Let me see if I can shed some light on this.
To start, you are experiencing retroactive automated device enrollment (enforcement). It is possible the original owner (your old company) released the asset from Apple Business Manager (ABM). However, if your device was never erased to trigger a call to Apple Activation Server, you are now seeing the retroactive enforcement. Since you describe the prompt appearing after you installed an OS on an external drive, I suspect they DID NOT release the device. Please note, to fully reset the device, an erase will be required. I will get to that. I also suspect the boot drive is not on Sonoma yet.
Ok, here is the nickel tour. Apple's device management framework has three major components. There is ABM (or ASM (Apple School Manager) if you are an education customer), an MDM (the platform that manages the devices), and Apple's Activation Servers. We have no control over the activation servers but just understand that all modern Apple hardware MUST contact the Activation Server on initial setup. The MDM is what is used to perform management of the device. This includes app installation, patch management, configuration profiles, etc. ABM/ASM establishes chain of custody (ownership of hard and soft assets). Chain of custody appears to be your current problem. The device you have is linked in chain of custody to your prior employer. They legally own the device in the eyes of Apple. Only the prior employer can break that link. The process is relatively simple, but the prior employer is the only entity that can do this.
1: Log into ABM
2: Go to the Devices tab
3: Search for the serial number of the device in question
4: Release the device
Releasing the device breaks the chain of custody, telling the Apple Activation Servers that the device is no longer legally bound to an organization. In a gross simplification, the device will now follow a "retail" activation. Ah, but if your device hit Apple's activation server WHILE the device was still a link in the chain of custody, the activation record is now cached to the device. The only way to reset this association is by erasing the device and reinstalling the operating system.
Now to your specific questions:
1: Start here. The action needed is a device Release. It takes seconds and it removes the device from chain of custody.
2: Back up your data immediately to ensure you are not locked out. Retroactive enrollment will allow an 8-hour deferral and then it is mandatory. If the device is still in ABM but not associated to an MDM, you will be stuck in a loop and you will not get your data. If the device is in ABM AND associated to an MDM, then your device will enroll into the business' MDM.
3: If you allow the device to enroll, the company is the device's admin. They can do a lot. But they are not god. Exact device location is not possible without issuing a Lock command. However, your IP address is recorded so a generalized location can be derived. Also, camera and microphone cannot be remotely triggered. Ideally, don't let the device enroll.
4: You can query your chain of custody with the following command in Terminal (you must have an admin account on the Mac as you will need to enter your password to execute the command):
sudo profiles show -type enrollment
You should get your chain of custody record as a result, showing association to your prior company. Once they release the device, the same command should return no results and the device will no longer be linked to a company. But remember, you should erase the device after it is released to clear the activation cache. Back up your data.
As for your final point, it is possible that they DON'T have your device under management. This is not entirely their fault. Retroactive MDM enrollment was only released with Sonoma. Many Apple Admins would simply issue an unmanage from the MDM and call it a day. Since Sonoma, that is no longer enough. Retired, sold, decommissioned, or gifted company assets need to be released from ABM and then erased to allow for a fresh chat with the activation server. To check, go to System Settings and search for Profiles (click on Install, view, or remove configuration profiles). Are there any profiles in the list? If no, then the device was unmanaged (performed by the MDM) but not released (performed in ABM).
Once the device is released you should consider a clean install of the device to ensure the cached activation record is reset. The device will be free and clear of the prior company.
Hope this was helpful.
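The two checks described in the answer above (the enrollment record and the Profiles list) can be combined into one classification. This is an added example, not part of the original post: the function names are hypothetical, the sample records are constructed, and the assumed output layout (key = value lines such as ConfigurationURL and OrganizationName, or `(null)` when no record exists) should be compared against what your own Mac prints.

```shell
#!/bin/sh
# Classify a Mac from the text of `sudo profiles show -type enrollment`
# (read on stdin) and the number of configuration profiles shown in
# System Settings > Profiles (argument 1).
# Assumption: an assigned device prints key = value lines including
# ConfigurationURL; a released device prints no such record.

# Print the OrganizationName value from an enrollment record, if present.
enrollment_org() {
    sed -n 's/^[[:space:]]*OrganizationName = "\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p'
}

classify_state() {
    profile_count=$1
    record=$(cat)
    if ! printf '%s\n' "$record" | grep -q 'ConfigurationURL'; then
        # No record: chain of custody is broken, only the cache remains.
        echo "released: erase and reinstall to clear the cached activation record"
    elif [ "$profile_count" -eq 0 ]; then
        # Record present but no profiles: unmanaged in the MDM, never released.
        org=$(printf '%s\n' "$record" | enrollment_org)
        echo "unmanaged-not-released: ${org:-prior owner} must release the serial in ABM"
    else
        echo "managed: device is assigned in ABM and has profiles installed"
    fi
}

# Constructed sample records (not captured from a real device).
SAMPLE_ASSIGNED='Device Enrollment configuration:
{
    ConfigurationURL = "https://mdm.example.com/enroll";
    IsMandatory = 1;
    OrganizationName = "Example Corp";
}'
SAMPLE_RELEASED='Device Enrollment configuration:
(null)'

# On a real Mac (count the profiles yourself in System Settings):
#   sudo profiles show -type enrollment | classify_state 0
```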