Admin is concerned about users signing in to their device in dev mode and extracting device secrets (crbug.com/893420), and would like to prevent users from signing in to devices in dev mode and exfiltrating policy (things like wifi passwords, etc.).
So it's probably valuable to have an option to require a VA check before letting users sign in. Given that the device could have been tampered with by the user (to circumvent the VA check), I'd suggest an additional check, which would be to only allow user signin on enrolled devices (i.e. if the user is not affiliated, don't allow signin).