Solution: Server 3.2.1 "Invalid Profile" w/ Supervision-based Enrollment
After installing Server 3.2.1, I had been fighting an "Invalid Profile" error on Apple Configurator-supervised devices trying to auto-enroll with Profile Manager. Manual enrollment continued to work as expected. This morning, I found this gem in Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/mdm_enroll.php, right at the start of the handling logic in the 'try' block:
// Bail immediately if DEP is not enabled
$settings = GetSettings();
if (empty($settings['dep_service_state'])) DieUnauthorized('DEP is not enabled on this server'); // We'll allow it for any non-zero value
I'm no PHP guru, nor do I have an inordinate amount of free time to try to fully understand this script and its includes, but since this appears to abort further processing if the server isn't participating in the Device Enrollment Program, I commented it out and restarted profile manager. Low and behold, my supervised devices can auto-enroll again!
I compared this file to the same one in the previous version of Server I was running and it looks to be the only change. I'm sure it's a bug caused by unintentional misplacement or hurried consideration, but it's egregious. It sure feels like every single step Apple has taken regarding device management since the introduction of Activation Lock has been carefully designed to punish businesses for not re-purchasing all of their devices through the Device Enrollment Program.
OS X Mavericks (10.9.5)