Thanks for the input really appreciate it.  We are using basic authentication with AD with email.  So for starters, at the top level disable MEM_dep04 which is company2

Now got stuck on the inherit part as both are set at the parent OG and can't be set lower.

At the parent OG I went into Boxer assignment for company 2.  Was thinking would need to change the highlighted to point to the same as the parent no?

Now here's the problem.  There is a trust with company 1 and company 2 AD but don't think that will be relevant here right now.  So Company 1 is cloning the "usernames" for everyone in Company 2 into company 1.  Because their naming format is different don't think there is much overlap.  So if there is syarbrou with password 12345 in company 2 that will also show in company 1's AD with syarbrou for the username and I will have to manually set the password.

So if that makes sense and I'm on the right track, my problem is how do I change all the existing company 2 users to point to company 1's AD and use that to login going forward without re-enrolling?  So I guess based on your wording, how do I move a user from company 2 to company 1 in WS1?  I'm going to guess it's not as simple as going down to company 2 OG and setting to inherit?

Maybe I scared everyone.  Let's try one thing first.  Moving the user.  I kind of consider the Company1 AD to be separate from Company2 but they don't fully think so.  So company2 username in WS1 is like

company2\syarbrou

Company 1 their login in WS1 is:

company1\yarbrous

The ObjectGUID is not the same between them.  One thought I had is to take all the new company1 versions and bulk load them into MDM  at the higher level.  I then have the challenge of re-associating the installed devices with the new accounts.  Not sure if that is an approach.

Here is where I'm at and kind of manual right now. 

1. Add other domain user into WS1 at a higher OG

2. In the DB found the EnrollmentUserID of the current user and the new user

select * from mobileManagement.EnrollmentUser

3. Current user had an EnrollmentUserID of 99 and new user in the higher OG had an EnrollmentUserID of 100.

4. Then I identified all the tables that used this EnrollmentUserID value and ran an update on them replacing 99 with 100

I then went into the GUI and moved the device to the BYOD OG of the other domain.  Because of the change in owner to a higher OG it let me move it "up" to a higher OG.

OK so now I have the device moved from Company2 OG and AD to Company1 OG and AD in a higher OG.  So the Hub updated itself or being inpatient hit send data.  All the settings in the Hub app changed so showed company1 AD and username instead of company 2.

If I open Boxer it says there is a new account added.  Internal WS1 app store shows the store from the new user not the original one so that changed.  Everything seemed OK, however one issue.  Boxer and Web hang on loading.  Both are basically using SSO (not Access) to login as one is email and the other an authenticated SharePoint site that is it's default page.    Even reinstalled those apps but same deal.

So now trying to figure out how to get beyond that.  Think the SCEP profile on the device is causing this as still shows cert info from the "other" user.