This might sound silly but how do you login do the hidden Admin account with random password on a machine on enrollment? Is the password stored somewhere or can you change the password somewhere before needing to manage the users machine? How does this tie in with FV2?
Did you thought about something like this:
https://github.com/joshua-d-miller/macOSLAPS https://github.com/NU-ITS/LAPSforMac We do use the 2nd one and find it very useful.
@Tangentism I'm talking about under user-initiated enrollment where you can select the option to randomize the password. For prestage enrollment you can only put a password. That is correct.
You may also test EasyLAPS. I'm the author of this tool which is designed to regularly rotate the local administrator account password of a Mac and store it in a MDM like Jamf Pro or Jamf School.
