As far as I know there are only three ways to install the SCCM client on devices:
1) Client push settings within SCCM
2) Group Policy
3) Standalone installation
After enabling GPO to allow auto-enroll of client certificate (duplicate of workstation authentication), the client is being installed on devices throughout my domain at the rate of ~10 per day. The interesting thing is, I'm not aware of doing anything that should allow this. I have verified that none of the above three scenarios are possible ("Enable automatic site-wide client push installation" un-selected, no software being pushed via gpo). How are these machines receiving the client?