Yes but then it's up to the device admin typically to enroll some additional keychain into the enclave. I only know 1 group using the "trust 3rd party" over "trust ours" because they don't want users sticking mint on the company Ubuntu machines.