Enrollment Setting - Unassign Profiles at Re-Enrollment
We heavily utilize individually assigned profiles for Macs. There are also a few default profiles assigned via group. When a new out-of-box Mac is being enrolled for the first time, only those default profiles are installed (around 5). Profiles are installed quickly and reliably. Later on during provisioning, our configuration management tool handles installing other required per-device profiles.
However, when a Mac from stock is being re-enrolled to be used by another person, every previously assigned profile is installed at Setup Assistant. Since in my case those individually assigned profiles are usually per user, team, department, etc. and no longer pertain to the new person using the Mac, the device configuration is functionally incorrect. I'd prefer if on re-enrollment they weren't assigned at all. With a significant number of profiles, there's also no guarantee they will all be installed by the time the user hits the desktop, and since MDM has no concept of priority delivery, oftentimes those individually assigned per-device profiles from the last user get installed before the default ones.
The current workaround is to use a webhook to watch for lock or unenrolled events and use the API to programmatically unassign profiles. I'd prefer not to, though. I'm specifically asking for a setting, globally or per enrollment, to unassign every profile except those assigned to a group at re-enrollment.