Realized that despite believing all machines post 2018 (Touch ID or T2 Mac) would automatically have ABM Deployment, this does actually need to be checked within the MDM you're using.
Fun moment, but thankfully a quick resolve.
If your user's device is currently set up in the MDM but your MDM isn't pulling it/updating info on it, a quick little:
sudo profiles renew -type enrollment
will fix it for you. You'll still need to do a bit of cleanup, but at the least you know that you're not stuck in limbo and don't need to clean-slate a working and configured user. This process can also help when someone gets stuck on the whole "default user" issue and then goes ahead and sets everything up on it.
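A small check script for the situation above, added here as an example (not from the original post): it reads `profiles status -type enrollment`, and only runs the renew when the device is not reporting both DEP enrollment and MDM management. It assumes the status output uses the "Enrolled via DEP: Yes/No" and "MDM enrollment: Yes/No" lines.

```shell
#!/bin/sh
# Added example: decide whether `profiles renew -type enrollment` is warranted.
# Assumption: `profiles status -type enrollment` prints lines of the form
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved)|No

# Classify status text passed as $1. Prints: ok | renew | unknown
classify_enrollment() {
    dep=$(printf '%s\n' "$1" | awk -F': ' '/^Enrolled via DEP:/ {print $2}')
    mdm=$(printf '%s\n' "$1" | awk -F': ' '/^MDM enrollment:/ {print $2}')
    case "$dep/$mdm" in
        Yes/Yes*) echo ok ;;          # ABM/DEP enrolled and MDM managed
        No/*|*/No*) echo renew ;;     # either side missing: re-pull enrollment
        *) echo unknown ;;            # unexpected format: look at it by hand
    esac
}

# Live wrapper for a Mac: query the real status, renew only when needed.
check_and_renew() {
    status=$(profiles status -type enrollment 2>/dev/null) || {
        echo "profiles status failed (not macOS, or no permission)"; return 1; }
    echo "$status"
    case "$(classify_enrollment "$status")" in
        ok)    echo "Device is DEP-enrolled and MDM-managed; nothing to do." ;;
        renew) echo "Enrollment incomplete; renewing..."
               sudo profiles renew -type enrollment ;;
        *)     echo "Could not parse status output; check the MDM console." ;;
    esac
}
```

Run `check_and_renew` on the affected Mac; the classifier alone can be exercised anywhere with constructed status text.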
Ask me how I know... Once the user is connected to your MDM properly, just go ahead and set up a new user account for them and allow them to create the password (if that's how your org rolls; we do something better at my org, and I'll backlink to this at a later date). When your MDM forces the restart, just have them sign in with that account instead, and life will be much easier than trying to reset the account they're currently signed in with.
Might be common sense, might not. If it helped someone, it's worth bringing up.