
How can I reset mac with no longer valid MDM profile

My old company did a big sellout and giveaways as they let everyone go, and as part of it, some people got the devices they used while working at the company or any free devices that were otherwise going to be sold or disposed of.


We have released all devices on Apple Business Manager and removed the MDM profile on it, we have also literally deleted all devices on the MDM service before terminating the MDM service. So technically every device should be free of MDM.


One thing we didn't think of was that these devices, even if reset a long time ago, may still have some of this MDM configuration loaded somehow, so when people try to use the device, it stops them from starting to use macOS after a fresh install.


What's the best approach for those individuals having this issue?

MacBook Pro (M1, 2020)

Posted on Jul 28, 2024 12:27 AM

Question marked as Top-ranking reply

Posted on Jul 28, 2024 10:15 AM

Reading this, two things come to mind: retroactive DEP enrollment and activation lock. First a bit of a clarification on the proper decommissioning process.


The best method for decommissioning is to first release the asset from ABM/ASM. This breaks the chain of custody for the hardware asset, effectively converting it to a retail activation device. Ah, now the next step, which is new as of Sonoma. You should ERASE the device, allowing it to communicate fresh with Apple's activation server during Setup Assistant. This process will ensure that the device does not cache the ABM/ASM activation information. This has become a problem in the following scenario:


A T2 or newer Mac is running an OS older than Sonoma and it is unmanaged from the MDM and the device is released from ABM/ASM. However, the device is NOT erased. Yes, it is unmanaged which will remove the MDM enrollment. But, this means that the cached activation record still sees the machine as an institutional device, associated to an ABM/ASM and retains the MDM enrollment details. Everything is fine until the user upgrades the machine to Sonoma and then retroactive DEP kicks in. The user is prompted to enroll into management and is given one opportunity to defer enrollment for 8 hours. After 8 hours, the device is a brick and data is inaccessible. To recover, you must erase the machine, allowing it to go through Setup Assistant and thus do a fresh query to the Activation Servers.


Is this what you are seeing? I had an EDU customer that started unmanaging devices and allowing staff to keep them. They would unmanage first, then release from ASM. They did not erase. Users started upgrading to Sonoma and began being trapped in the retroactive enrollment prompt.


If this is your experience, communicate with the users and encourage them to backup their devices and erase all contents and settings. Start over. Start fresh.


Ok, now there is a second possible issue that you may be experiencing. This is activation lock triggered by a user enrolling the device in Find My. In this case, a device is now linked to a person's personal Apple ID. If you had a bunch of machines that you handed out to users, it is possible that you have devices activation locked to a different employee. When resetting the device, it will ask for the Apple ID password of the person who activation locked the device, preventing continued use of the device.


If this is what you are experiencing, then you may be in a bad spot. Coming in the Fall, Apple will provide the ability to clear activation lock directly in ABM/ASM for institutional devices. However, until then, you must open a ticket with AppleCare to request an activation lock unlock. However, you must be able to prove ownership of the device. If you still have access to ABM, you may be able to use that as proof of chain of custody, even though the devices have been released. I've done this in the past and Apple has removed the lock from released assets (sometimes IT departments get a little overzealous and jump the gun on releasing assets from ABM).


Hope this is helpful. Sadly, to truly disassociate, you need to erase the devices to clear the activation cache.
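The reply above amounts to a three-step decommissioning procedure (release from ABM/ASM, un-enroll from MDM, erase) plus a second blocker, Activation Lock. As an added example, not code from this thread or from Apple, the POSIX shell script below is a pre-handover audit an IT team could run on each Mac before giving it away: it reads the output of `profiles status -type enrollment` and `system_profiler SPHardwareDataType` and reports whether the machine is clean, still needs the erase step, or is Activation Locked and needs the owner's Apple ID or an AppleCare/ABM unlock request first. The exact wording of the report lines it parses (`Enrolled via DEP:`, `MDM enrollment:`, `Activation Lock Status:`) is an assumption about current macOS output, and the sample reports embedded in the script are constructed so it also runs on a non-Mac host.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-handover audit for a Mac that is
# leaving an organisation. It classifies a device from the text that macOS
# `profiles status -type enrollment` and `system_profiler SPHardwareDataType`
# print. The exact line text below is an assumption about current macOS.

# Constructed sample reports so the script runs off a Mac as well.
SAMPLE_ENROLLMENT_CLEAN='Enrolled via DEP: No
MDM enrollment: No'

SAMPLE_ENROLLMENT_STALE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

SAMPLE_HARDWARE_UNLOCKED='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Chip: Apple M1
      Activation Lock Status: Disabled'

SAMPLE_HARDWARE_LOCKED='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Chip: Apple M1
      Activation Lock Status: Enabled'

# decommission_verdict ENROLLMENT_TEXT HARDWARE_TEXT
# Prints exactly one of:
#   activation-locked  Activation Lock is on; erasing just brings the owner's
#                      Apple ID prompt forward, so resolve the lock first
#   erase-required     a DEP assignment or MDM enrollment record is still
#                      present; erase so Setup Assistant re-queries Apple
#   clean              no enrollment record and Activation Lock disabled
# Exit status: 0 clean, 1 erase-required, 2 activation-locked.
decommission_verdict() {
    enrollment="$1"
    hardware="$2"
    dep=$(printf '%s\n' "$enrollment" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$enrollment" | sed -n 's/^MDM enrollment: *//p')
    lock=$(printf '%s\n' "$hardware" | sed -n 's/^ *Activation Lock Status: *//p')

    # Activation Lock is the blocking condition, so report it first.
    case "$lock" in
        Enabled*) echo "activation-locked"; return 2 ;;
    esac

    # A missing line is treated as "unknown", which is not the same as "No":
    # the conservative verdict is to erase.
    if [ "$dep" != "No" ] || [ "$mdm" != "No" ]; then
        echo "erase-required"
        return 1
    fi
    echo "clean"
    return 0
}

# collect_and_judge: on a Mac, gather the live reports (enrollment status may
# need sudo to be complete); elsewhere fall back to the constructed samples.
collect_and_judge() {
    if command -v profiles >/dev/null 2>&1 && command -v system_profiler >/dev/null 2>&1; then
        enrollment=$(profiles status -type enrollment 2>/dev/null)
        hardware=$(system_profiler SPHardwareDataType 2>/dev/null)
    else
        enrollment="$SAMPLE_ENROLLMENT_CLEAN"
        hardware="$SAMPLE_HARDWARE_UNLOCKED"
    fi
    decommission_verdict "$enrollment" "$hardware"
}

# Run the audit when invoked directly; the exit code can drive an inventory script.
if [ "${AUDIT_RUN:-1}" = "1" ]; then
    collect_and_judge
fi
```

Run it on the Mac itself before handover; an `erase-required` result is exactly the Sonoma retroactive-enrollment trap the reply describes, and `activation-locked` means the AppleCare/ABM ownership route has to happen before the erase, not after.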




