We're running a 9.65 JSS and do light imaging -- we just put the base installer on the computer and then load the packages on, triggered by the enrollment event, once it's there. Our process seems to work flawlessly with El Capitan even though we are not running the latest version of Casper, so I'm wondering what I have overlooked, confident that something must be broken somewhere.
I know Apple added exceptions to SIP for the jamf binary, at least for now. Self Service doesn't seem to crash for me. We have a lot of custom-written bash scripts that function fine, and a directory we've placed under Library -> Application Support with some binaries in it, all functioning fine.
We do know we have to upgrade to the new 10.11-compatible release of the JSS, but that may be the first time we spin up a development server and test it and could take a while. In the meantime we're blocking the El Capitan Installer via restricted software right now for upgrades -- any reason that we should be?
If your question is really whether you should block Macs from updating to El Capitan while still running your JSS on 9.65, I would think that's still going to be a good idea, regardless of what your testing is showing at the moment, because JAMF will likely not be able to support your environment if things start breaking after clients update to 10.11. It's kind of a risk if you ask me.
We have two methods to get our image on machines. One is via the netboot environment, if we have a computer that should be reimaged. The other is the out-of-the-box DEP one. Based on what you have said I suspect the DEP method, which I haven't tried, is broken, because it puts the client on while the OS is cognizant and could get upset about it.
There's one broken thing. I am now satisfied.