...and 24hrs later, issue appears to be resolved. Tried to resend invitation again, and this time went without issue, and the user accepted. #shrug

Hi, We're looking to enable federation within ABM and so expect to encounter the same challenge when we do. We're taking some precautions, and so I've created some ABM accounts with admin role but used the @mydomain.appleid.com suffix, so that if it does create an issue, I have a method of getting back in & fixing things. I've also used 2 of these IDs to create accounts with App Store Connect with admin roles to proof that too. The other thing you could do is transfer the account holder to an account which is not on your domain, temporarily, and then transfer back once done. HTH, Piers

I suggest you learn more about the capabilities of MDM: If you want to prevent uninstallation / force reinstall of MDM client, you'll need to use some type of DEP (ABM) enrollment and device configuration If you use the above DEP for this capability, you'll need your customers to only buy their devices from you, which seems very impractical, unless being done on a small scale If you tried this using MDM & BYOD principle, then there is a limit to which apps you can control and which config/restrictions you can apply, which are not the capabilities you list above. In short no, this wouldn't work.