Easiest way is to have an open SSID, either temporarily available or always available. If always available, I would recommend limiting it to just being able to get to Apple and your Jamf instance. We use an open SSID that is just broadcast in one location and limited in what it can access.
In your prestage, you would assign your managed WiFi profile (with auto join selected), so that the devices can connect after successful enrollment.
On MacBooks, once the profile is installed, it will join the managed WiFi after the profile installs, so I have a script that runs after enrollment completes that removes the open SSID from the device.
On iPads, the device will not automatically switch to the managed WiFi, you have to manually change it over (which is a bummer, but has been confirmed by both Jamf and Apple).
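The post-enrollment cleanup mentioned in the post above could look like the following. This is an added example, not the poster's own script: `Enrollment-Open` is a placeholder SSID, and the two parsing helpers assume the usual `networksetup` output layout.

```shell
#!/bin/sh
# Added example: remove the open enrollment SSID from a Mac's preferred
# networks so the device cannot auto-join an open network later.
# OPEN_SSID is a placeholder; set it to your enrollment network's name.
OPEN_SSID="${OPEN_SSID:-Enrollment-Open}"

# Print the device name (e.g. en0) of the Wi-Fi port, given the output of
# `networksetup -listallhardwareports` on stdin.
wifi_device() {
    awk '/^Hardware Port: (Wi-Fi|AirPort)$/ { found = 1; next }
         found && /^Device: / { print $2; exit }'
}

# Succeed if SSID $1 is listed in `networksetup -listpreferredwirelessnetworks`
# output read on stdin. Entries are indented, one per line; the match is exact
# so "Enrollment" does not match "Enrollment-Open".
has_ssid() {
    sed 's/^[[:space:]]*//' | grep -Fxq -- "$1"
}

remove_open_ssid() {
    dev=$(networksetup -listallhardwareports | wifi_device)
    [ -n "$dev" ] || { echo "no Wi-Fi interface found" >&2; return 1; }
    if networksetup -listpreferredwirelessnetworks "$dev" | has_ssid "$OPEN_SSID"; then
        networksetup -removepreferredwirelessnetwork "$dev" "$OPEN_SSID"
    else
        echo "$OPEN_SSID is not in the preferred list on $dev; nothing to do"
    fi
}

# Run only where networksetup exists (macOS). The removal needs root.
if command -v networksetup >/dev/null 2>&1; then
    remove_open_ssid
fi
```

Scope the policy that runs it so it fires only after the managed WiFi profile is installed; otherwise the Mac loses its only network.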
We had an open Wifi called Enrollment that had no password, but only allowed access to JAMF and APNS. The device then received the profile for the secure wireless. Rebooted and it would select the profile wireless over the manual one. This was a few years ago, not sure how that would work today.