We have a PreStage set up for the techs to assign computers to (we have more than one PreStage)
They need access to the PreStage for computer/Device assignment.
Unfortunately they need to have update access to the PreStages in order to do this.
And you know what happens when techs get update access that lets them change everything, they change everything.
Is there any way to lock the PreStage down but still give techs ability to assign a computer/device to a PreStage?
Unfortunately, I do not think it goes any more granular than what you have found for the permissions. What you could do though is assign the device in ABM to a different location and have that plumbed directly to your prestage as a source. It takes a moment to set up but it's all automatic after that. This, of course, depends on your environment, but it's how I've done it for dropping computers into sites to keep techs out of prestages and such like you are wanting to do.
@BCPeteo In this scenario, recommended way is to use the Site option. I believe if you are using more than one Prestage Settings, then your organisation has one or more entities and all of the entity devices are managed by one instance. Break all the items within Jamf (Profiles, Policies, Restricted Software, Prestage) in to different sites and grant access to tech's to manage only the particular site / entity they are responsible for.