I just created a QuickAdd package with Recon, signed with my wildcard certificate, deployed to a few machines with ARD.
Pre High-Sierra machines (10.11 and 10.12) are enrolled, the MDM profile is properly signed and available. No problem.
In 10.13 (.2 beta I have to say), it enrolls, the profile is installed, but... this needs to be approved, and this needs to be done PHYSICALLY with a keyboard on the machine, so... you can not do it via any remote control.
What am I missing ? How can we do ?
I guess this would not happen if using DEP ?
(at least, the JAMF binary seems fully functional)