The basic question is: how are you grouping and organizing your devices, and how do you keep them separated?
Historically, we have used Pre-Stage Enrollment as the starting point for grouping everyone. We are also an Active Directory school. So I started using Departments as a way of organizing various grade levels and relying on that to scope configs and apps... The difficulty comes when you have a multi-user device such as a computer that controls our theater booth or a shared Mac mini that lives in a classroom used by many teachers. If I tie the device to the theater teacher, that device will receive all sorts of configurations that are meant for that individual user and I would have to remember to put exclusions all over the place.
The reason I have wanted to get away from Pre-Stage Enrollment scoping is that I find it unreliable. For example, one day, we had a certificate suddenly expire and, despite the fact that the devices are supposed to automatically receive the renewal if they are on, we had many that didn't, which meant they had to be re-enrolled, which would mean the device would have to be either wiped or re-enrolled using User-Initiated Enrollment... obviously this removes it from the Pre-Stage group that the device belonged to and causes a cascading number of configs and apps to fall out of scope. What a nightmare.
I had the idea to create generic users that have specific departments so I could use that to assign, but we don't like the fact that there would be generic AD accounts floating around out there, and the security audit team does not like this idea at all. What do you all do?