Hi Victor,
Currently, authentication is a user-level option, and not an agent-level option. As you have correctly observed, the agent will attempt to connect to the server when the service is run and create an enrollment request if it is missing its configuration sent from the server. There is no way to “gate” agent enrollment requests on the server side at this time, and there is no way to block the requests so they will no longer show up in the pending list UI.
Basically, once an agent has been approved by the admin, it is considered trusted and available. It can be disabled server-side so that it can’t take on work or attempt another enrollment. It can also be deleted, but the agent can attempt to enroll again.