My response from support: It does look like this is a current Product
Issue, and I have tied this case to that Product Issue. This is
PI-008020. The current workaround for this on enrolled machines is to
change distribution method to 'Make Available ...
Would this process work to unsign, update the removal key/value pair,
and then resign the profile with the JSS CA?