ITMS 8.6 RU2
Main documentation on MDM can be found here:
About Modern Device Management
Regarding the "unsigned" label:
It means that Enrollment Profile Signing certificate was not selected in Server Configuration. It is an optional certificate that is used for signing MDM profiles. If it is not used, Mac UI will show red "Unsigned" label
What "unsigned" means also is described in our documentation (please see Step 4 - Obtaining / Generating a Signing Certificate from Setting up MDM for macOS)
Obtaining / Generating a Signing Certificate
Aside from obtaining a certificate for your MDM server, you must also obtain or generate a certificate to sign the profiles distributed to MDM managed devices to ensure their integrity. End users can install unsigned profiles, but they will be labeled Unsigned in System Preferences > Profiles on the device, which may generate calls to the help desk.
To prevent this, you can employ a CA-signed certificate to sign profiles. A certificate issued by a trusted Certificate Authority ensures that profile signing is labeled Verified in the user's System Preferences page.
After you have a certificate to sign profiles, import it by following the steps outlined in Obtaining Apple APNS Certificate section above, but install the certificate as a Signing Certificate when prompted.