wkat4242 2 days ago
The enterprise support is actually pretty bad. They offer some cool stuff like DEP, but there are so many strings attached that for enterprise it's rarely actually possible in practice. Many things are boneheadedly designed. For example, Apple federated accounts are a great idea. But in your global directory the UPN and email must be the same. For us it's not, with good reason. We're not going to change our entire setup globally to suit Mac users who make up 0.5% of our systems. And there are never going to be more unless they become more accommodating. We even looked at JAMF, but it's too much work to implement a whole separate management system. And the options in Apple's configuration profiles are way too limited. Another issue: every account that has already been created as a private Apple ID on the corporate email must be manually resolved. Impossible with many tens of thousands of users. AD binding, while rudimentarily supported, causes so many issues. If someone's password expires there's no way to log in unless they're physically on the company network. The problem is that our security team demands we bind to AD. Not Azure AD. That's just reality in enterprise. Having a managed local admin account is also a really big problem, and there isn't really any tooling for that. Maybe if you go all in on Apple like IBM did, then yeah, you could adapt your environment to all their quirks. But it's a big blocker for small deployments. And really, besides IBM, nobody in enterprise did this. Apple meanwhile doesn't really care anyway. They only care about the consumer market.