So, a few things:
1. There isn't a passcode "reset" for iOS, there is only a "clear" passcode. As far as I can see, this doesn't need a supervised device, if Apple's website is to be believed, but it certainly WON'T work for a User Enrolled Device. And my colleague in support is correct: You can't systematically set a new passcode on the device remotely. That's an Apple restriction.
2. It would be useful to know the connectivity of the device during the period that you needed to perform the reset: If the device was offline, no amount of coercing would achieve your requirements. Something that I've seen in the past.
So, what could you have done? If the requirement was to lock the user out of the device, you could have placed the device into kiosk mode with some completely unrelated application. Notes, for example. This would have prevented the user from using the device whilst keeping the device online.
The other alternative would have been to have completely wiped the device (if the device was in DEP). The user would have been forced to have enrolled the device. The only downside to this is that you'd have lost visibility of the device.