So I guess, I should be luck we only started with Mac and JAMF back in 2016 so designed our build around light-touch post-enrolment packages and MDM feature control when apple turned around at the high sierra launch and said, you know what imaging is naff!
Anyway long story short is that i have found about this with our first T2 enabled mac to understand that even building by stick to our current build tested macos version unless we turned off all T2 options as first part of new MBR process but also using the great installinstallmacos.py to cobble together a 2018 high sierra that would work on a T2 device without being able to fall back on Non proxy'd access. as far as im aware apple never released it on the App Store
now working in a 40k plus business corporation, we cannot rely on omnipresent non-authenticated internet access so the above was quite annoying as apple will not be told by anyone. however we could work around it!
now however i am trying to make usb sticks and find that the Mojave installers now give an option to download T2 and 'one' hopes touchbar firmware via the "--downloadassets" option so no internet is needed at the build stage but they only seem to be bootable on non T2 macbooks. is anyone else experience where apple maybe have started signing deivce id's on T2 MBRs??????? (is having APFS related maybe)?
guess only other option would be a perma-cached installer and start using starttoinstall to do clean rebuilds on APFS machines.