Short answer: you need an MDM like (no particular order): Jamf, Mosyle, Meraki, Airwatch, etc.
An MDM (Mobile Device Manager) will allow you to put in place all of those restrictions, as well as distribute approved apps and settings. All of the MDMs worth using will also give you location tracking, remote wipe, and remote Lost Mode.
Device Enrollment Program will help you by automatically enrolling the iPads in your MDM. Most resellers will associate iPads with your DEP enrollment ID even after they have sold them to you. I highly recommend using DEP, it’s pretty great. Another benefit of using DEP + MDM is that you can allow people to sign in using their Apple ID (if you want to), since they will not be able to turn on Activation Lock with their Apple ID.
You will also want to look in to Volume Purchase Program. VPP is the correct and approved way to purchase apps for organizational use. (Note: the word “Purchase” applies even for free apps. In VPP terms, you “purchase” multiple licenses for free apps even though you are not charged anything for them) You can then tie your VPP account into your MDM of choice and automatically install the purchased apps on your devices.
Hope that helps! I’m happy to answer questions, though I’m very biased towards a specific MDM