MDM for iPads - advice and assistance.

Hi all, just reaching out for advice on the various ways to manage a handful of iPads for a client.

They are a small training organization that I have been looking after for many years.
Server, 2016 AD with essentials role added + 365 NFP, 30-40 workstations, cloudtrax wifi, Itarian + AEProtection, pretty smooth and reliable.

With iPads, they (not me) traditionally just set them up with one iTunes account, installed a few apps, then handed them out for usage.
Naturally, with no specific policy or locks/restrictions, more apps get installed by staff who know the password, until one day they are all locked out and require a restore/reload.

I have tested the MDM here very quickly on one system and it seems quite good.

The only issue appears to be that when setting up and adding apps via policy as mandatory or optional, a pop-up appears and it requires entering an iTunes password to install, so it is not a background process?
I could not see where to change this, and honestly, I don't do Apple much at all, except the basics like email and remote sync, so it could be looking me in the face and I cannot see it.

What did raise some hopes was the profile section allowing LDAP and SSO; are these a smoother way to manage initial user sign-ins?
Or should I be looking at combining the above with what 365 also offers on device management? But they would need to step up a notch on subscription to P1, so it is not really cost-effective.

At the end of the day at this stage, it is only 6 units, more to come, but they need to be both usable and restricted at the same time.

Staff use them, and ad-hoc student classes use them, so I prefer not to save too much data except perhaps the websites required, and no web logins either.

Any advice or help will be great for this non-Apple tech.