Is there an application out there that lets you connect to WiFi before logging in? We have Jamf Connect, but I'm looking for a standalone app to use until it's rolled out completely. We would like to mimic our Windows environment where you connect to WiFi then VPN and can login with AD creds so our techs don't need to reset a user's password when building a new device.
@PhillyPhoto Are you enforcing FileVault on your Macs? If so there is no network functionality until a user enters their FileVault enabled login to unlock the drive.
Yes, so the workflow would be:
- User receives the device
- User enters the local account password/recovery key to unlock FileVault
- User selects WiFi network
- User connects to VPN (another hiccup since we would need Cisco to have a login window item too)
- User logs in with AD creds
- ??
- Profit!
The frustrating part is that there is an option to have a WiFi dropdown if you configure an enterprise network config profile:
@PhillyPhoto It sounds like you're not utilizing Automated Device Enrollment to set up your Macs. Any particular reason for that? It really makes the deployment process easier.
Our deployment process using ADE is like this:
- User receives a device that is essentially a new-in-the-box Mac (we make sure the latest macOS is installed before deployment)
- User connects Mac to their home network
- User enters their AD credentials to enroll with Jamf Pro
- Jamf Pro installs our standard configuration and user restarts Mac to enable FileVault
- Once the initial configuration is verified, the User ID certificate, corporate Wi-Fi config, and VPN are installed
- User connects to VPN and completes setup (Outlook, Teams, OneDrive...)
One word: security. As in our security team micromanages everything. We've been trying to get to the point where we can deliver machine certificates to our devices while off network, and now they're reviewing Azure App Proxy. And even if we get that, our security team still requires us to join the devices to AD (I know, I know...). I've been screaming the ADE/DEP method for years and finally got the Jamf Connect buy-in at least. Even with that, we have conditional access which would block users from being able to auth for the first time, since the device isn't in a state where it could even be registered with Intune to pass compliance. That's why we're still building 100% of devices on-prem and shipping to end users.
Giving this a Kudo solely for the U*******r Gnomes reference.
@PhillyPhoto You may refer this post of JamfNation, see if this helps https://community.jamf.com/t5/jamf-pro/802-1x-not-authenticating-machine-based-to-freeradius-but-windows/m-p/257437#M238418
I'm looking to let users connect to their personal WiFi networks at home, not 802.1x networks. I was just showing that there is precedent for connecting to WiFi at the login screen.
@PhillyPhoto Sadly it sounds like your "Security" team is one that operates under the principle "This is how we've always done things, and we don't care what modern best practices are for Mac deployments".
There's no technical reason you can't enroll a device in Jamf Pro via ADE and then configure it per your organizational requirements. I would categorize my org's Security teams as very conservative (once breached, twice shy) but the process I described above is one that is acceptable to them after working with them to identify and address concerns. We're in the process of integrating with Intune to provide Device Compliance based access to M365 services so users will no longer require VPN connectivity for those services, but that will have no impact on the initial enrollment process.
If your org is large enough to have a support contract with Apple you probably have an assigned Systems Engineer. I'd recommend you contact them and see if it's possible to arrange a meeting between your security team and Apple's Mac Solutions Architects to see if they can help you get to an ADE/DEP world.
May not be a good solution for your environment as it seems like you are AD binding. However, JAMF Connect provides this as it puts an icon in the upper right of the screen to pick a WiFi network.