Our current workflow is to erase machines using Internet Recovery or an Erase/Install Script in Self Service, manually create a local user admin for the assigned user, enroll in Jamf, and then let our DEP-Notify policy kick in upon enrollment to provision.
The end of DEP-Notify calls a script that demotes the local user, and then DEP-Notify enables FileVault via a logout as enforced by a Configuration Profile.
This works well except the management account doesn’t receive a secure token.
Is there a way to pass the token before the created local user is demoted? Preferably silently, so as not to interrupt the DEP-Notify workflow.