I appreciate that you need to login with a local account to setup the SAML settings initially... but we have a requirement that all access to applications is managed through an IdP and that there's not a "back door" that can bypass the IdP.

We could live with working with support to enable/disable local login if there was an issue with SAML.

Access to MDM grants a lot of power to a fleet of devices - we'd like more central control over who has access...