Locking down a corporate shared device while no one is logged in
I am looking for ideas on how to lock down a corporate shared device while no one is logged into it. I am not worried that the device is not password protected. More worried that there are no device restrictions, I.E a user can login with an Apple ID, download apps from the app store and pretty much use the device how they please without ever logging in to the Hub app. Hopefully I am missing something simple. It would also be nice to be able to set specific device restrictions without implementing the whole device restriction page. Or like an option to leave some of that long list ' unassigned' where another profile can supersede. At the very least be able to deny the Apple App Store icon and disable Apple ID login but not the rest of the settings.
We have all our shared devices change OG when signed in, to one that will add a profile which puts the device in single app mode and make that app Hub. the devices must be DEP or Supervised by Apple config but it works great.