that procedure), and assigned the devices to my newly-created Jamf Now MDM in Apple Business Manager. The newly-added devices show up in the Auto-Enrollment tab in Jamf Now, and I'm able to assign them to users, assign blueprints and thus push all the appropriate settings etc.
So far so good, but end users with admin privileges are able to go into the Profiles prefpane on their Macs and delete the Enrollment Profile, removing the devices from Jamf Now and kicking the devices in Apple Business Manager to "Released" status, requiring a full backup/wipe/re-enrollment with ABM in order to be able to put them back into Jamf via Auto-Enrollment (and yes, I could still add them in Open Enrollment, but that's not the point, dammit).
I don't like that. It stands to reason that if I have a user who can just unenroll their laptop from the device end, kicking it out of both Jamf and simultaneously releasing it from Business Manager, then there's absolutely nothing at all from preventing that user from wiping and selling the thing to feed their drug habits. Not that they'd do that. Okay, most of them wouldn't do that. Probably.
I've poked around Jamf Nation and The Internet™, and have arrived at the point where I cannot for the life of me figure out if this is a) expected behavior, and that I am an idiot, b) if I've done something blindingly obviously wrong, or c) if there's something I haven't done at all. I would very much like to be able to push a non-removable Jamf Now enrollment profile to those machines so that people would stop breaking things and I could go back to drinking on the job and taking long naps. It's important to have hobbies, after all.
