Scope a config profile to a local (non-mobile) user?

We're using the Jamf/Intune connector to co-manage devices to allow access to O365 resources while users are off network/VPN. In testing, I have discovered that in order to satisfy our security requirements, we need to install a profile with the passcode payload. Since the passcode payload and AD accounts don't play nice together (you get prompted to change your password, but it won't actually work), we need to create a local user account, and then use the Kerberos SSO extension to sync the AD and local passwords.

I believe I have a good grasp on the process to get us to that point, but we have thousands of devices deployed with mobile user accounts on them. I tried migrating to a local account using @rtrouton's script here, but on Big Sur at least, it had a bunch of issues setting permissions. What I'm envisioning is running a script through Self Service (or maybe push it to them) that creates a local account on the device for them. There will be an issue of moving the files over still.

So to make sure not everyone gets the Kerberos SSO profile and is prompted to sign in, I want to limit the scope to only local user accounts. I know there are scripts out there for checking if an account is mobile or local, but I can't build a user smart group off a computer extension attribute. I would need to target specific users on a specific device. Any suggestions?