We are in the middle of migrating between Sophos and Defender and have observed a large percentage of our devices don't have the right Defender Configuration profiles required to onboard our devices. Defender has installed fine through policy, but can't work without its settings which are applied via Config profiles.
The Config profiles for Defender on a lot of active machines were discovered to be "Pending" from the Configuration Profiles view within Jamf, but for most Macs, there are no pending Management commands from the Inventory view, and for some they simply sit there indefinitely saying Pending.
I've managed to replicate the problem with really simple config profiles, such as some Finder config, without finding a fix. We've just upgraded to 10.34.0 in the hope it magically fixed things, but it hasn't.
The devices affected are all active, checking in and updating inventory. There's no obvious commonality between devices affected, almost everything comes in through Prestage enrolment, is running Big Sur, Catalina, or Monterey, etc.
Are you sure it's not something to do with your prestage? I saw something similar when installing configs with network filters in the past. The app would install and drop the network connection and configs would be left as pending.
As a test, set your prestage software install for anything with a network filter to cache only. Have the configs apply and prestage, then have another install policy for devices with the app cached (with a trigger for enrolment and recurring check-in). See if that gets around it.
@pchrichard Have you had the users on Macs with the profile stuck on Pending try restarting? This is a problem we see occasionally in our environment, especially on Macs with uptimes of more than a few weeks, and for some (but not all) restarting allows the profile to install. If that's not helping, open a support case with Jamf and they can help you troubleshoot (I've got a case open for this problem myself).
We ended up submitting a ticket and were eventually working with a level 3 engineer to try to solve the issue. It wasn't with Defender but it was related to an issue when configuration profiles are removed. Until the issue is resolved on their end they recommend that you don't outright delete the config profile but instead unscope the computers and leave it alone until the PI is resolved. They had to clear the database from all the pending configs and after that there weren't as many issues.