Thanks to both of you! I figured this might be the cases since it wasn't easy and straightforward with the basic options.

Is it relatively "normal" for admins to assign profiles, etc through DEP, but let the end user set up their own local user on the device? I realize everything important is still managed and controlled through profiles and the agent, but I hoped there was a way to make local user profiles remotely.

We don't have a large amount of Macs. But this is our procedure. The device is assigned to the user with there AD credentials (during DEP) and the appropriate profiles and apps come down. During setup, the local account is an admin account (we call it "techlocal") is created. After verifying that the AD bind was successful (configuration profile) and the login page profile came down, we hand it over to the user - they login with there AD credentials and a mobile account is created. Anytime they are on the corporate network, we rsync via a script at login all there local data (Files on the Desktop, Documents, Photos, Videos) onto there network home (stored in an SMB share). The network home acts as a backup for there data. We played with the idea of ditching AD and using something like NoMAD to "lose the bind", but keep the benefits of AD (kerebos), but decided against it as we have no problem with AD.

Thanks, jared_f. Great explanation, as far as I can tell!

We are not running AD, so maybe that will hold me back from doing what I want to, but I suppose it's not the end of the world to just allow the end user to create their own local user, etc if I really want the ease of not touching the devices before they're given out.

We usually create our admin local user and then run our own script to install custom tools and for creating the user’s profile before handing the device to the user.

caribou