I finally got around to setting this up, beginning with a few tablets.

Locking down a ZTE Android tablet worked just great, but I struggled with a Lenovo one as certain UI customization clashed with the MDM policy in a broken way. The policy ultimately worked but it was still possible to view broken menus and so forth.