You still don't understand how this works. Apple can't complete the provisinig process alone - the user unlocking the keybag on the device with their password is an essential part of provisioning a device.
When a new device is added to the keybag, the other devices report the change - this isn't controlled by the server and isn't optional. Apple can control the transport infrastructure, but they cannot enrol new devices into the cryptographic session without the user being involved.
When a new device is added to the keybag, the other devices report the change - this isn't controlled by the server and isn't optional. Apple can control the transport infrastructure, but they cannot enrol new devices into the cryptographic session without the user being involved.