It looks like normal user device enrollment with device management is optional, hence why I think business probably makes sense.
https://support.apple.com/en-sg/guide/apple-business-manager...
Then you can force all traffic through a proxy.
https://support.apple.com/en-sg/guide/deployment/dep7ba46fcd...
And since you have root certs on the devices, you can decrypt traffic and uniquely identify devices and block internet from your central management, at any time, regardless of whether the phone is on your wifi vs a friend's vs mobile data.
I think it should work.