Interesting post, thanks for sharing!
Why not keep the ability to install apps in your office only to the admin? Isn't that the safest and best way to administer Macs as an admin on your network?
Why use multiple Apple-IDs on the Macs on your network? Use one Apple-ID for all users' Macs and auto-update for macOS updates and security updates?
How do you auto-update the non-macOS - only apps - on all the Macs in your network? Would love to use that tweak @home for my two Mac Pros!
Cheers