@Mideto Admittedly not best practice, but I just use a full admin
account for API calls - in general I think the obfuscation provided by
the script parameters is pretty good. As far as I know the only other
ones you might need is the Send Set Recover...
Finally got a chance to revisit this and wanted to share: I came up with
a group/policy workflow that runs automatically if Macs somehow manage
to go through PreStage enrollment without Recovery Lock being
enabled.First step is the script (full credi...
Thanks @Steven_Xu - yes, that was going to be my alternate approach -
convert to a shell script. I'd probably make it a deployable script that
would run automatically when a device is part of the no_recovery_lock
group.
