In step 1 you mention that the targets are user groups, but in step 3 it is mentioned that the devices need to be targeted? So, do we need to scope to user groups or device groups? Other sources on the internet claim it should be device groups.
I do not understand how you get this working with static (device) groups. The ABM device is known in Intune from the sync between ABM and Intune. But it is just a serial number registration and a pointer to an enrollment profile. The ABM device then starts the enrollment, and only at that moment is an equivalent real device created in Intune that could be added to a group. So the device will go through the setup flow and hit a point where it would need the Company Portal and configuration for SSO, but does not get the required configuration policies as it is not in a group yet. Or, must an Intune admin be sitting behind his/her desk adding it at exactly the right moment? What am I missing?
From the documentation it is also not clear what needs to happen to existing devices. My original plan was to keep the settings for new devices separate from existing devices. I wanted to create a dynamic (device) group that is based on the EnrollmentType, so that I can make the distinction between new devices that should use the new settings, and existing devices that remain with the old SSO settings. But I noticed that that property is empty for all devices in our tenant, which is also odd.
Or, is it possible to use the existing configuration profiles and simply add 'Enable registration during startup'? That way older devices that need to re-install could get the same new experience?