After banging my head for a year or two on new machines being completely unreachable or at best screen-sharing-only, I think it's because while you can turn ARD ON via MDM, all users by default have no privileges.

So I now have a kickstart script to do this.

It seems to me this should be a fundamental part of the "enable" action. For the device action, it could maybe look like the attached. For an enrollment .. I'm not sure, can you execute scripts at enrol time? If not maybe automatically afterwards?

Some of the necessary kickstart commands are here in my Slack post on the topic:

https://macadmins.slack.com/archives/C0BKLSYSF/p1722474281891989?thread_ts=1707168306.116149&cid=C0BKLSYSF