You've got a prestage enrollment and a device enrolled, but now what? How do you install software? How do configure settings? Policies and Profiles!
Policies in jamf are how you install software, run scripts, and perform other management tasks.
Configuration Profiles are a way to manage macOS device settings. Anything from global settings all the way to custom application settings. They're the bread and butter of an MDM and they make it so you don't have to change the timezone on 500+ devices manually.
There are a couple of different ways you can make profiles. You can make them in your mdm gui, build them by hand, or use something like profile creator to make them for you.
Most people will tell you not to use the built in MDM gui's for building profiles. Why? It's because with most of them you can't exclude certain settings from the profile payload. A good example of this is the Login Window payload. Maybe you want to set a login window message, but by using the gui (in jamf at least) you also have to choose if the login window has just the username and password fields, or a list of users. Maybe you don't want to manage that and let the end user decide if they see the list of users or just a username and password field. You can't, unless?
To rememdy this you can export the profile and modify the plist, but if you upload it into jamf it will see that it's a login window payload and add the additional fields back in that you didn't want to manage. So what's the solution? Signing your profiles! If you sign your profile with a certificate before uploading it, jamf will NOT be able to manipulate the payload, therefor only managing the settings you specifified.
The below command will allow you to sign a profile with a signing certificate in your keychain.
/usr/bin/security cms -S -N "[Signing Certificate]" -i "[input]" -o "[output]"
You can either sign up for the Apple Developer Program, which will allow you to generate developer certificates that will be trusted by all Apple devices, or you can generate one using your MDM's root CA. I reccomend the former. Either way you go, you will need the certificate AND the Private key to be able to sign the profile.Here is a basic guide on how to do this with your jamf CA.