I’ve just experienced an issue enrolling iOS devices using JIT Web Registration, and the device compliance policy was assigned to a Dynamic Security Group. The time it took for a Dynamic Security Group to catch up with life, resulted in the iOS Enrollment failing due to lack of compliance policy, because it timed out before the dynamic queries had been performed.