On a recent project we use VMware UEM in both a managed and a registered mode of management; the latter is experiencing a bug when pre-registration for enrollment is enabled.
With closed enrollment enabled, all devices need to be registered beforehand; this is a security measure that ensures no open enrollment is possible. This all works fine except for Apple devices: when enrolling a device in a managed state that is not registered at all, the enrollment would pass the first MDM payload from Apple and only then get a "you are not allowed to enroll" message. This, imho, is a step too late, because you are already communicating with and allowing some sort of access to the environment.
The second point, for which we opened a support case, was that in a registered state (e.g. MAM/SDK only) this would allow you to enroll! Say what? Yes, you would be able to enroll an unmanaged device without any staged record.
Support acknowledged the bug and is working on a solution for this behavior. In the meantime, a workaround: if you use MAM/SDK enrollment for, e.g., BYOD devices, create a dedicated OG (organization group) for it and enforce the "require registration token" option in addition to the "registered device only" selection under the Devices & Users > General portion of UEM.
Hope it helps!