Configuration Profile Exclusions Not Working

New computer = recently enrolled Mac? If a computer happens to be in a config profile exclusion group on enrollment, it shouldn't install at all. If a profile is pushing to begin with (and then you have to remove) I'd be curious what your workflow is. I believe group membership is checked during recon.

Right. It should be updating after recon but it doesn't seem to be happening in our environment.

After enrollment is complete then the user is prompted to select their office location in DEPNotify, which creates a flag file that is picked up by an extension attribute. Recon happens right after the selection is made so the extension attribute updates right away. This extension attribute value is mapped to smart groups in order to exclude the Mac from our default configuration profile and include the Mac in the configuration profile that matches their region. In this case the Mac receives the new configuration profile but continues to keep the default profile even though it's scoped to be excluded.

Hmm... if this was working before your issue popped up my first thought some kind of latency issue (assuming the Mac is being setup in a different office location and you're on-prem). Support ticket?

If it's always behaved this way, I would rework the profiles so that nothing pushes on enrollment. Profiles then wait until the office location is set in DEPNotify. So take what's in the broader "default configuration" and split that up by office location. So, I guess that's essentially including X default profile in 9/10 office sites, instead of excluding X default profile from 1/10 office sites.