Sorry, I should probably have explained this better in my earlier post. I believe there are actually three types of profile in use:
- The first is a trust profile, and it works as I described above. It tells a client that any software sent to it from a particular server is trustworthy. Any client can trust any number of servers, whether or not it is going to enroll with them.
- The second is an enrollment profile. This is not what I described above. Instead it's a command to the client that it should contact a particular server and enslave itself to it. The enrollment is used only to make the enrollment process happen. Once the enrollment process is complete, the enrollment profile can be deleted, and in fact should be automatically deleted.
- The third is the 'remote management' profile that I was calling 'enrollment' above. This tells the client that it should accept commands from the server about what new stuff to install, whether it should let its screen be controlled, whether to lock itself or wipe itself, and other stuff like that.
You can use the Profile inspector in the System Preferences panel to look at a remote management profile and find out exactly what it allows to be done.
Putting these three together you see that the enrollment process goes like this: first an enrollment certificate is sent to the client. As a human tells the client to accept this (or it's automatically set up to accept it), the client contacts the server and says "I am such-and-such a device, enroll me." If set up that way, the server makes some notes about this new device and sends it two other kinds of cert: a trust cert and a remote management cert. The client can then delete the enrollment cert because the enrollment process is done.
Note: the above is only my understanding. I do not work for Apple, I've just played around with this for a bit.
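Added example, not from the post above: a small Python script that reads a `.mobileconfig`, maps each payload onto the roles the post describes (trust vs. remote management) and decodes the MDM payload's `AccessRights` bitmask, so you can see what a profile allows before accepting it. The payload type names, keys and bit values are as I recall them from Apple's MDM payload reference and are an assumption here; verify them against the current documentation, and the sample profile is constructed.

```python
import plistlib

# AccessRights bit values for the com.apple.mdm payload (assumed from Apple's
# MDM payload reference; check against the current documentation).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# PayloadType -> role in the three-profile model from the post (assumed mapping).
PAYLOAD_ROLES = {
    "com.apple.security.root": "trust",
    "com.apple.security.pkcs12": "trust",
    "com.apple.security.scep": "trust",  # identity issued during enrollment
    "com.apple.mdm": "remote management",
}

def decode_access_rights(mask):
    """Return the human-readable rights granted by an AccessRights bitmask."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]

def inspect_profile(data):
    """Summarise each payload: its role and, for an MDM payload, server and rights."""
    profile = plistlib.loads(data)
    summary = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        entry = {"type": ptype, "role": PAYLOAD_ROLES.get(ptype, "other")}
        if ptype == "com.apple.mdm":
            entry["server"] = payload.get("ServerURL")
            entry["rights"] = decode_access_rights(payload.get("AccessRights", 0))
        summary.append(entry)
    return summary

# Constructed sample profile (no real server): one trust payload plus an MDM
# payload whose AccessRights 30 = 2 + 4 + 8 + 16.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.security.root</string></dict>
<dict><key>PayloadType</key><string>com.apple.mdm</string>
<key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
<key>AccessRights</key><integer>30</integer></dict>
</array></dict></plist>"""

if __name__ == "__main__":
    for entry in inspect_profile(SAMPLE):
        print(entry)
```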