How do I enroll devices while "Can enable remote management" is disabled?

I'm deploying a large number of iPads and Mac Minis in my environment, and I need to be able to enroll them so they can be managed by my server.

In my server's "Profile Manager" there is a setting called "Can Enable Remote Management".

By enabling this, I can enroll a device through the http://myserver/mydevices/ page.

If I disable the "Can Enable Remote Management" feature, the "Enroll this mac" button disappears.

This is to be expected since once I have the remote management enabled, I don't want any other users monkeying with it, removing the trust certificate, or otherwise vandalizing my hard work.

What is the right way to mass deploy these devices to my network, ensuring they can't be changed by the users, and disabling the ability for the end user to enable/disable remote management?


Four years after you posted this, Apple's answer to this is the Device Enrollment Program, which points all the macOS and iOS hardware you buy to your MDM enrollment URL without user interaction.

That way the devices can be enrolled, supervised, and managed without needing to train end users.